Summary:
Syscall | Calls | Syscall | Calls | Syscall | Calls | Syscall | Calls |
NtAddAtom(>) | 1 | NtUserGetObjectInformation(>) | 1 | NtOpenEvent(>) | 4 | NtCreateEvent(>) | 26 |
NtAdjustPrivilegesToken(>) | 1 | NtUserGetProcessWindowStation(>) | 1 | NtQueryPerformanceCounter(>) | 4 | NtFreeVirtualMemory(>) | 28 |
NtCallbackReturn(>) | 1 | NtUserGetThreadDesktop(>) | 1 | NtSetInformationObject(>) | 4 | NtOpenProcess(>) | 29 |
NtCreateThread(>) | 1 | NtAccessCheck(>) | 2 | NtFsControlFile(>) | 5 | NtOpenFile(>) | 30 |
NtEnumerateValueKey(>) | 1 | NtContinue(>) | 2 | NtGdiGetStockObject(>) | 5 | NtCreateFile(>) | 31 |
NtGdiCreateBitmap(>) | 1 | NtCreateIoCompletion(>) | 2 | NtOpenProcessToken(>) | 5 | NtUserFindExistingCursorIcon(>) | 34 |
NtGdiInit(>) | 1 | NtEnumerateKey(>) | 2 | NtSetInformationFile(>) | 5 | NtRequestWaitReplyPort(>) | 39 |
NtGdiQueryFontAssocInfo(>) | 1 | NtGdiCreateSolidBrush(>) | 2 | NtQueryDefaultUILanguage(>) | 6 | NtUserRegisterClassExWOW(>) | 42 |
NtGdiSelectBitmap(>) | 1 | NtNotifyChangeKey(>) | 2 | NtQueryVolumeInformationFile(>) | 6 | NtQueryVirtualMemory(>) | 54 |
NtOpenKeyedEvent(>) | 1 | NtOpenDirectoryObject(>) | 2 | NtWaitForSingleObject(>) | 6 | NtOpenSection(>) | 57 |
NtOpenSymbolicLinkObject(>) | 1 | NtOpenThreadToken(>) | 2 | NtCreateMutant(>) | 7 | NtCreateSection(>) | 76 |
NtQueryInstallUILanguage(>) | 1 | NtQueryKey(>) | 2 | NtQueryInformationProcess(>) | 7 | NtQueryAttributesFile(>) | 77 |
NtQueryObject(>) | 1 | NtReadFile(>) | 2 | NtUserSystemParametersInfo(>) | 7 | NtQuerySystemInformation(>) | 82 |
NtQuerySymbolicLinkObject(>) | 1 | NtUserRegisterWindowMessage(>) | 2 | NtQueryDebugFilterState(>) | 8 | NtUnmapViewOfSection(>) | 82 |
NtQuerySystemTime(>) | 1 | NtWaitForMultipleObjects(>) | 2 | NtSetValueKey(>) | 8 | NtAllocateVirtualMemory(>) | 95 |
NtRegisterThreadTerminatePort(>) | 1 | NtWriteFile(>) | 2 | NtOpenProcessTokenEx(>) | 9 | NtFlushInstructionCache(>) | 101 |
NtResumeThread(>) | 1 | NtCreateSemaphore(>) | 3 | NtOpenThreadTokenEx(>) | 9 | NtWriteVirtualMemory(>) | 116 |
NtSecureConnectPort(>) | 1 | NtDelayExecution(>) | 3 | NtQueryInformationFile(>) | 9 | NtMapViewOfSection(>) | 142 |
NtSetInformationProcess(>) | 1 | NtDuplicateObject(>) | 3 | NtCreateKey(>) | 11 | NtOpenKey(>) | 190 |
NtTestAlert(>) | 1 | NtGdiCreateCompatibleDC(>) | 3 | NtQueryInformationToken(>) | 12 | NtQueryValueKey(>) | 256 |
NtUserCallNoParam(>) | 1 | NtQueryDefaultLocale(>) | 3 | NtQuerySection(>) | 13 | NtProtectVirtualMemory(>) | 319 |
NtUserCallOneParam(>) | 1 | NtSetInformationThread(>) | 3 | NtQueryDirectoryFile(>) | 14 | NtClose(>) | 379 |
NtUserGetDC(>) | 1 | NtConnectPort(>) | 4 | NtDeviceIoControlFile(>) | 24 |
275\331\253\366_\233\22$\233\251\31\365\232\322;\340\352{U\14\273\227n\23+\325\312\330\263\372\3150\230\4RS\377\32\256U%\36\361L5&~\242\2335\321\236\363\226s-\274*_\277\313]j~\333\307\345\276.\256B*'e\376A\273
7\335Q\27K\3o\30139\231", ) == 0x0 01787 896 NtDeviceIoControlFile (96, 0, 0x0, 0x0, 0x390008, (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01788 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01789 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01790 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01791 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01792 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01793 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01794 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01795 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0 01796 896 NtSetValueKey (-2147481368, (-2147481368, "Seed", 0, 3, "Mb\226\304\357[\266\227\364\10\237\26M2\204\340\21 \266\69\373\247\15\333\377\206\260\207\326\262\361\34L)%_]0N4+\271s\371\330?_P^%\243d\344\6\300\14\233\32&\356-m\262[\350\7\210T\201X\363\355\356![[}\24{", 80, ... 
) , 0, 3, (-2147481368, "Seed", 0, 3, "Mb\226\304\357[\266\227\364\10\237\26M2\204\340\21 \266\69\373\247\15\333\377\206\260\207\326\262\361\34L)%_]0N4+\271s\371\330?_P^%\243d\344\6\300\14\233\32&\356-m\262[\350\7\210T\201X\363\355\356![[}\24{", 80, ... ) , 80, ... ) == 0x0 01797 896 NtClose (-2147481368, ... ) == 0x0 01787 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "j\311M\356,v.\35Jkb\200q\377\10\363O\266h\352 pZ\334+h\262\327^^\23\237\375n\3143\144+E\344\330\25\206\24U\302\344\10Fp\205;\6\14\262\237\13\241`xEi#d\340\327G\371\215?p~\22\370\325\310\4\337\23\16D\224\316\22329\326\375\20E\267\225\3430y\344\2054\30537\311\303Ud\366\33\306\323\244\274\6c\31\264\21cw\2138h[\252\21\35\270o\364\304\233A\301\3365\27\373*\264\22\366\251s\370\254\177\3077\207\312P7\351\261\252\310*\324t\212I\314\334U\245&\227\200\235\353\266\3531S[JZ2K\201\224b\214J\271\317\365\324\342\357b\201nA\204\255.B4\266\343\207\11\2044\300\5\245 \262H\276O\201$0H\320`a\225\336\16\378\354"\22\351Q\350y\276\263\3434\10R$\302\1\254\21\331]\374\332 \232z\224\366\320\202\253", ) \22\351Q\350y\276\263\3434\10R$\302\1\254\21\331]\374\332 \232z\224\366\320\202\253", ) == 0x0 01798 896 NtDeviceIoControlFile (96, 0, 0x0, 0x0, 0x390008, (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01799 896 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 01800 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01801 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01802 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01803 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01804 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01805 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01806 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0 01807 896 NtSetValueKey (-2147481368, (-2147481368, "Seed", 0, 3, "\1\337\15\264o\200\2\206nb\30\351/\317^\354\335h\303\242\6\327\334\214\30+rTA\312\354\270\377\215\326?\232\6\2654\314\30&u}\\333\303\215\261\325\344/M\366N\255#JW\225\233\342\177\305\275\354\323\325\220\257\225I!L{\10\315p\205", 80, ... ) , 0, 3, (-2147481368, "Seed", 0, 3, "\1\337\15\264o\200\2\206nb\30\351/\317^\354\335h\303\242\6\327\334\214\30+rTA\312\354\270\377\215\326?\232\6\2654\314\30&u}\\333\303\215\261\325\344/M\366N\255#JW\225\233\342\177\305\275\354\323\325\220\257\225I!L{\10\315p\205", 80, ... ) , 80, ... ) == 0x0 01808 896 NtClose (-2147481368, ... ) == 0x0 01798 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\375\3719\242\5\302\265j\363\313\262\264\242\376>\310\32\4\367\315\276:E\332vX\202\347/\13\317\252h\335\26\213slY\223\336\207_=\236\35\10\23Gv;\23\202\5\313!\326\224\236LeyQq/\376n\12\12\375\237\353`1r\244 4\306\262\340\321>\3019\241\327\15\354\320\250K)j/[MOm\345\212\237h\365r\5\322\346\225\372r_\263\225\257\5NV2\341*\210bS\221\352\350A\214AVP\301\270\272\357\349C\213\216O\343S\307\306\265I\333Y\225\273\347>\212\270\373\343\306\362&q\214\234\320sF\361Z\10\240\352\316z\20\363\11p\202\4K\203\243\373\11;i\303g\241+%\215\264)!\16\211?\313E\201k0$\254x\333[&\343\277F\306\246\341\0\302\332q\257]\253\354q=\216xN\16\202#`\353\223\254U\211\325\242rL\252\201t\365@v\35\202\245\361\314\260.X", ) , ) == 0x0 01809 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0 01810 896 NtConnectPort ( ("\RPC Control\ntsvcs", {12, 2, 1, 1}, 0x0, 0x0, 1243284, 188, ... 140, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 1243284, 188, ... 140, 0x0, 0x0, 0x0, 188, ) == 0x0 01811 896 NtRequestWaitReplyPort (140, {200, 224, new_msg, 0, 1341512, 12, 2, 1310977} (140, {200, 224, new_msg, 0, 1341512, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\20\232\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... 
{200, 224, reply, 0, 1252, 896, 81887, 0} "\7\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ... {200, 224, reply, 0, 1252, 896, 81887, 0} (140, {200, 224, new_msg, 0, 1341512, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\20\232\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81887, 0} "\7\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01812 896 NtRequestWaitReplyPort (140, {48, 72, new_msg, 0, 44, 3, 20, 0} (140, {48, 72, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\33\0gS\263F\252\227\2L\355h\28 \0"\0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0" ... 
{96, 120, reply, 0, 1252, 896, 81888, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) \0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0 (140, {48, 72, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\33\0gS\263F\252\227\2L\355h\28 \0"\0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0" ... {96, 120, reply, 0, 1252, 896, 81888, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) \2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) == 0x0 01813 896 NtRequestWaitReplyPort (140, {100, 124, new_msg, 0, 1252, 896, 81888, 0} (140, {100, 124, new_msg, 0, 1252, 896, 81888, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\11\0\0\0\0\0\0\0\11\0\0\0RpcPatch\0\0\0\0\377\1\17\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81889, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ... {96, 120, reply, 0, 1252, 896, 81889, 0} (140, {100, 124, new_msg, 0, 1252, 896, 81888, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\11\0\0\0\0\0\0\0\11\0\0\0RpcPatch\0\0\0\0\377\1\17\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0" ... 
{96, 120, reply, 0, 1252, 896, 81889, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ) == 0x0 01814 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01815 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243248, (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\system32\dllcache\tftpd.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01816 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01817 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243248, (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 3, 1, 2097252, 0, 0, ... ) }, 0x0, 0, 3, 1, 2097252, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01818 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01819 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243248, (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 1, 1, 100, 0, 0, ... ) }, 0x0, 0, 1, 1, 100, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01820 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01821 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243248, (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 3, 1, 100, 0, 0, ... ) }, 0x0, 0, 3, 1, 100, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01822 896 NtOpenEvent (0x100000, {24, 100, 0x0, 0, 0, (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 180, ) }, ... 180, ) == 0x0 01823 896 NtWaitForSingleObject (180, 0, {-1800000000, -1}, ... ) == 0x0 01824 896 NtClose (180, ... ) == 0x0 01825 896 NtRequestWaitReplyPort (140, {48, 72, new_msg, 0, 1252, 896, 81889, 0} (140, {48, 72, new_msg, 0, 1252, 896, 81889, 0} "\1\356\0\0A\2\33\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81890, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" ) ... {96, 120, reply, 0, 1252, 896, 81890, 0} (140, {48, 72, new_msg, 0, 1252, 896, 81889, 0} "\1\356\0\0A\2\33\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81890, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" ) ) == 0x0 01826 896 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 01827 896 NtRequestWaitReplyPort (140, {44, 68, new_msg, 56, 1252, 896, 81890, 0} (140, {44, 68, new_msg, 56, 1252, 896, 81890, 0} "\1+\0\0B\2\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0\330\237\24\0\370\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81891, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0B\0a\0s\0e\0\0\0s\0\2\0\0\0\0\0\0\0\2\0\0\0/\0\0\0" ) ... 
{124, 148, reply, 0, 1252, 896, 81891, 0} (140, {44, 68, new_msg, 56, 1252, 896, 81890, 0} "\1+\0\0B\2\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0\330\237\24\0\370\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81891, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0B\0a\0s\0e\0\0\0s\0\2\0\0\0\0\0\0\0\2\0\0\0/\0\0\0" ) ) == 0x0 01828 896 NtRequestWaitReplyPort (140, {96, 120, new_msg, 0, 1252, 896, 81891, 0} (140, {96, 120, new_msg, 0, 1252, 896, 81891, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\6\0\0\0\0\0\0\0\6\0\0\0MSDTC\0\0\0\377\1\17\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81892, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ... {96, 120, reply, 0, 1252, 896, 81892, 0} (140, {96, 120, new_msg, 0, 1252, 896, 81891, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\6\0\0\0\0\0\0\0\6\0\0\0MSDTC\0\0\0\377\1\17\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... 
{96, 120, reply, 0, 1252, 896, 81892, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ) == 0x0 01829 896 NtRequestWaitReplyPort (140, {84, 108, new_msg, 0, 1252, 896, 81892, 0} (140, {84, 108, new_msg, 0, 1252, 896, 81892, 0} "\1\356\0\0A\2&\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81893, 0} "\2+\263\341\4\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0(\4\0\0x~\15\0" ) ... {40, 64, reply, 0, 1252, 896, 81893, 0} (140, {84, 108, new_msg, 0, 1252, 896, 81892, 0} "\1\356\0\0A\2&\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81893, 0} "\2+\263\341\4\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0(\4\0\0x~\15\0" ) ) == 0x0 01830 896 NtRequestWaitReplyPort (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0} (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81894, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ) ... {64, 88, reply, 56, 1252, 896, 81894, 0} (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... 
{64, 88, reply, 56, 1252, 896, 81894, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 01831 896 NtRequestWaitReplyPort (140, {88, 112, new_msg, 0, 1252, 896, 81893, 0} (140, {88, 112, new_msg, 0, 1252, 896, 81893, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81895, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ... {96, 120, reply, 0, 1252, 896, 81895, 0} (140, {88, 112, new_msg, 0, 1252, 896, 81893, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81895, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ) == 0x0 01832 896 NtRequestWaitReplyPort (140, {44, 68, new_msg, 56, 1252, 896, 81895, 0} (140, {44, 68, new_msg, 56, 1252, 896, 81895, 0} "\1\356\0\0B\2$\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0H\246\24\0O\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81896, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x~\15\0" ) ... 
{40, 64, reply, 0, 1252, 896, 81896, 0} (140, {44, 68, new_msg, 56, 1252, 896, 81895, 0} "\1\356\0\0B\2$\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0H\246\24\0O\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81896, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x~\15\0" ) ) == 0x0 01833 896 NtRequestWaitReplyPort (140, {88, 112, new_msg, 0, 1252, 896, 81896, 0} (140, {88, 112, new_msg, 0, 1252, 896, 81896, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81897, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) ... {96, 120, reply, 0, 1252, 896, 81897, 0} (140, {88, 112, new_msg, 0, 1252, 896, 81896, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81897, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) ) == 0x0 01834 896 NtRequestWaitReplyPort (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0} (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0" ... 
{96, 120, reply, 0, 1252, 896, 81898, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ... {96, 120, reply, 0, 1252, 896, 81898, 0} (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81898, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) ) == 0x0 01835 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1243000, ... ) }, 1243000, ... ) == 0x0 01836 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 180, {status=0x0, info=1}, ) }, 7, 2113568, ... 180, {status=0x0, info=1}, ) == 0x0 01837 896 NtSetInformationFile (180, 1242976, 40, Basic, ... ) == STATUS_ACCESS_DENIED 01838 896 NtClose (180, ... ) == 0x0 01839 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243248, (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0 01840 896 NtQueryInformationFile (180, 1243684, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01841 896 NtQueryInformationFile (180, 1243600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01842 896 NtQueryInformationFile (180, 1243416, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01843 896 NtAllocateVirtualMemory (-1, 1355776, 0, 8192, 4096, 4, ... 
1355776, 8192, ) == 0x0 01844 896 NtQueryInformationFile (180, 1353632, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01845 896 NtQueryInformationFile (180, 1241864, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01846 896 NtQueryInformationFile (180, 1242140, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01847 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\WINS\DLLHOST.EXE"}, 1241336, ... ) }, 1241336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01848 896 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1242016, (0x40110080, {24, 0, 0x40, 0, 1242016, "\??\C:\WINDOWS\system32\wins\DLLHOST.EXE"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01849 896 NtClose (-2147481484, ... ) == 0x0 01848 896 NtCreateFile ... 184, {status=0x0, info=2}, ) == 0x0 01850 896 NtQueryVolumeInformationFile (184, 1242168, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01851 896 NtQueryInformationFile (184, 1241752, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01852 896 NtQueryVolumeInformationFile (180, 1242168, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01853 896 NtSetInformationFile (184, 1242068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01854 896 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 180, ... 188, ) == 0x0 01855 896 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 01856 896 NtClose (188, ... 
) == 0x0 01857 896 NtWriteFile (184, 0, 0, 0, (184, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\250\0\0\0\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^%\35\22?KN\22?KN\22?KNK\34XN\20?KN\2217\26N\30?KNi#GN\23?KN} AN\31?KN\221#EN\23?KN} ON\21?KN\22?JNv?KN\24\34@N\20?KNRich\22?KN\0\0\0\0\0\0\0\0PE\0\0L\1\3\0irus\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0`\0\0`\220\0\0\0p\0\0\0\240\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\1\0\0\4\0\0\0\0\0\0\3\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\240\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0", 19968, 0x0, 0, ... {status=0x0, info=19968}, ) , 19968, 0x0, 0, ... {status=0x0, info=19968}, ) == 0x0 01858 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 01859 896 NtSetInformationFile (184, 1243416, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01860 896 NtClose (180, ... ) == 0x0 01861 896 NtClose (184, ... ) == 0x0 01862 896 NtOpenEvent (0x100000, {24, 100, 0x0, 0, 0, (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 184, ) }, ... 184, ) == 0x0 01863 896 NtWaitForSingleObject (184, 0, {-1800000000, -1}, ... ) == 0x0 01864 896 NtClose (184, ... ) == 0x0 01865 896 NtRequestWaitReplyPort (140, {48, 72, new_msg, 0, 1252, 896, 81898, 0} (140, {48, 72, new_msg, 0, 1252, 896, 81898, 0} "\1\356\0\0A\2\33\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01910 896 NtClose (196, ... ) == 0x0 01911 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000006"}, ... 196, ) }, ... 196, ) == 0x0 01912 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01913 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01914 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 
(196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01915 896 NtClose (196, ... ) == 0x0 01916 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000007"}, ... 196, ) }, ... 
196, ) == 0x0 01917 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01918 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01919 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01920 896 NtClose (196, ... ) == 0x0 01921 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000008"}, ... 196, ) }, ... 196, ) == 0x0 01922 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01923 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01924 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01925 896 NtClose (196, ... ) == 0x0 01926 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000009"}, ... 196, ) }, ... 196, ) == 0x0 01927 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01928 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01929 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01930 896 NtClose (196, ... ) == 0x0 01931 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000010"}, ... 196, ) }, ... 196, ) == 0x0 01932 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01933 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01934 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01935 896 NtClose (196, ... ) == 0x0 01936 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000011"}, ... 196, ) }, ... 196, ) == 0x0 01937 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01938 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01939 896 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01940 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01941 896 NtClose (196, ... ) == 0x0 01942 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000012"}, ... 196, ) }, ... 196, ) == 0x0 01943 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01944 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01945 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01946 896 NtClose (196, ... ) == 0x0 01947 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000013"}, ... 196, ) }, ... 196, ) == 0x0 01948 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01949 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01950 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 
(196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01951 896 NtClose (196, ... ) == 0x0 01952 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000014"}, ... 196, ) }, ... 
196, ) == 0x0 01953 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01954 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01955 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 
(196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01956 896 NtClose (196, ... ) == 0x0 01957 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000015"}, ... 196, ) }, ... 
196, ) == 0x0 01958 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01959 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01960 896 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01961 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01962 896 NtClose (196, ... ) == 0x0 01963 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000016"}, ... 196, ) }, ... 196, ) == 0x0 01964 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01965 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01966 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01967 896 NtClose (196, ... ) == 0x0 01968 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000017"}, ... 196, ) }, ... 196, ) == 0x0 01969 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01970 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01971 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01972 896 NtClose (196, ... ) == 0x0 01973 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000018"}, ... 196, ) }, ... 196, ) == 0x0 01974 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01975 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01976 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01977 896 NtClose (196, ... ) == 0x0 01978 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000019"}, ... 196, ) }, ... 196, ) == 0x0 01979 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01980 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01981 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01982 896 NtClose (196, ... ) == 0x0 01983 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000020"}, ... 196, ) }, ... 196, ) == 0x0 01984 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01985 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01986 896 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01987 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01988 896 NtClose (196, ... ) == 0x0 01989 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000021"}, ... 196, ) }, ... 196, ) == 0x0 01990 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01991 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01992 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01993 896 NtClose (196, ... ) == 0x0 01994 896 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000022"}, ... 196, ) }, ... 196, ) == 0x0 01995 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01996 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01997 896 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\322\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hx\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\322\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hx\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\322\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hx\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 01998 896 NtClose (196, ... ) == 0x0 01999 896 NtClose (192, ... ) == 0x0 02000 896 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x102 02001 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 02002 896 NtOpenKey (0x2000000, {24, 184, 0x40, 0, 0, (0x2000000, {24, 184, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 196, ) }, ... 196, ) == 0x0 02003 896 NtQueryValueKey (196, (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 02004 896 NtNotifyChangeKey (196, 192, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 02005 896 NtQueryValueKey (196, (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 02006 896 NtOpenKey (0x2000000, {24, 196, 0x40, 0, 0, (0x2000000, {24, 196, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02007 896 NtQueryValueKey (196, (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 02008 896 NtOpenKey (0x2000000, {24, 196, 0x40, 0, 0, (0x2000000, {24, 196, 0x40, 0, 0, "Catalog_Entries"}, ... 200, ) }, ... 200, ) == 0x0 02009 896 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000001"}, ... 204, ) }, ... 204, ) == 0x0 02010 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02011 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02012 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 02013 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 02014 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 02015 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 02016 896 NtQueryValueKey (204, (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 02017 896 NtQueryValueKey (204, (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02018 896 NtQueryValueKey (204, (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 02019 896 NtQueryValueKey (204, (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02020 896 NtQueryValueKey (204, (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02021 896 NtQueryValueKey (204, (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02022 896 NtClose (204, ... ) == 0x0 02023 896 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000002"}, ... 204, ) }, ... 204, ) == 0x0 02024 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 02025 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 02026 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02027 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02028 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02029 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02030 896 NtQueryValueKey (204, (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 02031 896 NtQueryValueKey (204, (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02032 896 NtQueryValueKey (204, (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 02033 896 NtQueryValueKey (204, (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02034 896 NtQueryValueKey (204, (204, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02035 896 NtQueryValueKey (204, (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02036 896 NtClose (204, ... ) == 0x0 02037 896 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 02038 896 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000003"}, ... 204, ) }, ... 204, ) == 0x0 02039 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02040 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02041 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02042 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02043 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02044 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02045 896 NtQueryValueKey (204, (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 02046 896 NtQueryValueKey (204, (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02047 896 NtQueryValueKey (204, (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 02048 896 NtQueryValueKey (204, (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02049 896 NtQueryValueKey (204, (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02050 896 NtQueryValueKey (204, (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02051 896 NtClose (204, ... ) == 0x0 02052 896 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000004"}, ... 204, ) }, ... 204, ) == 0x0 02053 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 02054 896 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 02055 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 02056 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 02057 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 02058 896 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 02059 896 NtQueryValueKey (204, (204, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
02060 896 NtQueryValueKey (204, (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02061 896 NtQueryValueKey (204, (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
02062 896 NtQueryValueKey (204, (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
02063 896 NtQueryValueKey (204, (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
02064 896 NtQueryValueKey (204, (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
02065 896 NtClose (204, ... ) == 0x0
02066 896 NtClose (200, ... ) == 0x0
02067 896 NtWaitForSingleObject (192, 0, {0, 0}, ... ) == 0x102
02068 896 NtClose (184, ... ) == 0x0
02069 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
02070 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
02071 896 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
02072 896 NtQueryValueKey (184, (184, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02073 896 NtClose (184, ... ) == 0x0
02074 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
02075 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 3801088, 65536, ) == 0x0
02076 896 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
02077 896 NtCreateSection (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 200, ) == 0x0
02078 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
02079 896 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0
02080 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
02081 896 NtFreeVirtualMemory (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 65536, ) == 0x0
02082 896 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0
02083 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02084 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02085 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02086 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02087 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02088 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02089 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02090 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02091 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02092 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02093 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02094 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02095 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02096 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02097 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02098 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02099 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02100 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02101 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02102 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02103 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02104 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02105 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02106 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02107 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02108 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02109 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02110 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02111 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02112 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02113 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02114 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02115 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02116 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02117 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02118 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02119 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02120 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02121 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02122 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02123 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02124 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02125 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02126 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02127 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02128 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02129 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02130 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02131 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
02132 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0
02133 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x3a0000), {0, 0}, 20480, ) == 0x0 02134 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02135 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02136 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02137 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02138 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02139 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02140 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02141 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02142 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02143 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02144 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02145 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02146 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02147 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02148 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02149 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0 02150 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02151 896 NtClose (200, ... ) == 0x0 02152 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 1244192, ... ) }, 1244192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02153 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\MSBLAST.EXE"}, 1243984, ... ) }, 1243984, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02154 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 7, 2113568, ... 
) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02155 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\MSBLAST.EXE"}, 1244016, ... ) }, 1244016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02156 896 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02157 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0 02158 896 NtAllocateVirtualMemory (-1, 9437184, 0, 72104, 4096, 4, ... 9437184, 73728, ) == 0x0 02159 896 NtDelayExecution (0, {-1000000, -1}, ... ) == 0x0 02160 896 NtWaitForSingleObject (192, 0, {0, 0}, ... ) == 0x102 02161 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0 02162 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 02163 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 200, ... 204, ) == 0x0 02164 896 NtClose (200, ... ) == 0x0 02165 896 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 245760, ) == 0x0 02166 896 NtClose (204, ... ) == 0x0 02167 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02168 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0 02169 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 02170 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 02171 896 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02172 896 NtClose (204, ... 
) == 0x0 02173 896 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 02174 896 NtClose (200, ... ) == 0x0 02175 896 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 02176 896 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 02177 896 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 02178 896 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 02179 896 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 02180 896 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 02181 896 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 02182 896 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 02183 896 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 02184 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02185 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02186 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02187 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0 02188 896 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 02189 896 NtOpenSection (0xe, {24, 12, 0x40, 0, 0, (0xe, {24, 12, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02190 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1240768, ... ) }, 1240768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02191 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 1240768, ... ) }, 1240768, ... ) == 0x0 02192 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 02193 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0 02194 896 NtQuerySection (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02195 896 NtClose (204, ... ) == 0x0 02196 896 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0 02197 896 NtClose (208, ... ) == 0x0 02198 896 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02199 896 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02200 896 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 02201 896 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02202 896 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02203 896 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 02204 896 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02205 896 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02206 896 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 02207 896 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02208 896 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02209 896 NtFlushInstructionCache (-1, 1995575296, 616, ... 
) == 0x0 02210 896 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02211 896 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02212 896 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 02213 896 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02214 896 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02215 896 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 02216 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02217 896 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 02218 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 02219 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02220 896 NtQueryValueKey (204, (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02221 896 NtQueryValueKey (208, (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02222 896 NtQueryValueKey (204, (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02223 896 NtQueryValueKey (208, (208, "UseDomainNameDevolution", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02224 896 NtQueryValueKey (204, (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02225 896 NtQueryValueKey (208, (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02226 896 NtQueryValueKey (204, (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02227 896 NtQueryValueKey (208, (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02228 896 NtQueryValueKey (204, (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02229 896 NtQueryValueKey (204, (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02230 896 NtQueryValueKey (204, (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02231 896 NtQueryValueKey (204, (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02232 896 NtQueryValueKey (204, (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02233 896 NtQueryValueKey (204, (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02234 896 NtQueryValueKey (204, (204, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02235 896 NtQueryValueKey (204, (204, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02236 896 NtQueryValueKey (204, (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02237 896 NtQueryValueKey (208, (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02238 896 NtQueryValueKey (204, (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02239 896 NtQueryValueKey (204, (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02240 896 NtQueryValueKey (208, (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02241 896 NtQueryValueKey (204, (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02242 896 NtQueryValueKey (208, (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02243 896 NtQueryValueKey (204, (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02244 896 NtQueryValueKey (208, (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02245 896 NtQueryValueKey (204, (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02246 896 NtQueryValueKey (208, (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02247 896 NtQueryValueKey (204, (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02248 896 NtQueryValueKey (208, (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02249 896 NtQueryValueKey (204, (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02250 896 NtQueryValueKey (208, (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02251 896 NtQueryValueKey (204, (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02252 896 NtQueryValueKey (208, (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02253 896 NtQueryValueKey (204, (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02254 896 NtQueryValueKey (204, (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02255 896 NtQueryValueKey (204, (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02256 896 NtQueryValueKey (204, (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02257 896 NtQueryValueKey (204, (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02258 896 NtQueryValueKey (204, (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02259 896 NtQueryValueKey (204, (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02260 896 NtQueryValueKey (204, (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02261 896 NtQueryValueKey (204, (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02262 896 NtQueryValueKey (204, (204, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02263 896 NtQueryValueKey (204, (204, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02264 896 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02265 896 NtQueryValueKey (212, (212, "SystemSetupInProgress", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02266 896 NtClose (212, ... ) == 0x0 02267 896 NtClose (208, ... ) == 0x0 02268 896 NtClose (204, ... ) == 0x0 02269 896 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 02270 896 NtQueryValueKey (204, (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02271 896 NtQueryValueKey (204, (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02272 896 NtQueryValueKey (204, (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02273 896 NtClose (204, ... ) == 0x0 02274 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 02275 896 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1241228, 188, ... 208, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241228, 188, ... 208, 0x0, 0x0, 0x0, 188, ) == 0x0 02276 896 NtRequestWaitReplyPort (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\300\24\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... 
{200, 224, reply, 0, 1252, 896, 81909, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\300\24\25\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ... {200, 224, reply, 0, 1252, 896, 81909, 0} (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\300\24\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81909, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\300\24\25\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02277 896 NtRequestWaitReplyPort (208, {64, 88, new_msg, 0, 0, 0, 0, 0} (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{52, 76, reply, 0, 1252, 896, 81910, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ... {52, 76, reply, 0, 1252, 896, 81910, 0} (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 1252, 896, 81910, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 02278 896 NtClose (204, ... ) == 0x0 02279 896 NtClose (208, ... ) == 0x0 02280 896 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 02281 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 02282 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02283 896 NtQueryValueKey (208, (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02284 896 NtQueryValueKey (208, (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02285 896 NtClose (208, ... 
) == 0x0 02286 896 NtClose (204, ... ) == 0x0 02287 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 02288 896 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1241076, 188, ... 208, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241076, 188, ... 208, 0x0, 0x0, 0x0, 188, ) == 0x0 02289 896 NtRequestWaitReplyPort (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81913, 0} "\7\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ... 
{200, 224, reply, 0, 1252, 896, 81913, 0} (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81913, 0} "\7\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02290 896 NtRequestWaitReplyPort (208, {44, 68, new_msg, 0, 1252, 896, 81910, 0} (208, {44, 68, new_msg, 0, 1252, 896, 81910, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81914, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" ) ... {40, 64, reply, 0, 1252, 896, 81914, 0} (208, {44, 68, new_msg, 0, 1252, 896, 81910, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... 
{40, 64, reply, 0, 1252, 896, 81914, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" ) ) == 0x0 02291 896 NtRequestWaitReplyPort (208, {64, 88, new_msg, 56, 1349616, 1241588, 1241688, 0} (208, {64, 88, new_msg, 56, 1349616, 1241588, 1241688, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" ... {64, 88, reply, 56, 1252, 896, 81915, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" ) ... {64, 88, reply, 56, 1252, 896, 81915, 0} (208, {64, 88, new_msg, 56, 1349616, 1241588, 1241688, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" ... {64, 88, reply, 56, 1252, 896, 81915, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" ) ) == 0x0 02292 896 NtClose (204, ... ) == 0x0 02293 896 NtClose (208, ... ) == 0x0 02294 896 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 02295 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 02296 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02297 896 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02298 896 NtQueryValueKey (208, (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02299 896 NtQueryValueKey (208, (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02300 896 NtClose (208, ... ) == 0x0 02301 896 NtClose (204, ... ) == 0x0 02302 896 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 02303 896 NtQueryValueKey (204, (204, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02304 896 NtClose (204, ... ) == 0x0 02305 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0 02306 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 02307 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 204, ... 208, ) == 0x0 02308 896 NtClose (204, ... ) == 0x0 02309 896 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 20480, ) == 0x0 02310 896 NtClose (208, ... ) == 0x0 02311 896 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02312 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1240972, ... ) }, 1240972, ... 
) == 0x0 02313 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 02314 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0 02315 896 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02316 896 NtClose (208, ... ) == 0x0 02317 896 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 32768, ) == 0x0 02318 896 NtClose (204, ... ) == 0x0 02319 896 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0 02320 896 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0 02321 896 NtFlushInstructionCache (-1, 1996165120, 232, ... ) == 0x0 02322 896 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0 02323 896 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0 02324 896 NtFlushInstructionCache (-1, 1996165120, 232, ... ) == 0x0 02325 896 NtOpenSection (0xe, {24, 12, 0x40, 0, 0, (0xe, {24, 12, 0x40, 0, 0, "WLDAP32.dll"}, ... 204, ) }, ... 204, ) == 0x0 02326 896 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 02327 896 NtClose (204, ... ) == 0x0 02328 896 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02329 896 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02330 896 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 02331 896 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02332 896 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02333 896 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 02334 896 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 
(0x76fb1000), 4096, 32, ) == 0x0 02335 896 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0 02336 896 NtFlushInstructionCache (-1, 1996165120, 232, ... ) == 0x0 02337 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02338 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 02339 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 208, ) }, ... 208, ) == 0x0 02340 896 NtQueryValueKey (208, (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02341 896 NtClose (208, ... ) == 0x0 02342 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02343 896 NtQueryPerformanceCounter (... {-1446884868, 16}, {3579545, 0}, ) == 0x0 02344 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0 02345 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02346 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0 02347 896 NtAllocateVirtualMemory (-1, 3801088, 0, 4096, 4096, 4, ... 
3801088, 4096, ) == 0x0 02348 896 NtAllocateVirtualMemory (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0 02349 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0 02350 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 02351 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 208, ... 212, ) == 0x0 02352 896 NtClose (208, ... ) == 0x0 02353 896 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 110592, ) == 0x0 02354 896 NtClose (212, ... ) == 0x0 02355 896 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0 02356 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0 02357 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 02358 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0 02359 896 NtQuerySection (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02360 896 NtClose (212, ... ) == 0x0 02361 896 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0 02362 896 NtClose (208, ... ) == 0x0 02363 896 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02364 896 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02365 896 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02366 896 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02367 896 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... 
(0x751d1000), 4096, 4, ) == 0x0 02368 896 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02369 896 NtOpenSection (0xe, {24, 12, 0x40, 0, 0, (0xe, {24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02370 896 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 02371 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1240148, ... ) }, 1240148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02372 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1240148, ... ) }, 1240148, ... ) == 0x0 02373 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 02374 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0 02375 896 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02376 896 NtClose (208, ... ) == 0x0 02377 896 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0 02378 896 NtClose (212, ... ) == 0x0 02379 896 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02380 896 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02381 896 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02382 896 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02383 896 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02384 896 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02385 896 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02386 896 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... 
(0x77921000), 4096, 4, ) == 0x0 02387 896 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02388 896 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02389 896 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02390 896 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02391 896 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02392 896 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02393 896 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02394 896 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02395 896 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02396 896 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02397 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02398 896 NtQueryDefaultUILanguage (2090319928, ... 02399 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02400 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482760, ) == 0x0 02401 896 NtQueryInformationToken (-2147482760, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02402 896 NtClose (-2147482760, ... ) == 0x0 02403 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482760, ) }, ... -2147482760, ) == 0x0 02404 896 NtOpenKey (0x80000000, {24, -2147482760, 0x240, 0, 0, (0x80000000, {24, -2147482760, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02405 896 NtOpenKey (0x80000000, {24, -2147482760, 0x640, 0, 0, (0x80000000, {24, -2147482760, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482680, ) }, ... -2147482680, ) == 0x0 02406 896 NtQueryValueKey (-2147482680, (-2147482680, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02407 896 NtClose (-2147482680, ... ) == 0x0 02408 896 NtClose (-2147482760, ... ) == 0x0 02398 896 NtQueryDefaultUILanguage ... ) == 0x0 02409 896 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 02410 896 NtQueryDefaultLocale (1, 1240868, ... ) == 0x0 02411 896 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02412 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02413 896 NtQueryValueKey (212, (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02414 896 NtClose (212, ... ) == 0x0 02415 896 NtUserGetProcessWindowStation (... ) == 0x14 02416 896 NtUserGetObjectInformation (20, 1, 1240464, 12, 1240476, ... ) == 0x1 02417 896 NtOpenKey (0xf003f, {24, 32, 0x40, 0, 0, (0xf003f, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02418 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\WPA\PnP"}, ... 212, ) }, ... 212, ) == 0x0 02419 896 NtQueryValueKey (212, (212, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0 02420 896 NtClose (212, ... 
) == 0x0 02421 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02422 896 NtQueryValueKey (212, (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02423 896 NtQueryValueKey (212, (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02424 896 NtClose (212, ... ) == 0x0 02425 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02426 896 NtQueryValueKey (212, (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02427 896 NtQueryValueKey (212, (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02428 896 NtClose (212, ... ) == 0x0 02429 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02430 896 NtQueryValueKey (212, (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02431 896 NtQueryValueKey (212, (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02432 896 NtClose (212, ... ) == 0x0 02433 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02434 896 NtQueryValueKey (212, (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02435 896 NtQueryValueKey (212, (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02436 896 NtClose (212, ... ) == 0x0 02437 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02438 896 NtQueryValueKey (212, (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02439 896 NtQueryValueKey (212, (212, "ServicePackCachePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02440 896 NtClose (212, ... ) == 0x0 02441 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0 02442 896 NtQueryValueKey (212, (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02443 896 NtQueryValueKey (212, (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02444 896 NtClose (212, ... ) == 0x0 02445 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 212, ) }, ... 212, ) == 0x0 02446 896 NtQueryValueKey (212, (212, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02447 896 NtQueryValueKey (212, (212, "DevicePath", Partial, 346, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (212, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0 02448 896 NtClose (212, ... ) == 0x0 02449 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0 02450 896 NtCreateMutant (0x1f0001, 0x0, 0, ... 208, ) == 0x0 02451 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0 02452 896 NtCreateMutant (0x1f0001, 0x0, 0, ... 220, ) == 0x0 02453 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0 02454 896 NtCreateMutant (0x1f0001, 0x0, 0, ... 228, ) == 0x0 02455 896 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 232, ) }, ... 232, ) == 0x0 02456 896 NtQueryValueKey (232, (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "LogLevel", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02457 896 NtQueryValueKey (232, (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02458 896 NtQueryValueKey (232, (232, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02459 896 NtOpenKey (0x1, {24, 232, 0x40, 0, 0, (0x1, {24, 232, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02460 896 NtClose (232, ... ) == 0x0 02461 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1240380, ... ) }, 1240380, ... ) == 0x0 02462 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 232, ) }, ... 232, ) == 0x0 02463 896 NtQueryValueKey (232, (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02464 896 NtClose (232, ... ) == 0x0 02465 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0 02466 896 NtQueryValueKey (232, (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (232, "Hostname", Full, 128, ... 
TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0 02467 896 NtClose (232, ... ) == 0x0 02468 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02469 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0 02470 896 NtQueryValueKey (232, (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02471 896 NtClose (232, ... ) == 0x0 02472 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02473 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 232, ) == 0x0 02474 896 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1240880, 188, ... 236, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1240880, 188, ... 
236, 0x0, 0x0, 0x0, 188, ) == 0x0 02475 896 NtRequestWaitReplyPort (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@ (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... 
{200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0(\0\0\0H (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ... 
{200, 224, reply, 0, 1252, 896, 81918, 0} (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0h\1\24\0\12\0\0\0\0\0\0\0@ (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... 
{200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) == 0x0 02476 896 NtRequestWaitReplyPort (236, {96, 120, new_msg, 0, 1252, 896, 81914, 0} (236, {96, 120, new_msg, 0, 1252, 896, 81914, 0} "\1\356\0\0A\2\11\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0,h\24\0\16\0\0\0\0\0\0\0\16\0\0\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 1252, 896, 81919, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 1252, 896, 81919, 0} (236, {96, 120, new_msg, 0, 1252, 896, 81914, 0} "\1\356\0\0A\2\11\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0,h\24\0\16\0\0\0\0\0\0\0\16\0\0\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 1252, 896, 81919, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02477 896 NtClose (232, ... ) == 0x0 02478 896 NtClose (236, ... ) == 0x0 02479 896 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Linkage"}, ... 
236, ) }, ... 236, ) == 0x0 02480 896 NtQueryValueKey (236, (236, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02481 896 NtQueryValueKey (236, (236, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02482 896 NtQueryValueKey (236, (236, "Export", Partial, 958, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0C\09\0C\0-\0E\0E\0A\0F\0B\07\06\0F\0F\0A\02\0F\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\08\02\00\0-\09\02\07\0E\02\00\07\06\00\0A\0B\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0\0\0\0\0\276\3\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\260"\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\264\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) , Partial, 958, ... 
TitleIdx=0, Type=7, Data= (236, "Export", Partial, 958, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0C\09\0C\0-\0E\0E\0A\0F\0B\07\06\0F\0F\0A\02\0F\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\08\02\00\0-\09\02\07\0E\02\00\07\06\00\0A\0B\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0\0\0\0\0\276\3\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\260"\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\264\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) 
\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\264\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) == 0x0 02483 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{FCC03A41-8CCC-4919-A472-69728EB8A7D7}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02484 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{AE7421B5-732D-4567-A6C1-5425C0DE27B6}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02485 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{97C2D9F4-6954-4EB3-8C9C-EEAFB76FFA2F}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02486 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{0D430A6F-0410-4A68-9820-927E20760AB4}"}, 0x0, 0, 3, 3, 0, 0, 0, ... 232, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 0, 0, ... 232, {status=0x0, info=0}, ) == 0x0 02487 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{8AD4D806-081B-4446-A4DB-6273DFAED94F}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND
02488 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{E559B0C1-FA46-464D-B965-7E2AC2627EE9}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02489 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{CD3C64B8-DB76-44C8-9C02-70E6C1185259}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02490 896 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{21B8E9D5-3FC3-4F9D-8FA8-4CA01330DCD8}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02491 896 NtClose (236, ... ) == 0x0
02492 896 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 236, ) == 0x0
02493 896 NtDeviceIoControlFile (232, 236, 0x0, 0x0, 0x210096, (232, 236, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0MICROSOFT.COM \0", 24, 1160, ... 
{status=0x140178, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 24, 1160, ... {status=0x140178, info=1311096}, (232, 236, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0MICROSOFT.COM \0", 24, 1160, ... 
{status=0x140178, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02494 896 NtWaitForMultipleObjects (1, (236, ), 1, 0, 0x0, ... ) == 0x0 02495 896 NtClose (236, ... ) == 0x0 02496 896 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 236, ) }, ... 236, ) == 0x0 02497 896 NtQueryValueKey (236, (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02498 896 NtQueryValueKey (236, (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02499 896 NtQueryValueKey (236, (236, "AutodialDLL", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02500 896 NtClose (236, ... ) == 0x0
02501 896 NtOpenSection (0xe, {24, 12, 0x40, 0, 0, (0xe, {24, 12, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02502 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 1241712, ... ) }, 1241712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02503 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 1241712, ... ) }, 1241712, ... ) == 0x0
02504 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
02505 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 240, ) == 0x0
02506 896 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
02507 896 NtClose (236, ... ) == 0x0
02508 896 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 24576, ) == 0x0
02509 896 NtClose (240, ... ) == 0x0
02510 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
02511 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
02512 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0
02513 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
02514 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
02515 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0
02516 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
02517 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
02518 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0
02519 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
02520 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
02521 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0
02522 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
02523 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
02524 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0
02525 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
02526 896 NtQueryPerformanceCounter (... {-1438799449, 16}, {3579545, 0}, ) == 0x0
02527 896 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 240, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 240, {status=0x0, info=0}, ) == 0x0
02528 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
236, ) == 0x0 02529 896 NtDeviceIoControlFile (240, 236, 0x0, 0x0, 0xf14014, (240, 236, 0x0, 0x0, 0xf14014, "\3\0\0\0microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02530 896 NtClose (236, ... ) == 0x0 02531 896 NtClose (240, ... ) == 0x0 02532 896 NtDelayExecution (0, {-1705032704, -2}, ...