Analysis Report for 50229926

Comment on this report

Summary:

Description	Risk
Write to foreign memory areas: This executable tampers with the execution of another process.
Change Windows Firewall settings: This executable changes some settings of windows firewall.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Start/Install windows service: This executable starts a windows service. Services have the highest level of privilege in Windows, and are thus useful for a number of malicious purposes.
Load driver: This executable loads a driver into the windows kernel. Device drivers are used by advanced malware (rootkits) to operate stealthily and escape detection.
AV Hit: This executable is detected by an antivirus software.
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered.
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
Execution did not terminate correctly: The executable crashed.
Modify system files: This executable modifies files in the windows system directories.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.

Table of Contents
expand all	collapse all
General information 50229926.exe C:\50229926.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities Explorer.EXE C:\WINDOWS\Explorer.EXE 50229926.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Network Activities f) Other Activities netsh.exe C:\WINDOWS\system32\netsh.exe Started by Explorer.EXE General Information a) Registry Activities b) File Activities c) Other Activities services.exe C:\WINDOWS\system32\services.exe A service was started. General Information a) Registry Activities b) File Activities c) Other Activities WINMINE.EXE C:\WINDOWS\system32\WINMINE.EXE Started by Explorer.EXE General Information a) Registry Activities b) File Activities winmine.exe winmine.exe Started by Explorer.EXE General Information a) Registry Activities b) File Activities ctfmon.exe C:\WINDOWS\system32\ctfmon.exe 50229926.exe wrote to the virtual memory of this process General Information a) Process Activities msmsgs.exe C:\Program Files\Messenger\msmsgs.exe 50229926.exe wrote to the virtual memory of this process General Information reader_sl.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe 50229926.exe wrote to the virtual memory of this process General Information wscntfy.exe C:\WINDOWS\system32\wscntfy.exe 50229926.exe wrote to the virtual memory of this process General Information qfunmp.exe C:\Program Files\Common Files\qfunmp.exe 50229926.exe wrote to the virtual memory of this process General Information otlsxk.exe C:\Program Files\Common Files\otlsxk.exe 50229926.exe wrote to the virtual memory of this process General Information a) File Activities netsh.exe C:\WINDOWS\system32\netsh.exe Started by 50229926.exe General Information a) Registry Activities b) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	249 s
Report created:	05/21/11, 10:54:38 UTC
Termination reason:	Timeout
Program version:	1.75.3394

	- Popups

Process	Window Name	Window Text	Screenshot	Number of Displayed Times
csrss.exe	netsh.exe - Unable To Locate Component	OK This application has failed to start because framedyn.dll was not found. Re-installing the application may fix this problem.		1

1.a) - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
shv4b.getmyip.com	DNS_TYPE_A	67.210.170.169 67.210.170.169	1	udp

2. 50229926.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	50229926.exe
MD5:	ee45bdc1f842d8b5ece19fd37463b235
SHA-1:	92495d0dd6d851ecec8e4638b34c88540419d4ef
File Size:	195584 Bytes
Command Line:	"C:\50229926.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\gdi32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\shell32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.DLL	0x771B0000	0x000AA000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

	- Ikarus Virus Scanner

P2P-Worm.Win32.Palevo (Sig-Id:1391487)

2.a) 50229926.exe - Registry Activities

	- Registry Keys Created:

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system

HKLM\SOFTWARE\Microsoft\Security Center\Svc

HKU\S-1-5-21-842925246-1425521274-308236825-500\\

HKU\S-1-5-21-842925246-1425521274-308236825-500\\\

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	UpdatesDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UpdatesDisableNotify	1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	C:\50229926.exe	C:\50229926.exe:*:Enabled:ipsec
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system	EnableLUA	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_0	316296286
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_1	2980259871
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_10	4186747956
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_11	800785286
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_12	935386841
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_13	338462341
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_14	4258006219
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_15	1105547269
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_16	610505545
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_17	501639434
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_18	2140200539
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_19	20807040
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_2	3273450715
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_20	4255381212
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_21	3767881963
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_22	2341517099
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_23	1468577171
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_24	1288713051
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_25	3697178764
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_26	1866614735
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_27	1299598222
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_28	2465369925
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_29	2344359828
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_3	2024051603
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_30	2585541607
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_31	4001520777
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_32	1363343993
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_33	1214028324
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_34	276797906
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_35	2555148947
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_36	3589316079
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_37	3900507442
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_38	4237880306
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_39	4090167699
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_4	3273423945
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_40	1432390001
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_41	3897730564
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_42	1977813479
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_43	989550752
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_44	2793490042
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_45	2397749715
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_46	2072197651
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_47	1365146422
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_48	3046486143
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_49	2987987295
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_5	3987901696
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_50	1793547202
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_51	2208139694
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_52	2706836989
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_53	2276735531
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_54	1077741807
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_55	222472833
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_56	809842710
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_57	2765200940
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_58	1774616522
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_59	1742928278
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_6	3716890450
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_60	4246257006
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_61	200261924
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_62	1070986979
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_63	206304830
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_64	3979214834
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_65	1834549199
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_66	715217929
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_67	1319595700
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_68	4110779434
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_69	3918865116
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_7	4124721555
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_70	3994035060
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_71	1581647735
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_72	1819841087
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_73	667215061
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_74	2499270547
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_75	4098633047
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_76	2492577840
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_77	3426812116
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_78	2383650495
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_79	3021906616
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_8	1014434897
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_80	2373332780
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_81	4271239397
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_82	3354513570
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_83	2737061502
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_84	2014365965
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_85	724701743
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_86	3628290916
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_87	3674725493
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_88	2827861544
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_89	930445093
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_9	4059991830
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_90	605354415
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_91	3311563115
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_92	3577685405
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_93	446122436
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_94	2136348000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_95	1468361840
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_96	3299212469
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_0	1743
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_1	1768776334
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_10	507900343
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_11	2276676936
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_12	4045448765
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_13	1519259264
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_14	3288031871
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_15	761840725
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_16	2530627848
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_17	4427163
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_18	1773213502
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_19	3541984692
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_2	3537558722
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_20	1015793976
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_21	2784567341
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_22	258376638
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_23	2027163785
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_24	3795928948
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_25	1269750551
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_26	3038526081
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_27	512330243
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_28	2281107181
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_29	4049882780
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_3	1011365721
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_30	1523689190
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_31	3292464661
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_32	766287845
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_33	2535063449
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_34	8865316
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_35	1777642751
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_36	3546417835
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_37	1020226569
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_38	2789014936
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_39	262822301
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_4	2780136370
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_40	2031599085
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_41	3800373191
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_42	1274182754
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_43	3042952222
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_44	516760382
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_45	2285537006
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_46	4054326624
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_47	1528135600
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_48	3296909337
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_49	770712847
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_5	253944120
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_50	2539487551
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_51	13299510
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_52	1782074431
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_53	3550859289
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_54	1024671317
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_55	2793446687
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_56	267252964
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_57	2036025729
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_58	3804799586
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_59	1278607366
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_6	2022722766
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_60	3047386656
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_61	521205104
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_62	2289980556
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_63	4058710331
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_64	1532560888
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_65	3301336925
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_66	775143718
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_67	2543922114
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_68	17740428
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_69	1786516861
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_7	3791498983
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_70	3555294215
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_71	1029100417
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_72	2797873837
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_73	271682364
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_74	2040457682
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_75	3809230969
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_76	1283053297
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_77	3051828764
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_78	525639603
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_79	2294407415
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_8	1265316336
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_80	4063186256
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_81	1536995051
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_82	3305768825
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_83	779589791
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_84	2548361374
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_85	22172289
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_86	1790951182
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_87	3559726646
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_88	1033530948
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_89	2802305064
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_9	3034092769
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_90	276111380
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_91	2044902255
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_92	3813676160
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_93	1287487008
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_94	3056260910
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_95	530067049
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_0	17001001
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_1	1752043112
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_10	524714147
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_11	2259690722
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_12	4028881189
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_13	1535999332
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_14	3271037351
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_15	745256422
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_16	2547330617
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_17	21021304
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_18	1756522171
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_19	3525122810
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_2	3554255531
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_20	1032372029
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_21	2767868796
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_22	241563583
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_23	2044161022
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_24	3812756529
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_25	1252892784
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_26	3021948083
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_27	529201394
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_28	2264243509
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_29	4033294708
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_3	1028343530
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_30	1540543927
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_31	3309062646
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_32	749724169
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_33	2518320712
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_34	25442955
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_35	1761074890
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_36	3529601805
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_37	1036785484
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_38	2805959567
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_39	245968846
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_4	2763455277
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_40	2014625793
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_41	3817235520
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_42	1257314435
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_43	3025976514
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_44	533614853
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_45	2302276932
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_46	4037765511
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_47	1511394758
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_48	3313608217
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_49	754145880
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_5	237084524
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_50	2522807963
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_51	29987546
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_52	1799042845
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_53	3534138204
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_54	1007701919
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_55	2810438622
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_56	250512401
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_57	2019047504
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_58	3821788307
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_59	1295347922
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_6	2039690159
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_60	3030390037
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_61	504596820
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_62	2306682263
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_63	4041785814
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_64	1515879017
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_65	3318029992
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_66	791720683
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_67	2527221546
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_68	904045
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_69	1803513772
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_7	3774797806
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_70	3538551791
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_71	1012245550
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_72	2814859361
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_73	288554144
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_74	2023592163
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_75	3792647458
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_76	1299884389
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_77	3034860964
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_78	509075943
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_79	2311232038
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_8	1248348193
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_80	4079763065
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_81	1520423608
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_82	3288954619
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_83	796191546
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_84	2531757949
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_85	5317564
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_86	1807534079
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_87	3576592446
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_88	1016667249
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_89	2785325232
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_9	3051088992
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_90	292967667
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_91	2028063026
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_92	3797118325
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_93	1304297908
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_94	3072959991
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_95	513498678
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_0	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_1	1768776769
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_10	507898506
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_11	2276675275
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_12	4045452044
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_13	1519261517
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_14	3288038286
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_15	761847759
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_16	2530624528
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_17	4434001
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_18	1773210770
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_19	3541987539
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_2	3537553538
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_20	1015797012
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_21	2784573781
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_22	258383254
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_23	2027160023
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_24	3795936792
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_25	1269746265
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_26	3038523034
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_27	512332507
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_28	2281109276
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_29	4049886045
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_3	1011363011
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_30	1523695518
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_31	3292472287
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_32	766281760
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_33	2535058529
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_34	8868002
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_35	1777644771
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_36	3546421540
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_37	1020231013
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_38	2789007782
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_39	262817255
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_4	2780139780
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_40	2031594024
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_41	3800370793
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_42	1274180266
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_43	3042957035
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_44	516766508
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_45	2285543277
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_46	4054320046
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_47	1528129519
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_48	3296906288
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_49	770715761
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_5	253949253
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_50	2539492530
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_51	13302003
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_52	1782078772
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_53	3550855541
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_54	1024665014
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_55	2793441783
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_56	267251256
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_57	2036028025
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_58	3804804794
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_59	1278614267
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_6	2022726022
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_60	3047391036
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_61	521200509
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_62	2289977278
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_63	4058754047
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_64	1532563520
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_65	3301340289
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_66	775149762
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_67	2543926531
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_68	17736004
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_69	1786512773
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_7	3791502791
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_70	3555289542
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_71	1029099015
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_72	2797875784
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_73	271685257
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_74	2040462026
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_75	3809238795
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_76	1283048268
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_77	3051825037
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_78	525634510
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_79	2294411279
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_8	1265312264
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_80	4063188048
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_81	1536997521
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_82	3305774290
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_83	779583763
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_84	2548360532
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_85	22170005
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_86	1790946774
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_87	3559723543
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_88	1033533016
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_89	2802309785
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_9	3034089033
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_90	276119258
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_91	2044896027
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_92	3813672796
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_93	1287482269
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_94	3056259038
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_95	530068511
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-1514827516	35
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-503464505	C1ABF7014852F9970C620D49B8A30A7A6F385BD8A1DA91200982C6E0E5EE2FD03D83956156A6B2471B7AFE742D594246D03312DA79E27F8A0AB69D3453CD4AC92C5552615306C2939ABD6A21BF9547689B09954D1AA5C801B1C36A7DC340A07F5DE048529E570576C3B67C1CED73FB3B016B361D56515445296B623FE6951C94
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-757413758	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1011363011	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1768776769	236
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	2022726022	0900687474703A2F2F637572736F69757269732E636F6D2E62722F6C6F676F2E67696600687474703A2F2F6D6972692D652E636F6D2F6C6F676F2E67696600687474703A2F2F6C7476752E6564752E766E2F6C6F676F2E67696600687474703A2F2F736D632D79656D656E2E636F6D2F696D616765732F62616E6E65722E67696600687474703A2F2F6D697274687761792E636F6D2F6C6F676F2E67696600687474703A2F2F6D65766C616E61636963656B2E636F6D2F6C6F676F2E67696600687474703A2F2F6D766175746F6D6174696F6E696E6469612E636F6D2F6C6F676F2E67696600687474703A2F2F70656E7461676F6E726F74617279676F6C662E6F72672F6C6F676F2E67696600687474703A2F2F706F6E746F70726F6D2E636F6D2E62722F6C6F676F2E676966
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	253949253	302
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings	GlobalUserOffline	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableRegistryTools	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableTaskMgr	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder	0	Value Change	1

2.b) 50229926.exe - File Activities

	- Files Created:

C:\RECYCLER\S-1-5-21-3443857196-8768964963-583494408-3131

C:\RECYCLER\S-1-5-21-3443857196-8768964963-583494408-3131\Desktop.ini

	- Files Read:

C:\WINDOWS\SYSTEM.INI

PIPE\lsarpc

	- Files Modified:

C:\RECYCLER\S-1-5-21-3443857196-8768964963-583494408-3131\Desktop.ini

C:\WINDOWS\SYSTEM.INI

PIPE\lsarpc

	- Directories Created:

C:\RECYCLER\S-1-5-21-3443857196-8768964963-583494408-3131

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1
PIPE\lsarpc	0x0011C017	111

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\WININET.DLL

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\netsh.exe

C:\WINDOWS\system32\shell32.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) 50229926.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\netsh.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\qfunmp.exe

C:\Program Files\Common Files\otlsxk.exe

C:\WINDOWS\system32\netsh.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\netsh.exe

	- Foreign Memory Regions Written:

Process: C:\50229926.exe

Process: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

Process: C:\Program Files\Common Files\otlsxk.exe

Process: C:\Program Files\Common Files\qfunmp.exe

Process: C:\Program Files\Messenger\msmsgs.exe

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\ctfmon.exe

Process: C:\WINDOWS\system32\netsh.exe

Process: C:\WINDOWS\system32\wscntfy.exe

2.d) 50229926.exe - Other Activities

	- Mutexes Created:

50229926.exeM_1196_

Op1mutx9

alg.exeM_376_

csrss.exeM_332_

ctfmon.exeM_1744_

explorer.exeM_1372_

lsass.exeM_412_

mscorsvw.exeM_1428_

msmsgs.exeM_1752_

netsh.exeM_1360_

otlsxk.exeM_1180_

qfunmp.exeM_1168_

reader_sl.exeM_1764_

services.exeM_400_

smss.exeM_284_

spoolsv.exeM_912_

svchost.exeM_564_

svchost.exeM_612_

svchost.exeM_680_

svchost.exeM_780_

svchost.exeM_816_

winlogon.exeM_356_

wscntfy.exeM_1036_

wuauclt.exeM_1708_

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c80be64	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4011cd	1

3. Explorer.EXE

	- General information about this executable

Analysis Reason:	50229926.exe wrote to the virtual memory of this process
Filename:	Explorer.EXE
MD5:	12896823fb95bfb3dc9b46bcaedc9923
SHA-1:	9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size:	1033728 Bytes
Command Line:	C:\WINDOWS\Explorer.EXE
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\BROWSEUI.dll	0x75F80000	0x000FD000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHDOCVW.dll	0x7E290000	0x00171000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\CRYPTUI.dll	0x754D0000	0x00080000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\System32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\System32\CSCDLL.dll	0x76600000	0x0001D000
C:\WINDOWS\system32\themeui.dll	0x5BA60000	0x00071000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\xpsp2res.dll	0x00AC0000	0x002C5000
C:\WINDOWS\system32\actxprxy.dll	0x71D40000	0x0001B000
C:\WINDOWS\system32\msutb.dll	0x5FC10000	0x00033000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\urlmon.dll	0x7E1E0000	0x000A2000
C:\WINDOWS\system32\LINKINFO.dll	0x76980000	0x00008000
C:\WINDOWS\system32\ntshrui.dll	0x76990000	0x00025000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\msi.dll	0x7D1E0000	0x002BC000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\webcheck.dll	0x74B30000	0x00046000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\stobject.dll	0x76280000	0x00021000
C:\WINDOWS\system32\BatMeter.dll	0x74AF0000	0x0000A000
C:\WINDOWS\system32\POWRPROF.dll	0x74AD0000	0x00008000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\NETSHELL.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\System32\drprov.dll	0x75F60000	0x00007000
C:\WINDOWS\System32\ntlanman.dll	0x71C10000	0x0000E000
C:\WINDOWS\System32\NETUI0.dll	0x71CD0000	0x00017000
C:\WINDOWS\System32\NETUI1.dll	0x71C90000	0x00040000
C:\WINDOWS\System32\NETRAP.dll	0x71C80000	0x00007000
C:\WINDOWS\System32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\System32\davclnt.dll	0x75F70000	0x0000A000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\MSGINA.dll	0x75970000	0x000F8000
C:\WINDOWS\system32\ODBC32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\odbcint.dll	0x01350000	0x00017000
C:\WINDOWS\system32\browselc.dll	0x71600000	0x00012000
C:\WINDOWS\system32\shdoclc.dll	0x71800000	0x00088000

	- Run-time Dlls

Module Name	Base Address	Size
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\enmth.exe	0x035A0000	0x00216680
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\sfc.dll	0x76BB0000	0x00005000
C:\WINDOWS\system32\sfc_os.dll	0x76C60000	0x0002A000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000

3.a) Explorer.EXE - Registry Activities

	- Registry Keys Deleted:

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

HKLM\System\CurrentControlSet\Control\SafeBoot\Network

	- Registry Values Deleted:

Key	Name
HKLM\System\CurrentControlSet\Control\SafeBoot	AlternateShell
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	UpdatesDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UpdatesDisableNotify	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Taskman	C:\RECYCLER\S-1-5-21-3443857196-8768964963-583494408-3131\windll.exe
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	C:\WINDOWS\Explorer.EXE	C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system	EnableLUA	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\SessionInformation	ProgramCount	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings	GlobalUserOffline	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableRegistryTools	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableTaskMgr	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\WINSOCK	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	3
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\SafeBoot	AlternateShell	cmd.exe	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys	FSFilter System Recovery	FSFilter System Recovery	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}	Universal Serial Bus controllers	Universal Serial Bus controllers	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}	CD-ROM Drive	CD-ROM Drive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}	DiskDrive	DiskDrive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}	Standard floppy disk controller	Standard floppy disk controller	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}	Hdc	Hdc	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}	Keyboard	Keyboard	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}	Mouse	Mouse	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}	PCMCIA Adapters	PCMCIA Adapters	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}	SCSIAdapter	SCSIAdapter	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}	System	System	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}	Floppy disk drive	Floppy disk drive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	Volume	Volume	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}	Human Interface Devices	Human Interface Devices	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys	FSFilter System Recovery	FSFilter System Recovery	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}	Universal Serial Bus controllers	Universal Serial Bus controllers	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}	CD-ROM Drive	CD-ROM Drive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}	DiskDrive	DiskDrive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}	Standard floppy disk controller	Standard floppy disk controller	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}	Hdc	Hdc	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}	Keyboard	Keyboard	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}	Mouse	Mouse	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}	Net	Net	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}	NetClient	NetClient	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}	NetService	NetService	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}	NetTrans	NetTrans	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}	PCMCIA Adapters	PCMCIA Adapters	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}	SCSIAdapter	SCSIAdapter	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}	System	System	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}	Floppy disk drive	Floppy disk drive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	Volume	Volume	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}	Human Interface Devices	Human Interface Devices	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		3
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	3
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	EnableNegotiate	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	GlobalUserOffline	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	WarnOnPost	0x01000000	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_0	316296286	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_1	2980259871	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_10	4186747956	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_11	800785286	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_12	935386841	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_13	338462341	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_14	4258006219	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_15	1105547269	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_16	610505545	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_17	501639434	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_18	2140200539	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_19	20807040	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_2	3273450715	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_20	4255381212	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_21	3767881963	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_22	2341517099	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_23	1468577171	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_24	1288713051	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_25	3697178764	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_26	1866614735	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_27	1299598222	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_28	2465369925	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_29	2344359828	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_3	2024051603	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_30	2585541607	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_31	4001520777	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_32	1363343993	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_33	1214028324	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_34	276797906	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_35	2555148947	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_36	3589316079	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_37	3900507442	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_38	4237880306	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_39	4090167699	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_4	3273423945	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_40	1432390001	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_41	3897730564	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_42	1977813479	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_43	989550752	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_44	2793490042	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_45	2397749715	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_46	2072197651	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_47	1365146422	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_48	3046486143	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_49	2987987295	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_5	3987901696	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_50	1793547202	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_51	2208139694	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_52	2706836989	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_53	2276735531	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_54	1077741807	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_55	222472833	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_56	809842710	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_57	2765200940	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_58	1774616522	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_59	1742928278	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_6	3716890450	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_60	4246257006	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_61	200261924	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_62	1070986979	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_63	206304830	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_64	3979214834	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_65	1834549199	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_66	715217929	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_67	1319595700	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_68	4110779434	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_69	3918865116	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_7	4124721555	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_70	3994035060	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_71	1581647735	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_72	1819841087	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_73	667215061	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_74	2499270547	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_75	4098633047	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_76	2492577840	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_77	3426812116	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_78	2383650495	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_79	3021906616	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_8	1014434897	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_80	2373332780	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_81	4271239397	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_82	3354513570	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_83	2737061502	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_84	2014365965	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_85	724701743	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_86	3628290916	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_87	3674725493	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_88	2827861544	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_89	930445093	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_9	4059991830	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_90	605354415	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_91	3311563115	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_92	3577685405	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_93	446122436	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_94	2136348000	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_95	1468361840	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_96	3299212469	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_0	1743	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_1	1768776334	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_10	507900343	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_11	2276676936	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_12	4045448765	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_13	1519259264	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_14	3288031871	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_15	761840725	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_16	2530627848	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_17	4427163	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_18	1773213502	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_19	3541984692	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_2	3537558722	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_20	1015793976	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_21	2784567341	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_22	258376638	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_23	2027163785	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_24	3795928948	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_25	1269750551	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_26	3038526081	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_27	512330243	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_28	2281107181	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_29	4049882780	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_3	1011365721	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_30	1523689190	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_31	3292464661	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_32	766287845	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_33	2535063449	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_34	8865316	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_35	1777642751	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_36	3546417835	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_37	1020226569	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_38	2789014936	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_39	262822301	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_4	2780136370	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_40	2031599085	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_41	3800373191	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_42	1274182754	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_43	3042952222	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_44	516760382	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_45	2285537006	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_46	4054326624	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_47	1528135600	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_48	3296909337	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_49	770712847	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_5	253944120	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_50	2539487551	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_51	13299510	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_52	1782074431	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_53	3550859289	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_54	1024671317	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_55	2793446687	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_56	267252964	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_57	2036025729	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_58	3804799586	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_59	1278607366	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_6	2022722766	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_60	3047386656	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_61	521205104	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_62	2289980556	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_63	4058710331	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_64	1532560888	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_65	3301336925	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_66	775143718	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_67	2543922114	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_68	17740428	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_69	1786516861	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_7	3791498983	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_70	3555294215	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_71	1029100417	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_72	2797873837	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_73	271682364	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_74	2040457682	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_75	3809230969	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_76	1283053297	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_77	3051828764	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_78	525639603	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_79	2294407415	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_8	1265316336	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_80	4063186256	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_81	1536995051	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_82	3305768825	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_83	779589791	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_84	2548361374	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_85	22172289	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_86	1790951182	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_87	3559726646	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_88	1033530948	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_89	2802305064	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_9	3034092769	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_90	276111380	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_91	2044902255	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_92	3813676160	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_93	1287487008	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_94	3056260910	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_95	530067049	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_0	17001001	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_1	1752043112	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_10	524714147	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_11	2259690722	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_12	4028881189	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_13	1535999332	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_14	3271037351	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_15	745256422	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_16	2547330617	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_17	21021304	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_18	1756522171	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_19	3525122810	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_2	3554255531	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_20	1032372029	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_21	2767868796	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_22	241563583	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_23	2044161022	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_24	3812756529	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_25	1252892784	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_26	3021948083	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_27	529201394	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_28	2264243509	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_29	4033294708	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_3	1028343530	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_30	1540543927	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_31	3309062646	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_32	749724169	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_33	2518320712	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_34	25442955	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_35	1761074890	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_36	3529601805	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_37	1036785484	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_38	2805959567	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_39	245968846	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_4	2763455277	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_40	2014625793	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_41	3817235520	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_42	1257314435	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_43	3025976514	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_44	533614853	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_45	2302276932	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_46	4037765511	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_47	1511394758	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_48	3313608217	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_49	754145880	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_5	237084524	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_50	2522807963	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_51	29987546	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_52	1799042845	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_53	3534138204	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_54	1007701919	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_55	2810438622	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_56	250512401	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_57	2019047504	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_58	3821788307	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_59	1295347922	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_6	2039690159	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_60	3030390037	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_61	504596820	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_62	2306682263	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_63	4041785814	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_64	1515879017	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_65	3318029992	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_66	791720683	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_67	2527221546	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_68	904045	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_69	1803513772	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_7	3774797806	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_70	3538551791	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_71	1012245550	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_72	2814859361	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_73	288554144	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_74	2023592163	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_75	3792647458	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_76	1299884389	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_77	3034860964	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_78	509075943	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_79	2311232038	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_8	1248348193	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_80	4079763065	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_81	1520423608	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_82	3288954619	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_83	796191546	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_84	2531757949	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_85	5317564	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_86	1807534079	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_87	3576592446	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_88	1016667249	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_89	2785325232	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_9	3051088992	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_90	292967667	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_91	2028063026	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_92	3797118325	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_93	1304297908	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_94	3072959991	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_95	513498678	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_0	0	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_1	1768776769	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_10	507898506	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_11	2276675275	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_12	4045452044	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_13	1519261517	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_14	3288038286	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_15	761847759	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_16	2530624528	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_17	4434001	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_18	1773210770	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_19	3541987539	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_2	3537553538	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_20	1015797012	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_21	2784573781	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_22	258383254	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_23	2027160023	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_24	3795936792	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_25	1269746265	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_26	3038523034	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_27	512332507	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_28	2281109276	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_29	4049886045	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_3	1011363011	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_30	1523695518	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_31	3292472287	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_32	766281760	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_33	2535058529	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_34	8868002	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_35	1777644771	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_36	3546421540	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_37	1020231013	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_38	2789007782	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_39	262817255	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_4	2780139780	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_40	2031594024	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_41	3800370793	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_42	1274180266	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_43	3042957035	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_44	516766508	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_45	2285543277	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_46	4054320046	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_47	1528129519	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_48	3296906288	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_49	770715761	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_5	253949253	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_50	2539492530	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_51	13302003	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_52	1782078772	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_53	3550855541	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_54	1024665014	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_55	2793441783	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_56	267251256	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_57	2036028025	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_58	3804804794	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_59	1278614267	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_6	2022726022	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_60	3047391036	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_61	521200509	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_62	2289977278	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_63	4058754047	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_64	1532563520	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_65	3301340289	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_66	775149762	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_67	2543926531	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_68	17736004	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_69	1786512773	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_7	3791502791	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_70	3555289542	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_71	1029099015	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_72	2797875784	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_73	271685257	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_74	2040462026	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_75	3809238795	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_76	1283048268	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_77	3051825037	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_78	525634510	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_79	2294411279	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_8	1265312264	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_80	4063188048	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_81	1536997521	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_82	3305774290	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_83	779583763	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_84	2548360532	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_85	22170005	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_86	1790946774	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_87	3559723543	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_88	1033533016	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_89	2802309785	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_9	3034089033	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_90	276119258	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_91	2044896027	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_92	3813672796	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_93	1287482269	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_94	3056259038	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_95	530068511	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-1514827516	35	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-503464505	C1ABF7014852F9970C620D49B8A30A7A6F385BD8A1DA91200982C6E0E5EE2FD03D83956156A6B2471B7AFE742D594246D03312DA79E27F8A0AB69D3453CD4AC92C5552615306C2939ABD6A21BF9547689B09954D1AA5C801B1C36A7DC340A07F5DE048529E570576C3B67C1CED73FB3B016B361D56515445296B623FE6951C94	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-757413758	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1011363011	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1768776769	236	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	2022726022	0900687474703A2F2F637572736F69757269732E636F6D2E62722F6C6F676F2E67696600687474703A2F2F6D6972692D652E636F6D2F6C6F676F2E67696600687474703A2F2F6C7476752E6564752E766E2F6C6F676F2E67696600687474703A2F2F736D632D79656D656E2E636F6D2F696D616765732F62616E6E65722E67696600687474703A2F2F6D697274687761792E636F6D2F6C6F676F2E67696600687474703A2F2F6D65766C616E61636963656B2E636F6D2F6C6F676F2E67696600687474703A2F2F6D766175746F6D6174696F6E696E6469612E636F6D2F6C6F676F2E67696600687474703A2F2F70656E7461676F6E726F74617279676F6C662E6F72672F6C6F676F2E67696600687474703A2F2F706F6E746F70726F6D2E636F6D2E62722F6C6F676F2E676966	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	253949253	302	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run	CTFMON.EXE	C:\WINDOWS\system32\ctfmon.exe	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run	MSMSGS	"C:\Program Files\Messenger\msmsgs.exe" /background	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache	@C:\WINDOWS\system32\SHELL32.dll,-9216	My Computer	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache	@xpsp3res.dll,-20001	Diagnose Connection Problems...	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe	Adobe Reader 8.0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe	Adobe Updater	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache	LangID	0x0904	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

3.b) Explorer.EXE - File Activities

	- Files Deleted:

C:\74479

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\enmth.exe

C:\WINDOWS\system32\drivers\jlrnkn.sys

	- Files Created:

C:\74479

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\enmth.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winynsur.exe

C:\RECYCLER\S-1-5-21-3443857196-8768964963-583494408-3131\windll.exe

C:\WINDOWS\system32\drivers\jlrnkn.sys

\Device\NamedPipe\Win32Pipes.0000055c.00000001

pipe\cdcpr55

	- Files Read:

C:\WINDOWS\SYSTEM.INI

C:\WINDOWS\system32\ntoskrnl.exe

PIPE\SfcApi

PIPE\lsarpc

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\enmth.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winynsur.exe

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

C:\RECYCLER\S-1-5-21-3443857196-8768964963-583494408-3131\windll.exe

C:\WINDOWS\system32\drivers\jlrnkn.sys

PIPE\SfcApi

PIPE\lsarpc

\Device\Afd\Endpoint

\Device\RasAcd

dac970nt

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	138
PIPE\SfcApi	0x0011C017	9

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00228144	1
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	5
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	2
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	3
\Device\Afd\Endpoint	AFD_SET_INFO (0x0001203B)	2
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	2
\Device\Afd\Endpoint	AFD_RECV_DATAGRAM (0x0001201B)	1
\Device\RasAcd	0x00F14014	1
\Device\Afd\Endpoint	AFD_SEND_DATAGRAM (0x00012023)	1

	- Memory Mapped Files:

File Name

C:\50229926.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\enmth.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winynsur.exe

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

C:\WINDOWS\System32\winrnr.dll

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\WINMINE.EXE

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\netsh.exe

C:\WINDOWS\system32\rasadhlp.dll

C:\WINDOWS\system32\sfc.dll

C:\WINDOWS\system32\sfc_os.dll

C:\WINDOWS\system32\winmine.exe

C:\Windows\AppPatch\sysmain.sdb

3.c) Explorer.EXE - Windows Service Activities

	- Services Started:

IPFILTERDRIVER

dac970nt

	- Services Created:

Name	Type	Path
dac970nt	SERVICE_DEMAND_START	C:\WINDOWS\system32\drivers\jlrnkn.sys

	- Services Deleted:

ALG

	- Control Codes Sent to Other Services:

Service	Control Code
ALG	SERVICE_CONTROL_STOP

3.d) Explorer.EXE - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\system32\WINMINE.EXE
C:\WINDOWS\system32\WINMINE.EXE
C:\WINDOWS\system32\WINMINE.EXE
C:\WINDOWS\system32\WINMINE.EXE

	- Processes Killed:

C:\WINDOWS\system32\winmine.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\netsh.exe

C:\WINDOWS\system32\WINMINE.EXE

C:\WINDOWS\system32\winmine.exe

C:\WINDOWS\system32\WINMINE.EXE

C:\WINDOWS\system32\winmine.exe

	- Foreign Memory Regions Read:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\

Process: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

Process: C:\Program Files\Common Files\otlsxk.exe

Process: C:\Program Files\Common Files\qfunmp.exe

Process: C:\Program Files\Messenger\msmsgs.exe

Process: C:\WINDOWS\system32\WINMINE.EXE

Process: C:\WINDOWS\system32\ctfmon.exe

Process: C:\WINDOWS\system32\netsh.exe

Process: C:\WINDOWS\system32\winmine.exe

Process: C:\WINDOWS\system32\wscntfy.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\WINMINE.EXE

Process: C:\WINDOWS\system32\netsh.exe

Process: C:\WINDOWS\system32\winmine.exe

3.e) Explorer.EXE - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
shv4.no-ip.biz	DNS_TYPE_A	67.210.170.164	YES	udp

3.f) Explorer.EXE - Other Activities

	- Mutexes Created:

Op1mutx9

alg.exeM_376_

c____kdjcpeoij55

csrss.exeM_332_

ctfmon.exeM_1744_

explorer.exeM_1372_

lsass.exeM_412_

mscorsvw.exeM_1428_

msmsgs.exeM_1752_

netsh.exeM_1360_

netsh.exeM_1604_

otlsxk.exeM_1180_

qfunmp.exeM_1168_

reader_sl.exeM_1764_

services.exeM_400_

smss.exeM_284_

spoolsv.exeM_912_

svchost.exeM_564_

svchost.exeM_612_

svchost.exeM_680_

svchost.exeM_780_

svchost.exeM_816_

winlogon.exeM_356_

winmine.exeM_2012_

winmine.exeM_2016_

wmiprvse.exeM_264_

wscntfy.exeM_1036_

wuauclt.exeM_1708_

	- Keyboard Keys Monitored:

Virtual Key Code	Times
VK_LBUTTON (1)	198
VK_CONTROL (17)	2

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c80be64	1

4. ctfmon.exe

	- General information about this executable

Analysis Reason:	50229926.exe wrote to the virtual memory of this process
Filename:	ctfmon.exe
MD5:	5f1d5f88303d4a4dbc8e5f97ba967cc3
SHA-1:	99cb7370f16773c8e2d0c86fe805ec638ab126e9
File Size:	15360 Bytes
Command Line:	"C:\WINDOWS\system32\ctfmon.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\MSUTB.dll	0x5FC10000	0x00033000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000

4.a) ctfmon.exe - Process Activities

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\explorer.exe

5. msmsgs.exe

	- General information about this executable

Analysis Reason:	50229926.exe wrote to the virtual memory of this process
Filename:	msmsgs.exe
MD5:	3e930c641079443d4de036167a69caa2
SHA-1:	ac40479e28fb680aff76e41fa14ebe18b3392629
File Size:	1695232 Bytes
Command Line:	"C:\Program Files\Messenger\msmsgs.exe" /background
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll	0x4EC50000	0x001A6000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\cryptdll.dll	0x76790000	0x0000C000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\XPOB2RES.DLL	0x10000000	0x0006C000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\xpsp2res.dll	0x00890000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000
C:\WINDOWS\system32\es.dll	0x77710000	0x00042000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000

6. reader_sl.exe

	- General information about this executable

Analysis Reason:	50229926.exe wrote to the virtual memory of this process
Filename:	reader_sl.exe
MD5:	54c88bfbd055621e2306534f445c0c8d
SHA-1:	960a171e826c077187fe634103874644327a6110
File Size:	40048 Bytes
Command Line:	"C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll	0x7C420000	0x00087000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll	0x78130000	0x0009B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

7. wscntfy.exe

	- General information about this executable

Analysis Reason:	50229926.exe wrote to the virtual memory of this process
Filename:	wscntfy.exe
MD5:	f92e1076c42fcd6db3d72d8cfe9816d5
SHA-1:	549f0a01848375d03159fc74171ed97790fa9650
File Size:	13824 Bytes
Command Line:	C:\WINDOWS\system32\wscntfy.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\xpsp2res.dll	0x007C0000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

8. qfunmp.exe

	- General information about this executable

Analysis Reason:	50229926.exe wrote to the virtual memory of this process
Filename:	qfunmp.exe
MD5:	ec95a4d3adc866c53bfafc3ba177d905
SHA-1:	78d7358cebb7681ba22b1ec453eb98308eadd619
File Size:	1256684 Bytes
Command Line:	"C:\Program Files\Common Files\qfunmp.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.DLL	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000

	- Program output

Stdout:

.................

9. otlsxk.exe

	- General information about this executable

Analysis Reason:	50229926.exe wrote to the virtual memory of this process
Filename:	otlsxk.exe
MD5:	ed22e108cca63fab4ad592f04b117289
SHA-1:	a11b96e200594f19b8e67af04797b61267710fec
File Size:	327901 Bytes
Command Line:	"C:\Program Files\Common Files\otlsxk.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\uxtheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GDIPlus.dll	0x4EC50000	0x001A6000

	- SigBuster Output

UPX All_Versions SN:1634

9.a) otlsxk.exe - File Activities

	- Files Created:

C:\images\1.bmp

	- Files Modified:

C:\autoit.txt

C:\images\1.bmp

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GDIPlus.dll

10. netsh.exe

	- General information about this executable

Analysis Reason:	Started by 50229926.exe
Filename:	netsh.exe
MD5:	6309955f8a1bdd10a8467c50ed3f023e
SHA-1:	1bc8e086b5e5d62c9d4edff100bd563e3e990927
File Size:	86016 Bytes
Command Line:	netsh firewall set opmode disable
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MPRAPI.dll	0x76D40000	0x00018000
C:\WINDOWS\system32\ACTIVEDS.dll	0x77CC0000	0x00032000
C:\WINDOWS\system32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\xpsp2res.dll	0x01400000	0x002C5000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\FWCFG.DLL	0x4BCF0000	0x00011000
C:\WINDOWS\system32\NAPMONTR.DLL	0x5A900000	0x00032000
C:\WINDOWS\system32\RASMONTR.DLL	0x5DBA0000	0x00025000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\DOT3CFG.DLL	0x5EF50000	0x00011000
C:\WINDOWS\system32\IPPROMON.DLL	0x602B0000	0x00053000
C:\WINDOWS\system32\IPXPROMN.DLL	0x66170000	0x00014000
C:\WINDOWS\system32\IPXMONTR.DLL	0x66190000	0x00017000
C:\WINDOWS\system32\IPV6MON.DLL	0x661B0000	0x00012000
C:\WINDOWS\system32\IPMONTR.DLL	0x664E0000	0x0002A000
C:\WINDOWS\system32\IFMON.DLL	0x66DF0000	0x00024000
C:\WINDOWS\system32\HNETMON.DLL	0x68870000	0x00007000
C:\WINDOWS\system32\MSWSOCK.dll	0x71A50000	0x0003F000
C:\WINDOWS\system32\QUtil.dll	0x726C0000	0x00016000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\wbem\wbemsvc.dll	0x74ED0000	0x0000E000
C:\WINDOWS\system32\wbem\wbemprox.dll	0x74EF0000	0x00008000
C:\WINDOWS\system32\wbem\wbemcomn.dll	0x75290000	0x00037000
C:\WINDOWS\system32\netcfgx.dll	0x755F0000	0x0009A000
C:\WINDOWS\system32\wbem\fastprox.dll	0x75690000	0x00076000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\netshell.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\NTDSAPI.dll	0x767A0000	0x00013000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\CLUSAPI.dll	0x76D10000	0x00012000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000

	- Program output

Stdout:

The following helper DLL cannot be loaded: DGNET.DLL.

10.a) netsh.exe - Registry Activities

	- Registry Keys Created:

HKLM\Software\Microsoft\Tracing\FWCFG

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr	BitNames	NAP_TRACE_BASE NAP_TRACE_NETSH
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr	Guid	710adbf0-ce88-40b4-a50d-231ada6593f0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	Guid	8aefce96-4618-42ff-a057-3536aa78233e
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\Software\Microsoft\Tracing\FWCFG	ConsoleTracingMask	4294901760
HKLM\Software\Microsoft\Tracing\FWCFG	EnableConsoleTracing	0
HKLM\Software\Microsoft\Tracing\FWCFG	EnableFileTracing	0
HKLM\Software\Microsoft\Tracing\FWCFG	FileDirectory	%windir%\tracing
HKLM\Software\Microsoft\Tracing\FWCFG	FileTracingMask	4294901760
HKLM\Software\Microsoft\Tracing\FWCFG	MaxFileSize	1048576

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\APPID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	LocalService	winmgmt	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemsvc.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	AppID	{8BC3F05E-D86B-11D0-A075-00C04FB68820}	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{9556DC99-828C-11CF-A37E-00AA003240C7}\PROXYSTUBCLSID32		{D68AF00A-29CB-43FA-8504-CE99A996D9EA}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{F309AD18-D86A-11D0-A075-00C04FB68820}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Gemplus GemSAFE Card CSP v1.0	Type	1	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Infineon SICRYPT Base Smart Card CSP	Type	1	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0	Type	1	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS Cryptographic Provider	Type	3	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider	Type	13	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft DH SChannel Cryptographic Provider	Type	18	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0	Type	1	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider	Type	13	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)	Type	24	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft RSA SChannel Cryptographic Provider	Type	12	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Type	1	12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Schlumberger Cryptographic Service Provider	Type	1	12
HKLM\SOFTWARE\Microsoft\NetSh	1	ipmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	2	ifmon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	3	ippromon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	4	rasmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	5	ipxmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	6	ipxpromn.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	FWCFG	fwcfg.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	dgnet	dgnet.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	dot3cfg	dot3cfg.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	hnetmon	hnetmon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	ipv6mon	ipv6mon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	napmontr	napmontr.dll	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentBuildNumber	2600	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\FWCFG	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\FWCFG	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\FWCFG	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\FWCFG	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\FWCFG	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\FWCFG	MaxFileSize	1048576	2
HKLM\Software\Microsoft\WBEM\CIMOM	Log File Max Size	65536	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging	1	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging Directory	C:\WINDOWS\system32\WBEM\Logs\	2
HKLM\Software\Microsoft\WBEM\CIMOM	ProcessID	680	1
HKLM\Software\Microsoft\WBEM\CIMOM	Repository Directory	%SystemRoot%\system32\WBEM\Repository	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	C:\WINDOWS\system32\iac25_32.ax	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	imaadp32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	C:\WINDOWS\system32\l3codeca.acm	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	msadp32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	msg711.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	msg723.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	tssoft32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	D:\	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	4
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		3
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	3
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	2
HKLM\System\WPA\PnP	seed	1274198464	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio	SystemFormats	CD Quality,Radio Quality,Telephone Quality	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKLM\Software\Microsoft\Tracing\FWCFG	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	3

10.b) netsh.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

WMIDataDevice

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1
PIPE\lsarpc	0x0011C017	6

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8
\Device\Tcp	0x00120003	6
WMIDataDevice	0x0022414C	4
WMIDataDevice	0x00228144	4

	- Memory Mapped Files:

File Name

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\ACTIVEDS.dll

C:\WINDOWS\system32\ATL.DLL

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\CLUSAPI.dll

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\DGNET.DLL

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\DOT3CFG.DLL

C:\WINDOWS\system32\FWCFG.DLL

C:\WINDOWS\system32\HNETMON.DLL

C:\WINDOWS\system32\IFMON.DLL

C:\WINDOWS\system32\IPMONTR.DLL

C:\WINDOWS\system32\IPPROMON.DLL

C:\WINDOWS\system32\IPV6MON.DLL

C:\WINDOWS\system32\IPXMONTR.DLL

C:\WINDOWS\system32\IPXPROMN.DLL

C:\WINDOWS\system32\MPRAPI.dll

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVCP60.dll

C:\WINDOWS\system32\MSWSOCK.dll

C:\WINDOWS\system32\NAPMONTR.DLL

C:\WINDOWS\system32\NTDSAPI.dll

C:\WINDOWS\system32\OneX.DLL

C:\WINDOWS\system32\QUtil.dll

C:\WINDOWS\system32\RASAPI32.dll

C:\WINDOWS\system32\RASMONTR.DLL

C:\WINDOWS\system32\SAMLIB.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\adsldpc.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\credui.dll

C:\WINDOWS\system32\dot3api.dll

C:\WINDOWS\system32\dot3dlg.dll

C:\WINDOWS\system32\eappcfg.dll

C:\WINDOWS\system32\eappprxy.dll

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\iphlpapi.dll

C:\WINDOWS\system32\netcfgx.dll

C:\WINDOWS\system32\netshell.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\wbem\fastprox.dll

C:\WINDOWS\system32\wbem\wbemcomn.dll

C:\WINDOWS\system32\wbem\wbemprox.dll

C:\WINDOWS\system32\wbem\wbemsvc.dll

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\xpob2res.dll

C:\WINDOWS\system32\xpsp2res.dll

C:\Windows\AppPatch\sysmain.sdb

11. netsh.exe

	- General information about this executable

Analysis Reason:	Started by Explorer.EXE
Filename:	netsh.exe
Command Line:	netsh firewall set opmode disable
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MPRAPI.dll	0x76D40000	0x00018000
C:\WINDOWS\system32\ACTIVEDS.dll	0x77CC0000	0x00032000
C:\WINDOWS\system32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\xpsp2res.dll	0x01820000	0x002C5000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\FWCFG.DLL	0x4BCF0000	0x00011000
C:\WINDOWS\System32\qagent.dll	0x4DA60000	0x00028000
C:\WINDOWS\system32\NAPMONTR.DLL	0x5A900000	0x00032000
C:\WINDOWS\system32\RASMONTR.DLL	0x5DBA0000	0x00025000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\DOT3CFG.DLL	0x5EF50000	0x00011000
C:\WINDOWS\system32\IPPROMON.DLL	0x602B0000	0x00053000
C:\WINDOWS\system32\IPXPROMN.DLL	0x66170000	0x00014000
C:\WINDOWS\system32\IPXMONTR.DLL	0x66190000	0x00017000
C:\WINDOWS\system32\IPV6MON.DLL	0x661B0000	0x00012000
C:\WINDOWS\system32\IPMONTR.DLL	0x664E0000	0x0002A000
C:\WINDOWS\system32\IFMON.DLL	0x66DF0000	0x00024000
C:\WINDOWS\system32\HNETMON.DLL	0x68870000	0x00007000
C:\WINDOWS\System32\Wbem\framedyn.dll	0x692C0000	0x00030000
C:\WINDOWS\system32\DGNET.DLL	0x6D240000	0x00025000
C:\WINDOWS\system32\MSWSOCK.dll	0x71A50000	0x0003F000
C:\WINDOWS\system32\QUtil.dll	0x726C0000	0x00016000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\wbem\wbemsvc.dll	0x74ED0000	0x0000E000
C:\WINDOWS\system32\wbem\wbemprox.dll	0x74EF0000	0x00008000
C:\WINDOWS\system32\wbem\wbemcomn.dll	0x75290000	0x00037000
C:\WINDOWS\system32\netcfgx.dll	0x755F0000	0x0009A000
C:\WINDOWS\system32\wbem\fastprox.dll	0x75690000	0x00076000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\netshell.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\NTDSAPI.dll	0x767A0000	0x00013000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\CLUSAPI.dll	0x76D10000	0x00012000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000

11.a) netsh.exe - Registry Activities

	- Registry Keys Created:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier

HKLM\System\CurrentControlSet\Services\NapAgent\LocalConfig\\Enroll

HKLM\System\CurrentControlSet\Services\NapAgent\LocalConfig\\Enroll\HcsGroups

HKLM\System\CurrentControlSet\Services\NapAgent\LocalConfig\\UI

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr	BitNames	NAP_TRACE_BASE NAP_TRACE_NETSH
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr	Guid	710adbf0-ce88-40b4-a50d-231ada6593f0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	Guid	8aefce96-4618-42ff-a057-3536aa78233e
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier	Guid	b0278a28-76f1-4e15-b1df-14b209a12613

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\APPID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	LocalService	winmgmt	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemsvc.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	AppID	{8BC3F05E-D86B-11D0-A075-00C04FB68820}	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}\INPROCSERVER32		%SystemRoot%\System32\qagent.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}\INPROCSERVER32	ThreadingModel	Apartment	1
HKLM\SOFTWARE\CLASSES\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}\INPROCSERVER32		%SystemRoot%\System32\qagent.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}\INPROCSERVER32	ThreadingModel	Apartment	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{9556DC99-828C-11CF-A37E-00AA003240C7}\PROXYSTUBCLSID32		{D68AF00A-29CB-43FA-8504-CE99A996D9EA}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{F309AD18-D86A-11D0-A075-00C04FB68820}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Gemplus GemSAFE Card CSP v1.0	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Infineon SICRYPT Base Smart Card CSP	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS Cryptographic Provider	Type	3	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider	Type	13	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft DH SChannel Cryptographic Provider	Type	18	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider	Type	13	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)	Type	24	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft RSA SChannel Cryptographic Provider	Type	12	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Schlumberger Cryptographic Service Provider	Type	1	16
HKLM\SOFTWARE\Microsoft\NetSh	1	ipmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	2	ifmon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	3	ippromon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	4	rasmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	5	ipxmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	6	ipxpromn.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	FWCFG	fwcfg.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	dgnet	dgnet.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	dot3cfg	dot3cfg.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	hnetmon	hnetmon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	ipv6mon	ipv6mon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	napmontr	napmontr.dll	1
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM	Log File Max Size	65536	4
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM	Logging	1	2
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM	Logging Directory	C:\WINDOWS\system32\WBEM\Logs\	4
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentBuildNumber	2600	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0b00000000000000	12
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\FWCFG	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\FWCFG	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\FWCFG	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\FWCFG	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\FWCFG	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\FWCFG	MaxFileSize	1048576	2
HKLM\Software\Microsoft\WBEM\CIMOM	Log File Max Size	65536	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging	1	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging Directory	C:\WINDOWS\system32\WBEM\Logs\	2
HKLM\Software\Microsoft\WBEM\CIMOM	ProcessID	680	1
HKLM\Software\Microsoft\WBEM\CIMOM	Repository Directory	%SystemRoot%\system32\WBEM\Repository	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	C:\WINDOWS\system32\l3codeca.acm	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	sl_anet.acm	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	D:\	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	4
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Description	Provides DHCP based enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Friendly Name	DHCP Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Description	Provides the quarantine enforcement for RAS Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Friendly Name	Remote Access Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Component Type	2	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Description	Provides IPSec based enforcement for Network Access Protection	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Friendly Name	IPSec Relying Party	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Description	Provides wireless Eapol based enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Friendly Name	Wireless Eapol Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Description	Provides TS Gateway enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Friendly Name	TS Gateway Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Description	Provides EAP based enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Friendly Name	EAP Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Version	1.0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		3
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	3
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogIt

Analysis Report for 50229926

Summary:

Table of Contents