Anwendungen Trojaner in Update Datei von Real Player11 ?

habe mir auf meinem WinXP Pro Sp3 den real player 11 installiert.

Nach abgeschlossener Installation und anschliessendem Start von Real Player

wies mich das Programm auf ein Update hin, welche allen Nutzern angeraten wurde.

Das update war etwa ~400KB groß. (muss wohl der WebInstaller gewesen sein, denn danach km das hauptfile)

Doch als es fertig gedownloadet war sprang Kaspersky an und meldete den

Trojaner-Fund "rnsetup0". Deklariert als Trojaner Win32.Agent.Boy.

Kaspersky hat die Datei aus dem Temp-Ordner genommen, und in

"Backup" (also nicht Quarantäne) verschoben.

kann da jemand was zu sagen? Konnte über google keine wirklichen infos kriegen.

Für jede Hilfe dankbar ......

 

Warum schickst du die nicht an Kaspersky?
Die prüfen das nach. Kann ja auch eine Falschmeldung sein.
mfg
csmulo

 

Wie muss ich das machen?

 

Uh, der ist aber verdammt alt. Sicher das es ein Update vom Realplayer war?

Denn dieser Wurm/Virus/Malware Downloader stammt aus dem Jahre von 2005.

Virus Description: Trojan-Downloader:W32/Agent.BOY

Scheint aber eher eine Art von Rootkit zu sein und hat nichts mit dem Update von Realplayer zu tun.

 

Probier mal den online-Scan von Kaspersky, vielleicht bieten die danach ein Tool zum desinfizieren.
Kaspersky Lab: Anti-Virus, Internet Security, Mobile Security & Antiviren-Software und Services für Unternehmen

@Protector: Gibt auch noch nen Backdoor!

mfg
csmulo

PS: Scheinen noch mehr das Problem zu haben:
http://real.lithium.com/real/board/...thread.id=29739&view=by_date_ascending&page=1
http://real.lithium.com/real/board/message?board.id=realplayer&message.id=29789

Ist ein Fehlalarm, sofern du aus real-quelle gezogen hast.

 

ja, das war ein Update Fenster vom realPlayer.
Nach dem Starten des Programms RealPlayer11 öffnete sich ein fenster mit dem hinweis.

Win XP und kasperksy sind aktuell gehalten.

Der Kaspersky hat die Datei verschoben in "Backup".
Da kann ich sie löschen oder wiederherstellen.

Wie kriege ich sie zum OnlineScanner ?

 

Wenn du sie noch nicht gelöscht hast, dann aus dem Backupordner von Kaspersky.

Falls es aber echt ein Rootkit ist, dann bist du bestens mit Blacklight dran den loszuwerden.

Wenn es ein Backdoor ist...ouh, dann würd schnell handeln.

ftp://pcwelt:dl4pcwftp@download.pcwelt.de/0/76/fsbl.exe

 

@La Bou
Ist definitiv ein Fehlalarm.
Denke mal bei der nächsten Aktualisierung der Datenbanken ist es behoben.
Geb einfach mal den Dateinamen in Google ein und du findest jede Menge Treffer bei Real.
Teilweise soll erneute Installation des Players geholfen haben.
Ach so der Realplayer telefoniert gerne nach Hause. (Erklärung)
mfg
csmulo

 

Eine Prüfung kann dennoch nicht schaden , du kennst doch Windows :p

 

Ok, ich danke euch beiden.

Ich werde die Datei mal prüfen, wenn ich heut abend zu Haus bin.

Hoffe nur, wenn ich das ding aus Kaspersky wiederherstelle,

das ich mir dann kein Shice einfange oer gar noch mehr verbreitet wird.

 

Wie gesagt in den real-foren haben sich die Meldungen auch gehäuft.
Wenn die Datei aus einer sicheren Quelle stammt (real) ist es eine Falschmeldung.
mfg
csmulo

 

So, habe jetzt mehrere OnlineScans gemacht.
Dafür die Datei als *zip gepackt, damit ich sie überhaupt hochgeladen kriege.
Kaspersky ist auch nach Update noch der Meinung es ist ein Trojaner.

KASPERSKY FILE SCANNER

Code:

[COLOR="Red"]Attention![/COLOR]
Kaspersky Anti-Virus has detected a virus in the file you have submitted.

Scanned file:   rnsetup0.zip  - Infected
rnsetup0.zip/rnsetup0.exe - infected by Trojan-Downloader.Win32.Agent.boys 

Known viruses:	2043433  	Updated:	14-04-2009
File size (Kb):	196 	Virus bodies:	1
Files:	1 	Warnings:	0
Archives:	1 	Suspicious:	0

VIRUSTOTAL

Code:

 Datei rnsetup0.zip empfangen 2009.04.14 16:59:17 (CET)

Antivirus 	Version 	letzte aktualisierung 	Ergebnis
a-squared	4.0.0.101	2009.04.14	-
AhnLab-V3	5.0.0.2	2009.04.14	[COLOR="Red"]Win-Trojan/Agent.390676[/COLOR]
AntiVir	7.9.0.138	2009.04.14	-
Antiy-AVL	2.0.3.1	2009.04.14	-
Authentium	5.1.2.4	2009.04.14	-
Avast	4.8.1335.0	2009.04.14	-
AVG	8.5.0.285	2009.04.14	-
CAT-QuickHeal	10.00	2009.04.14	-
ClamAV	0.94.1	2009.04.14	-
Comodo	1113	2009.04.14	-
DrWeb	4.44.0.09170	2009.04.14	-
eSafe	7.0.17.0	2009.04.13	-
eTrust-Vet	31.6.6455	2009.04.14	-
F-Prot	4.4.4.56	2009.04.14	-
F-Secure	8.0.14470.0	2009.04.14	[COLOR="Red"]Trojan-Downloader.Win32.Agent.boys[/COLOR]
Fortinet	3.117.0.0	2009.04.14	-
GData	19	2009.04.14	-
Ikarus	T3.1.1.49.0	2009.04.14	-
K7AntiVirus	7.10.700	2009.04.11	-
Kaspersky	7.0.0.125	2009.04.14	[COLOR="Red"]Trojan-Downloader.Win32.Agent.boys[/COLOR]
McAfee	5583	2009.04.13	-
McAfee+Artemis	5583	2009.04.13	-
McAfee-GW-Edition	6.7.6	2009.04.14	-
Microsoft	1.4502	2009.04.14	-
NOD32	4006	2009.04.14	-
Norman	6.00.06	2009.04.14	-
nProtect	2009.1.8.0	2009.04.14	-
Panda	10.0.0.14	2009.04.14	-
PCTools	4.4.2.0	2009.04.14	-
Prevx1	V2	2009.04.14	-
Rising	21.25.14.00	2009.04.14	-
Sophos	4.40.0	2009.04.14	-
Sunbelt	3.2.1858.2	2009.04.13	-
Symantec	1.4.4.12	2009.04.14	-
TheHacker	6.3.4.0.306	2009.04.12	-
TrendMicro	8.700.0.1004	2009.04.14	-
VBA32	3.12.10.2	2009.04.12	[COLOR="Red"]suspected of Win32.Trojan.Downloader[/COLOR]
ViRobot	2009.4.14.1692	2009.04.14	-
VirusBuster	4.6.5.0	2009.04.14	-

File size: 200382 bytes

VIRUSSCAN JOTTI

Code:

A-Squared  	[COLOR="Lime"]Found nothing[/COLOR]
AntiVir 	        [COLOR="Lime"]Found nothing[/COLOR]
ArcaVir 	        [COLOR="Lime"]Found nothing[/COLOR]
Avast 	        [COLOR="Lime"]Found nothing[/COLOR]
AVG Antivirus 	[COLOR="Lime"]Found nothing[/COLOR]
BitDefender 	[COLOR="Lime"]Found nothing[/COLOR]
ClamAV 	        [COLOR="Lime"]Found nothing[/COLOR]
CPsecure 	[COLOR="Lime"]Found nothing[/COLOR]
Dr.Web 	       [COLOR="Lime"] Found nothing[/COLOR]
F-Prot Antivirus [COLOR="Lime"] Found nothing[/COLOR]
F-Secure Anti-Virus [COLOR="Red"]Found Trojan-Downloader.Win32.Agent.boys[/COLOR]
Ikarus 	       [COLOR="Lime"]Found nothing[/COLOR]
Kaspersky Anti-Virus 	[COLOR="Red"]Found Trojan-Downloader.Win32.Agent.boys[/COLOR]
NOD32 	    [COLOR="Lime"]  Found nothing[/COLOR]
Norman Virus Control 	Found nothing
Panda Antivirus 	[COLOR="Lime"]Found nothing[/COLOR]
Quick Heal 	        [COLOR="Lime"]Found nothing[/COLOR]
Sophos Antivirus 	[COLOR="Lime"]Found nothing[/COLOR]
VirusBuster 	        [COLOR="Lime"]Found nothing[/COLOR]
VBA32 	                [COLOR="Red"]Found Win32.Trojan.Downloader (probable variant)[/COLOR] 

AVAST

Code:

rnsetup0.zip/rnsetup0.exe	   [COLOR="Green"]clear[/COLOR]
 rnsetup0.zip	   [COLOR="Green"]clear[/COLOR]

Nun bin ich auch nicht schlauer als vorher ...

 

Lade es mal bitte hier hoch:

Anubis: Analyzing Unknown Binaries

Und poste dann den Log.


Oder schick sie mir mal per Mail.
Wills mir mal anschauen

fknpwned@hushmail.com

 

Was sagte der Support von real.
Falschmeldung, wie du gesehen hast sind 4 Programme der Auffassung es handelt sich um einen Trojaner.
laut real ist es aber keiner, sofern du das update dort bezogen hast.
mfg
csmulo

 

Hier der Log von Anubis:

Code:

                           ___                __    _                          
         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        
        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        
        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        
      -:+hhdhyys/-                                           -\syyhdhh+:-      
    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    
   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
 -+++///////odh/-                                             -+hdo\\\\\\\+++- 
 +++++++++//yy+/:                                             :\+yy\\+++++++++ 
/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+


[#############################################################################]
    Analysis Report for rnsetup0.exe
                   MD5: 9b8d58baf3cc52d48141bbbc85c83cad
[#############################################################################]

Summary: 
    - Changes security settings of Internet Explorer:
        This system alteration could seriously affect safety surfing the World
        Wide Web.

    - Performs File Modification and Destruction:
        The executable modifiesand destructs files which are not temporary.

    - Performs Registry Activities:
        The executable reads and modifies registry values. It also creates and
        monitors registry keys.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- sample.exe
  a) Registry Activities
  b) File Activities
  c) Windows Service Activities
  d) Process Activities
  e) Network Activities
    - services.exe
      a) Registry Activities
      b) File Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        242 s
        Report created:     04/14/09, 15:34:04 UTC
        Termination reason: Timeout
        Program version:    1.67.0

[=============================================================================]
    Global Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Unknown UDP Traffic:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1025 to 192.168.0.1:53
             State: [ Normal establishment and termination ],
             Outbound Bytes: [ 150 ], Inbound Bytes: [ 598 ]



[#############################################################################]
    2. sample.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        sample.exe
        MD5:             9b8d58baf3cc52d48141bbbc85c83cad
        SHA-1:           e192a059f57bffa3996bacf7abe1b594f1ed3e0b
        File Size:       390676 Bytes
        Command Line:    "C:\sample.exe"
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\WININET.dll ],
               Base Address: [0x42C10000 ], Size: [0x000CF000 ]
        Module Name: [ C:\WINDOWS\system32\Normaliz.dll ],
               Base Address: [0x00350000 ], Size: [0x00009000 ]
        Module Name: [ C:\WINDOWS\system32\iertutil.dll ],
               Base Address: [0x42990000 ], Size: [0x00045000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\IMM32.DLL ],
               Base Address: [0x76390000 ], Size: [0x0001D000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\urlmon.dll ],
               Base Address: [0x42CF0000 ], Size: [0x00127000 ]
        Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ],
               Base Address: [0x662B0000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\System32\mswsock.dll ],
               Base Address: [0x71A50000 ], Size: [0x0003F000 ]
        Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ],
               Base Address: [0x71A90000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\ws2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\sensapi.dll ],
               Base Address: [0x722B0000 ], Size: [0x00005000 ]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\msctfime.ime ],
               Base Address: [0x755C0000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
               Base Address: [0x76B40000 ], Size: [0x0002D000 ]
        Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ],
               Base Address: [0x76D60000 ], Size: [0x00019000 ]
        Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
               Base Address: [0x76E80000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\rasman.dll ],
               Base Address: [0x76E90000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
               Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
        Module Name: [ C:\WINDOWS\system32\RASAPI32.dll ],
               Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
        Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ],
               Base Address: [0x76F20000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ],
               Base Address: [0x76FC0000 ], Size: [0x00006000 ]
        Module Name: [ C:\WINDOWS\system32\msv1_0.dll ],
               Base Address: [0x77C70000 ], Size: [0x00024000 ]

[=============================================================================]
    Popups
[=============================================================================]
        Window Name:     Vorbereitung zur Installation von RealPlayer
        Displayed Times: 1
        Window Text:     

        Window Name:     Vorbereitung zur Installation von RealPlayer
        Displayed Times: 4
        Window Text:     


[=============================================================================]
    2.a) sample.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ], 
             Value Name: [ ProxyEnable ], New Value: [ 0 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ AppData ], New Value: [ C:\Documents and Settings\user\Application Data ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], New Value: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\user\Cookies ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ History ], New Value: [ C:\Documents and Settings\user\Local Settings\History ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], 
             Value Name: [ AutoDetect ], New Value: [ 1 ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], 
             Value Name: [ IntranetName ], New Value: [ 1 ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], 
             Value Name: [ ProxyBypass ], New Value: [ 1 ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], 
             Value Name: [ UNCAsIntranet ], New Value: [ 1 ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ], 
             Value Name: [ MigrateProxy ], New Value: [ 1 ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ], 
             Value Name: [ ProxyEnable ], New Value: [ 0 ]
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], 
             Value Name: [ SavedLegacySettings ], New Value: [ 0x460000006800000001000000000000000000000000000000040000000000 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/PLAIN ], 
             Value Name: [ Extension ], Value: [ .txt ], 4 times
        Key: [ HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/XML ], 
             Value Name: [ Extension ], Value: [ .xml ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe ], 
             Value Name: [  ], Value: [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ EnablePunycode ], Value: [ 1 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
        Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters ], 
             Value Name: [ Transports ], Value: [ 0x5400630070006900700000004e0065007400420049004f00530000000000 ], 2 times
        Key: [ HKLM\Software\Microsoft\CTF\SystemShared ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], 
             Value Name: [ * ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], 
             Value Name: [ * ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Rpc\SecurityService ], 
             Value Name: [ 10 ], Value: [ secur32.dll ], 1 time
        Key: [ HKLM\Software\Microsoft\Tracing ], 
             Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ MaxFileSize ], Value: [ 1048576 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM ], 
             Value Name: [ Ime File ], Value: [ msctfime.ime ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], 
             Value Name: [ AllUsersProfile ], Value: [ All Users ], 8 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], 
             Value Name: [ DefaultUserProfile ], Value: [ Default User ], 8 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], 
             Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 16 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003 ], 
             Value Name: [ ProfileImagePath ], Value: [ %SystemDrive%\Documents and Settings\user ], 8 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 8 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 8 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], 
             Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], 
             Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], 
             Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com ], 
             Value Name: [  ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related ], 
             Value Name: [ http ], Value: [ 4 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ USER ], 10 times
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll ], 
             Value Name: [ Capabilities ], Value: [ 16464 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll ], 
             Value Name: [ Comment ], Value: [ Digest SSPI Authentication Package ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll ], 
             Value Name: [ Name ], Value: [ Digest ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll ], 
             Value Name: [ RpcId ], Value: [ 65535 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll ], 
             Value Name: [ TokenSize ], Value: [ 65535 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll ], 
             Value Name: [ Type ], Value: [ 49 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll ], 
             Value Name: [ Version ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll ], 
             Value Name: [ Capabilities ], Value: [ 55 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll ], 
             Value Name: [ Comment ], Value: [ DPA Security Package ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll ], 
             Value Name: [ Name ], Value: [ DPA ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll ], 
             Value Name: [ RpcId ], Value: [ 17 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll ], 
             Value Name: [ TokenSize ], Value: [ 768 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll ], 
             Value Name: [ Type ], Value: [ 49 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll ], 
             Value Name: [ Version ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll ], 
             Value Name: [ Capabilities ], Value: [ 55 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll ], 
             Value Name: [ Comment ], Value: [ MSN Security Package ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll ], 
             Value Name: [ Name ], Value: [ MSN ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll ], 
             Value Name: [ RpcId ], Value: [ 18 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll ], 
             Value Name: [ TokenSize ], Value: [ 768 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll ], 
             Value Name: [ Type ], Value: [ 49 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll ], 
             Value Name: [ Version ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], 
             Value Name: [ wheel ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], 
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\SecurityProviders ], 
             Value Name: [ SecurityProviders ], Value: [ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles ], 
             Value Name: [ GSSAPI ], Value: [ Kerberos ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ OS ], Value: [ Windows_NT ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PATHEXT ], Value: [ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ windir ], Value: [ %SystemRoot% ], 16 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ user ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ UseDomainNameDevolution ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ HelperDllName ], Value: [ %SystemRoot%\System32\wshtcpip.dll ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ Mapping ], Value: [ 0x0b0000000300000002000000010000000600000002000000010000000000 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ MaxSockaddrLength ], Value: [ 16 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ MinSockaddrLength ], Value: [ 16 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ UseDelayedAcceptance ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], 
             Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1012 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 11 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 3 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment ], 
             Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment ], 
             Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ], 
             Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ], 
             Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ], 
             Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  ], 4 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ], 
             Value Name: [ PrivacyAdvanced ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ], 
             Value Name: [ SecureProtocols ], Value: [ 160 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ], 
             Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ], 
             Value Name: [ WarnOnZoneCrossing ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ CertificateRevocation ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ DisableCachingOfSSLPages ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ], 
             Value Name: [ ParseAutoexec ], Value: [ 1 ], 8 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 7 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], 
             Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], 
             Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], 
             Value Name: [ CachePrefix ], Value: [  ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], 
             Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517 ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517 ], 
             Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517 ], 
             Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012008051620080517 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517 ], 
             Value Name: [ CachePrefix ], Value: [ :2008051620080517:  ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517 ], 
             Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData ], 
             Value Name: [ CacheLimit ], Value: [ 1000 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData ], 
             Value Name: [ CacheOptions ], Value: [ 8 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData ], 
             Value Name: [ CachePath ], Value: [ %USERPROFILE%\UserData ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData ], 
             Value Name: [ CachePrefix ], Value: [ UserData ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData ], 
             Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat ], 
             Value Name: [ CacheOptions ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat ], 
             Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat ], 
             Value Name: [ CachePrefix ], Value: [ feedplat: ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat ], 
             Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], 
             Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], 
             Value Name: [ AutoDetect ], Value: [ 1 ], 4 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], 
             Value Name: [  ], Value: [  ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], 
             Value Name: [ @ivt ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], 
             Value Name: [ file ], Value: [ 3 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], 
             Value Name: [ ftp ], Value: [ 3 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], 
             Value Name: [ http ], Value: [ 3 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], 
             Value Name: [ https ], Value: [ 3 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], 
             Value Name: [ shell ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 ], 
             Value Name: [ Flags ], Value: [ 33 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 ], 
             Value Name: [ Flags ], Value: [ 475 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 ], 
             Value Name: [ Flags ], Value: [ 71 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], 
             Value Name: [ 1A00 ], Value: [ 131072 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], 
             Value Name: [ 1A10 ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], 
             Value Name: [ Flags ], Value: [ 1 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], 
             Value Name: [ {AEBA21FA-782A-4A90-978D-B72164C80120} ], Value: [ 0x1a3761592352350c7a5f20172f1e1a190e2b01731e281a041b0c3bc22127 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 ], 
             Value Name: [ Flags ], Value: [ 3 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ], 
             Value Name: [ MigrateProxy ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ], 
             Value Name: [ ProxyEnable ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], 
             Value Name: [ DefaultConnectionSettings ], Value: [ 0x3c0000000200000001000000000000000000000000000000040000000000 ], 2 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], 
             Value Name: [ SavedLegacySettings ], Value: [ 0x460000006700000001000000000000000000000000000000040000000000 ], 4 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment ], 
             Value Name: [ APPDATA ], Value: [ C:\Documents and Settings\user\Application Data ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment ], 
             Value Name: [ CLIENTNAME ], Value: [  ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment ], 
             Value Name: [ HOMEDRIVE ], Value: [ C: ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment ], 
             Value Name: [ HOMEPATH ], Value: [ \Documents and Settings\user ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment ], 
             Value Name: [ HOMESHARE ], Value: [  ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment ], 
             Value Name: [ LOGONSERVER ], Value: [ \\USER ], 16 times
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment ], 
             Value Name: [ SESSIONNAME ], Value: [ Console ], 16 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time


[=============================================================================]
    2.b) sample.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\RUP\ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\ ]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\RUP\ ]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\RUP\stubinst_pkg_de.rup ]
        File Name: [ C:\Documents and Settings\user\Cookies\user@real[1].txt ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\extended[1].xml ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\log[1].txt ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\log[1].txt ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\stubinst_config_de[1].xml ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MBYNVPWZ\stubinst_pkg_de[1].rup ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\RUP\stubinst_pkg_de.rup ]
        File Name: [ PIPE\ROUTER ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ c:\autoexec.bat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\RUP\stubinst_pkg_de.rup ]
        File Name: [ C:\Documents and Settings\user\Cookies\user@real[1].txt ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\extended[1].xml ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\log[1].txt ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\log[1].txt ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\stubinst_config_de[1].xml ]
        File Name: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MBYNVPWZ\stubinst_pkg_de[1].rup ]
        File Name: [ Ip ]
        File Name: [ PIPE\ROUTER ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ \Device\Afd\AsyncConnectHlp ]
        File Name: [ \Device\Afd\Endpoint ]
        File Name: [ \Device\Ip ]
        File Name: [ \Device\RasAcd ]
        File Name: [ \Device\Tcp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Directory: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\ ]
        Directory: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\RUP\ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Directories Removed:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Directory: [ C:\DOCUME~1\user\LOCALS~1\Temp\rninst~0\RUP\ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 56 times
        File: [ PIPE\ROUTER ], Control Code: [ 0x0011C017 ], 3 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ unnamed file ], Control Code: [ 0x00390008 ], 7 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_INFO (0x0001207B) ], 2 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SET_CONTEXT (0x00012047) ], 40 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_BIND (0x00012003) ], 5 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_TDI_HANDLES (0x00012037) ], 10 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_SOCK_NAME (0x0001202F) ], 5 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SET_INFO (0x0001203B) ], 23 times
        File: [ \Device\Afd\AsyncConnectHlp ], Control Code: [ AFD_CONNECT (0x00012007) ], 5 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SELECT (0x00012024) ], 5 times
        File: [ unnamed file ], Control Code: [ 0x00120028 ], 10 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SEND (0x0001201F) ], 6 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_RECV (0x00012017) ], 376 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_DISCONNECT (0x0001202B) ], 2 times
        File: [ \Device\Tcp ], Control Code: [ 0x00120003 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ]
        File Name: [ C:\WINDOWS\System32\mswsock.dll ]
        File Name: [ C:\WINDOWS\System32\wshtcpip.dll ]
        File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\Msimtf.dll ]
        File Name: [ C:\WINDOWS\system32\RASAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
        File Name: [ C:\WINDOWS\system32\WINMM.dll ]
        File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
        File Name: [ C:\WINDOWS\system32\hnetcfg.dll ]
        File Name: [ C:\WINDOWS\system32\iphlpapi.dll ]
        File Name: [ C:\WINDOWS\system32\msctfime.ime ]
        File Name: [ C:\WINDOWS\system32\msv1_0.dll ]
        File Name: [ C:\WINDOWS\system32\rasadhlp.dll ]
        File Name: [ C:\WINDOWS\system32\rasman.dll ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\WINDOWS\system32\rtutils.dll ]
        File Name: [ C:\WINDOWS\system32\sensapi.dll ]
        File Name: [ C:\WINDOWS\system32\ws2_32.dll ]

[=============================================================================]
    2.c) sample.exe - Windows Service Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Services Started:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Service: [ RASMAN ]

[=============================================================================]
    2.d) sample.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Thread Overview:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        After 33 seconds, Number of threads: 1
        After 218 seconds, Number of threads: 0


[=============================================================================]
    2.e) sample.exe - Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ log.realone.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [  ], Successful: [ 1 ], Protocol: [  ]
        Name: [ firstrun.real.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 207.188.5.80 ], Successful: [ 1 ], Protocol: [  ]
        Name: [ switchboard.real.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [  ], Successful: [ 1 ], Protocol: [  ]
        Name: [ software-download.real.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [  ], Successful: [ 1 ], Protocol: [  ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    HTTP Conversations:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1032 to 66.203.123.27:80 - [ log.realone.com ]
             Request: [ GET /rpinst/log.txt?prod=stub&version=1.0.9.91&payload=RealPlayer&li=de&distcode=R41DEY1&os=5.1.2600|SP3|en&ie=7.00.6000.16574&bw=unknown&loc=none&action=installerstarted ], Response: [ 200 "OK" ]
             Request: [ GET /rpinst/log.txt?prod=stub&version=1.0.9.91&payload=RealPlayer&li=de&distcode=R41DEY1&os=5.1.2600|SP3|en&ie=7.00.6000.16574&bw=unknown&loc=at&action=stubstarted ], Response: [ 200 "OK" ]
        From ANUBIS:1033 to 207.188.5.80:80 - [ firstrun.real.com ]
             Request: [ GET /geoloc/extended ], Response: [ 200 "OK" ]
        From ANUBIS:1035 to 207.188.7.81:80 - [ switchboard.real.com ]
             Request: [ GET /player/installer.html?cd=configuration_xml&distcode=R41DEY1&prod=RealPlayer&prod_dist=R41DEY1&prod_orig=R41DEY1&ver=11.0&li=de&oem=rp11_de&loc=at ], Response: [ 302 "Temporary Relocation" ]
        From ANUBIS:1036 to 198.78.202.124:80 - [ software-download.real.com ]
             Request: [ GET /free/windows/installer/stubinst/xml/rp11/stubinst_config_de.xml ], Response: [ 200 "OK" ]
             Request: [ GET /free/windows/installer/stubinst/pkg/rp11/stubinst_pkg_de.rup?distcode=R41DEY1&prod=RealPlayer&prod_dist=R41DEY1&prod_orig=R41DEY1&ver=11.0&li=de&oem=rp11_de&loc=at ], Response: [ 200 "OK" ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    TCP Connection Attempts:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1034 to 66.203.123.27:80



[#############################################################################]
    3. services.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: NtConnectPort(\RPC Control\ntsvcs was called.
        Filename:        services.exe
        MD5:             0e776ed5f7cc9f94299e70461b7b8185
        SHA-1:           cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
        File Size:       108544 Bytes
        Command Line:    C:\WINDOWS\system32\services.exe
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ],
               Base Address: [0x5F770000 ], Size: [0x0000C000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
               Base Address: [0x76080000 ], Size: [0x00065000 ]
        Module Name: [ C:\WINDOWS\system32\SCESRV.dll ],
               Base Address: [0x7DBD0000 ], Size: [0x00051000 ]
        Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ],
               Base Address: [0x776C0000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ],
               Base Address: [0x7DBA0000 ], Size: [0x00021000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ],
               Base Address: [0x47260000 ], Size: [0x0000F000 ]
        Module Name: [ C:\WINDOWS\system32\IMM32.DLL ],
               Base Address: [0x76390000 ], Size: [0x0001D000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\eventlog.dll ],
               Base Address: [0x77B70000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
               Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ],
               Base Address: [0x76F50000 ], Size: [0x00008000 ]

[=============================================================================]
    3.a) services.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Keys Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control ]
        Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control ], 
             Value Name: [ ActiveService ], New Value: [ RasMan ]
        Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control ], 
             Value Name: [ ActiveService ], New Value: [ TapiSrv ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96B-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E978-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E978-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E969-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96F-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96E-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E965-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.1___\4D51303030302031202020202020202020202020 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E967-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E968-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 ], 
             Value Name: [ DeviceDesc ], Value: [ Realtek RTL8029(AS)-based Ethernet Adapter (Generic) ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 ], 
             Value Name: [ Driver ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318}\0001 ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E966-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VGASAVE\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ], 
             Value Name: [ DeviceDesc ], Value: [ WAN Miniport (IP) ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ], 
             Value Name: [ Driver ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318}\0008 ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0001 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002 ], 
             Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800 ], 
             Value Name: [ ClassGUID ], Value: [ {71A27CDD-812A-11D0-BEC7-08002BE2092F} ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\PlugPlay ], 
             Value Name: [ PlugPlayServiceType ], Value: [ 3 ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum ], 
             Value Name: [ 0 ], Value: [ Root\LEGACY_RASMAN\0000 ], 3 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum ], 
             Value Name: [ Count ], Value: [ 1 ], 6 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum ], 
             Value Name: [ 0 ], Value: [ Root\LEGACY_RPCSS\0000 ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum ], 
             Value Name: [ Count ], Value: [ 1 ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum ], 
             Value Name: [ 0 ], Value: [ Root\LEGACY_TAPISRV\0000 ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum ], 
             Value Name: [ Count ], Value: [ 1 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\PlugPlay ], 
             Value Name: [ ObjectName ], Value: [ LocalSystem ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\RasMan ], 
             Value Name: [ ImagePath ], Value: [ %SystemRoot%\system32\svchost.exe -k netsvcs ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\RasMan ], 
             Value Name: [ ObjectName ], Value: [ LocalSystem ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\RpcSs ], 
             Value Name: [ ObjectName ], Value: [ NT Authority\NetworkService ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\TapiSrv ], 
             Value Name: [ ImagePath ], Value: [ %SystemRoot%\System32\svchost.exe -k netsvcs ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\TapiSrv ], 
             Value Name: [ ObjectName ], Value: [ LocalSystem ], 2 times


[=============================================================================]
    3.b) services.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\ntsvcs, Flags: Named pipe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ]
        File Name: [ C:\WINDOWS\system32\config\SysEvent.Evt ]
        File Name: [ C:\ntsvcs, Flags: Named pipe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\net\NtControlPipe4, Flags: Named pipe ], Control Code: [ 0x0011C017 ], 2 times
        File: [ C:\ntsvcs, Flags: Named pipe ], Control Code: [ 0x0011001C ], 4 times



[#############################################################################]
                       International Secure Systems Lab                        
                            http://www.iseclab.org                             

Vienna University of Technology     Eurecom France            UC Santa Barbara
http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu

                          Contact: anubis@iseclab.org                          
 

 

Im übrigen würde ich den Player komplett busten und nur die Codecs installieren, dann kann auch jeder Player real-Dateien abspielen, ohne den Real überhaupt installiert zu haben.