the authors were able to classify different variations of worms.
The evaluation of TQAna showed that the created log files provide detailed insight into what goes on in a Windows operating system.
When the analysis found that tainted data was about to be sent to the network, the emulator was stopped and the state of the virtual system was inspected.
While the first two examples are crafted to present certain aspects of the system, the third example is a self-written sample BHO that performs malicious actions.
ion cannon
Other hives are created and managed during runtime of the system and only exist in memory.
are the entities in a Windows NT operating system that the scheduler deals with when deciding what to execute next on the CPU.
At its core, Qemu is a full-featured machine emulator supporting a variety of host and target system combinations.
There are two possibilities to perform this check.
This thread is run as long as the system has no threads to execute, and one part of its responsibility is to switch the CPU into a low-power state as long as this situation persists.
ion source that is configured to be started automatically upon Windows startup
As stated at the beginning of this section, a COM interface is basically a specific memory structure containing an array of function pointers.
In the previous paragraph we saw that the operating system manages all relevant information about currently used objects for every process via the Object Table entry of the corresponding EPROCESS structure.
gerridae lists the system services we monitor, along with a short description of their purpose.