Sysinternals

    • When did Microsoft acquire the Sysinternals tools? 

    Answer : 2006

    • I deployed the attached virtual machine and I'm ready to move on...

    No Answer

    • What is the last tool listed within the Sysinternals Suite? 

    Answer : ZoomIt

    • What service needs to be enabled on the local host to interact with live.sysinternals.com? 

    Answer : webclient

    • There is a txt file on the desktop named file.txt. Using one of the three discussed tools in this task, what is the text within the ADS? 

    C:\Users\Administrator\Desktop>streams file.txt -accepteula

    streams v1.60 - Reveal NTFS alternate streams.
    Copyright (C) 2005-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com

    C:\Users\Administrator\Desktop\file.txt:
    :ads.txt:$DATA 26

    C:\Users\Administrator\Desktop>notepad .\file.txt:ads.txt

    Answer : I am hiding in the stream.
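    The streams tool above shows one way to find an alternate data stream on a single file. As an added example (not part of the room or the Sysinternals tools), the PowerShell below does the same check across a whole directory with built-in cmdlets, listing every stream other than the default :$DATA stream and dumping its text. The Desktop path is an assumed default; point it anywhere you want to sweep.

```powershell
# Added example (not from the room): sweep a directory for NTFS alternate data streams
# and show the content of every stream that is not the default ':$DATA' stream.
param(
    # Assumed starting point; any NTFS path works
    [string]$Path = "$env:USERPROFILE\Desktop"
)

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream (FileName, Stream, Length),
        # including the default ':$DATA' stream that holds the visible file content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Length  = $_.Length
                    # Zone.Identifier streams are normal for downloaded files; anything
                    # else (like the ads.txt stream in this task) deserves a look.
                    Content = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                }
            }
    } | Format-Table -AutoSize -Wrap
```

Run against the Desktop from the task, the output lists file.txt with a stream named ads.txt of 26 bytes and its content. Once you have confirmed a stream is unwanted, Remove-Item -LiteralPath <file> -Stream <name> deletes only that stream and leaves the file itself intact.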

    • Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots above? 

    Using whois or online tools.

    Answer : Microsoft Corporation

    • Run Autoruns and inspect what are the new entries in the Image Hijacks tab compared to the screenshots above. 

    No Answer

    • What entry was updated?

    Answer : taskmgr.exe

    • What is the updated value?

    Answer : c:\tools\sysint\procexp.exe
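    The Image Hijacks tab in Autoruns reads the Image File Execution Options (IFEO) registry keys: a Debugger value under a key named after an executable makes Windows launch the debugger path instead of that executable. The taskmgr.exe entry in this task is what Process Explorer's "Replace Task Manager" option writes. As an added example (not part of the room or Autoruns), the PowerShell below pulls the same information straight from the registry so you can spot such entries without the GUI; the two key paths are the standard 64-bit and WOW64 locations.

```powershell
# Added example (not from the room): list every IFEO entry that sets a Debugger value,
# which is the data Autoruns shows under the Image Hijacks tab.
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

foreach ($key in $ifeoKeys) {
    # Each subkey is named after the executable it applies to (e.g. taskmgr.exe)
    Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue |
        ForEach-Object {
            $debugger = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                [PSCustomObject]@{
                    Image    = $_.PSChildName
                    Debugger = $debugger
                    Key      = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
        }
} | Format-Table -AutoSize -Wrap
```

On the task's machine this prints taskmgr.exe with c:\tools\sysint\procexp.exe as its Debugger; on a clean host the list is normally empty, so any entry that appears is worth explaining.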

    • You will check out the Sysmon room if you haven't done so already... 

    No Answer

    • Moving along...

    No Answer

    • Run the Strings tool on ZoomIt.exe. What is the full path to the .pdb file?

    c:\Tools\sysint>strings .\ZoomIt.exe | findstr /i zoomit.pdb*
    C:\agent\_work\112\s\Win32\Release\ZoomIt.pdb

    Answer : C:\agent\_work\112\s\Win32\Release\ZoomIt.pdb

    TASK 10 : Conclusion
    • I will definitely look into Sysinternals more in-depth and add this to my arsenal...

    No Answer