Command

Type of function

netdom

This command-line tool enables

administrators to manage Windows
Server2003 and Windows2000 domains
and trust relationships from the command
line.

netdom /?
netdom ADD

Displays the help message

Adds a workstation or server account to
the domain. (machine is the name of the
computer to be added

netdom ADD /Domain

Specifies the domain in which to create

the machine account

netdom ADD /UserD

User account used to make the connection

with the domain specified by the /Domain
argument.

netdom ADD /PasswordD

Password of the user account specified

with /UserD. A * means to prompt for the
password

netdom ADD /Server

Name of a specific domain controller that

should be used to perform the Add.

netdom ADD /OU

Organization unit under which to create

the machine account. This must be a fully
qualified RFC 1799 DN for the OU. If not
specified, the account will be created
under the default organizational unit for
machine objects for that domain.

netdom ADD /DC

Specifies that a domain controller's

machine account is to be created. This
option cannot be used with the /OU
option.

netdom QUERY
netdom QUERY /Domain

Queries the domain for information

Specifies the domain on which to query for
the information

netdom QUERY /UserD

User account used to make the connection

with the domain specified by the /Domain
argument.

netdom QUERY /PasswordD

Password of the user account specified

with /UserD. A * means to prompt for the
password

netdom QUERY /Server

Name of a specific domain controller that

should be used to perform the query.

netdom QUERY /Verify

For trusts, verifies that the trust between

domains is operating properly; for
computers, verifies that the secure
channel between the computer and the
domain controller is operating properly

netdom QUERY /RESEt

Resets the secure channel between the

computer and the domain controller; valid
for only computer enumeration.

netdom QUERY /Direct

Applies only for a TRUST query, lists only

the direct trust links and omits the
domains indirectly trusted through
transitive links.

netdom QUERY WORKSTATION

Query the domain for the list of

workstations.

netdom QUERY SERVER

Query the domain for the list of servers.

netdom QUERY DC

Query the domain for the list of Domain

Controllers.

netdom QUERY OU

Query the domain for the list of

Organizational Units under which the
specified user can create a machine
object.

netdom QUERY PDC

Query the domain for the current Primary

Domain Controller

netdom QUERY FSMO

Query the domain for the current list of

FSMO owners

netdom QUERY TRUST

Query the domain for a list of its trusts.

netdom TRUST

Manages or verifies the trust relationship

between domains

netdom TRUST /Domain

Specifies the name of the trusted domain

netdom TRUST /UserD

User account used to make the connection

with the domain specified by the /Domain
argument.

netdom TRUST /PasswordD

Password of the user account specified

with /UserD. A * means to prompt for the
password

netdom TRUST /USER0

User account for making the connection

with the trusting domain.

netdom TRUST /Password0

Password of the user account specified

with /User0. A * means to prompt for the
password.

netdom TRUST /Verify

Verifies that the trust is operating

properly.

netdom TRUST /RESEt

Resets the trust passwords between two

domains. The domains can be named in
any order. RESEt is not valid on a trust to
a Kerberos realm unless the /PASSWORDT
parameter is included.

netdom TRUST /PasswordT

New trust password, valid only with the

/ADD or the /RESET options and only if one
of the domains specified is a non-Windows
Kerberos realm. The trust password is set
on the Windows domain only and thus
credentials are not needed for the nonWindows domain.

netdom TRUST /Add

Specifies that a trust should be created.

netdom TRUST /Remove

Specifies that a trust should be removed.

netdom TRUST /Twoway

Specifies that a trust should be

bidirectional.

netdom TRUST /Oneway

Denotes that the trust object should only

be created on one domain. The 'trusted'
keyword indicates that the trust object is
created on the trusted domain ( the one
named with the /D parameter). The
'trusting' keyword indicates that the trust
object is to be created on the trusting
domain. Valid only with the /ADD option.
The /PasswordT option is required.

netdom TRUST /REALm

Indicates that the trust is to be created to

a non-Windows Kerberos realm. Valid only
with the /ADD option. The /PasswordT
option is requried.

netdom TRUST /TRANSitive

Valid only for a non-Windows Kerberos

realm. Specifying "yes" sets it to a
transitive trust. Specifying "no" sets it to
a non-transitive trust. If neither is
specified, then the current transitivity
state will be displayed.

netdom TRUST /Kerberos

Specifies that the Kerberos authentication

protocol should be verified between a
domain or workstation and a target
domain; You must supply user accounts
and passwords for both the object and the
target domain.

netdom TRUST /Force

Valid with the /Remove option. Forces the

removal the trust (and cross-ref) on one
domain even if the other domain is not
found or does not contain matching trust
objects. You must use the full DNS name
to specify the domain. CAUTION: This
option will completely remove a child
domain.

netdom REMOVE

Removes a workstation or server from the

domain

netdom REMOVE /Domain

Specifies the domain in which to remove

the machine.

netdom REMOVE /UserD

User account used to make the connection

with the domain specified by the /Domain
argument.

netdom REMOVE /PasswordD

Password of the user account specified

by /UserD. A * means to prompt for the
password.

netdom REMOVE /User0

User account used to make the connection

with the machine to be removed.

netdom REMOVE /Password0

Password of the user account specified

by /User0. A * means to prompt for the
password.

netdom REMOVE /REBoot

Specifies that the machine should be

shutdown and automatically rebooted
after the Remove has been completed.
The number of seconds before automatic
shutdown can also be provided. Default is
20 seconds.

netdom VERIFY

Verifies the secure connection between a

workstation and a domain controller.

netdom VERIFY /Domain

Specifies the domain with which to verify

the secure connection.

netdom VERIFY /User0

User account used to make the connection

with the machine to be reset.

netdom VERIFY /Password0

Password of the user account specified

by /User0. A * means to prompt for the
password.

netdom JOIN

Joins a workstation or member server to

the domain.

netdom JOIN /Domain

Specifies the domain which the machine

should join.

netdom JOIN /UserD

User account used to make the connection

with the domain specified by the /Domain
argument.

netdom JOIN /PasswordD

Password of the user account specified

by /UserD. A * means to prompt for the
password.

netdom JOIN /User0

User account used to make the connection

with the machine to be joined.

netdom JOIN /Password0

Password of the user account specified

by /User0. A * means to prompt for the
password.

netdom JOIN /OU

Organization unit under which to create

the machine account. This must be a fully
qualified RFC 1799 DN for the OU. If not
specified, the account will be created
under the default organizational unit for
machine objects for that domain.

netdom JOIN /REBoot

Specifies that the machine should be

shutdown and automatically rebooted
after the Remove has been completed.
The number of seconds before automatic
shutdown can also be provided. Default is
20 seconds.

netdom RENAME

Renames NT4 backup domain controllers

netdom RENAME /Domain

Specifies the new name of the domain

netdom RENAME /REBoot

Specifies that the machine should be

shutdown and automatically rebooted
after the Remove has been completed.
The number of seconds before automatic
shutdown can also be provided. Default is
20 seconds.

netdom TIME

Verifies or resets the time between a

workstation and a domain controller

netdom TIME /Domain

Specifies the domian which to verify/reset

the time

netdom TIME /UserD

User account used to make the connection

with the /Domain argument.

netdom TIME /PasswordD

Password of the user account specified

by /UserD. A * means to prompt for the
password.

netdom TIME /User0

User account used to make the conneciton

with the machine to which the time
operation will be performed.

netdom TIME /Password0

Password of the user account specified

by /User0. A * means to prompt for the
password.

netdom TIME /Verify

Verify the time against the domain

controller.

netdom TIME /RESEt

Reset the time against the domain

controller.

netdom TIME WORKSTATION

Reset/verify the time for all the

workstations in a domain.

netdom TIME SERVER

Reset/Verify the time for all the domain

controllers in a domain.

netdom MOVE

Moves a workstation or member server to

a new domain

netdom MOVE /Domain

Specifies the domain to which the

machine should be moved

netdom MOVE /UserD

User account used to make the connection

with the domain specified by the /Domain
argument.

netdom MOVE /PasswordD

Password of the user account specified by

/UserD. A * means to prompt for the
password

netdom MOVE /User0

User account used to make the connection

with the machine to be used.

netdom MOVE /PasswordO

Password of the user account specified

by /User0. A * means to prompt for the
password.

netdom MOVE /OU

Organization unit under which to create

the machine account. This must be a fully
qualified RFC 1779 DN for the OU. If not
specified, the account will be created
under the default organizational unit for
the machine objects for that domain.

netdom MOVE /REBoot

Specifies that the machine should be

shutdown automatically rebooted after the
Move has completed. The number of
seconds before automatic shutdown can
also be provided. Default is 20 seconds.

netdom RESET

Resets the secure connection between a

workstation and a domain controller

netdom RESET /Domain

Specifies the domain with which to

establish the secure connection.

netdom RESET /SERVER

Name of a specific domain controller that

should be used to establish the secure
connection.

netdom RESET /User0

User account used to make the connection

with the machine to be reset.

netdom RESET /Password0

Password of the user account specified by

/User0. A * means to prompt for the
password.

netdom RESETPWD

Resets the machine account password on

the machine for which this command is
run. Currently there is no support for
resetting machine password of a remote
machine.

netdom RESETPWD /Server

Name of a specific domain controller that

should be used for setting machine
account password.

Able to perform function

Notes

NETDOM ADD machine /Domain: domain [User/user]

Write File Delete File

0

When joining a downlevel (Windows NT version 4 or before)

machine to the domain the operation is not transacted. Thus, a
failure during the operation could leave the machine in an
undetermined state with respect to the domain it is joined to.n

When moving downlevel (Windows NT version 4 or before)

machine to a new domain, the operation is not transacted.
Thus, a failure during the operation could leave the machine in
an undetermined state with respect to the domain it is joined to.
When moving a machine to a new domain,the old computer
account in the previous domain is not deleted. If the prior
domain is an NT5 domain, the old computer account will be
disabled

The act of moving a machine to a new domain will create an

account for the machine on the domain if it does not already
exist.

RegDeleteKey RegDeleteValue RegSetValue Full Output

0

link

link

Time of Day
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3

Process Name
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

PID
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

Operation
Load Image
CreateFile
RegOpenKey
Load Image
RegOpenKey
RegQueryValue
RegCloseKey
Load Image
Load Image
Load Image
Load Image
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
RegOpenKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
CloseFile
Load Image
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
QueryOpen

57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey

57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

RegOpenKey
RegOpenKey
RegCreateKey
RegOpenKey
RegOpenKey
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue

57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.3
57:21.4
57:21.4
57:21.4
57:21.4
57:21.4
57:21.4
57:21.4
57:21.4

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegOpenKey
RegQueryValue
RegCloseKey
RegCloseKey
RegCloseKey
RegOpenKey
RegQueryValue
RegQueryValue
RegQueryValue
RegCloseKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegQueryValue
RegQueryValue
RegOpenKey
RegQueryValue
RegCloseKey

Path
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\Prefetch\NETDOM.EXE-1A8D18D0.pf
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netdom.exe
C:\WINDOWS\system32\kernel32.dll
HKLM\System\CurrentControlSet\Control\Terminal Server
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat
HKLM\System\CurrentControlSet\Control\Terminal Server
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
HKLM\System\CurrentControlSet\Control\SafeBoot\Option
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\ws2_32.dll

C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll
HKLM\System\CurrentControlSet\Control\Error Message Instrument
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\netdom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility\netdom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAMLIB.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll
HKLM\System\CurrentControlSet\Services\LDAP
HKLM\System\CurrentControlSet\Services\ldap\LdapClientIntegrity
HKLM\System\CurrentControlSet\Services\ldap
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\System\CurrentControlSet\Services\DnsCache\Parameters
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\QueryAdapterName
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableAdapterDomainName
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseDomainNameDevolution
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\PrioritizeRecordData
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PrioritizeRecordData
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AllowUnqualifiedQuery
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\AllowUnqualifiedQuery
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AppendToMultiLabelName
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ScreenBadTlds
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ScreenUnreachableServers
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\FilterClusterIp
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\WaitForNameErrorOnAll
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseEdns
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\QueryIpMatching
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseHostsFile
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationEnabled
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterPrimaryName
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterAdapterName
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterReverseLookup
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterWanAdapters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableWanDynamicUpdate
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationTtl
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationTTL
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationRefreshInterval
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationMaxAddressCount
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateSecurityLevel
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UpdateSecurityLevel
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateZoneExcludeFile
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DnsTest
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheSize
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheTtl
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxNegativeCacheTtl
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AdapterTimeoutLimit

HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ServerPriorityTimeLimit
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCachedSockets
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MulticastListenLevel
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MulticastSendLevel
HKLM\System\Setup
HKLM\SYSTEM\Setup\SystemSetupInProgress
HKLM\SYSTEM\Setup
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsQueryTimeouts
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsMulticastQueryTimeouts
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTDSAPI.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cryptdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll
HKLM\System\CurrentControlSet\Control\Nls\Locale
HKLM\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKLM\System\CurrentControlSet\Control\Nls\Language Groups
HKLM\System\CurrentControlSet\Control\Nls\Locale\00000409
HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1
HKLM\System\CurrentControlSet\Control\Session Manager
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
HKLM\System\CurrentControlSet\Control\Session Manager
SUMMARY

Result
SUCCESS
NAME NOT
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
SUCCESS
SUCCESS
SUCCESS
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS

FOUND
FOUND

FOUND

FOUND

SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
SUCCESS
SUCCESS
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
SUCCESS
SUCCESS
NAME NOT

FOUND
FOUND
FOUND
FOUND

FOUND
FOUND
FOUND
FOUND
FOUND

FOUND

FOUND
FOUND
FOUND
FOUND

FOUND

NAME NOT
NAME NOT
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT

FOUND
FOUND

FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND

NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
SUCCESS

FOUND
FOUND
FOUND
FOUND

FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND

FOUND

Detail
Image Base: 0x7c900000, Image Size: 0xb0000
Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, S
Desired Access: Read
Image Base: 0x7c800000, Image Size: 0xf4000
Desired Access: Read
Type: REG_DWORD, Length: 4, Data: 0

Image Base: 0x77c10000, Image Size: 0x58000

Image Base: 0x77dd0000, Image Size: 0x9b000
Image Base: 0x77e70000, Image Size: 0x91000
Image Base: 0x77d40000, Image Size: 0x90000
Image Base: 0x77f10000, Image Size: 0x46000
CreationTime: 8/4/2004 12:56:46 AM, LastAccessTime: 8/25/2009 8:54:55 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Query Value, Set Value
Desired Access: Query Value
Type: REG_DWORD, Length: 4, Data: 1
Desired Access: Query Value

Image Base: 0x77fe0000, Image Size: 0x11000

Image Base: 0x5b860000, Image Size: 0x54000
CreationTime: 8/4/2004 12:56:46 AM, LastAccessTime: 8/25/2009 8:45:17 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x71bf0000, Image Size: 0x13000

Image Base: 0x76f60000, Image Size: 0x2c000
CreationTime: 8/4/2004 12:56:46 AM, LastAccessTime: 8/25/2009 8:51:33 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x767a0000, Image Size: 0x13000

CreationTime: 8/4/2004 12:56:44 AM, LastAccessTime: 8/25/2009 8:51:33 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x76f20000, Image Size: 0x27000

CreationTime: 8/4/2004 12:56:48 AM, LastAccessTime: 8/25/2009 8:51:33 AM, LastWriteTime: 8/4/200

Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert

SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x71ab0000, Image Size: 0x17000

CreationTime: 8/4/2004 12:56:48 AM, LastAccessTime: 8/25/2009 8:51:33 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x71aa0000, Image Size: 0x8000

CreationTime: 8/4/2004 12:56:42 AM, LastAccessTime: 8/25/2009 7:56:01 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Image Base: 0x76790000, Image Size: 0xc000
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Length: 144
Desired Access:
Desired Access:
Desired Access:
Desired Access:
Desired Access:
Desired Access:
Length: 172

Maximum Allowed
Read
Read
Read
Read
Read

Desired Access: Read

Length: 172
Desired Access: Read
Type: REG_SZ, Length: 2, Data:
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Type: REG_DWORD, Length: 4, Data: 1
Desired Access: Read

Desired Access: Read

Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Length: 144
Length: 144
Length: 144
Type: REG_DWORD, Length: 4, Data: 1
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144

Length: 144
Length: 144
Length: 144
Length: 144
Desired Access: Query Value
Type: REG_DWORD, Length: 4, Data: 0

Desired Access: Query Value

Length: 144
Length: 144
Length: 144
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Type: REG_SZ, Length: 4, Data: 1
Type: REG_SZ, Length: 4, Data: 1
Desired Access: Query Value
Length: 16

Time of Day
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

Process Name
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

PID
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

Operation
Load Image
CreateFile
QueryStandardInformationFile
ReadFile
CloseFile
CreateFile
QueryDirectory
QueryDirectory
CloseFile
CreateFile
QueryDirectory
QueryDirectory
CloseFile
CreateFile
QueryDirectory
QueryDirectory
QueryDirectory
QueryDirectory
QueryDirectory
QueryDirectory
CloseFile
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile

57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping

57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CreateFile
CreateFileMapping
QueryStandardInformationFile
CreateFileMapping
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile

57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile

57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
CloseFile
RegOpenKey
Load Image
RegOpenKey
RegQueryValue
RegCloseKey
Load Image
Load Image
Load Image
Load Image
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
RegOpenKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
CloseFile
Load Image
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping

57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

CloseFile
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
QueryOpen
CreateFile
CreateFileMapping
CreateFileMapping
CloseFile
Load Image
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegQueryValue
RegCloseKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey

57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

RegQueryValue
RegCloseKey
RegOpenKey
RegOpenKey
RegOpenKey
RegCreateKey
RegOpenKey
RegOpenKey
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue

57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3
57:45.3

netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe
netdom.exe

4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088
4088

RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegQueryValue
RegOpenKey
RegQueryValue
RegCloseKey
RegCloseKey
RegCloseKey
RegOpenKey
RegQueryValue
RegQueryValue
RegQueryValue
RegCloseKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegOpenKey
RegQueryValue
RegQueryValue
RegOpenKey
RegQueryValue
RegCloseKey

Path
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\Prefetch\NETDOM.EXE-1A8D18D0.pf
C:\WINDOWS\Prefetch\NETDOM.EXE-1A8D18D0.pf
C:\WINDOWS\Prefetch\NETDOM.EXE-1A8D18D0.pf
C:\WINDOWS\Prefetch\NETDOM.EXE-1A8D18D0.pf
C:\
C:\
C:\
C:\
C:\WINDOWS
C:\WINDOWS
C:\WINDOWS
C:\WINDOWS
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\unicode.nls
C:\WINDOWS\system32\unicode.nls
C:\WINDOWS\system32\unicode.nls
C:\WINDOWS\system32\unicode.nls
C:\WINDOWS\system32\locale.nls
C:\WINDOWS\system32\locale.nls
C:\WINDOWS\system32\locale.nls
C:\WINDOWS\system32\locale.nls
C:\WINDOWS\system32\sorttbls.nls
C:\WINDOWS\system32\sorttbls.nls
C:\WINDOWS\system32\sorttbls.nls
C:\WINDOWS\system32\sorttbls.nls
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\msvcrt.dll

C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll

C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\ctype.nls
C:\WINDOWS\system32\ctype.nls
C:\WINDOWS\system32\ctype.nls
C:\WINDOWS\system32\ctype.nls
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\unicode.nls
C:\WINDOWS\system32\locale.nls
C:\WINDOWS\system32\sorttbls.nls
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\ctype.nls
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\rpcrt4.dll

C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\samlib.dll

C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\cryptdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netdom.exe
C:\WINDOWS\system32\kernel32.dll
HKLM\System\CurrentControlSet\Control\Terminal Server
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat
HKLM\System\CurrentControlSet\Control\Terminal Server
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
HKLM\System\CurrentControlSet\Control\SafeBoot\Option
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\samlib.dll
C:\WINDOWS\system32\wldap32.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\ntdsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll

C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll
HKLM\System\CurrentControlSet\Control\Error Message Instrument
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\netdom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility\netdom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAMLIB.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll
HKLM\System\CurrentControlSet\Services\LDAP

HKLM\System\CurrentControlSet\Services\ldap\LdapClientIntegrity
HKLM\System\CurrentControlSet\Services\ldap
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\System\CurrentControlSet\Services\DnsCache\Parameters
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\QueryAdapterName
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableAdapterDomainName
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseDomainNameDevolution
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\PrioritizeRecordData
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PrioritizeRecordData
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AllowUnqualifiedQuery
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\AllowUnqualifiedQuery
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AppendToMultiLabelName
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ScreenBadTlds
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ScreenUnreachableServers
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\FilterClusterIp
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\WaitForNameErrorOnAll
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseEdns
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\QueryIpMatching
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UseHostsFile
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationEnabled
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterPrimaryName
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterAdapterName
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterReverseLookup
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegisterWanAdapters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableWanDynamicUpdate
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationTtl
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationTTL
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationRefreshInterval
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\RegistrationMaxAddressCount
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateSecurityLevel
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UpdateSecurityLevel
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateZoneExcludeFile
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DnsTest
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheSize

HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheTtl
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxNegativeCacheTtl
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\AdapterTimeoutLimit
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\ServerPriorityTimeLimit
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MaxCachedSockets
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MulticastListenLevel
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\MulticastSendLevel
HKLM\System\Setup
HKLM\SYSTEM\Setup\SystemSetupInProgress
HKLM\SYSTEM\Setup
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\System\CurrentControlSet\Services\Dnscache\Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsQueryTimeouts
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DnsMulticastQueryTimeouts
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTDSAPI.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cryptdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll
HKLM\System\CurrentControlSet\Control\Nls\Locale
HKLM\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKLM\System\CurrentControlSet\Control\Nls\Language Groups
HKLM\System\CurrentControlSet\Control\Nls\Locale\00000409
HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1
HKLM\System\CurrentControlSet\Control\Session Manager
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
HKLM\System\CurrentControlSet\Control\Session Manager
SUMMARY

Result
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NO MORE FILES
SUCCESS
SUCCESS
SUCCESS
NO MORE FILES
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NO MORE FILES
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS

SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS

SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS

SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS

SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT FOUND
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT FOUND
SUCCESS
SUCCESS
SUCCESS
NAME NOT FOUND
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS

SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
SUCCESS
SUCCESS
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS

FOUND
FOUND
FOUND
FOUND

FOUND
FOUND
FOUND
FOUND
FOUND

FOUND

FOUND
FOUND
FOUND
FOUND

SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT

FOUND
FOUND
FOUND

FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND

NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
NAME NOT
NAME NOT
SUCCESS
NAME NOT
NAME NOT
NAME NOT
NAME NOT
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
SUCCESS
NAME NOT
SUCCESS

FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND

FOUND
FOUND
FOUND
FOUND
FOUND
FOUND
FOUND

FOUND

Detail
Image Base: 0x7c900000, Image Size: 0xb0000
Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, S
AllocationSize: 8,192, EndOfFile: 6,614, NumberOfLinks: 1, DeletePending: False, Directory: False
Offset: 0, Length: 6,614

Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchro
0: AUTOEXEC.BAT, 1: boot.ini, 2: Config.Msi, 3: CONFIG.SYS, 4: dell, 5: Documents and Settings, 6: IO.

Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchro
0: ., 1: .., 2: $MSI31Uninstall_KB893803v2$, 3: $NtUninstallKB835221WXP$, 4: 0.log, 5: addins, 6: App

Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchro
0: ., 1: .., 2: $winnt$.inf, 3: 1025, 4: 1028, 5: 1031, 6: 1033, 7: 1037, 8: 1041, 9: 1042, 10: 1054, 11: 1
0: exe2bin.exe, 1: expand.exe, 2: export, 3: expsrv.dll, 4: extmgr.dll, 5: extrac32.exe, 6: exts.dll, 7: fas
0: msadp32.acm, 1: msafd.dll, 2: msapsspc.dll, 3: msasn1.dll, 4: msaud32.acm, 5: msaudite.dll, 6: ms
0: qappsrv.exe, 1: qasf.dll, 2: qcap.dll, 3: qdv.dll, 4: qdvd.dll, 5: qedit.dll, 6: qedwipes.dll, 7: qmgr.dll, 8
0: webcheck.dll, 1: webclnt.dll, 2: webfldrs.msi, 3: webhits.dll, 4: webvw.dll, 5: wextract.exe, 6: wfwne

Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 708,608, EndOfFile: 708,096, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 987,136, EndOfFile: 983,552, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 90,112, EndOfFile: 89,588, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 249,856, EndOfFile: 249,270, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 24,576, EndOfFile: 22,040, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 344,064, EndOfFile: 343,040, NumberOfLinks: 1, DeletePending: False, Directory: False

SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 618,496, EndOfFile: 616,960, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 581,632, EndOfFile: 581,120, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 577,536, EndOfFile: 577,024, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 278,528, EndOfFile: 278,016, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 57,344, EndOfFile: 55,808, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 335,872, EndOfFile: 332,288, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 65,536, EndOfFile: 64,000, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 172,032, EndOfFile: 172,032, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 69,632, EndOfFile: 67,072, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 151,552, EndOfFile: 148,480, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 86,016, EndOfFile: 82,944, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther

Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 20,480, EndOfFile: 19,968, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 36,864, EndOfFile: 33,280, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther
Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory F
SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE
AllocationSize: 12,288, EndOfFile: 8,386, NumberOfLinks: 1, DeletePending: False, Directory: False
SyncType: SyncTypeOther

Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory

SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE

SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

File, Attributes: N, ShareM

Desired Access: Read

Image Base: 0x7c800000, Image Size: 0xf4000
Desired Access: Read
Type: REG_DWORD, Length: 4, Data: 0

Image Base: 0x77c10000, Image Size: 0x58000

Image Base: 0x77dd0000, Image Size: 0x9b000
Image Base: 0x77e70000, Image Size: 0x91000
Image Base: 0x77d40000, Image Size: 0x90000
Image Base: 0x77f10000, Image Size: 0x46000
CreationTime: 8/4/2004 12:56:46 AM, LastAccessTime: 8/25/2009 8:57:45 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Desired Access: Query Value, Set Value
Desired Access: Query Value
Type: REG_DWORD, Length: 4, Data: 1
Desired Access: Query Value

Image Base: 0x77fe0000, Image Size: 0x11000

Image Base: 0x5b860000, Image Size: 0x54000
CreationTime: 8/4/2004 12:56:46 AM, LastAccessTime: 8/25/2009 8:57:45 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x71bf0000, Image Size: 0x13000

Image Base: 0x76f60000, Image Size: 0x2c000
CreationTime: 8/4/2004 12:56:46 AM, LastAccessTime: 8/25/2009 8:57:45 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x767a0000, Image Size: 0x13000

CreationTime: 8/4/2004 12:56:44 AM, LastAccessTime: 8/25/2009 8:57:45 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x76f20000, Image Size: 0x27000

CreationTime: 8/4/2004 12:56:48 AM, LastAccessTime: 8/25/2009 8:57:45 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x71ab0000, Image Size: 0x17000

CreationTime: 8/4/2004 12:56:48 AM, LastAccessTime: 8/25/2009 8:57:45 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther

Image Base: 0x71aa0000, Image Size: 0x8000

CreationTime: 8/4/2004 12:56:42 AM, LastAccessTime: 8/25/2009 8:57:45 AM, LastWriteTime: 8/4/200
Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert
SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
SyncType: SyncTypeOther
Image Base: 0x76790000, Image Size: 0xc000
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Length: 144
Desired Access:
Desired Access:
Desired Access:
Desired Access:
Desired Access:
Desired Access:
Length: 172

Maximum Allowed
Read
Read
Read
Read
Read

Desired Access: Read

Length: 172
Desired Access: Read
Type: REG_SZ, Length: 2, Data:
Desired
Desired
Desired
Desired
Desired

Access:
Access:
Access:
Access:
Access:

Read
Read
Read
Read
Read

Type: REG_DWORD, Length: 4, Data: 1

Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Length: 144
Length: 144
Length: 144
Type: REG_DWORD, Length: 4, Data: 1
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144

Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Length: 144
Desired Access: Query Value
Type: REG_DWORD, Length: 4, Data: 0

Desired Access: Query Value

Length: 144
Length: 144
Length: 144
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Desired Access: Read
Type: REG_SZ, Length: 4, Data: 1
Type: REG_SZ, Length: 4, Data: 1
Desired Access: Query Value
Length: 16

ownloaded Program Files, 20: DPINST.LOG, 21: Driver Cache, 22: DtcInstall.log, 23: ehome, 24: explorer.exe, 25:

5: activeds.tlb, 26: actmovie.exe, 27: actxprxy.dll, 28: admparse.dll, 29: adptif.dll, 30: adsldp.dll, 31: adsldpc.dll,
22: FM20.DLL, 23: FM20ENU.DLL, 24: fmifs.dll, 25: FNTCACHE.DAT, 26: fontext.dll, 27: fontsub.dll, 28: fontview.e
art.dll, 19: msdatsrc.tlb, 20: msdmo.dll, 21: MsDtc, 22: msdtc.exe, 23: msdtclog.dll, 24: msdtcprf.h, 25: msdtcprf
m.h, 22: rasctrs.dll, 23: rasctrs.ini, 24: rasdial.exe, 25: rasdlg.dll, 26: rasman.dll, 27: rasmans.dll, 28: rasmontr.d
: win87em.dll, 21: winbrand.dll, 22: winchat.exe, 23: WindowsLogon.manifest, 24: winfax.dll, 25: winhelp.hlp, 26

: ehome, 24: explorer.exe, 25: explorer.scf, 26: FaxSetup.log, 27: FeatherTexture.bmp, 28: Fonts, 29: Gone Fishin

30: adsldp.dll, 31: adsldpc.dll, 32: adsmsext.dll, 33: adsnds.dll, 34: adsnt.dll, 35: adsnw.dll, 36: advapi32.dll, 37
, 27: fontsub.dll, 28: fontview.exe, 29: forcedos.exe, 30: format.com, 31: framebuf.dll, 32: freecell.exe, 33: fsmg
l, 24: msdtcprf.h, 25: msdtcprf.ini, 26: msdtcprx.dll, 27: msdtctm.dll, 28: msdtcuiu.dll, 29: msdxm.ocx, 30: msdx
27: rasmans.dll, 28: rasmontr.dll, 29: rasmxs.dll, 30: rasphone.exe, 31: rasppp.dll, 32: rasrad.dll, 33: rassapi.dll,
: winfax.dll, 25: winhelp.hlp, 26: winhlp32.exe, 27: winhttp.dll, 28: wininet.dll, 29: winipsec.dll, 30: winlogon.exe

bmp, 28: Fonts, 29: Gone Fishing.bmp, 30: Greenstone.bmp, 31: Help, 32: hh.exe, 33: iis6.log, 34: ime, 35: imsin

adsnw.dll, 36: advapi32.dll, 37: advpack.dll, 38: ahui.exe, 39: alg.exe, 40: alrsvc.dll, 41: amcompat.tlb, 42: ams
f.dll, 32: freecell.exe, 33: fsmgmt.msc, 34: fsquirt.exe, 35: fsusd.dll, 36: fsutil.exe, 37: ftp.exe, 38: ftsrch.dll, 39:
u.dll, 29: msdxm.ocx, 30: msdxmlc.dll, 31: msencode.dll, 32: msexch40.dll, 33: msexcl40.dll, 34: msftedit.dll, 35
, 32: rasrad.dll, 33: rassapi.dll, 34: rasser.dll, 35: rastapi.dll, 36: rastls.dll, 37: rcbdyctl.dll, 38: RcdScan.dll, 39: rc
winipsec.dll, 30: winlogon.exe, 31: winmine.exe, 32: winmm.dll, 33: winmsd.exe, 34: winnls.dll, 35: winntbbu.d

33: iis6.log, 34: ime, 35: imsins.BAK, 36: imsins.log, 37: inf, 38: Installer, 39: java, 40: KB835221.log, 41: KB893

dll, 41: amcompat.tlb, 42: amstream.dll, 43: ansi.sys, 44: apcups.dll, 45: append.exe, 46: apphelp.dll, 47: appm
, 37: ftp.exe, 38: ftsrch.dll, 39: fwcfg.dll, 40: g711codc.ax, 41: gb2312.uce, 42: gcdef.dll, 43: gdi.exe, 44: gdi32.d
sexcl40.dll, 34: msftedit.dll, 35: msg.exe, 36: msg711.acm, 37: msg723.acm, 38: msgina.dll, 39: msgsm32.acm
dyctl.dll, 38: RcdScan.dll, 39: rcimlby.exe, 40: rcp.exe, 41: rdchost.dll, 42: rdpcfgex.dll, 43: rdpclip.exe, 44: rdpdd
34: winnls.dll, 35: winntbbu.dll, 36: winoldap.mod, 37: winrnr.dll, 38: wins, 39: winscard.dll, 40: winshfhc.dll, 41

a, 40: KB835221.log, 41: KB893803v2.log, 42: MedCtrOC.log, 43: Media, 44: msagent, 45: msapps, 46: msdfmap

exe, 46: apphelp.dll, 47: appmgmts.dll, 48: appmgr.dll, 49: appwiz.cpl, 50: arp.exe, 51: asctrls.ocx, 52: asferror.d
def.dll, 43: gdi.exe, 44: gdi32.dll, 45: geo.nls, 46: getmac.exe, 47: getuname.dll, 48: glmf32.dll, 49: glu32.dll, 50
msgina.dll, 39: msgsm32.acm, 40: msgsvc.dll, 41: msh261.drv, 42: msh263.drv, 43: mshearts.exe, 44: mshta.e
x.dll, 43: rdpclip.exe, 44: rdpdd.dll, 45: rdpsnd.dll, 46: rdpwsx.dll, 47: rdsaddin.exe, 48: rdshost.exe, 49: recover.
nscard.dll, 40: winshfhc.dll, 41: winsock.dll, 42: winspool.drv, 43: winspool.exe, 44: winsrv.dll, 45: winsta.dll, 46

gent, 45: msapps, 46: msdfmap.ini, 47: msgsocm.log, 48: msmqinst.log, 49: mui, 50: netfxocm.log, 51: NOTEPAD

e, 51: asctrls.ocx, 52: asferror.dll, 53: asr_fmt.exe, 54: asr_ldm.exe, 55: asr_pfu.exe, 56: asycfilt.dll, 57: at.exe, 5
48: glmf32.dll, 49: glu32.dll, 50: gpedit.dll, 51: gpedit.msc, 52: gpkcsp.dll, 53: gpkrsrc.dll, 54: gpresult.exe, 55: g
43: mshearts.exe, 44: mshta.exe, 45: mshtml.dll, 46: mshtml.tlb, 47: mshtmled.dll, 48: mshtmler.dll, 49: msi.dl
e, 48: rdshost.exe, 49: recover.exe, 50: redir.exe, 51: reg.exe, 52: regapi.dll, 53: regedt32.exe, 54: regini.exe, 55
4: winsrv.dll, 45: winsta.dll, 46: winstrm.dll, 47: wintrust.dll, 48: winver.exe, 49: WISPTIS.EXE, 50: wkssvc.dll, 51

50: netfxocm.log, 51: NOTEPAD.EXE, 52: ntdtcsetup.log, 53: nview, 54: ocgen.log, 55: ocmsn.log, 56: ODBCINST

xe, 56: asycfilt.dll, 57: at.exe, 58: atkctrs.dll, 59: atl.dll, 60: atmadm.exe, 61: atmfd.dll, 62: atmlib.dll, 63: atmpv
krsrc.dll, 54: gpresult.exe, 55: gptext.dll, 56: gpupdate.exe, 57: graftabl.com, 58: graphics.com, 59: graphics.pro
dll, 48: mshtmler.dll, 49: msi.dll, 50: msident.dll, 51: msidle.dll, 52: msidntld.dll, 53: msieftp.dll, 54: msiexec.exe
egedt32.exe, 54: regini.exe, 55: regsvc.dll, 56: regsvr32.exe, 57: regwiz.exe, 58: regwizc.dll, 59: ReinstallBackup
WISPTIS.EXE, 50: wkssvc.dll, 51: wldap32.dll, 52: wlnotify.dll, 53: wmadmod.dll, 54: wmadmoe.dll, 55: wmasf.dll,

, 55: ocmsn.log, 56: ODBCINST.INI, 57: OEWABLog.txt, 58: Offline Web Pages, 59: oobeact.log, 60: pchealth, 61:

d.dll, 62: atmlib.dll, 63: atmpvcno.dll, 64: atrace.dll, 65: attrib.exe, 66: audiosrv.dll, 67: auditusr.exe, 68: authz.d
graphics.com, 59: graphics.pro, 60: grpconv.exe, 61: h323.tsp, 62: h323log.txt, 63: h323msp.dll, 64: hal.dll, 65:
3: msieftp.dll, 54: msiexec.exe, 55: msihnd.dll, 56: msimg32.dll, 57: msimsg.dll, 58: MSIMTF.dll, 59: msisip.dll, 6
egwizc.dll, 59: ReinstallBackups, 60: relog.exe, 61: remotepg.dll, 62: remotesp.tsp, 63: rend.dll, 64: replace.exe
: wmadmoe.dll, 55: wmasf.dll, 56: wmdmlog.dll, 57: wmdmps.dll, 58: wmerrenu.dll, 59: wmerror.dll, 60: wmi.dll,

oobeact.log, 60: pchealth, 61: PeerNet, 62: Prairie Wind.bmp, 63: Prefetch, 64: Provisioning, 65: pss, 66: regedi

ll, 67: auditusr.exe, 68: authz.dll, 69: autochk.exe, 70: autoconv.exe, 71: autodisc.dll, 72: AUTOEXEC.NT, 73: aut
3: h323msp.dll, 64: hal.dll, 65: hccoin.dll, 66: Hdaudprop.dll, 67: Hdaudpropres.dll, 68: Hdaudpropshortcut.exe,
58: MSIMTF.dll, 59: msisip.dll, 60: msjet40.dll, 61: msjetoledb40.dll, 62: msjint40.dll, 63: msjter40.dll, 64: msjtes
p, 63: rend.dll, 64: replace.exe, 65: reset.exe, 66: Restore, 67: results.txt, 68: resutils.dll, 69: rexec.exe, 70: riche
ll, 59: wmerror.dll, 60: wmi.dll, 61: wmidx.dll, 62: wmimgmt.msc, 63: wmiprop.dll, 64: wmiscmgr.dll, 65: wmnet

rovisioning, 65: pss, 66: regedit.exe, 67: Registration, 68: REGLOCS.OLD, 69: regopt.log, 70: repair, 71: Resource

.dll, 72: AUTOEXEC.NT, 73: autofmt.exe, 74: autolfn.exe, 75: avicap.dll, 76: avicap32.dll, 77: avifil32.dll, 78: avifi
l, 68: Hdaudpropshortcut.exe, 69: hdwwiz.cpl, 70: help.exe, 71: hhactivex.dll, 72: hhctrl.ocx, 73: hhsetup.dll, 74
dll, 63: msjter40.dll, 64: msjtes40.dll, 65: mslbui.dll, 66: msls31.dll, 67: msltus40.dll, 68: msnetobj.dll, 69: msnss
utils.dll, 69: rexec.exe, 70: riched20.dll, 71: riched32.dll, 72: RMDevice.dll, 73: rnr20.dll, 74: route.exe, 75: routem
, 64: wmiscmgr.dll, 65: wmnetmgr.dll, 66: wmp.dll, 67: wmp.ocx, 68: wmpasf.dll, 69: wmpcd.dll, 70: wmpcore.dl

pt.log, 70: repair, 71: Resources, 72: Rhododendron.bmp, 73: River Sumida.bmp, 74: Santa Fe Stucco.bmp, 75:

p32.dll, 77: avifil32.dll, 78: avifile.dll, 79: avmeter.dll, 80: avtapi.dll, 81: avwav.dll, 82: basesrv.dll, 83: batmeter.
hhctrl.ocx, 73: hhsetup.dll, 74: hid.dll, 75: hidphone.tsp, 76: himem.sys, 77: hlink.dll, 78: hnetcfg.dll, 79: hnetm
dll, 68: msnetobj.dll, 69: msnsspc.dll, 70: msobjs.dll, 71: msoeacct.dll, 72: msoert2.dll, 73: msonpmon.dll, 74: m
20.dll, 74: route.exe, 75: routemon.exe, 76: routetab.dll, 77: rpcns4.dll, 78: rpcrt4.dll, 79: rpcss.dll, 80: rsaci.rat,
69: wmpcd.dll, 70: wmpcore.dll, 71: wmpdxm.dll, 72: wmploc.dll, 73: wmpshell.dll, 74: wmpui.dll, 75: wmsdmod

74: Santa Fe Stucco.bmp, 75: SchedLgU.Txt, 76: security, 77: sessmgr.setup.log, 78: SET3.tmp, 79: SET4.tmp, 8

, 82: basesrv.dll, 83: batmeter.dll, 84: batt.dll, 85: bidispl.dll, 86: bios1.rom, 87: bios4.rom, 88: bitsprx2.dll, 89: b
k.dll, 78: hnetcfg.dll, 79: hnetmon.dll, 80: hnetwiz.dll, 81: homepage.inf, 82: hostname.exe, 83: hotplug.dll, 84:
2.dll, 73: msonpmon.dll, 74: msorc32r.dll, 75: msorcl32.dll, 76: mspaint.exe, 77: mspatcha.dll, 78: mspbde40.dl
.dll, 79: rpcss.dll, 80: rsaci.rat, 81: rsaenh.dll, 82: rsfsaps.dll, 83: rsh.exe, 84: rshx32.dll, 85: rsm.exe, 86: rsmps
l, 74: wmpui.dll, 75: wmsdmod.dll, 76: wmsdmoe.dll, 77: wmsdmoe2.dll, 78: wmspdmod.dll, 79: wmspdmoe.dll

78: SET3.tmp, 79: SET4.tmp, 80: SET8.tmp, 81: setupact.log, 82: setupapi.log, 83: setuperr.log, 84: setuplog.tx

os4.rom, 88: bitsprx2.dll, 89: bitsprx3.dll, 90: blackbox.dll, 91: blastcln.exe, 92: bootcfg.exe, 93: bootok.exe, 94
name.exe, 83: hotplug.dll, 84: hticons.dll, 85: html.iec, 86: httpapi.dll, 87: htui.dll, 88: hypertrm.dll, 89: iac25_32
mspatcha.dll, 78: mspbde40.dll, 79: mspmsnsv.dll, 80: mspmsp.dll, 81: msports.dll, 82: msprivs.dll, 83: msr2c.dl
x32.dll, 85: rsm.exe, 86: rsmps.dll, 87: rsmsink.exe, 88: rsmui.exe, 89: rsnotify.exe, 90: rsop.msc, 91: rsopprov.e
spdmod.dll, 79: wmspdmoe.dll, 80: wmstream.dll, 81: wmv8ds32.ax, 82: wmvcore.dll, 83: wmvdmod.dll, 84: wm

3: setuperr.log, 84: setuplog.txt, 85: SHELLNEW, 86: Soap Bubbles.bmp, 87: SoftwareDistribution, 88: srchasst, 8

ootcfg.exe, 93: bootok.exe, 94: bootvid.dll, 95: bootvrfy.exe, 96: bopomofo.uce, 97: browselc.dll, 98: browser.dll
88: hypertrm.dll, 89: iac25_32.ax, 90: ias, 91: iasacct.dll, 92: iasads.dll, 93: iashlpr.dll, 94: iasnap.dll, 95: iaspol
ll, 82: msprivs.dll, 83: msr2c.dll, 84: msr2cenu.dll, 85: msratelc.dll, 86: msrating.dll, 87: msrclr40.dll, 88: msrd2x
e, 90: rsop.msc, 91: rsopprov.exe, 92: rsvp.exe, 93: rsvp.ini, 94: rsvpcnts.h, 95: rsvpmsg.dll, 96: rsvpperf.dll, 97:
e.dll, 83: wmvdmod.dll, 84: wmvdmoe2.dll, 85: wmvds32.ax, 86: wow32.dll, 87: wowdeb.exe, 88: wowexec.exe,

wareDistribution, 88: srchasst, 89: Sti_Trace.log, 90: stsystra.exe, 91: system, 92: system.ini, 93: system32, 94: t

7: browselc.dll, 98: browser.dll, 99: browseui.dll, 100: browsewm.dll, 101: bthci.dll, 102: bthprops.cpl, 103: bths
pr.dll, 94: iasnap.dll, 95: iaspolcy.dll, 96: iasrad.dll, 97: iasrecst.dll, 98: iassam.dll, 99: iassdo.dll, 100: iassvcs.dll
dll, 87: msrclr40.dll, 88: msrd2x40.dll, 89: msrd3x40.dll, 90: msrecr40.dll, 91: msrepl40.dll, 92: msrle32.dll, 93: m
vpmsg.dll, 96: rsvpperf.dll, 97: rsvpsp.dll, 98: rtcshare.exe, 99: rtipxmib.dll, 100: rtm.dll, 101: rtutils.dll, 102: run
wowdeb.exe, 88: wowexec.exe, 89: wowfax.dll, 90: wowfaxui.dll, 91: wpa.dbl, 92: wpabaln.exe, 93: wpnpinst.exe

system.ini, 93: system32, 94: tabletoc.log, 95: TASKMAN.EXE, 96: Tasks, 97: Temp, 98: tsoc.log, 99: twain.dll, 10

l, 102: bthprops.cpl, 103: bthserv.dll, 104: btpanui.dll, 105: cabinet.dll, 106: cabview.dll, 107: cacls.exe, 108: ca
99: iassdo.dll, 100: iassvcs.dll, 101: icaapi.dll, 102: iccvid.dll, 103: icfgnt5.dll, 104: icm32.dll, 105: icmp.dll, 106
epl40.dll, 92: msrle32.dll, 93: mssap.dll, 94: msscds32.ax, 95: msscp.dll, 96: msscript.ocx, 97: mssign32.dll, 98
rtm.dll, 101: rtutils.dll, 102: runas.exe, 103: rundll32.exe, 104: runonce.exe, 105: rwinsta.exe, 106: s24NCfg.dll,
wpabaln.exe, 93: wpnpinst.exe, 94: write.exe, 95: ws2help.dll, 96: ws2_32.dll, 97: wscntfy.exe, 98: wscript.exe, 9

p, 98: tsoc.log, 99: twain.dll, 100: twain_32, 101: twain_32.dll, 102: twunk_16.exe, 103: twunk_32.exe, 104: vb.in

iew.dll, 107: cacls.exe, 108: calc.exe, 109: camocx.dll, 110: capesnpn.dll, 111: cards.dll, 112: CatRoot, 113: CatR
4: icm32.dll, 105: icmp.dll, 106: icmui.dll, 107: icsxml, 108: icwdial.dll, 109: icwphbk.dll, 110: ideograf.uce, 111:
cript.ocx, 97: mssign32.dll, 98: mssip32.dll, 99: MSSTDFMT.DLL, 100: msswch.dll, 101: msswchx.exe, 102: msta
rwinsta.exe, 106: s24NCfg.dll, 107: safrcdlg.dll, 108: safrdm.dll, 109: safrslv.dll, 110: samlib.dll, 111: samsrv.dll,
wscntfy.exe, 98: wscript.exe, 99: wscsvc.dll, 100: wscui.cpl, 101: wsecedit.dll, 102: wshatm.dll, 103: wshbth.dll

103: twunk_32.exe, 104: vb.ini, 105: vbaddin.ini, 106: vmmreg32.dll, 107: Web, 108: wiadebug.log, 109: wiase

rds.dll, 112: CatRoot, 113: CatRoot2, 114: catsrv.dll, 115: catsrvps.dll, 116: catsrvut.dll, 117: ccfgnt.dll, 118: cdf
hbk.dll, 110: ideograf.uce, 111: idq.dll, 112: ie4uinit.exe, 113: ieakeng.dll, 114: ieaksie.dll, 115: ieakui.dll, 116: ie
101: msswchx.exe, 102: mstask.dll, 103: mstext40.dll, 104: mstime.dll, 105: mstinit.exe, 106: mstlsapi.dll, 107
10: samlib.dll, 111: samsrv.dll, 112: sapi.cpl.manifest, 113: savedump.exe, 114: sbe.dll, 115: sbeio.dll, 116: sc.e
2: wshatm.dll, 103: wshbth.dll, 104: wshcon.dll, 105: wshext.dll, 106: wship6.dll, 107: wshisn.dll, 108: wshnetbs

108: wiadebug.log, 109: wiaservc.log, 110: win.ini, 111: WindowsShell.Manifest, 112: WindowsUpdate.log, 113:

ut.dll, 117: ccfgnt.dll, 118: cdfview.dll, 119: cdm.dll, 120: cdmodem.dll, 121: cdosys.dll, 122: cdplayer.exe.mani
aksie.dll, 115: ieakui.dll, 116: iedkcs32.dll, 117: ieencode.dll, 118: iepeers.dll, 119: iernonce.dll, 120: iesetup.dll
init.exe, 106: mstlsapi.dll, 107: mstsc.exe, 108: mstscax.dll, 109: msutb.dll, 110: msv1_0.dll, 111: msvbvm50.d
sbe.dll, 115: sbeio.dll, 116: sc.exe, 117: scarddlg.dll, 118: scardssp.dll, 119: scardsvr.exe, 120: sccbase.dll, 121:
107: wshisn.dll, 108: wshnetbs.dll, 109: wshom.ocx, 110: WshRm.dll, 111: wshtcpip.dll, 112: wsnmp32.dll, 113:

112: WindowsUpdate.log, 113: winhelp.exe, 114: winhlp32.exe, 115: winnt.bmp, 116: winnt256.bmp, 117: WinS

sys.dll, 122: cdplayer.exe.manifest, 123: certcli.dll, 124: certmgr.dll, 125: certmgr.msc, 126: cewmdm.dll, 127: c
9: iernonce.dll, 120: iesetup.dll, 121: ieuinit.inf, 122: iexpress.exe, 123: ifmon.dll, 124: ifsutil.dll, 125: igmpagnt.d
msv1_0.dll, 111: msvbvm50.dll, 112: msvbvm60.dll, 113: msvcirt.dll, 114: msvcp50.dll, 115: msvcp60.dll, 116:
svr.exe, 120: sccbase.dll, 121: sccsccp.dll, 122: scecli.dll, 123: scesrv.dll, 124: schannel.dll, 125: schedsvc.dll, 12
pip.dll, 112: wsnmp32.dll, 113: wsock32.dll, 114: wstdecod.dll, 115: wstpager.ax, 116: wstrenderer.ax, 117: wtsa

116: winnt256.bmp, 117: WinSxS, 118: wmsetup.log, 119: WMSysPr9.prx, 120: Zapotec.bmp, 121: _default.pif

msc, 126: cewmdm.dll, 127: cfgbkend.dll, 128: cfgmgr32.dll, 129: charmap.exe, 130: chcp.com, 131: chkdsk.ex
124: ifsutil.dll, 125: igmpagnt.dll, 126: iissuba.dll, 127: ils.dll, 128: imaadp32.acm, 129: imagehlp.dll, 130: imap
p50.dll, 115: msvcp60.dll, 116: msvcrt.dll, 117: msvcrt20.dll, 118: msvcrt40.dll, 119: msvfw32.dll, 120: msvidc3
hannel.dll, 125: schedsvc.dll, 126: schtasks.exe, 127: sclgntfy.dll, 128: SCP32.DLL, 129: scredir.dll, 130: scriptpw
116: wstrenderer.ax, 117: wtsapi32.dll, 118: wuapi.dll, 119: wuauclt.exe, 120: wuauclt1.exe, 121: wuaucpl.cpl, 1

potec.bmp, 121: _default.pif

130: chcp.com, 131: chkdsk.exe, 132: chkntfs.exe, 133: ciadmin.dll, 134: ciadv.msc, 135: cic.dll, 136: cidaemon
, 129: imagehlp.dll, 130: imapi.exe, 131: IME, 132: imeshare.dll, 133: imgutil.dll, 134: imm32.dll, 135: inetcfg.d
19: msvfw32.dll, 120: msvidc32.dll, 121: msvidctl.dll, 122: msvideo.dll, 123: msw3prt.dll, 124: mswdat10.dll, 12
129: scredir.dll, 130: scriptpw.dll, 131: scrnsave.scr, 132: scrobj.dll, 133: scrrun.dll, 134: sdbinst.exe, 135: sdhc
auclt1.exe, 121: wuaucpl.cpl, 122: wuaucpl.cpl.manifest, 123: wuaueng.dll, 124: wuaueng1.dll, 125: wuauserv.d

sc, 135: cic.dll, 136: cidaemon.exe, 137: ciodm.dll, 138: cipher.exe, 139: cisvc.exe, 140: ckcnv.exe, 141: clb.dll,
134: imm32.dll, 135: inetcfg.dll, 136: inetcomm.dll, 137: inetcpl.cpl, 138: inetcplc.dll, 139: inetmib1.dll, 140: ine
3prt.dll, 124: mswdat10.dll, 125: mswebdvd.dll, 126: mswmdm.dll, 127: mswsock.dll, 128: mswstr10.dll, 129: m
dll, 134: sdbinst.exe, 135: sdhcinst.dll, 136: sdpblb.dll, 137: secedit.exe, 138: seclogon.dll, 139: secpol.msc, 140
wuaueng1.dll, 125: wuauserv.dll, 126: wucltui.dll, 127: wupdmgr.exe, 128: wups.dll, 129: wuweb.dll, 130: wzcdl

e, 140: ckcnv.exe, 141: clb.dll, 142: clbcatex.dll, 143: clbcatq.dll, 144: cleanmgr.exe, 145: cliconf.chm, 146: clico
c.dll, 139: inetmib1.dll, 140: inetpp.dll, 141: inetppui.dll, 142: inetres.dll, 143: inetsrv, 144: infosoft.dll, 145: initp
.dll, 128: mswstr10.dll, 129: msxbde40.dll, 130: msxml.dll, 131: msxml2.dll, 132: msxml2r.dll, 133: msxml3.dll,
ogon.dll, 139: secpol.msc, 140: secupd.dat, 141: secupd.sig, 142: secur32.dll, 143: security.dll, 144: sendcmsg.
dll, 129: wuweb.dll, 130: wzcdlg.dll, 131: wzcsapi.dll, 132: wzcsvc.dll, 133: xactsrv.dll, 134: xcopy.exe, 135: xenr

xe, 145: cliconf.chm, 146: cliconfg.dll, 147: cliconfg.exe, 148: cliconfg.rll, 149: clipbrd.exe, 150: clipsrv.exe, 151:
tsrv, 144: infosoft.dll, 145: initpki.dll, 146: INKED.DLL, 147: input.dll, 148: inseng.dll, 149: instcat.sql, 150: intl.cp
msxml2r.dll, 133: msxml3.dll, 134: msxml3r.dll, 135: msxml4.dll, 136: msxml4r.dll, 137: msxmlr.dll, 138: msyu
3: security.dll, 144: sendcmsg.dll, 145: sendmail.dll, 146: sens.dll, 147: sensapi.dll, 148: senscfg.dll, 149: serialu
v.dll, 134: xcopy.exe, 135: xenroll.dll, 136: xircom, 137: xmlprov.dll, 138: xmlprovi.dll, 139: xolehlp.dll, 140: xpob

pbrd.exe, 150: clipsrv.exe, 151: clusapi.dll, 152: cmcfg32.dll, 153: cmd.exe, 154: cmdial32.dll, 155: cmdl32.exe,
dll, 149: instcat.sql, 150: intl.cpl, 151: iologmsg.dll, 152: ipconf.tsp, 153: ipconfig.exe, 154: iphlpapi.dll, 155: ipm
dll, 137: msxmlr.dll, 138: msyuv.dll, 139: mtxclu.dll, 140: mtxdm.dll, 141: mtxex.dll, 142: mtxlegih.dll, 143: mtxo
l, 148: senscfg.dll, 149: serialui.dll, 150: servdeps.dll, 151: services.exe, 152: services.msc, 153: serwvdrv.dll, 1
.dll, 139: xolehlp.dll, 140: xpob2res.dll, 141: xpsp1res.dll, 142: xpsp2res.dll, 143: zipfldr.dll

cmdial32.dll, 155: cmdl32.exe, 156: cmdlib.wsc, 157: cmmgr32.hlp, 158: cmmon32.exe, 159: cmos.ram, 160: cm
exe, 154: iphlpapi.dll, 155: ipmontr.dll, 156: ipnathlp.dll, 157: ippromon.dll, 158: iprop.dll, 159: iprtprio.dll, 160:
ll, 142: mtxlegih.dll, 143: mtxoci.dll, 144: mui, 145: mycomput.dll, 146: mydocs.dll, 147: narrator.exe, 148: narr
vices.msc, 153: serwvdrv.dll, 154: sessmgr.exe, 155: sethc.exe, 156: Setup, 157: setup.bmp, 158: setup.exe, 15
zipfldr.dll