Analysis Report for 50504865

Comment on this report

Summary:

Description	Risk
Write to foreign memory areas: This executable tampers with the execution of another process.
Change Windows Firewall settings: This executable changes some settings of windows firewall.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
AV Hit: This executable is detected by an antivirus software.
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Execution did not terminate correctly: The executable crashed.
Modify system files: This executable modifies files in the windows system directories.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.

Table of Contents
expand all	collapse all
General information 50504865.exe C:\50504865.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities Explorer.EXE C:\WINDOWS\Explorer.EXE 50504865.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities c) Other Activities netsh.exe C:\WINDOWS\system32\netsh.exe Started by 50504865.exe General Information a) Registry Activities b) File Activities ctfmon.exe C:\WINDOWS\system32\ctfmon.exe 50504865.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities e) Other Activities netsh.exe netsh.exe Started by ctfmon.exe General Information a) Registry Activities b) File Activities msmsgs.exe C:\Program Files\Messenger\msmsgs.exe 50504865.exe wrote to the virtual memory of this process General Information reader_sl.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe 50504865.exe wrote to the virtual memory of this process General Information wscntfy.exe C:\WINDOWS\system32\wscntfy.exe 50504865.exe wrote to the virtual memory of this process General Information drlwszvxbeo.exe C:\Program Files\Common Files\drlwszvxbeo.exe 50504865.exe wrote to the virtual memory of this process General Information kxuckd.exe C:\Program Files\Common Files\kxuckd.exe 50504865.exe wrote to the virtual memory of this process General Information

1. General Information

	- Information about Anubis' invocation

Time needed:	253 s
Report created:	05/30/11, 13:09:17 UTC
Termination reason:	Timeout
Program version:	1.75.3394

2. 50504865.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	50504865.exe
MD5:	20085fa00519f0005bb13d04a8624524
SHA-1:	1e841a375659157a3bba02fa532f2c4c77f7618e
File Size:	203776 Bytes
Command Line:	"C:\50504865.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\gdi32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\shell32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.DLL	0x771B0000	0x000AA000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

	- Ikarus Virus Scanner

P2P-Worm.Win32.Palevo (Sig-Id:1391487)

2.a) 50504865.exe - Registry Activities

	- Registry Keys Created:

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system

HKLM\SOFTWARE\Microsoft\Security Center\Svc

HKU\S-1-5-21-842925246-1425521274-308236825-500\\

HKU\S-1-5-21-842925246-1425521274-308236825-500\\\

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	UpdatesDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UpdatesDisableNotify	1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	C:\50504865.exe	C:\50504865.exe:*:Enabled:ipsec
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system	EnableLUA	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_0	316296286
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_1	2980259871
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_10	3058542535
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_11	1095967518
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_12	3212976836
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_13	1689872392
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_14	2943808580
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_15	2682062998
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_16	2339603787
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_17	375552664
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_18	3146908097
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_19	305550107
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_2	3273450715
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_20	2045230250
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_21	554636264
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_22	540682706
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_23	3594867860
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_24	1974588621
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_25	2448466700
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_26	2685949635
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_27	1683086866
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_28	1195078501
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_29	3688440843
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_3	2024051603
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_30	641715655
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_31	3569871535
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_32	3692316240
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_33	2441832618
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_34	3560253685
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_35	860929719
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_36	788749648
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_37	280518204
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_38	2901101003
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_39	834354858
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_4	3273423945
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_40	4138935395
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_41	1523151679
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_42	3252243223
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_43	3205810738
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_44	1876576099
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_45	1971343389
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_46	1929343731
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_47	2423928614
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_48	2425567086
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_49	1356733736
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_5	3987901696
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_50	1017100228
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_51	3711972518
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_52	3778450500
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_53	4168163864
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_54	1974003684
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_55	2994711470
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_56	3091619685
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_6	3716890450
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_7	4124721555
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_8	1014434897
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_9	1393678583
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_0	1743
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_1	1768776334
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_10	507900169
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_11	2276678650
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_12	4045449921
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_13	1519259324
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_14	3288031252
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_15	761842391
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_16	2530632154
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_17	4436989
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_18	1773214197
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_19	3541986559
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_2	3537558722
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_20	1015794796
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_21	2784569213
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_22	258378952
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_23	2027167931
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_24	3795941206
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_25	1269751362
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_26	3038525291
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_27	512329498
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_28	2281107044
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_29	4049895063
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_3	1011365721
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_30	1523689563
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_31	3292476761
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_32	766283836
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_33	2535063534
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_34	8864206
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_35	1777641693
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_36	3546416478
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_37	1020226208
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_38	2789013512
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_39	262818607
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_4	2780136370
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_40	2031597789
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_41	3800372859
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_42	1274178660
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_43	3042954932
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_44	516763397
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_45	2285538016
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_46	4054324331
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_47	1528133348
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_48	3296910684
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_49	770714514
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_5	253944120
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_50	2539487322
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_51	13296395
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_52	1782073836
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_53	3550862216
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_54	1024668842
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_55	2793447418
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_56	267255050
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_6	2022722766
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_7	3791498983
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_8	1265316336
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_9	3034094964
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_0	17001001
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_1	1752043112
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_10	524714147
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_11	2259690722
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_12	4028881189
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_13	1535999332
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_14	3271037351
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_15	745256422
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_16	2547330617
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_17	21021304
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_18	1756522171
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_19	3525122810
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_2	3554255531
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_20	1032372029
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_21	2767868796
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_22	241563583
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_23	2044161022
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_24	3812756529
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_25	1252892784
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_26	3021948083
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_27	529201394
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_28	2264243509
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_29	4033294708
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_3	1028343530
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_30	1540543927
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_31	3309062646
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_32	749724169
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_33	2518320712
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_34	25442955
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_35	1761074890
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_36	3529601805
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_37	1036785484
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_38	2805959567
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_39	245968846
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_4	2763455277
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_40	2014625793
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_41	3817235520
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_42	1257314435
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_43	3025976514
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_44	533614853
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_45	2302276932
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_46	4037765511
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_47	1511394758
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_48	3313608217
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_49	754145880
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_5	237084524
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_50	2522807963
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_51	29987546
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_52	1799042845
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_53	3534138204
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_54	1007701919
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_55	2810438622
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_56	250512401
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_6	2039690159
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_7	3774797806
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_8	1248348193
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_9	3051088992
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_0	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_1	1768776769
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_10	507898506
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_11	2276675275
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_12	4045452044
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_13	1519261517
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_14	3288038286
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_15	761847759
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_16	2530624528
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_17	4434001
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_18	1773210770
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_19	3541987539
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_2	3537553538
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_20	1015797012
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_21	2784573781
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_22	258383254
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_23	2027160023
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_24	3795936792
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_25	1269746265
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_26	3038523034
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_27	512332507
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_28	2281109276
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_29	4049886045
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_3	1011363011
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_30	1523695518
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_31	3292472287
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_32	766281760
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_33	2535058529
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_34	8868002
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_35	1777644771
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_36	3546421540
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_37	1020231013
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_38	2789007782
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_39	262817255
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_4	2780139780
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_40	2031594024
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_41	3800370793
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_42	1274180266
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_43	3042957035
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_44	516766508
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_45	2285543277
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_46	4054320046
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_47	1528129519
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_48	3296906288
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_49	770715761
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_5	253949253
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_50	2539492530
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_51	13302003
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_52	1782078772
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_53	3550855541
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_54	1024665014
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_55	2793441783
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_6	2022726022
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_7	3791502791
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_8	1265312264
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_9	3034089033
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-1514827516	35
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-503464505	8ACFD3504995158F14D603AF5E5504E3AF69C288E21448392A6CBF4E09C4E98A19367742C6D1330B5103B1143136A7FDA6BD36A1E35BDDB2F2964B052967D8FCCED6DB626D0C03AA14E5814F801CC48AB5C01FFBE77BBA469E623AC6D6E726AD64F6207EA78E2427089991D731CFFA86CD9A50D08E753C5ADF5C1E586BF96FCD
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-757413758	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1011363011	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1768776769	237
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	2022726022	0B00687474703A2F2F7765626476636F6D70757465722E636F6D2F6C6F676F2E67696600687474703A2F2F6E6973737461722E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7765636C696B6465762E636F2E756B2F6C6F676F2E67696600687474703A2F2F79686F63636F74727579656E686F6162696E682E636F6D2F6C6F676F2E67696600687474703A2F2F776F726B736F66742E696E662E62722F6C6F676F2E67696600687474703A2F2F6176727570616C696B6F6C656A692E6B31322E74722F6C6F676F2E67696600687474703A2F2F636C616E666F7263656B696C65722E7433352E636F6D2F6C6F676F2E67696600687474703A2F2F706F74656E63696172622E636F6D2E62722F6C6F676F2E67696600687474703A2F2F707265617766617368696F6E2E636F6D2F6C6F676F2E67696600687474703A2F2F717569636B2D6E2D666C792E636F6D2F6C6F676F2E67696600687474703A2F2F736166657265736F727473616E647069636E6963636C75622E636F6D2F696D672E676966
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	253949253	395
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings	GlobalUserOffline	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableRegistryTools	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableTaskMgr	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder	0	Value Change	1

2.b) 50504865.exe - File Activities

	- Files Deleted:

C:\WINDOWS\hh.exe

	- Files Created:

C:\RECYCLER\S-1-5-21-7531990905-9260463597-602916908-3514

C:\RECYCLER\S-1-5-21-7531990905-9260463597-602916908-3514\Desktop.ini

	- Files Read:

C:\WINDOWS\SYSTEM.INI

PIPE\lsarpc

	- Files Modified:

C:\RECYCLER\S-1-5-21-7531990905-9260463597-602916908-3514\Desktop.ini

C:\WINDOWS\SYSTEM.INI

PIPE\lsarpc

	- Directories Created:

C:\RECYCLER\S-1-5-21-7531990905-9260463597-602916908-3514

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1
PIPE\lsarpc	0x0011C017	96

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\WININET.DLL

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\netsh.exe

C:\WINDOWS\system32\shell32.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) 50504865.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\netsh.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\netsh.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\drlwszvxbeo.exe

C:\Program Files\Common Files\kxuckd.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\netsh.exe

	- Foreign Memory Regions Written:

Process: C:\50504865.exe

Process: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

Process: C:\Program Files\Common Files\drlwszvxbeo.exe

Process: C:\Program Files\Common Files\kxuckd.exe

Process: C:\Program Files\Messenger\msmsgs.exe

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\ctfmon.exe

Process: C:\WINDOWS\system32\netsh.exe

Process: C:\WINDOWS\system32\wscntfy.exe

2.d) 50504865.exe - Other Activities

	- Mutexes Created:

50504865.exeM_1196_

Op1mutx9

alg.exeM_376_

csrss.exeM_332_

ctfmon.exeM_1744_

drlwszvxbeo.exeM_1172_

explorer.exeM_1372_

kxuckd.exeM_1184_

lsass.exeM_412_

mscorsvw.exeM_1428_

msmsgs.exeM_1752_

reader_sl.exeM_1764_

services.exeM_400_

smss.exeM_284_

spoolsv.exeM_912_

svchost.exeM_564_

svchost.exeM_612_

svchost.exeM_680_

svchost.exeM_780_

svchost.exeM_816_

winlogon.exeM_356_

wscntfy.exeM_1036_

wuauclt.exeM_1708_

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4011cd	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c80be64	1

3. Explorer.EXE

	- General information about this executable

Analysis Reason:	50504865.exe wrote to the virtual memory of this process
Filename:	Explorer.EXE
Command Line:	C:\WINDOWS\Explorer.EXE
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\BROWSEUI.dll	0x75F80000	0x000FD000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHDOCVW.dll	0x7E290000	0x00171000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\CRYPTUI.dll	0x754D0000	0x00080000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\System32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\System32\CSCDLL.dll	0x76600000	0x0001D000
C:\WINDOWS\system32\themeui.dll	0x5BA60000	0x00071000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\xpsp2res.dll	0x00AC0000	0x002C5000
C:\WINDOWS\system32\actxprxy.dll	0x71D40000	0x0001B000
C:\WINDOWS\system32\msutb.dll	0x5FC10000	0x00033000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\urlmon.dll	0x7E1E0000	0x000A2000
C:\WINDOWS\system32\LINKINFO.dll	0x76980000	0x00008000
C:\WINDOWS\system32\ntshrui.dll	0x76990000	0x00025000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\msi.dll	0x7D1E0000	0x002BC000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\webcheck.dll	0x74B30000	0x00046000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\stobject.dll	0x76280000	0x00021000
C:\WINDOWS\system32\BatMeter.dll	0x74AF0000	0x0000A000
C:\WINDOWS\system32\POWRPROF.dll	0x74AD0000	0x00008000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\NETSHELL.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\System32\drprov.dll	0x75F60000	0x00007000
C:\WINDOWS\System32\ntlanman.dll	0x71C10000	0x0000E000
C:\WINDOWS\System32\NETUI0.dll	0x71CD0000	0x00017000
C:\WINDOWS\System32\NETUI1.dll	0x71C90000	0x00040000
C:\WINDOWS\System32\NETRAP.dll	0x71C80000	0x00007000
C:\WINDOWS\System32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\System32\davclnt.dll	0x75F70000	0x0000A000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\MSGINA.dll	0x75970000	0x000F8000
C:\WINDOWS\system32\ODBC32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\odbcint.dll	0x01350000	0x00017000
C:\WINDOWS\system32\browselc.dll	0x71600000	0x00012000
C:\WINDOWS\system32\shdoclc.dll	0x71800000	0x00088000

3.a) Explorer.EXE - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Taskman	C:\RECYCLER\S-1-5-21-7531990905-9260463597-602916908-3514\windll.exe

	- Registry Values Read:

Key	Name	Value	Times
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	EnableNegotiate	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

3.b) Explorer.EXE - File Activities

	- Files Created:

C:\RECYCLER\S-1-5-21-7531990905-9260463597-602916908-3514\windll.exe

\Device\NamedPipe\Win32Pipes.0000055c.00000001

pipe\cdcpr55

	- Files Modified:

C:\RECYCLER\S-1-5-21-7531990905-9260463597-602916908-3514\windll.exe

	- Memory Mapped Files:

File Name

C:\50504865.exe

3.c) Explorer.EXE - Other Activities

	- Mutexes Created:

Op1mutx9

c____kdjcpeoij55

explorer.exeM_1372_

	- Keyboard Keys Monitored:

Virtual Key Code	Times
VK_LBUTTON (1)	76

4. netsh.exe

	- General information about this executable

Analysis Reason:	Started by 50504865.exe
Filename:	netsh.exe
Command Line:	netsh firewall set opmode disable
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MPRAPI.dll	0x76D40000	0x00018000
C:\WINDOWS\system32\ACTIVEDS.dll	0x77CC0000	0x00032000
C:\WINDOWS\system32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\IPV6MON.DLL	0x661B0000	0x00012000
C:\WINDOWS\system32\IPMONTR.DLL	0x664E0000	0x0002A000

4.a) netsh.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\NetSh	1	ipmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	2	ifmon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	ipv6mon	ipv6mon.dll	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	0x01000000100000000204000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	0x01000000100000001100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	0x0100000010000000550000001e000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	0x01000000100000000200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	0x01000000120000006001000016000000610100001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	0x010000001000000006000000120000000700000012000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	3	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	0x0100000010000000420000001c000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	0x01000000100000003100000014000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	0x01000000100000003001000016000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	1	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	0x01000000100000002200000032000000	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	0	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	2	1
HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	1	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	midimapper		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	C:\WINDOWS\system32\iac25_32.ax	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	C:\WINDOWS\system32\l3codeca.acm	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	msadp32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	msaud32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	msgsm32.acm	3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch		3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.I420		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M261		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.M263		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.cvid		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv31		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv32		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv41		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iv50		1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.iyuv		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.mrle		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.msvc		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.uyvy		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yuy2		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvu9		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	vidc.yvyu		2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	wavemapper		2
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	D:\	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	1
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\ProductOptions	ProductType	WinNT	1
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKLM\System\WPA\PnP	seed	1274198464	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio	SystemFormats	CD Quality,Radio Quality,Telephone Quality	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	%USERPROFILE%\Local Settings	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	%USERPROFILE%\My Documents	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

4.b) netsh.exe - File Activities

	- Files Modified:

\Device\Ip

\Device\Tcp

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1
\Device\Tcp	0x00120003	6

	- Memory Mapped Files:

File Name

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\system32\ACTIVEDS.dll

C:\WINDOWS\system32\ATL.DLL

C:\WINDOWS\system32\CLUSAPI.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\IFMON.DLL

C:\WINDOWS\system32\IPMONTR.DLL

C:\WINDOWS\system32\IPV6MON.DLL

C:\WINDOWS\system32\MPRAPI.dll

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\RASAPI32.dll

C:\WINDOWS\system32\SAMLIB.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\adsldpc.dll

C:\WINDOWS\system32\comctl32.dll

C:\WINDOWS\system32\credui.dll

C:\WINDOWS\system32\dot3api.dll

C:\WINDOWS\system32\dot3dlg.dll

C:\WINDOWS\system32\iphlpapi.dll

C:\WINDOWS\system32\netcfgx.dll

C:\WINDOWS\system32\netshell.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\rtutils.dll

C:\WINDOWS\system32\xpob2res.dll

C:\Windows\AppPatch\sysmain.sdb

5. ctfmon.exe

	- General information about this executable

Analysis Reason:	50504865.exe wrote to the virtual memory of this process
Filename:	ctfmon.exe
Command Line:	"C:\WINDOWS\system32\ctfmon.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\MSUTB.dll	0x5FC10000	0x00033000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\WININET.DLL	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000

5.a) ctfmon.exe - Registry Activities

	- Registry Keys Deleted:

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp

	- Registry Values Deleted:

Key	Name
HKLM\System\CurrentControlSet\Control\SafeBoot	AlternateShell
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center	UpdatesDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	AntiVirusOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	FirewallOverride	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UacDisableNotify	1
HKLM\SOFTWARE\Microsoft\Security Center\Svc	UpdatesDisableNotify	1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	C:\WINDOWS\system32\ctfmon.exe	C:\WINDOWS\system32\ctfmon.exe:*:Enabled:ipsec
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system	EnableLUA	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings	GlobalUserOffline	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableRegistryTools	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\policies\system	DisableTaskMgr	1

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\SafeBoot	AlternateShell	cmd.exe	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys	FSFilter System Recovery	FSFilter System Recovery	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys	Driver	Driver	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}	Universal Serial Bus controllers	Universal Serial Bus controllers	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}	CD-ROM Drive	CD-ROM Drive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}	DiskDrive	DiskDrive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}	Standard floppy disk controller	Standard floppy disk controller	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}	Hdc	Hdc	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}	Keyboard	Keyboard	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}	Mouse	Mouse	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}	PCMCIA Adapters	PCMCIA Adapters	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}	SCSIAdapter	SCSIAdapter	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}	System	System	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}	Floppy disk drive	Floppy disk drive	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	Volume	Volume	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}	Human Interface Devices	Human Interface Devices	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system	Driver Group	Driver Group	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp	Service	Service	1
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin	Service	Service	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_0	316296286	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_1	2980259871	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_10	3058542535	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_11	1095967518	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_12	3212976836	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_13	1689872392	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_14	2943808580	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_15	2682062998	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_16	2339603787	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_17	375552664	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_18	3146908097	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_19	305550107	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_2	3273450715	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_20	2045230250	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_21	554636264	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_22	540682706	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_23	3594867860	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_24	1974588621	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_25	2448466700	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_26	2685949635	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_27	1683086866	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_3	2024051603	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_4	3273423945	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_5	3987901696	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_6	3716890450	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_7	4124721555	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_8	1014434897	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A1_9	1393678583	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_0	1743	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_1	1768776334	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_10	507900169	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_11	2276678650	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_12	4045449921	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_13	1519259324	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_14	3288031252	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_15	761842391	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_16	2530632154	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_17	4436989	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_18	1773214197	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_19	3541986559	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_2	3537558722	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_20	1015794796	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_21	2784569213	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_22	258378952	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_23	2027167931	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_24	3795941206	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_25	1269751362	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_26	3038525291	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_27	512329498	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_3	1011365721	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_4	2780136370	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_5	253944120	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_6	2022722766	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_7	3791498983	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_8	1265316336	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A2_9	3034094964	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_0	17001001	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_1	1752043112	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_10	524714147	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_11	2259690722	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_12	4028881189	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_13	1535999332	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_14	3271037351	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_15	745256422	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_16	2547330617	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_17	21021304	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_18	1756522171	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_19	3525122810	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_2	3554255531	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_20	1032372029	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_21	2767868796	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_22	241563583	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_23	2044161022	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_24	3812756529	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_25	1252892784	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_26	3021948083	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_27	529201394	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_3	1028343530	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_4	2763455277	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_5	237084524	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_6	2039690159	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_7	3774797806	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_8	1248348193	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A3_9	3051088992	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_0	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_1	1768776769	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_10	507898506	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_11	2276675275	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_12	4045452044	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_13	1519261517	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_14	3288038286	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_15	761847759	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_16	2530624528	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_17	4434001	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_18	1773210770	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_19	3541987539	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_2	3537553538	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_20	1015797012	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_21	2784573781	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_22	258383254	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_23	2027160023	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_24	3795936792	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_25	1269746265	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_26	3038523034	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_27	512332507	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_3	1011363011	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_4	2780139780	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_5	253949253	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_6	2022726022	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_7	3791502791	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_8	1265312264	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\ADMINISTRATOR914	A4_9	3034089033	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_0	316296286	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_1	2980259871	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_10	3058542535	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_11	1095967518	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_12	3212976836	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_13	1689872392	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_14	2943808580	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_15	2682062998	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_16	2339603787	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_17	375552664	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_18	3146908097	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_19	305550107	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_2	3273450715	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_20	2045230250	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_21	554636264	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_22	540682706	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_23	3594867860	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_24	1974588621	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_25	2448466700	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_26	2685949635	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_27	1683086866	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_28	1195078501	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_29	3688440843	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_3	2024051603	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_30	641715655	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_31	3569871535	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_32	3692316240	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_33	2441832618	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_34	3560253685	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_35	860929719	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_36	788749648	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_37	280518204	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_38	2901101003	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_39	834354858	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_4	3273423945	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_40	4138935395	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_41	1523151679	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_42	3252243223	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_43	3205810738	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_44	1876576099	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_45	1971343389	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_46	1929343731	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_47	2423928614	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_48	2425567086	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_49	1356733736	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_5	3987901696	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_50	1017100228	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_51	3711972518	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_52	3778450500	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_53	4168163864	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_54	1974003684	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_55	2994711470	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_56	3091619685	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_6	3716890450	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_7	4124721555	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_8	1014434897	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A1_9	1393678583	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_0	1743	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_1	1768776334	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_10	507900169	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_11	2276678650	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_12	4045449921	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_13	1519259324	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_14	3288031252	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_15	761842391	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_16	2530632154	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_17	4436989	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_18	1773214197	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_19	3541986559	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_2	3537558722	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_20	1015794796	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_21	2784569213	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_22	258378952	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_23	2027167931	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_24	3795941206	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_25	1269751362	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_26	3038525291	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_27	512329498	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_28	2281107044	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_29	4049895063	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_3	1011365721	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_30	1523689563	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_31	3292476761	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_32	766283836	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_33	2535063534	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_34	8864206	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_35	1777641693	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_36	3546416478	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_37	1020226208	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_38	2789013512	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_39	262818607	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_4	2780136370	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_40	2031597789	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_41	3800372859	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_42	1274178660	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_43	3042954932	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_44	516763397	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_45	2285538016	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_46	4054324331	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_47	1528133348	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_48	3296910684	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_49	770714514	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_5	253944120	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_50	2539487322	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_51	13296395	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_52	1782073836	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_53	3550862216	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_54	1024668842	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_55	2793447418	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_56	267255050	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_6	2022722766	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_7	3791498983	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_8	1265316336	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A2_9	3034094964	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_0	17001001	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_1	1752043112	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_10	524714147	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_11	2259690722	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_12	4028881189	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_13	1535999332	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_14	3271037351	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_15	745256422	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_16	2547330617	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_17	21021304	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_18	1756522171	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_19	3525122810	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_2	3554255531	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_20	1032372029	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_21	2767868796	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_22	241563583	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_23	2044161022	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_24	3812756529	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_25	1252892784	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_26	3021948083	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_27	529201394	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_28	2264243509	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_29	4033294708	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_3	1028343530	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_30	1540543927	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_31	3309062646	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_32	749724169	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_33	2518320712	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_34	25442955	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_35	1761074890	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_36	3529601805	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_37	1036785484	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_38	2805959567	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_39	245968846	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_4	2763455277	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_40	2014625793	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_41	3817235520	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_42	1257314435	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_43	3025976514	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_44	533614853	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_45	2302276932	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_46	4037765511	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_47	1511394758	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_48	3313608217	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_49	754145880	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_5	237084524	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_50	2522807963	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_51	29987546	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_52	1799042845	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_53	3534138204	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_54	1007701919	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_55	2810438622	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_56	250512401	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_6	2039690159	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_7	3774797806	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_8	1248348193	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A3_9	3051088992	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_0	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_1	1768776769	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_10	507898506	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_11	2276675275	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_12	4045452044	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_13	1519261517	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_14	3288038286	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_15	761847759	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_16	2530624528	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_17	4434001	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_18	1773210770	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_19	3541987539	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_2	3537553538	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_20	1015797012	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_21	2784573781	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_22	258383254	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_23	2027160023	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_24	3795936792	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_25	1269746265	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_26	3038523034	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_27	512332507	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_28	2281109276	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_29	4049886045	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_3	1011363011	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_30	1523695518	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_31	3292472287	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_32	766281760	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_33	2535058529	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_34	8868002	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_35	1777644771	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_36	3546421540	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_37	1020231013	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_38	2789007782	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_39	262817255	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_4	2780139780	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_40	2031594024	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_41	3800370793	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_42	1274180266	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_43	3042957035	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_44	516766508	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_45	2285543277	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_46	4054320046	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_47	1528129519	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_48	3296906288	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_49	770715761	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_5	253949253	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_50	2539492530	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_51	13302003	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_52	1782078772	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_53	3550855541	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_54	1024665014	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_55	2793441783	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_56	267251256	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_6	2022726022	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_7	3791502791	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_8	1265312264	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914	A4_9	3034089033	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-1514827516	35	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-503464505	8ACFD3504995158F14D603AF5E5504E3AF69C288E21448392A6CBF4E09C4E98A19367742C6D1330B5103B1143136A7FDA6BD36A1E35BDDB2F2964B052967D8FCCED6DB626D0C03AA14E5814F801CC48AB5C01FFBE77BBA469E623AC6D6E726AD64F6207EA78E2427089991D731CFFA86CD9A50D08E753C5ADF5C1E586BF96FCD	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	-757413758	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1011363011	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	1768776769	237	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	2022726022	0B00687474703A2F2F7765626476636F6D70757465722E636F6D2F6C6F676F2E67696600687474703A2F2F6E6973737461722E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7765636C696B6465762E636F2E756B2F6C6F676F2E67696600687474703A2F2F79686F63636F74727579656E686F6162696E682E636F6D2F6C6F676F2E67696600687474703A2F2F776F726B736F66742E696E662E62722F6C6F676F2E67696600687474703A2F2F6176727570616C696B6F6C656A692E6B31322E74722F6C6F676F2E67696600687474703A2F2F636C616E666F7263656B696C65722E7433352E636F6D2F6C6F676F2E67696600687474703A2F2F706F74656E63696172622E636F6D2E62722F6C6F676F2E67696600687474703A2F2F707265617766617368696F6E2E636F6D2F6C6F676F2E67696600687474703A2F2F717569636B2D6E2D666C792E636F6D2F6C6F676F2E67696600687474703A2F2F736166657265736F727473616E647069636E6963636C75622E636F6D2F696D672E676966	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Administrator914\-993627007	253949253	395	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder	0	Value Change	1

5.b) ctfmon.exe - File Activities

	- Files Read:

C:\WINDOWS\SYSTEM.INI

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Afd\Endpoint

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	84

	- Device Control Communication:

File	Control Code	Times
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	3
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	1
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	1
\Device\Afd\Endpoint	AFD_SET_INFO (0x0001203B)	1
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	1
unnamed file	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\WININET.DLL

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\netsh.exe

C:\Windows\AppPatch\sysmain.sdb

5.c) ctfmon.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\netsh.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\netsh.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\netsh.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\netsh.exe

5.d) ctfmon.exe - Network Activity

5.e) ctfmon.exe - Other Activities

	- Mutexes Created:

Op1mutx9

alg.exeM_376_

csrss.exeM_332_

ctfmon.exeM_1744_

drlwszvxbeo.exeM_1172_

explorer.exeM_1372_

kxuckd.exeM_1184_

lsass.exeM_412_

mscorsvw.exeM_1428_

msmsgs.exeM_1752_

netsh.exeM_1232_

reader_sl.exeM_1764_

services.exeM_400_

smss.exeM_284_

spoolsv.exeM_912_

svchost.exeM_564_

svchost.exeM_612_

svchost.exeM_680_

svchost.exeM_780_

svchost.exeM_816_

winlogon.exeM_356_

wscntfy.exeM_1036_

wuauclt.exeM_1708_

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c80be64	1

6. msmsgs.exe

	- General information about this executable

Analysis Reason:	50504865.exe wrote to the virtual memory of this process
Filename:	msmsgs.exe
Command Line:	"C:\Program Files\Messenger\msmsgs.exe" /background
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll	0x4EC50000	0x001A6000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\cryptdll.dll	0x76790000	0x0000C000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\XPOB2RES.DLL	0x10000000	0x0006C000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\xpsp2res.dll	0x00890000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000
C:\WINDOWS\system32\es.dll	0x77710000	0x00042000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000

7. reader_sl.exe

	- General information about this executable

Analysis Reason:	50504865.exe wrote to the virtual memory of this process
Filename:	reader_sl.exe
Command Line:	"C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll	0x7C420000	0x00087000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll	0x78130000	0x0009B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

8. wscntfy.exe

	- General information about this executable

Analysis Reason:	50504865.exe wrote to the virtual memory of this process
Filename:	wscntfy.exe
Command Line:	C:\WINDOWS\system32\wscntfy.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\xpsp2res.dll	0x007C0000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

9. drlwszvxbeo.exe

	- General information about this executable

Analysis Reason:	50504865.exe wrote to the virtual memory of this process
Filename:	drlwszvxbeo.exe
Command Line:	"C:\Program Files\Common Files\drlwszvxbeo.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.DLL	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000

	- Program output

Stdout:

...........

10. kxuckd.exe

	- General information about this executable

Analysis Reason:	50504865.exe wrote to the virtual memory of this process
Filename:	kxuckd.exe
Command Line:	"C:\Program Files\Common Files\kxuckd.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\uxtheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

11. netsh.exe

	- General information about this executable

Analysis Reason:	Started by ctfmon.exe
Filename:	netsh.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MPRAPI.dll	0x76D40000	0x00018000
C:\WINDOWS\system32\ACTIVEDS.dll	0x77CC0000	0x00032000
C:\WINDOWS\system32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000

11.a) netsh.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1

11.b) netsh.exe - File Activities

	- File System Control Communication:

File	Control Code	Times
C:\Documents and Settings\Administrator\	0x00090028	1

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\AppPatch\AcGenral.DLL

C:\WINDOWS\system32\ACTIVEDS.dll

C:\WINDOWS\system32\ATL.DLL

C:\WINDOWS\system32\MPRAPI.dll

C:\WINDOWS\system32\MSACM32.dll

C:\WINDOWS\system32\RASAPI32.dll

C:\WINDOWS\system32\SAMLIB.dll

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\ShimEng.dll

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\adsldpc.dll

C:\WINDOWS\system32\iphlpapi.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\rtutils.dll

C:\Windows\AppPatch\sysmain.sdb

Analysis Report for 50504865

Summary:

Table of Contents