                           ___                __    _                          
         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        
        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        
        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        
      -:+hhdhyys/-                                           -\syyhdhh+:-      
    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    
   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
 -+++///////odh/-                                             -+hdo\\\\\\\+++- 
 +++++++++//yy+/:                                             :\+yy\\+++++++++ 
/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+


[#############################################################################]
    Analysis Report for Flash-Player.exe
                   MD5: 14d6a017c333d7608224f1d1d515182f
[#############################################################################]

Summary: 
    - Write to foreign memory areas: 
        This executable tampers with the execution of another process.

    - Start/Install Windows service: 
        This executable starts a Windows service. Services have the 
        highest level of privilege in Windows, and are thus useful 
        for a number of malicious purposes.

    - Change Windows Firewall settings: 
        This executable changes some settings of the Windows Firewall.

    - Packed Binary: 
        This executable is protected with a packer in order to prevent it 
        from being reverse engineered.

    - Execution did not terminate correctly: 
        The executable crashed.

    - Modify system files: 
        This executable modifies files in the Windows system directories.

    - Autostart capabilities: 
        This executable registers processes to be executed at system start.
        This could result in unwanted actions being performed automatically.

    - Changes security settings of Internet Explorer:
        This system alteration could seriously affect the safety of surfing
        the World Wide Web.

    - Creates files in the Windows system directory:
        Malware often keeps copies of itself in the Windows directory to stay
        undetected by users.

    - Terminates services or processes of anti-virus programs:
        In order to perform tasks that would be prohibited by anti-virus 
        software, viruses sometimes try to kill anti-virus programs first.

    - Downloads Executable Code:
        The executable issues HTTP requests and downloads potentially malicious
        executable code.

    - Performs File Modification and Destruction:
        The executable modifies and destroys files which are not temporary.

    - Spawns Processes:
        The executable spawns processes during execution.

    - Performs Registry Activities:
        The executable creates and/or modifies registry entries.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- Flash-Play.exe
  a) Registry Activities
  b) File Activities
  c) Windows Service Activities
  d) Process Activities
  e) Network Activities
  f) Other Activities
    - cmd.exe
      a) Registry Activities
      b) File Activities
    - netsh.exe
      a) Registry Activities
      b) File Activities
    - flash32.exe
      a) Registry Activities
      b) File Activities
      c) Process Activities
      d) Network Activities
      e) Other Activities
        - flash32.exe
          a) Registry Activities
          b) File Activities
          c) Other Activities
    - netsh.exe
      a) Registry Activities
      b) File Activities
    - netsh.exe
      a) Registry Activities
      b) File Activities
    - cmd.exe
      a) File Activities
    - svchost.exe
      a) Registry Activities
    - services.exe
      a) Registry Activities
      b) File Activities
      c) Process Activities
        - svchost.exe
          a) Registry Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        251 s
        Report created:     07/16/11, 21:43:13 UTC
        Termination reason: Timeout
        Program version:    1.75.3394

[=============================================================================]
    Global Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ mysmallhomespace.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 188.72.230.129 188.72.230.129 ], Successful: [ 1 ], Protocol: [ udp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    HTTP Conversations:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1034 to 91.217.153.62:80 - [ driver-portal-x86.com ]
             Request: [ GET /distrib_serv/ip_list_2.php ], Response: [ 200 "OK" ]
        From ANUBIS:1037 to 46.118.66.163:8080 - [ 46.118.66.163 ]
             Request: [ GET /search=error ], Response: [ 200 "OK" ]
        From ANUBIS:1038 to 188.72.230.129:80 - [ mysmallhomespace.com ]
             Request: [ GET /blog/images/3521.jpg?v5=62&tq=gKZEtzyMv5rJqxG1J42pzMffBv0o0+jbwvgS917W65rJqlLfgPiWW1cg ], Response: [ 200 "OK" ]
        From ANUBIS:1039 to 46.118.66.163:8080 - [ 46.118.66.163 ]
             Request: [ GET /search=loader2.exe.txt ], Response: [ 200 "OK" ]
        From ANUBIS:1040 to 46.118.66.163:8080 - [ 46.118.66.163 ]
             Request: [ GET /search=loader2.exe ], Response: [ 200 "OK" ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Unknown TCP Traffic:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1036 to 46.118.66.163:8080
             State: [ Normal establishment and termination ],
             Outbound Bytes: [ 0 ], Inbound Bytes: [ 0 ]
        From ANUBIS:1041 to 109.200.242.85:8080
             State: [ Connection established, not terminated ],
             Outbound Bytes: [ 0 ], Inbound Bytes: [ 0 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    TCP Connection Attempts:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1035 to 109.200.242.85:8080



[#############################################################################]
    2. Flash-Play.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        Flash-Play.exe
        MD5:             14d6a017c333d7608224f1d1d515182f
        SHA-1:           164b1c9b76105ebb345e7b26472404b178a86fe1
        File Size:       1154048 Bytes
        Command Line:    "C:\Flash-Play.exe"
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.DLL ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.DLL ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\uxtheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\system32\netapi32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ],
               Base Address: [0x662B0000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\System32\mswsock.dll ],
               Base Address: [0x71A50000 ], Size: [0x0003F000 ]
        Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ],
               Base Address: [0x71A90000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\wsock32.dll ],
               Base Address: [0x71AD0000 ], Size: [0x00009000 ]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\RichEd20.dll ],
               Base Address: [0x74E30000 ], Size: [0x0006D000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ],
               Base Address: [0x754D0000 ], Size: [0x00080000 ]
        Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ],
               Base Address: [0x76C30000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ],
               Base Address: [0x76C90000 ], Size: [0x00028000 ]
        Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ],
               Base Address: [0x76F20000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ],
               Base Address: [0x76F60000 ], Size: [0x0002C000 ]
        Module Name: [ C:\WINDOWS\System32\winrnr.dll ],
               Base Address: [0x76FB0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ],
               Base Address: [0x76FC0000 ], Size: [0x00006000 ]
        Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
               Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
        Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
               Base Address: [0x77050000 ], Size: [0x000C5000 ]
        Module Name: [ C:\WINDOWS\system32\oleaut32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\WININET.dll ],
               Base Address: [0x771B0000 ], Size: [0x000AA000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
               Base Address: [0x77920000 ], Size: [0x000F3000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\version.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\shell32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\shdocvw.dll ],
               Base Address: [0x7E290000 ], Size: [0x00171000 ]

[=============================================================================]
    SigBuster Output
[=============================================================================]
        UPX All_Versions SN:1634

[=============================================================================]
    Popups
[=============================================================================]
        Window Name:     Flash-play
        Displayed Times: 1
        Window Text:     OK

[=============================================================================]
    2.a) Flash-Play.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Keys Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\services32.exe ]
        Key: [ HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ]
        Key: [ HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ]
        Key: [ HKU\\Software ]
        Key: [ HKU\\Software\Microsoft ]
        Key: [ HKU\\Software\Microsoft\Windows ]
        Key: [ HKU\\Software\Microsoft\Windows\ ]
        Key: [ HKU\\Software\Microsoft\Windows\\Policies ]
        Key: [ HKU\\Software\Microsoft\Windows\\Policies\Associati ]
        Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ]
        Key: [ HKU\\Software ]
        Key: [ HKU\\Software\Microsoft ]
        Key: [ HKU\\Software\Microsoft\Windows ]
        Key: [ HKU\\Software\Microsoft\Windows\CurrentVe ]
        Key: [ HKU\\Software\Microsoft\Windows\CurrentVe\Policies ]
        Key: [ HKU\\Software\Microsoft\Windows\CurrentVe\Policies\Associati ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ]
        Key: [ HKU\\Software\Microsoft\Windows ]
        Key: [ HKU\\Software\Microsoft\Windows\CurrentVe ]
        Key: [ HKU\\Software\Microsoft\Windows\CurrentVe\Policies ]
        Key: [ HKU\\Software\Microsoft\Windows\CurrentVe\Policies\Associati ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\Security Center ], 
             Value Name: [ AntiVirusDisableNotify ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Security Center ], 
             Value Name: [ DisableThumbnailCache ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Security Center ], 
             Value Name: [ FirewallDisableNotify ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Security Center ], 
             Value Name: [ FirewallOverride ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Security Center ], 
             Value Name: [ UpdatesDisableNotify ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ], 
             Value Name: [ wxpdrv ], New Value: [ C:\WINDOWS\update.1\svchost.exe ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ], 
             Value Name: [ EnableLUA ], New Value: [ 0 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ], 
             Value Name: [ EnableSecureUIAPaths ], New Value: [ 0 ]
        Key: [ HKLM\SOFTWARE\services32.exe ], 
             Value Name: [ close ], New Value: [ 0 ]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ], 
             Value Name: [ C:\Flash-Play.exe ], New Value: [ C:\Flash-Play.exe:*:Enabled:C:\Flash-Play.exe ]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ], 
             Value Name: [ C:\WINDOWS\update.1\svchost.exe ], New Value: [ C:\WINDOWS\update.1\svchost.exe:*:Enabled:C:\WINDOWS\update.1\svchost.exe ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Common Desktop ], New Value: [ C:\Documents and Settings\All Users\Desktop ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Common Documents ], New Value: [ C:\Documents and Settings\All Users\Documents ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Common Programs ], New Value: [ C:\Documents and Settings\All Users\Start Menu\Programs ]
        Key: [ HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], 
             Value Name: [ BaseClass ], New Value: [ Drive ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], 
             Value Name: [ BaseClass ], New Value: [ Drive ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Desktop ], New Value: [ C:\Documents and Settings\Administrator\Desktop ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Programs ], New Value: [ C:\Documents and Settings\Administrator\Start Menu\Programs ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\ ], 
             Value Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ], New Value: [ flash32 ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\ ], 
             Value Name: [ C:\WINDOWS\system32\netsh.exe ], New Value: [ Network Command Shell ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\ ], 
             Value Name: [ C:\WINDOWS\update.1\svchost.exe ], New Value: [ svchost ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500_Classes\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\\Software\Microsoft\Windows\CurrentVe\Policies\Associati ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]
        Key: [ HKU\\Software\Microsoft\Windows\\Policies\Associati ], 
             Value Name: [ ModRiskFileTypes ], New Value: [ *.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\CLASSES\.EXE ], 
             Value Name: [  ], Value: [ exefile ], 6 times
        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 ], 
             Value Name: [  ], Value: [ %SystemRoot%\system32\SHELL32.dll ], 3 times
        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32 ], 
             Value Name: [  ], Value: [ %SystemRoot%\system32\shdocvw.dll ], 6 times
        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32 ], 
             Value Name: [ ThreadingModel ], Value: [ Apartment ], 3 times
        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELLFOLDER ], 
             Value Name: [ WantsParseDisplayName ], Value: [  ], 3 times
        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32 ], 
             Value Name: [  ], Value: [ shell32.dll ], 5 times
        Key: [ HKLM\SOFTWARE\CLASSES\DIRECTORY ], 
             Value Name: [ AlwaysShowExt ], Value: [  ], 2 times
        Key: [ HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} ], 
             Value Name: [ DriveMask ], Value: [ 32 ], 5 times
        Key: [ HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND ], 
             Value Name: [  ], Value: [ "%1" %* ], 10 times
        Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{000214E6-0000-0000-C000-000000000046}\PROXYSTUBCLSID32 ], 
             Value Name: [  ], Value: [ {bf50b68e-29b8-4386-ae9c-9734d5117cd5} ], 3 times
        Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\PROXYSTUBCLSID32 ], 
             Value Name: [  ], Value: [ {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} ], 3 times
        Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\PROXYSTUBCLSID32 ], 
             Value Name: [  ], Value: [ {bf50b68e-29b8-4386-ae9c-9734d5117cd5} ], 3 times
        Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{B722BCCB-4E68-101B-A2BC-00AA00404770}\PROXYSTUBCLSID32 ], 
             Value Name: [  ], Value: [ {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} ], 3 times
        Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TYPELIB ], 
             Value Name: [  ], Value: [ {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} ], 3 times
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 4 times
        Key: [ HKLM\SOFTWARE\services32.exe ], 
             Value Name: [ close ], Value: [ 0 ], 244 times
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language ], 
             Value Name: [ Default ], Value: [ 0c07 ], 12 times
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language ], 
             Value Name: [ InstallLanguage ], Value: [ 0409 ], 12 times
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters ], 
             Value Name: [ Transports ], Value: [ 0x5400630070006900700000004e0065007400420049004f00530000000000 ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 7 times
        Key: [ HKLM\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ], 
             Value Name: [  ], Value: [ %SystemRoot%\system32\shdocvw.dll ], 3 times
        Key: [ HKLM\Software\Microsoft\COM3 ], 
             Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Microsoft\COM3 ], 
             Value Name: [ REGDBVersion ], Value: [ 0x0b00000000000000 ], 6 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation ], 
             Value Name: [ CutList ], Value: [ 0x4100700070006c00690063006100740069006f006e002000460069006c00 ], 6 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ], 
             Value Name: [ {AEB6717E-7E19-11d0-97EE-00C04FD91972} ], Value: [  ], 5 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Common Desktop ], Value: [ %ALLUSERSPROFILE%\Desktop ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Common Documents ], Value: [ %ALLUSERSPROFILE%\Documents ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Common Programs ], Value: [ %ALLUSERSPROFILE%\Start Menu\Programs ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ LogLevel ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 7 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ PC ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], 
             Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 11 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ pc ], 13 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ HelperDllName ], Value: [ %SystemRoot%\System32\wshtcpip.dll ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ Mapping ], Value: [ 0x0b0000000300000002000000010000000600000002000000010000000000 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ MaxSockaddrLength ], Value: [ 16 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ MinSockaddrLength ], Value: [ 16 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ UseDelayedAcceptance ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], 
             Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 6 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
        Key: [ HKLM\System\WPA\PnP ], 
             Value Name: [ seed ], Value: [ 1274198464 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ Locale ], Value: [ 00000C07 ], 12 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Language Hotkey ], Value: [ 1 ], 4 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Layout Hotkey ], Value: [ 2 ], 4 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ ], 
             Value Name: [ ShellState ], Value: [ 0x2400000038080000000000000000000000000000010000000d0000000000 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ DontPrettyPath ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ Filter ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ Hidden ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ HideFileExt ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ HideIcons ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ MapNetDrvBtn ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ NoNetCrawling ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ SeparateProcess ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ ShowCompColor ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ ShowInfoTip ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ ShowSuperHidden ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 
             Value Name: [ WebView ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], 
             Value Name: [ Data ], Value: [ 0x000000005c005c003f005c0049004400450023004300640052006f006d00 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], 
             Value Name: [ Generation ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], 
             Value Name: [ Data ], Value: [ 0x000000005c005c003f005c00530054004f00520041004700450023005600 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], 
             Value Name: [ Generation ], Value: [ 1 ], 8 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Desktop ], Value: [ %USERPROFILE%\Desktop ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Programs ], Value: [ %USERPROFILE%\Start Menu\Programs ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Policies\Associations ], 
             Value Name: [ ModRiskFileTypes ], Value: [ *.exe ], 5 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached ], 
             Value Name: [ {871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401 ], Value: [ 0x010000007c6c9c7cc0da56ab0ac5c801 ], 3 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache ], 
             Value Name: [ LangID ], Value: [ 0x0904 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\ ], 
             Value Name: [ C:\WINDOWS\system32\netsh.exe ], Value: [ Network Command Shell ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Classes ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
        Key: [ HKLM\Software\Classes\CLSID ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times
        Key: [ HKLM\Software\Microsoft\COM3 ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKU ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 5 times


[=============================================================================]
    2.b) Flash-Play.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11345145.bat ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\51452382.bat ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        File Name: [ C:\WINDOWS\proc_list1.log ]
        File Name: [ C:\WINDOWS\update.1 ]
        File Name: [ C:\WINDOWS\update.1\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        File Name: [ C:\Documents and Settings\Administrator\My Documents\desktop.ini ]
        File Name: [ C:\Documents and Settings\All Users\Documents\desktop.ini ]
        File Name: [ C:\Flash-Play.exe ]
        File Name: [ C:\WINDOWS\Registration\R00000000000b.clb ]
        File Name: [ C:\WINDOWS\system32\netsh.exe ]
        File Name: [ C:\WINDOWS\update.1\svchost.exe ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ PIPE\wkssvc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11345145.bat ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\51452382.bat ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        File Name: [ C:\WINDOWS\proc_list1.log ]
        File Name: [ C:\WINDOWS\update.1\svchost.exe ]
        File Name: [ MountPointManager ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ PIPE\wkssvc ]
        File Name: [ \Device\Afd\AsyncConnectHlp ]
        File Name: [ \Device\Afd\Endpoint ]
        File Name: [ \Device\RasAcd ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Directory: [ C:\WINDOWS\update.1 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
        File: [ PIPE\wkssvc ], Control Code: [ 0x0011C017 ], 1 time
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        File: [ \Device\RasAcd ], Control Code: [ 0x00F14014 ], 4 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_INFO (0x0001207B) ], 2 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SET_CONTEXT (0x00012047) ], 16 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SET_INFO (0x0001203B) ], 4 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_BIND (0x00012003) ], 6 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_TDI_HANDLES (0x00012037) ], 12 times
        File: [ \Device\Afd\AsyncConnectHlp ], Control Code: [ AFD_CONNECT (0x00012007) ], 2 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SELECT (0x00012024) ], 323 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_CONNECT (0x00012007) ], 4 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SEND (0x0001201F) ], 4 times
        File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_RECV (0x00012017) ], 321 times
        File: [ IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time
        File: [ MountPointManager ], Control Code: [ 0x006D0008 ], 2 times
        File: [ STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time
        File: [ MountPointManager ], Control Code: [ 0x006D0034 ], 4 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11345145.bat ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\51452382.bat ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        File Name: [ C:\WINDOWS\System32\mswsock.dll ]
        File Name: [ C:\WINDOWS\System32\winrnr.dll ]
        File Name: [ C:\WINDOWS\System32\wshtcpip.dll ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
        File Name: [ C:\WINDOWS\system32\COMRes.dll ]
        File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\RichEd20.dll ]
        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
        File Name: [ C:\WINDOWS\system32\WININET.dll ]
        File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
        File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
        File Name: [ C:\WINDOWS\system32\cmd.exe ]
        File Name: [ C:\WINDOWS\system32\hnetcfg.dll ]
        File Name: [ C:\WINDOWS\system32\imm32.dll ]
        File Name: [ C:\WINDOWS\system32\netsh.exe ]
        File Name: [ C:\WINDOWS\system32\rasadhlp.dll ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\WINDOWS\system32\shdocvw.dll ]
        File Name: [ C:\WINDOWS\system32\shell32.dll ]
        File Name: [ C:\WINDOWS\system32\uxtheme.dll ]
        File Name: [ C:\WINDOWS\system32\wsock32.dll ]
        File Name: [ C:\WINDOWS\update.1\svchost.exe ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) Flash-Play.exe - Windows Service Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Services Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ wxpdrivers ], Type: [ SERVICE_AUTO_START ], Path: [ C:\WINDOWS\update.1\svchost.exe srv ]

[=============================================================================]
    2.d) Flash-Play.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\51452382.bat" ]
        Executable: [ C:\WINDOWS\system32\netsh.exe ], Command Line: [  ]
        Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ], Command Line: [  ]
        Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ], Command Line: [ "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe"  ]
        Executable: [ C:\WINDOWS\system32\netsh.exe ], Command Line: [ "C:\WINDOWS\system32\netsh.exe" firewall set opmode mode=disable ]
        Executable: [ C:\WINDOWS\system32\netsh.exe ], Command Line: [  ]
        Executable: [ C:\WINDOWS\system32\netsh.exe ], Command Line: [ "C:\WINDOWS\system32\netsh.exe" firewall set opmode mode=disable ]
        Executable: [ C:\WINDOWS\system32\netsh.exe ], Command Line: [  ]
        Executable: [ C:\WINDOWS\system32\netsh.exe ], Command Line: [ "C:\WINDOWS\system32\netsh.exe" firewall set opmode mode=disable ]
        Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11345145.bat" ]
        Executable: [ C:\WINDOWS\update.1\svchost.exe ], Command Line: [  ]
        Executable: [ C:\WINDOWS\update.1\svchost.exe ], Command Line: [ "C:\WINDOWS\update.1\svchost.exe"  ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\WINDOWS\system32\cmd.exe ]
        Affected Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        Affected Process: [ C:\WINDOWS\system32\netsh.exe ]
        Affected Process: [ C:\WINDOWS\system32\netsh.exe ]
        Affected Process: [ C:\WINDOWS\system32\netsh.exe ]
        Affected Process: [ C:\WINDOWS\system32\cmd.exe ]
        Affected Process: [ C:\WINDOWS\update.1\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        Process: [ C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ]
        Process: [ C:\Program Files\Common Files\drlwszvxbeo.exe ]
        Process: [ C:\Program Files\Common Files\kxuckd.exe ]
        Process: [ C:\Program Files\Messenger\msmsgs.exe ]
        Process: [ C:\WINDOWS\explorer.exe ]
        Process: [ C:\WINDOWS\system32\cmd.exe ]
        Process: [ C:\WINDOWS\system32\ctfmon.exe ]
        Process: [ C:\WINDOWS\system32\netsh.exe ]
        Process: [ C:\WINDOWS\system32\wscntfy.exe ]
        Process: [ C:\WINDOWS\update.1\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        Process: [ C:\WINDOWS\system32\cmd.exe ]
        Process: [ C:\WINDOWS\system32\netsh.exe ]
        Process: [ C:\WINDOWS\update.1\svchost.exe ]


[=============================================================================]
    2.e) Flash-Play.exe - Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ google.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 209.85.148.106 209.85.148.147 209.85.148.104 209.85.148.99 209.85.148.105 209.85.148.103 ], Successful: [ YES ], Protocol: [ udp ]
        Name: [ driver-portal-x86.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 91.217.153.62 ], Successful: [ YES ], Protocol: [ udp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    HTTP Conversations:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1029 to 93.100.19.181:8080 - [ 93.100.19.181 ]
             Request: [ GET /search=error ], Response: [ 200 "OK" ]
        From ANUBIS:1030 to 93.100.19.181:8080 - [ 93.100.19.181 ]
             Request: [ GET /search=flash32.exe.txt ], Response: [ 200 "OK" ]
        From ANUBIS:1031 to 93.100.19.181:8080 - [ 93.100.19.181 ]
             Request: [ GET /search=flash32.exe ], Response: [ 200 "OK" ]
        From ANUBIS:1033 to 91.217.153.62:80 - [ driver-portal-x86.com ]
             Request: [ GET /distrib_serv/ip_list_3.php ], Response: [ 200 "OK" ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Unknown TCP Traffic:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1028 to 93.100.19.181:8080
             State: [ Normal establishment and termination ],
             Outbound Bytes: [ 0 ], Inbound Bytes: [ 0 ]
        From ANUBIS:1032 to 91.217.153.62:80
             State: [ Normal establishment and termination ],
             Outbound Bytes: [ 0 ], Inbound Bytes: [ 0 ]


[=============================================================================]
    2.f) Flash-Play.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ MSCTF.Shared.MUTEX.IFG ]
        Mutex: [ xpdrvsd ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Description: [ Exception 0xeedfade at 0x7c812aeb ], 1 time
        Note: 0xEEDFADE is the exception code Delphi/Borland runtimes pass to
              kernel32!RaiseException, and 0x7c812aeb lies inside kernel32.dll
              (base 0x7C800000 in the module lists below). The "crash" is thus
              a Delphi language exception raised by the sample itself, which
              suggests the code under the packer is Delphi-compiled.




[#############################################################################]
    3. cmd.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Flash-Play.exe
        Filename:        cmd.exe
        MD5:             6d778e0f95447e6546553eeea709d03c
        SHA-1:           811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
        File Size:       389120 Bytes
        Command Line:    cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\51452382.bat""
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]

[=============================================================================]
    3.a) cmd.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ AutoRun ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ CompletionChar ], Value: [ 64 ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 
             Value Name: [ 1 ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 
             Value Name: [ 00000C07 ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], 
             Value Name: [ CompletionChar ], Value: [ 9 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], 
             Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], 
             Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time


[=============================================================================]
    3.b) cmd.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time


[#############################################################################]
    4. netsh.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Flash-Play.exe
        Filename:        netsh.exe
        MD5:             6309955f8a1bdd10a8467c50ed3f023e
        SHA-1:           1bc8e086b5e5d62c9d4edff100bd563e3e990927
        File Size:       86016 Bytes
        Command Line:    "C:\WINDOWS\system32\netsh.exe" firewall set opmode mode=disable
        Process-status
        at analysis end: alive
        Exit Code:       0
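        Detection note (added example, not part of the Anubis report): the
        three behaviours above are cheap to alert on from process-creation and
        proxy logs: the parent-less-looking cmd.exe that runs a .bat out of the
        user's Temp directory (section 3), netsh.exe turning the firewall off
        (section 4), and the executable pulled from a bare IP on port 8080
        (section 2). The script below is written for this report and is not
        Anubis or vendor code; the event classes, the parent path
        C:\Temp\Flash-Play.exe and the Vista+ "advfirewall ... state off"
        form are assumptions, and the sample events are constructed from the
        command lines and request lines printed in this report.

```python
"""
Detection logic for three behaviours this report records: Flash-Play.exe
fetching executables over HTTP from a bare IP on port 8080, cmd.exe running a
.bat dropped in the user's Temp directory, and netsh.exe turning the Windows
Firewall off. Event classes and sample events are constructed for this
example from the report's own command lines; they are not an Anubis or
Sysmon schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # path of the created process
    command_line: str   # raw command line as logged
    parent_image: str   # path of the parent process


@dataclass(frozen=True)
class HttpEvent:
    dst_host: str       # Host header or destination as logged
    dst_port: int
    request: str        # request line, e.g. "GET /search=flash32.exe"


# XP-era "netsh firewall set opmode ... disable" (as in this report) plus the
# Vista+ "netsh advfirewall set <profile> state off" form (assumed generalisation).
_FW_DISABLE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*?\b(?:firewall\s+set\s+opmode\b.*?\bdisable\b"
    r"|advfirewall\s+set\s+\w+\s+state\s+off\b)",
    re.IGNORECASE,
)

# cmd /c executing a .bat that lives under a Temp directory (8.3 or long form).
_TEMP_BAT = re.compile(
    r"\bcmd(?:\.exe)?\b.*?/c\b.*?[\\/](?:temp|tmp)[\\/][^\"\s]*\.bat\b",
    re.IGNORECASE,
)

_BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Executable (or executable served as .txt) fetched through a query-style path.
_EXE_FETCH = re.compile(r"^GET\s+\S*\.exe(?:\.txt)?(?:\s|$)", re.IGNORECASE)


def check_process(ev: ProcEvent) -> list[str]:
    """Return the names of the process rules that fire for one event."""
    hits = []
    if _FW_DISABLE.search(ev.command_line):
        hits.append("firewall_disabled_via_netsh")
    if _TEMP_BAT.search(ev.command_line):
        hits.append("cmd_runs_bat_from_temp")
    return hits


def check_http(ev: HttpEvent) -> list[str]:
    """Flag executables pulled from a bare-IP host on a non-standard port."""
    hits = []
    if (_BARE_IPV4.match(ev.dst_host) and ev.dst_port not in (80, 443)
            and _EXE_FETCH.match(ev.request)):
        hits.append("exe_download_from_bare_ip")
    return hits


def scan(proc_events, http_events) -> list[tuple[str, str]]:
    """Run every rule and return (rule, evidence) pairs in input order."""
    findings = []
    for ev in proc_events:
        for rule in check_process(ev):
            findings.append((rule, f"{ev.parent_image} -> {ev.command_line}"))
    for ev in http_events:
        for rule in check_http(ev):
            findings.append((rule, f"{ev.dst_host}:{ev.dst_port} {ev.request}"))
    return findings


# Constructed sample: the two child processes and three requests from this
# report (parent path assumed), plus a benign netsh query and a benign batch
# run that must not fire.
SAMPLE_PROCS = [
    ProcEvent(r"C:\WINDOWS\system32\cmd.exe",
              r'cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\51452382.bat""',
              r"C:\Temp\Flash-Play.exe"),
    ProcEvent(r"C:\WINDOWS\system32\netsh.exe",
              r'"C:\WINDOWS\system32\netsh.exe" firewall set opmode mode=disable',
              r"C:\Temp\Flash-Play.exe"),
    ProcEvent(r"C:\WINDOWS\system32\netsh.exe",
              r"netsh interface ip show config",
              r"C:\WINDOWS\system32\cmd.exe"),
    ProcEvent(r"C:\WINDOWS\system32\cmd.exe",
              r'cmd /c "C:\Program Files\Build\nightly.bat"',
              r"C:\WINDOWS\explorer.exe"),
]
SAMPLE_HTTP = [
    HttpEvent("93.100.19.181", 8080, "GET /search=flash32.exe"),
    HttpEvent("93.100.19.181", 8080, "GET /search=error"),
    HttpEvent("driver-portal-x86.com", 80, "GET /distrib_serv/ip_list_3.php"),
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_PROCS, SAMPLE_HTTP):
        print(f"{rule:32} {evidence}")
```

        Run stand-alone it prints one line per finding: the Temp .bat launch,
        the firewall disable, and the flash32.exe download; the benign netsh
        query, the non-Temp batch file, the /search=error probe and the
        hostname-based request to driver-portal-x86.com stay silent. The
        parent image is carried in the evidence string because in this report
        the interesting fact is that a supposed Flash installer, not a shell
        or an admin tool, is the parent of both children.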

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\MPRAPI.dll ],
               Base Address: [0x76D40000 ], Size: [0x00018000 ]
        Module Name: [ C:\WINDOWS\system32\ACTIVEDS.dll ],
               Base Address: [0x77CC0000 ], Size: [0x00032000 ]
        Module Name: [ C:\WINDOWS\system32\adsldpc.dll ],
               Base Address: [0x76E10000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ],
               Base Address: [0x76F60000 ], Size: [0x0002C000 ]
        Module Name: [ C:\WINDOWS\system32\ATL.DLL ],
               Base Address: [0x76B20000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
               Base Address: [0x76E80000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ],
               Base Address: [0x71BF0000 ], Size: [0x00013000 ]
        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
               Base Address: [0x77920000 ], Size: [0x000F3000 ]
        Module Name: [ C:\WINDOWS\system32\RASAPI32.dll ],
               Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
        Module Name: [ C:\WINDOWS\system32\rasman.dll ],
               Base Address: [0x76E90000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
               Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
               Base Address: [0x76B40000 ], Size: [0x0002D000 ]
        Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ],
               Base Address: [0x76D60000 ], Size: [0x00019000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
               Base Address: [0x6F880000 ], Size: [0x001CA000 ]
        Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
               Base Address: [0x77BE0000 ], Size: [0x00015000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\dot3api.dll ],
               Base Address: [0x478C0000 ], Size: [0x0000A000 ]
        Module Name: [ C:\WINDOWS\system32\RASMONTR.DLL ],
               Base Address: [0x5DBA0000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\OneX.DLL ],
               Base Address: [0x5DCA0000 ], Size: [0x00028000 ]
        Module Name: [ C:\WINDOWS\system32\eappprxy.dll ],
               Base Address: [0x5DCD0000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\IPPROMON.DLL ],
               Base Address: [0x602B0000 ], Size: [0x00053000 ]
        Module Name: [ C:\WINDOWS\system32\IPXPROMN.DLL ],
               Base Address: [0x66170000 ], Size: [0x00014000 ]
        Module Name: [ C:\WINDOWS\system32\IPXMONTR.DLL ],
               Base Address: [0x66190000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\IPV6MON.DLL ],
               Base Address: [0x661B0000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\IPMONTR.DLL ],
               Base Address: [0x664E0000 ], Size: [0x0002A000 ]
        Module Name: [ C:\WINDOWS\system32\IFMON.DLL ],
               Base Address: [0x66DF0000 ], Size: [0x00024000 ]
        Module Name: [ C:\WINDOWS\System32\Wbem\framedyn.dll ],
               Base Address: [0x692C0000 ], Size: [0x00030000 ]
        Module Name: [ C:\WINDOWS\system32\DGNET.DLL ],
               Base Address: [0x6D240000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\MSWSOCK.dll ],
               Base Address: [0x71A50000 ], Size: [0x0003F000 ]
        Module Name: [ C:\WINDOWS\system32\dot3dlg.dll ],
               Base Address: [0x736D0000 ], Size: [0x00006000 ]
        Module Name: [ C:\WINDOWS\system32\eappcfg.dll ],
               Base Address: [0x745B0000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\netcfgx.dll ],
               Base Address: [0x755F0000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
               Base Address: [0x76080000 ], Size: [0x00065000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\system32\netshell.dll ],
               Base Address: [0x76400000 ], Size: [0x001A5000 ]
        Module Name: [ C:\WINDOWS\system32\credui.dll ],
               Base Address: [0x76C00000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\CLUSAPI.dll ],
               Base Address: [0x76D10000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ],
               Base Address: [0x76F20000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
               Base Address: [0x76F50000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
    4.a) netsh.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ Active ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ ControlFlags ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ LogSessionName ], New Value: [ stdout ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier ], 
             Value Name: [ BitNames ], New Value: [  Error Unusual Info Debug ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier ], 
             Value Name: [ Guid ], New Value: [ 5f31090b-d990-4e91-b16d-46121d0255aa ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ Active ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ ControlFlags ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ LogSessionName ], New Value: [ stdout ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier ], 
             Value Name: [ BitNames ], New Value: [  Error Unusual Info Debug ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier ], 
             Value Name: [ Guid ], New Value: [ 5f31090b-d990-4e91-b16d-46121d0255aa ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 1 ], Value: [ ipmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 2 ], Value: [ ifmon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 3 ], Value: [ ippromon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 4 ], Value: [ rasmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 5 ], Value: [ ipxmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 6 ], Value: [ ipxpromn.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ dgnet ], Value: [ dgnet.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ ipv6mon ], Value: [ ipv6mon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Log File Max Size ], Value: [ 65536 ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Logging ], Value: [ 1 ], 2 times
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Logging Directory ], Value: [ C:\WINDOWS\system32\WBEM\Logs\ ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], 
             Value Name: [ CurrentBuildNumber ], Value: [ 2600 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ midimapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.iac2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.imaadpcm ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.l3acm ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msadpcm ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msaudio1 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msg711 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msg723 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msgsm610 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.sl_anet ], Value: [ sl_anet.acm ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.trspch ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.I420 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.M261 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.M263 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.cvid ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv31 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv32 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv41 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv50 ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iyuv ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.mrle ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.msvc ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.uyvy ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yuy2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yvu9 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yvyu ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ wavemapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ LogLevel ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ PC ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], 
             Value Name: [ wheel ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], 
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], 
             Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ pc ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], 
             Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 6 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
        Key: [ HKLM\System\WPA\PnP ], 
             Value Name: [ seed ], Value: [ 1274198464 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], 
             Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time


[=============================================================================]
    4.b) netsh.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ Ip ]
        File Name: [ WMIDataDevice ]
        File Name: [ \Device\Ip ]
        File Name: [ \Device\Tcp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        File: [ \Device\Tcp ], Control Code: [ 0x00120003 ], 6 times
        File: [ WMIDataDevice ], Control Code: [ 0x0022414C ], 2 times
        File: [ WMIDataDevice ], Control Code: [ 0x00228144 ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
        File Name: [ C:\WINDOWS\System32\Wbem\framedyn.dll ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\ACTIVEDS.dll ]
        File Name: [ C:\WINDOWS\system32\ATL.DLL ]
        File Name: [ C:\WINDOWS\system32\CLUSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\DGNET.DLL ]
        File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\IFMON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\IPPROMON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPV6MON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPXMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\IPXPROMN.DLL ]
        File Name: [ C:\WINDOWS\system32\MPRAPI.dll ]
        File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\MSVCP60.dll ]
        File Name: [ C:\WINDOWS\system32\MSWSOCK.dll ]
        File Name: [ C:\WINDOWS\system32\OneX.DLL ]
        File Name: [ C:\WINDOWS\system32\RASAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\RASMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\SAMLIB.dll ]
        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
        File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
        File Name: [ C:\WINDOWS\system32\WINMM.dll ]
        File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
        File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
        File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
        File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\adsldpc.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\WINDOWS\system32\credui.dll ]
        File Name: [ C:\WINDOWS\system32\dot3api.dll ]
        File Name: [ C:\WINDOWS\system32\dot3dlg.dll ]
        File Name: [ C:\WINDOWS\system32\eappcfg.dll ]
        File Name: [ C:\WINDOWS\system32\eappprxy.dll ]
        File Name: [ C:\WINDOWS\system32\imm32.dll ]
        File Name: [ C:\WINDOWS\system32\iphlpapi.dll ]
        File Name: [ C:\WINDOWS\system32\netcfgx.dll ]
        File Name: [ C:\WINDOWS\system32\netshell.dll ]
        File Name: [ C:\WINDOWS\system32\rasman.dll ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\WINDOWS\system32\rtutils.dll ]
        File Name: [ C:\WINDOWS\system32\xpob2res.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]


[#############################################################################]
    5. flash32.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Flash-Play.exe
        Filename:        flash32.exe
        MD5:             e40b304353f5680c658591dc03745c11
        SHA-1:           66c58e157201802d7434d8249dbb171dcb7a7c04
        File Size:       171520 Bytes
        Command Line:    "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe" 
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ],
               Base Address: [0x76380000 ], Size: [0x00005000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\WINHTTP.dll ],
               Base Address: [0x4D4F0000 ], Size: [0x00059000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ],
               Base Address: [0x662B0000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\System32\mswsock.dll ],
               Base Address: [0x71A50000 ], Size: [0x0003F000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
               Base Address: [0x76B40000 ], Size: [0x0002D000 ]
        Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
               Base Address: [0x76E80000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\rasman.dll ],
               Base Address: [0x76E90000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
               Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
        Module Name: [ C:\WINDOWS\system32\RASAPI32.dll ],
               Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
        Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ],
               Base Address: [0x76F20000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ],
               Base Address: [0x76FC0000 ], Size: [0x00006000 ]
        Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
               Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
        Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
               Base Address: [0x77050000 ], Size: [0x000C5000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\WININET.dll ],
               Base Address: [0x771B0000 ], Size: [0x000AA000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]

[=============================================================================]
    5.a) flash32.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], 
             Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], 
             Value Name: [ Paths ], New Value: [ 4 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], 
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], 
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], 
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], 
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], 
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], 
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], 
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], 
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Run ], 
             Value Name: [ conhost ], New Value: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\INPROCSERVER32 ], 
             Value Name: [  ], Value: [ C:\WINDOWS\system32\hnetcfg.dll ], 1 time
        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\INPROCSERVER32 ], 
             Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile ], 
             Value Name: [ EnableFirewall ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters ], 
             Value Name: [ Transports ], Value: [ 0x5400630070006900700000004e0065007400420049004f00530000000000 ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\COM3 ], 
             Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Microsoft\COM3 ], 
             Value Name: [ REGDBVersion ], Value: [ 0x0b00000000000000 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing ], 
             Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Value Name: [ MaxFileSize ], Value: [ 1048576 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 ], 
             Value Name: [ Description ], Value: [ Realtek RTL8029(AS)-based Ethernet Adapter (Generic) ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 ], 
             Value Name: [ ServiceName ], Value: [ {1AD45B38-4060-4F73-BB1E-A0439A2D97EB} ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\9 ], 
             Value Name: [ Description ], Value: [ Realtek RTL8029(AS)-based Ethernet Adapter (Generic) ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\9 ], 
             Value Name: [ ServiceName ], Value: [ {101AD58A-72E3-4831-9F1E-01C7C72E2FAB} ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], 
             Value Name: [ AllUsersProfile ], Value: [ All Users ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], 
             Value Name: [ DefaultUserProfile ], Value: [ Default User ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], 
             Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 4 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], 
             Value Name: [ ProfileImagePath ], Value: [ %SystemDrive%\Documents and Settings\Administrator ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ PC ], 3 times
        Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], 
             Value Name: [ wheel ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], 
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ OS ], Value: [ Windows_NT ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PATHEXT ], Value: [ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], 
             Value Name: [ windir ], Value: [ %SystemRoot% ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ pc ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], 
             Value Name: [ Mapping ], Value: [ 0x0b0000000300000002000000010000000600000002000000010000000000 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], 
             Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 6 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], 
             Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], 
             Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  ], 4 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], 
             Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ], 
             Value Name: [ ParseAutoexec ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], 
             Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], 
             Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], 
             Value Name: [ CachePrefix ], Value: [  ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], 
             Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], 
             Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], 
             Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], 
             Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], 
             Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\ ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], 
             Value Name: [ CachePrefix ], Value: [ :2011021720110218:  ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], 
             Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], 
             Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], 
             Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\ ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], 
             Value Name: [ CachePrefix ], Value: [ :2011021820110219:  ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], 
             Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], 
             Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], 
             Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], 
             Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], 
             Value Name: [ MigrateProxy ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], 
             Value Name: [ APPDATA ], Value: [ C:\Documents and Settings\Administrator\Application Data ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], 
             Value Name: [ CLIENTNAME ], Value: [ Console ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], 
             Value Name: [ HOMEDRIVE ], Value: [ C: ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], 
             Value Name: [ HOMEPATH ], Value: [ \Documents and Settings\Administrator ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], 
             Value Name: [ HOMESHARE ], Value: [  ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], 
             Value Name: [ LOGONSERVER ], Value: [ \\PC ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], 
             Value Name: [ SESSIONNAME ], Value: [ Console ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Classes ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
        Key: [ HKLM\Software\Classes\CLSID ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times
        Key: [ HKLM\Software\Microsoft\COM3 ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times
        Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKU ], 
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times


[=============================================================================]
    5.b) flash32.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\Documents and Settings\Administrator\Application Data\A9E0.279 ]
        File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        File Name: [ C:\WINDOWS\Registration\R00000000000b.clb ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ c:\autoexec.bat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\Documents and Settings\Administrator\Application Data\A9E0.279 ]
        File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe ]
        File Name: [ PIPE\lsarpc ]
        File Name: [ \Device\RasAcd ]
        File Name: [ {1AD45B38-4060-4F73-BB1E-A0439A2D97EB} ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files ], Control Code: [ 0x00090028 ], 1 time
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 16 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        File: [ {1AD45B38-4060-4F73-BB1E-A0439A2D97EB} ], Control Code: [ 0x00170002 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]
        File Name: [ C:\Documents and Settings\Administrator\Application Data\A9E0.279 ]
        File Name: [ C:\WINDOWS\System32\mswsock.dll ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
        File Name: [ C:\WINDOWS\system32\COMRes.dll ]
        File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\MSIMG32.dll ]
        File Name: [ C:\WINDOWS\system32\RASAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\WINHTTP.dll ]
        File Name: [ C:\WINDOWS\system32\WININET.dll ]
        File Name: [ C:\WINDOWS\system32\WINMM.dll ]
        File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
        File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\WINDOWS\system32\hnetcfg.dll ]
        File Name: [ C:\WINDOWS\system32\imm32.dll ]
        File Name: [ C:\WINDOWS\system32\rasadhlp.dll ]
        File Name: [ C:\WINDOWS\system32\rasman.dll ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\WINDOWS\system32\rtutils.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    5.c) flash32.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe ]


[=============================================================================]
    5.d) flash32.exe - Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ greenherbalteaonline.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [  ], Successful: [ NO ], Protocol: [ udp ]


[=============================================================================]
    5.e) flash32.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ {0ECE180F-6E9E-4FA6-A154-6876D9DB8906} ]
        Mutex: [ {1ACD3490-8843-47EB-867B-EDDDD7FA37FD} ]
        Mutex: [ {61B98B86-5F44-42b3-BCA1-33904B067B81} ]
        Mutex: [ {A5B35993-9674-43cd-8AC7-5BC5013E617B} ]
        Mutex: [ {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78} ]
        Mutex: [ {B37C48AF-B05C-4520-8B38-2FE181D5DC78} ]
        Mutex: [ {B5B35993-9674-43cd-8AC7-5BC5013E617B} ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x40bb64 ], 1 time




[#############################################################################]
    6. netsh.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Flash-Play.exe
        Filename:        netsh.exe
        Command Line:    "C:\WINDOWS\system32\netsh.exe" firewall set opmode mode=disable
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\MPRAPI.dll ],
               Base Address: [0x76D40000 ], Size: [0x00018000 ]
        Module Name: [ C:\WINDOWS\system32\ACTIVEDS.dll ],
               Base Address: [0x77CC0000 ], Size: [0x00032000 ]
        Module Name: [ C:\WINDOWS\system32\adsldpc.dll ],
               Base Address: [0x76E10000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ],
               Base Address: [0x76F60000 ], Size: [0x0002C000 ]
        Module Name: [ C:\WINDOWS\system32\ATL.DLL ],
               Base Address: [0x76B20000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
               Base Address: [0x76E80000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ],
               Base Address: [0x71BF0000 ], Size: [0x00013000 ]
        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
               Base Address: [0x77920000 ], Size: [0x000F3000 ]
        Module Name: [ C:\WINDOWS\system32\RASAPI32.dll ],
               Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
        Module Name: [ C:\WINDOWS\system32\rasman.dll ],
               Base Address: [0x76E90000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
               Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
               Base Address: [0x76B40000 ], Size: [0x0002D000 ]
        Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ],
               Base Address: [0x76D60000 ], Size: [0x00019000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
               Base Address: [0x6F880000 ], Size: [0x001CA000 ]
        Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
               Base Address: [0x77BE0000 ], Size: [0x00015000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\dot3api.dll ],
               Base Address: [0x478C0000 ], Size: [0x0000A000 ]
        Module Name: [ C:\WINDOWS\system32\RASMONTR.DLL ],
               Base Address: [0x5DBA0000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\OneX.DLL ],
               Base Address: [0x5DCA0000 ], Size: [0x00028000 ]
        Module Name: [ C:\WINDOWS\system32\eappprxy.dll ],
               Base Address: [0x5DCD0000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\IPPROMON.DLL ],
               Base Address: [0x602B0000 ], Size: [0x00053000 ]
        Module Name: [ C:\WINDOWS\system32\IPXPROMN.DLL ],
               Base Address: [0x66170000 ], Size: [0x00014000 ]
        Module Name: [ C:\WINDOWS\system32\IPXMONTR.DLL ],
               Base Address: [0x66190000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\IPV6MON.DLL ],
               Base Address: [0x661B0000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\IPMONTR.DLL ],
               Base Address: [0x664E0000 ], Size: [0x0002A000 ]
        Module Name: [ C:\WINDOWS\system32\IFMON.DLL ],
               Base Address: [0x66DF0000 ], Size: [0x00024000 ]
        Module Name: [ C:\WINDOWS\System32\Wbem\framedyn.dll ],
               Base Address: [0x692C0000 ], Size: [0x00030000 ]
        Module Name: [ C:\WINDOWS\system32\DGNET.DLL ],
               Base Address: [0x6D240000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\MSWSOCK.dll ],
               Base Address: [0x71A50000 ], Size: [0x0003F000 ]
        Module Name: [ C:\WINDOWS\system32\dot3dlg.dll ],
               Base Address: [0x736D0000 ], Size: [0x00006000 ]
        Module Name: [ C:\WINDOWS\system32\eappcfg.dll ],
               Base Address: [0x745B0000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\netcfgx.dll ],
               Base Address: [0x755F0000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
               Base Address: [0x76080000 ], Size: [0x00065000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\system32\netshell.dll ],
               Base Address: [0x76400000 ], Size: [0x001A5000 ]
        Module Name: [ C:\WINDOWS\system32\credui.dll ],
               Base Address: [0x76C00000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\CLUSAPI.dll ],
               Base Address: [0x76D10000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ],
               Base Address: [0x76F20000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
               Base Address: [0x76F50000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
    6.a) netsh.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ Active ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ ControlFlags ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ LogSessionName ], New Value: [ stdout ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier ], 
             Value Name: [ BitNames ], New Value: [  Error Unusual Info Debug ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier ], 
             Value Name: [ Guid ], New Value: [ 5f31090b-d990-4e91-b16d-46121d0255aa ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ Active ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ ControlFlags ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ LogSessionName ], New Value: [ stdout ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier ], 
             Value Name: [ BitNames ], New Value: [  Error Unusual Info Debug ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier ], 
             Value Name: [ Guid ], New Value: [ 5f31090b-d990-4e91-b16d-46121d0255aa ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 1 ], Value: [ ipmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 2 ], Value: [ ifmon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 3 ], Value: [ ippromon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 4 ], Value: [ rasmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 5 ], Value: [ ipxmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 6 ], Value: [ ipxpromn.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ dgnet ], Value: [ dgnet.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ ipv6mon ], Value: [ ipv6mon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Log File Max Size ], Value: [ 65536 ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Logging ], Value: [ 1 ], 2 times
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Logging Directory ], Value: [ C:\WINDOWS\system32\WBEM\Logs\ ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], 
             Value Name: [ CurrentBuildNumber ], Value: [ 2600 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ midimapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.iac2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.imaadpcm ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.l3acm ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msadpcm ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msaudio1 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msg711 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msg723 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msgsm610 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.sl_anet ], Value: [ sl_anet.acm ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.trspch ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.I420 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.M261 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.M263 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.cvid ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv31 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv32 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv41 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv50 ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iyuv ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.mrle ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.msvc ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.uyvy ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yuy2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yvu9 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yvyu ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ wavemapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ LogLevel ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ PC ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], 
             Value Name: [ wheel ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], 
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], 
             Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ pc ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], 
             Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 6 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
        Key: [ HKLM\System\WPA\PnP ], 
             Value Name: [ seed ], Value: [ 1274198464 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], 
             Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time


[=============================================================================]
    6.b) netsh.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ Ip ]
        File Name: [ WMIDataDevice ]
        File Name: [ \Device\Ip ]
        File Name: [ \Device\Tcp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        File: [ \Device\Tcp ], Control Code: [ 0x00120003 ], 6 times
        File: [ WMIDataDevice ], Control Code: [ 0x0022414C ], 2 times
        File: [ WMIDataDevice ], Control Code: [ 0x00228144 ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
        File Name: [ C:\WINDOWS\System32\Wbem\framedyn.dll ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\ACTIVEDS.dll ]
        File Name: [ C:\WINDOWS\system32\ATL.DLL ]
        File Name: [ C:\WINDOWS\system32\CLUSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\DGNET.DLL ]
        File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\IFMON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\IPPROMON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPV6MON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPXMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\IPXPROMN.DLL ]
        File Name: [ C:\WINDOWS\system32\MPRAPI.dll ]
        File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
        File Name: [ C:\WINDOWS\system32\MSVCP60.dll ]
        File Name: [ C:\WINDOWS\system32\MSWSOCK.dll ]
        File Name: [ C:\WINDOWS\system32\OneX.DLL ]
        File Name: [ C:\WINDOWS\system32\RASAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\RASMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\SAMLIB.dll ]
        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
        File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
        File Name: [ C:\WINDOWS\system32\WINMM.dll ]
        File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
        File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
        File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
        File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\adsldpc.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\WINDOWS\system32\credui.dll ]
        File Name: [ C:\WINDOWS\system32\dot3api.dll ]
        File Name: [ C:\WINDOWS\system32\dot3dlg.dll ]
        File Name: [ C:\WINDOWS\system32\eappcfg.dll ]
        File Name: [ C:\WINDOWS\system32\eappprxy.dll ]
        File Name: [ C:\WINDOWS\system32\iphlpapi.dll ]
        File Name: [ C:\WINDOWS\system32\netcfgx.dll ]
        File Name: [ C:\WINDOWS\system32\netshell.dll ]
        File Name: [ C:\WINDOWS\system32\rasman.dll ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\WINDOWS\system32\rtutils.dll ]
        File Name: [ C:\WINDOWS\system32\xpob2res.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]


[#############################################################################]
    7. netsh.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Flash-Play.exe
        Filename:        netsh.exe
        Command Line:    "C:\WINDOWS\system32\netsh.exe" firewall set opmode mode=disable
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\MPRAPI.dll ],
               Base Address: [0x76D40000 ], Size: [0x00018000 ]
        Module Name: [ C:\WINDOWS\system32\ACTIVEDS.dll ],
               Base Address: [0x77CC0000 ], Size: [0x00032000 ]
        Module Name: [ C:\WINDOWS\system32\adsldpc.dll ],
               Base Address: [0x76E10000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ],
               Base Address: [0x76F60000 ], Size: [0x0002C000 ]
        Module Name: [ C:\WINDOWS\system32\ATL.DLL ],
               Base Address: [0x76B20000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
               Base Address: [0x76E80000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ],
               Base Address: [0x71BF0000 ], Size: [0x00013000 ]
        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
               Base Address: [0x77920000 ], Size: [0x000F3000 ]
        Module Name: [ C:\WINDOWS\system32\RASAPI32.dll ],
               Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
        Module Name: [ C:\WINDOWS\system32\rasman.dll ],
               Base Address: [0x76E90000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
               Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
               Base Address: [0x76B40000 ], Size: [0x0002D000 ]
        Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ],
               Base Address: [0x76D60000 ], Size: [0x00019000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
               Base Address: [0x6F880000 ], Size: [0x001CA000 ]
        Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
               Base Address: [0x77BE0000 ], Size: [0x00015000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\dot3api.dll ],
               Base Address: [0x478C0000 ], Size: [0x0000A000 ]
        Module Name: [ C:\WINDOWS\system32\RASMONTR.DLL ],
               Base Address: [0x5DBA0000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\OneX.DLL ],
               Base Address: [0x5DCA0000 ], Size: [0x00028000 ]
        Module Name: [ C:\WINDOWS\system32\eappprxy.dll ],
               Base Address: [0x5DCD0000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\IPPROMON.DLL ],
               Base Address: [0x602B0000 ], Size: [0x00053000 ]
        Module Name: [ C:\WINDOWS\system32\IPXPROMN.DLL ],
               Base Address: [0x66170000 ], Size: [0x00014000 ]
        Module Name: [ C:\WINDOWS\system32\IPXMONTR.DLL ],
               Base Address: [0x66190000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\IPV6MON.DLL ],
               Base Address: [0x661B0000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\IPMONTR.DLL ],
               Base Address: [0x664E0000 ], Size: [0x0002A000 ]
        Module Name: [ C:\WINDOWS\system32\IFMON.DLL ],
               Base Address: [0x66DF0000 ], Size: [0x00024000 ]
        Module Name: [ C:\WINDOWS\System32\Wbem\framedyn.dll ],
               Base Address: [0x692C0000 ], Size: [0x00030000 ]
        Module Name: [ C:\WINDOWS\system32\DGNET.DLL ],
               Base Address: [0x6D240000 ], Size: [0x00025000 ]
        Module Name: [ C:\WINDOWS\system32\MSWSOCK.dll ],
               Base Address: [0x71A50000 ], Size: [0x0003F000 ]
        Module Name: [ C:\WINDOWS\system32\dot3dlg.dll ],
               Base Address: [0x736D0000 ], Size: [0x00006000 ]
        Module Name: [ C:\WINDOWS\system32\eappcfg.dll ],
               Base Address: [0x745B0000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\netcfgx.dll ],
               Base Address: [0x755F0000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
               Base Address: [0x76080000 ], Size: [0x00065000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\system32\netshell.dll ],
               Base Address: [0x76400000 ], Size: [0x001A5000 ]
        Module Name: [ C:\WINDOWS\system32\credui.dll ],
               Base Address: [0x76C00000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\CLUSAPI.dll ],
               Base Address: [0x76D10000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ],
               Base Address: [0x76F20000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
               Base Address: [0x76F50000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
               Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
        Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
               Base Address: [0x77050000 ], Size: [0x000C5000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
    7.a) netsh.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ Active ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ ControlFlags ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ], 
             Value Name: [ LogSessionName ], New Value: [ stdout ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier ], 
             Value Name: [ BitNames ], New Value: [  Error Unusual Info Debug ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier ], 
             Value Name: [ Guid ], New Value: [ 5f31090b-d990-4e91-b16d-46121d0255aa ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ Active ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ ControlFlags ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ], 
             Value Name: [ LogSessionName ], New Value: [ stdout ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier ], 
             Value Name: [ BitNames ], New Value: [  Error Unusual Info Debug ]
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier ], 
             Value Name: [ Guid ], New Value: [ 5f31090b-d990-4e91-b16d-46121d0255aa ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 1 ], Value: [ ipmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 2 ], Value: [ ifmon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 3 ], Value: [ ippromon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 4 ], Value: [ rasmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 5 ], Value: [ ipxmontr.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ 6 ], Value: [ ipxpromn.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ dgnet ], Value: [ dgnet.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\NetSh ], 
             Value Name: [ ipv6mon ], Value: [ ipv6mon.dll ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Log File Max Size ], Value: [ 65536 ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Logging ], Value: [ 1 ], 2 times
        Key: [ HKLM\SOFTWARE\Microsoft\WBEM\CIMOM ], 
             Value Name: [ Logging Directory ], Value: [ C:\WINDOWS\system32\WBEM\Logs\ ], 4 times
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], 
             Value Name: [ CurrentBuildNumber ], Value: [ 2600 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], 
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\COM3 ], 
             Value Name: [ Com+Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ midimapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.iac2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.imaadpcm ], Value: [ imaadp32.acm ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.l3acm ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msadpcm ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msaudio1 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msg711 ], Value: [ msg711.acm ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msg723 ], Value: [ msg723.acm ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.msgsm610 ], Value: [ msgsm32.acm ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.sl_anet ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ msacm.trspch ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.I420 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.M261 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.M263 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.cvid ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv31 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv32 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv41 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iv50 ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.iyuv ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.mrle ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.msvc ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.uyvy ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yuy2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yvu9 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ vidc.yvyu ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], 
             Value Name: [ wavemapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ LogLevel ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ PC ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], 
             Value Name: [ wheel ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], 
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], 
             Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ pc ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], 
             Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Enabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 
             Value Name: [ Version ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Value Name: [ Serial_Access_Num ], Value: [ 6 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 ], 
             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
        Key: [ HKLM\System\WPA\PnP ], 
             Value Name: [ seed ], Value: [ 1274198464 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], 
             Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 
             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time


[=============================================================================]
    7.b) netsh.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ Ip ]
        File Name: [ WMIDataDevice ]
        File Name: [ \Device\Ip ]
        File Name: [ \Device\Tcp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        File: [ \Device\Tcp ], Control Code: [ 0x00120003 ], 6 times
        File: [ WMIDataDevice ], Control Code: [ 0x0022414C ], 2 times
        File: [ WMIDataDevice ], Control Code: [ 0x00228144 ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
        File Name: [ C:\WINDOWS\System32\Wbem\framedyn.dll ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\ACTIVEDS.dll ]
        File Name: [ C:\WINDOWS\system32\ATL.DLL ]
        File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
        File Name: [ C:\WINDOWS\system32\CLUSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\COMRes.dll ]
        File Name: [ C:\WINDOWS\system32\DGNET.DLL ]
        File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]
        File Name: [ C:\WINDOWS\system32\IFMON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\IPPROMON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPV6MON.DLL ]
        File Name: [ C:\WINDOWS\system32\IPXMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\IPXPROMN.DLL ]
        File Name: [ C:\WINDOWS\system32\MPRAPI.dll ]
        File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\MSVCP60.dll ]
        File Name: [ C:\WINDOWS\system32\MSWSOCK.dll ]
        File Name: [ C:\WINDOWS\system32\OneX.DLL ]
        File Name: [ C:\WINDOWS\system32\RASAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\RASMONTR.DLL ]
        File Name: [ C:\WINDOWS\system32\SAMLIB.dll ]
        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
        File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
        File Name: [ C:\WINDOWS\system32\WINMM.dll ]
        File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
        File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
        File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
        File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\adsldpc.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\WINDOWS\system32\credui.dll ]
        File Name: [ C:\WINDOWS\system32\dot3api.dll ]
        File Name: [ C:\WINDOWS\system32\dot3dlg.dll ]
        File Name: [ C:\WINDOWS\system32\eappcfg.dll ]
        File Name: [ C:\WINDOWS\system32\eappprxy.dll ]
        File Name: [ C:\WINDOWS\system32\imm32.dll ]
        File Name: [ C:\WINDOWS\system32\iphlpapi.dll ]
        File Name: [ C:\WINDOWS\system32\netcfgx.dll ]
        File Name: [ C:\WINDOWS\system32\netshell.dll ]
        File Name: [ C:\WINDOWS\system32\rasman.dll ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\WINDOWS\system32\rtutils.dll ]
        File Name: [ C:\WINDOWS\system32\xpob2res.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]


[#############################################################################]
    8. cmd.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Flash-Play.exe
        Filename:        cmd.exe
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]

[=============================================================================]
    8.a) cmd.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time


[#############################################################################]
    9. svchost.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Flash-Play.exe
        Filename:        svchost.exe
        MD5:             14d6a017c333d7608224f1d1d515182f
        SHA-1:           164b1c9b76105ebb345e7b26472404b178a86fe1
        File Size:       1154048 Bytes
        Command Line:    "C:\WINDOWS\update.1\svchost.exe" 
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.DLL ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.DLL ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    SigBuster Output
[=============================================================================]
        UPX All_Versions SN:1634

[=============================================================================]
    9.a) svchost.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSAppCompat ], Value: [ 0 ], 3 times
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time



[#############################################################################]
    10. services.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: A service was started.
        Filename:        services.exe
        MD5:             0e776ed5f7cc9f94299e70461b7b8185
        SHA-1:           cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
        File Size:       108544 Bytes
        Command Line:    C:\WINDOWS\system32\services.exe
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ],
               Base Address: [0x5F770000 ], Size: [0x0000C000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
               Base Address: [0x76080000 ], Size: [0x00065000 ]
        Module Name: [ C:\WINDOWS\system32\SCESRV.dll ],
               Base Address: [0x7DBD0000 ], Size: [0x00051000 ]
        Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ],
               Base Address: [0x776C0000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ],
               Base Address: [0x7DBA0000 ], Size: [0x00021000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ],
               Base Address: [0x47260000 ], Size: [0x0000F000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\eventlog.dll ],
               Base Address: [0x77B70000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
               Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ],
               Base Address: [0x76F50000 ], Size: [0x00008000 ]

[=============================================================================]
    10.a) services.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CONTROLSET001\CONTROL\SERVICECURRENT ], 
             Value Name: [  ], New Value: [ 10 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\wxpdrivers\Enum ], 
             Value Name: [ 0 ], Value: [ Root\LEGACY_WXPDRIVERS\0000 ], 1 time
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\wxpdrivers\Enum ], 
             Value Name: [ Count ], Value: [ 1 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\wxpdrivers ], 
             Value Name: [ ImagePath ], Value: [ C:\WINDOWS\update.1\svchost.exe srv ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\wxpdrivers ], 
             Value Name: [ ObjectName ], Value: [ LocalSystem ], 2 times


[=============================================================================]
    10.b) services.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ pipe\net\NtControlPipe10 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ]
        File Name: [ C:\WINDOWS\Debug\UserMode\userenv.log ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ pipe\net\NtControlPipe10 ], Control Code: [ 0x00110008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\update.1\svchost.exe ]

[=============================================================================]
    10.c) services.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\WINDOWS\update.1\svchost.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ C:\WINDOWS\update.1\svchost.exe srv ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Killed:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\update.1\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\WINDOWS\update.1\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\update.1\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\update.1\svchost.exe ]



[#############################################################################]
    11. svchost.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by services.exe
        Filename:        svchost.exe
        Command Line:    C:\WINDOWS\update.1\svchost.exe srv
        Process-status
        at analysis end: dead
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.DLL ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.DLL ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    11.a) svchost.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSAppCompat ], Value: [ 0 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time



[#############################################################################]
    12. flash32.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by flash32.exe
        Filename:        flash32.exe
        Command Line:    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flash32.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ],
               Base Address: [0x76380000 ], Size: [0x00005000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    12.a) flash32.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time


[=============================================================================]
    12.b) flash32.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\system32\MSIMG32.dll ]

[=============================================================================]
    12.c) flash32.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x40bb64 ], 1 time
[#############################################################################]
                       International Secure Systems Lab                        
                            http://www.iseclab.org                             

Vienna University of Technology     Eurecom France            UC Santa Barbara
http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu

                          Contact: anubis@iseclab.org                 