Download Link: hxxp://209.9.170.171/MTgyOjUxMjo=/ucleaner_setup.exe
File Name: ucleaner_setup.exe
File size: 149800 bytes
MD5: 91bdad2dc989af3433f0b82f667c23f3
SHA1: 243c245b67e8303feea27fe49626fc7b296adeaf
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX

VirusTotal Result: 19/32 (59.38%)
AhnLab-V3: Win-AppCare/Ultimatedefender.149792
AntiVir: SPR/Dldr.UltimateFix.F
AVG: Potentially harmful program Downloader.KL
BitDefender: Adware.Udefender.T
CAT-QuickHeal: Downloader.UltimateFix.f (Not a Virus)
ClamAV: Adware.Downloader-48
eSafe: Downloader.MisleadAp
F-Prot: W32/Adware.ABMO
Ikarus: not-a-virus:.FraudTool.Win32.UltimateDefender.v
Kaspersky: not-a-virus:Downloader.Win32.UltimateFix.f
McAfee: potentially unwanted program Ultimate
NOD32v2: Win32/Adware.UltimateCleaner
Rising: Trojan.DL.Win32.UltimateFix.a
Sophos: Ultimate Cleaner
Sunbelt: Ultimate SecuritySuite (v)
Symantec: Downloader.MisleadApp
TheHacker: Aplicacion/UltimateFix.f
VBA32: Downloader.Win32.UltimateFix.f
Webwasher-Gateway: Riskware.Dldr.UltimateFix.F

Analysis Report: http://malwareinfo.freeforums.org/209-9-170-171-mtgyojuxmjo-ucleaner-setup-exe-t14.html

File Info:
PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 47301931
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 07
Linker version (minor): 0A
Size of code: 00024000
Size of initialized data: 00001000
Size of uninitialized data: 0000C000
Address of entry point: 00030410
Base of code: 0000D000
Base of data: 00031000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00032000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0400
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section | VirtSize | VirtAddr | PhysSize | PhysAddr | Flags
UPX0 | 0000C000 | 00001000 | 00000000 | 00000400 | E0000080
UPX1 | 00024000 | 0000D000 | 00023600 | 00000400 | E0000040
UPX2 | 00001000 | 00031000 | 00000200 | 00023A00 | C0000040

Import table (libraries: 1)
KERNEL32.DLL (imports: 4)
LoadLibraryA
GetProcAddress
VirtualProtect
ExitProcess

Unpacking with UPX:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    191784 <-    149800   78.11%    win32/pe     ucleaner_setup.exe
Unpacked 1 file.

File Info:
File Name: ucleaner_setup.exe
File size: 191784 bytes <-- After unpacking with UPX
MD5: 97829a763321e1f4ee7ea925c42063ac
SHA1: f684b53c33856f6a78e84057ede7ea56f549539e
PEiD: -

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 47301931
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 07
Linker version (minor): 0A
Size of code: 00001000
Size of initialized data: 0002C000
Size of uninitialized data: 00000000
Address of entry point: 0000162B
Base of code: 00001000
Base of data: 00002000
Image base: 00400000
Section alignment: 00001000
File alignment: 00001000
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0002E000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0400
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section | VirtSize | VirtAddr | PhysSize | PhysAddr | Flags
.text | 00000784 | 00001000 | 00001000 | 00001000 | 60000020
.rdata | 0000016A | 00002000 | 00001000 | 00002000 | 40000040
.data | 0002A450 | 00003000 | 0002B000 | 00003000 | C0000040

Import table (libraries: 1)
KERNEL32.DLL (imports: 12)
VirtualAlloc
VirtualProtect
VirtualFree
GetProcAddress
HeapFree
HeapSize
HeapAlloc
GetProcessHeap
LoadLibraryA
IsBadReadPtr
FreeLibrary
ExitProcess

Network Activity:
From SandBox:1037 to 69.5.91.144:80

Load Time DLL:
Module Name | Base Address | Size
C:\WINDOWS\system32\ntdll.dll | 0x7C900000 | 0x000B0000
C:\WINDOWS\system32\kernel32.dll | 0x7C800000 | 0x000F5000

Run Time DLL:
Module Name | Base Address | Size
C:\WINDOWS\system32\Normaliz.dll | 0x003F0000 | 0x00009000
C:\WINDOWS\system32\iertutil.dll | 0x42990000 | 0x00045000
C:\WINDOWS\system32\WinInet.dll | 0x42C10000 | 0x000CF000
C:\WINDOWS\system32\urlmon.dll | 0x42CF0000 | 0x00124000
C:\WINDOWS\system32\NETAPI32.dll | 0x5B860000 | 0x00054000
C:\WINDOWS\system32\comctl32.dll | 0x5D090000 | 0x0009A000
C:\WINDOWS\system32\WS2HELP.dll | 0x71AA0000 | 0x00008000
C:\WINDOWS\system32\WS2_32.dll | 0x71AB0000 | 0x00017000
C:\WINDOWS\system32\IMM32.DLL | 0x76390000 | 0x0001D000
C:\WINDOWS\system32\WINMM.dll | 0x76B40000 | 0x0002D000
C:\WINDOWS\system32\Iphlpapi.dll | 0x76D60000 | 0x00019000
C:\WINDOWS\system32\rtutils.dll | 0x76E80000 | 0x0000E000
C:\WINDOWS\system32\rasman.dll | 0x76E90000 | 0x00012000
C:\WINDOWS\system32\TAPI32.dll | 0x76EB0000 | 0x0002F000
C:\WINDOWS\system32\Rasapi32.dll | 0x76EE0000 | 0x0003C000
C:\WINDOWS\system32\OLEAUT32.dll | 0x77120000 | 0x0008B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll | 0x773D0000 | 0x00103000
C:\WINDOWS\system32\ole32.dll | 0x774E0000 | 0x0013D000
C:\WINDOWS\system32\msvcrt.dll | 0x77C10000 | 0x00058000
C:\WINDOWS\system32\msv1_0.dll | 0x77C70000 | 0x00023000
C:\WINDOWS\system32\ADVAPI32.dll | 0x77DD0000 | 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll | 0x77E70000 | 0x00092000
C:\WINDOWS\system32\GDI32.dll | 0x77F10000 | 0x00047000
C:\WINDOWS\system32\SHLWAPI.dll | 0x77F60000 | 0x00076000
C:\WINDOWS\system32\Secur32.dll | 0x77FE0000 | 0x00011000
C:\WINDOWS\system32\SHELL32.dll | 0x7C9C0000 | 0x00815000
C:\WINDOWS\system32\USER32.dll | 0x7E410000 | 0x00090000

Registry Activities:
Key | Name | Value | Times
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage | Bind | 0x5c004400650076006900630065005c007b00420032004200350031003000 | 2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874} | DhcpServer | 255.255.255.255 | 2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874} | EnableDHCP | 0 | 1
HKLM\Software\Microsoft\Rpc\SecurityService | 10 | secur32.dll | 1
HKLM\Software\Microsoft\Tracing | EnableConsoleTracing | 0 | 1
HKLM\Software\Microsoft\Tracing\RASAPI32 | ConsoleTracingMask | 4294901760 | 2
HKLM\Software\Microsoft\Tracing\RASAPI32 | EnableConsoleTracing | 0 | 2
HKLM\Software\Microsoft\Tracing\RASAPI32 | EnableFileTracing | 0 | 2
HKLM\Software\Microsoft\Tracing\RASAPI32 | FileDirectory | %windir%\tracing | 4
HKLM\Software\Microsoft\Tracing\RASAPI32 | FileTracingMask | 4294901760 | 2
HKLM\Software\Microsoft\Tracing\RASAPI32 | MaxFileSize | 1048576 | 2
HKLM\Software\Microsoft\Windows\CurrentVersion | ProgramFilesDir | C:\Program Files | 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | ComputerName | USER | 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll | Capabilities | 16464 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll | Comment | Digest SSPI Authentication Package | 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll | Name | Digest | 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll | RpcId | 65535 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll | TokenSize | 65535 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll | Type | 49 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll | Version | 1 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll | Capabilities | 55 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll | Comment | DPA Security Package | 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll | Name | DPA | 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll | RpcId | 17 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll | TokenSize | 768 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll | Type | 49 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll | Version | 1 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll | Capabilities | 55 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll | Comment | MSN Security Package | 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll | Name | MSN | 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll | RpcId | 18 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll | TokenSize | 768 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll | Type | 49 | 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll | Version | 1 | 1
HKLM\System\CurrentControlSet\Control\SecurityProviders | SecurityProviders | msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll | 2
HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles | GSSAPI | Kerberos | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters | WinSock_Registry_Version | 2.0 | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 | Num_Catalog_Entries | 3 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 | Serial_Access_Num | 4 | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | DisplayString | Tcpip | 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | Enabled | 1 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | LibraryPath | %SystemRoot%\System32\mswsock.dll | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | ProviderId | 0x409d05229e7ecf11ae5a00aa00a7112b | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | StoresServiceClassInfo | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | SupportedNameSpace | 12 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | Version | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | DisplayString | NTDS | 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | Enabled | 1 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | LibraryPath | %SystemRoot%\System32\winrnr.dll | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | ProviderId | 0xee37263b80e5cf11a55500c04fd8d4ac | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | StoresServiceClassInfo | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | SupportedNameSpace | 32 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | Version | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | DisplayString | Network Location Awareness (NLA) Namespace | 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | Enabled | 1 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | LibraryPath | %SystemRoot%\System32\mswsock.dll | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | ProviderId | 0x3a244266a83ba64abaa52e0bd71fdd83 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | StoresServiceClassInfo | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | SupportedNameSpace | 15 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | Version | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | Next_Catalog_Entry_ID | 1012 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | Num_Catalog_Entries | 11 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | Serial_Access_Num | 4 | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 | PackedCatalogItem | %SystemRoot%\system32\rsvpsp.d | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 | PackedCatalogItem | %SystemRoot%\system32\rsvpsp.d | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1

Monitored Registry Keys:
Key Name | Watch subtree | Notify Filter | Count
HKLM\Software\Microsoft\Tracing\RASAPI32 | 0 | Attributes Change,Value Change,Security Descriptor Change | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 | 0 | Key Change | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | 0 | Key Change | 1

Files Read:
C:\ucleaner_setup.exe
PIPE\ROUTER

Files Modified:
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create/Open File: \Device\NetBT_Tcpip_{B3FF1D8B-F0BC-4E34-899F-222974ED04EB} (OPEN_ALWAYS)

Folder Created: C:\Program Files\Ultimate Cleaner

File System Communication:
File | Control Code | Times
PIPE\ROUTER | 0x0011C017 | 11

Device Control Communication:
File | Control Code | Times
WMIDataDevice | 0x00228144 | 2
\Device\Tcp | 0x00120003 | 13
\Device\Ip | 0x00120040 | 2
\Device\Ip | 0x00120090 | 1
\Device\NetBT_Tcpip_{B2B51064-BBF5-4528-B62B-E6D62A782874} | 0x0021009A | 1

Creates Mutex: UCInstall_Mutex
Creates Mutex: RasPbFile
Service Started: RASMAN

Process Started:
Reason: NtConnectPort(\RPC Control\ntsvcs) was called.
Filename: services.exe
MD5: c6ce6eec82f187615d1002bb3bb50ed4
SHA-1: b958912d139cb8dbfeeacdd38ba048c4f452174e
File Size: 108032 Bytes
Command Line: C:\WINDOWS\system32\services.exe

Load Time DLL:
Module Name | Base Address | Size
C:\WINDOWS\system32\ntdll.dll | 0x7C900000 | 0x000B0000
C:\WINDOWS\system32\kernel32.dll | 0x7C800000 | 0x000F5000
C:\WINDOWS\system32\msvcrt.dll | 0x77C10000 | 0x00058000
C:\WINDOWS\system32\ADVAPI32.dll | 0x77DD0000 | 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll | 0x77E70000 | 0x00092000
C:\WINDOWS\system32\Secur32.dll | 0x77FE0000 | 0x00011000
C:\WINDOWS\system32\USER32.dll | 0x7E410000 | 0x00090000
C:\WINDOWS\system32\GDI32.dll | 0x77F10000 | 0x00047000
C:\WINDOWS\system32\USERENV.dll | 0x769C0000 | 0x000B3000
C:\WINDOWS\system32\SCESRV.dll | 0x758E0000 | 0x00050000
C:\WINDOWS\system32\AUTHZ.dll | 0x776C0000 | 0x00011000
C:\WINDOWS\system32\umpnpmgr.dll | 0x7DBA0000 | 0x00021000
C:\WINDOWS\system32\WINSTA.dll | 0x76360000 | 0x00010000
C:\WINDOWS\system32\NETAPI32.dll | 0x5B860000 | 0x00054000
C:\WINDOWS\system32\NCObjAPI.DLL | 0x5F770000 | 0x0000C000
C:\WINDOWS\system32\MSVCP60.dll | 0x76080000 | 0x00065000
C:\WINDOWS\system32\ShimEng.dll | 0x5CB70000 | 0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL | 0x6F880000 | 0x001CA000
C:\WINDOWS\system32\WINMM.dll | 0x76B40000 | 0x0002D000
C:\WINDOWS\system32\ole32.dll | 0x774E0000 | 0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll | 0x77120000 | 0x0008B000
C:\WINDOWS\system32\MSACM32.dll | 0x77BE0000 | 0x00015000
C:\WINDOWS\system32\VERSION.dll | 0x77C00000 | 0x00008000
C:\WINDOWS\system32\SHELL32.dll | 0x7C9C0000 | 0x00815000
C:\WINDOWS\system32\SHLWAPI.dll | 0x77F60000 | 0x00076000
C:\WINDOWS\system32\UxTheme.dll | 0x5AD70000 | 0x00038000
C:\WINDOWS\system32\IMM32.DLL | 0x76390000 | 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll | 0x773D0000 | 0x00103000
C:\WINDOWS\system32\comctl32.dll | 0x5D090000 | 0x0009A000
C:\WINDOWS\system32\Apphelp.dll | 0x77B40000 | 0x00022000
C:\WINDOWS\system32\eventlog.dll | 0x77B70000 | 0x00011000
C:\WINDOWS\system32\WS2_32.dll | 0x71AB0000 | 0x00017000
C:\WINDOWS\system32\WS2HELP.dll | 0x71AA0000 | 0x00008000
C:\WINDOWS\system32\PSAPI.DLL | 0x76BF0000 | 0x0000B000
C:\WINDOWS\system32\wtsapi32.dll | 0x76F50000 | 0x00008000

Registry Created:
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control

Registry Values Changed:
Key | Name | New Value
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control | ActiveService | RasMan
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control | ActiveService | TapiSrv

Registry Read:
Key | Name | Value | Times
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0 | ClassGUID | {4D36E96B-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0 | ClassGUID | {4D36E978-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1 | ClassGUID | {4D36E978-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0 | ClassGUID | {4D36E969-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0 | ClassGUID | {4D36E96F-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02 | ClassGUID | {4D36E96E-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020 | ClassGUID | {4D36E965-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.0___\4D51303030302031202020202020202020202020 | ClassGUID | {4D36E967-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0 | ClassGUID | {4D36E96A-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1 | ClassGUID | {4D36E96A-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10 | ClassGUID | {4D36E968-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 | DeviceDesc | Realtek RTL8029(AS)-based Ethernet Adapter (Generic) | 2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 | Driver | {4D36E972-E325-11CE-BFC1-08002BE10318}\0001 | 2
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09 | ClassGUID | {4D36E96A-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000 | ClassGUID | {4D36E966-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VGASAVE\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000 | ClassGUID | {8ECC055D-047F-11D1-A537-0000F8753ED1} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM | ClassGUID | {4D36E96C-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV | ClassGUID | {4D36E96C-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI | ClassGUID | {4D36E96C-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD | ClassGUID | {4D36E96C-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID | ClassGUID | {4D36E96C-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 | Capabilities | 0 | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 | ClassGUID | {4D36E96D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 | ConfigFlags | 0 | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MODEM\0000 | Driver | {4D36E96D-E325-11CE-BFC1-08002BE10318}\0000 | 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 | DeviceDesc | WAN Miniport (IP) | 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 | Driver | {4D36E972-E325-11CE-BFC1-08002BE10318}\0008 | 2
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0000 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PSCHEDMP\0001 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000 | ClassGUID | {4D36E972-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0003 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0004 | ClassGUID | {4D36E97D-E325-11CE-BFC1-08002BE10318} | 1
HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800 | ClassGUID | {71A27CDD-812A-11D0-BEC7-08002BE2092F} | 1
HKLM\SYSTEM\CONTROLSET001\SERVICES\PlugPlay | PlugPlayServiceType | 3 | 1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum | 0 | Root\LEGACY_RASMAN\0000 | 3
HKLM\SYSTEM\CONTROLSET001\SERVICES\RasMan\Enum | Count | 1 | 6
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum | 0 | Root\LEGACY_RPCSS\0000 | 1
HKLM\SYSTEM\CONTROLSET001\SERVICES\RpcSs\Enum | Count | 1 | 2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum | 0 | Root\LEGACY_TAPISRV\0000 | 2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TapiSrv\Enum | Count | 1 | 4
HKLM\System\CurrentControlSet\Services\PlugPlay | ObjectName | LocalSystem | 1
HKLM\System\CurrentControlSet\Services\RasMan | ImagePath | %SystemRoot%\system32\svchost.exe -k netsvcs | 1
HKLM\System\CurrentControlSet\Services\RasMan | ObjectName | LocalSystem | 2
HKLM\System\CurrentControlSet\Services\RpcSs | ObjectName | NT AUTHORITY\NetworkService | 1
HKLM\System\CurrentControlSet\Services\TapiSrv | ImagePath | %SystemRoot%\System32\svchost.exe -k netsvcs | 1
HKLM\System\CurrentControlSet\Services\TapiSrv | ObjectName | LocalSystem |

Files Read:
C:\ntsvcs, Flags: Named pipe

Files Changed:
C:\WINDOWS\system32\config\SysEvent.Evt
C:\ntsvcs, Flags: Named pipe

File System Communication:
File | Control Code | Times
C:\net\NtControlPipe4, Flags: Named pipe | 0x0011C017 | 2
C:\ntsvcs, Flags: Named pipe | 0x0011001C | 4