Client-server
#1
Basically, the subject. I need a small compatibility test drive on different machines. If anyone feels like it, here is the link on dump: http://dump.ru/file/5654923

By default it is configured for localhost, but it can work with any reachable address.

Oh, almost forgot: the server starts "silently", so kill it from Task Manager. Or with Russinovich's trusty Explorer. In theory it should not care about any UACs and the like. In effect, it is a backdoor.
#2
Size: 28 KB :eek:
What server? What test? I would like more specifics..
#3
A remote console access server. You run it on one computer.
In the client's Settings.ini you write the address of the computer where the server is running. You run the client.
Everything we type in there will be executed on the server side.

The test: well, suppose right now I only have a laptop with Windows 7 at hand, and I want to find out whether everything will be fine on XP or whether there are problems. For example. You can even test it on Linux under Wine.
#4
Do you think anyone in their right mind is going to test this without the source code? :)
//If you are interested in this topic, there is a dedicated forum for you with a pile of sources, examples and like-minded people :)
https://www.opensc.ws/forum.php
#5
ReaM, hm, monsieur. I understand this looks like a scam, yes... The small size of the subject makes itself felt :D But try compiling something bigger with C++ Builder 6. I guarantee it contains nothing malicious.

Added 1 minute later
Well, you can run it in a virtual machine, after all.
#6
I never thought the Lineage folks hang out on OpenSC. ReaM, can you send your contacts or your nickname on the OSC forum?


To the thread author: your client/server do not work on Windows XP.
#7
Stanislav, do the commands not execute, does the connection not get established, or is it something else?
#8
Both processes crashed with an error on the virtual machine.
[CODE]
[Anubis ASCII-art banner: Analysis Report]


[#############################################################################]
Analysis Report for RConsole.exe
MD5: f1592fce77eefcf2e8a1270e17a1df42
[#############################################################################]

Summary:
- Write to foreign memory areas:
This executable tampers with the execution of another process.

- Execution did not terminate correctly:
The executable crashed.

- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.

- Spawns Processes:
The executable produces processes during the execution.

- Performs Registry Activities:
The executable creates and/or modifies registry entries.

[=============================================================================]
Table of Contents
[=============================================================================]

- General information
- RConsole.e.exe
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities
- dwwin.exe
a) Registry Activities
b) File Activities
c) Process Activities
- drwtsn32.exe
a) Registry Activities
b) File Activities


[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 251 s
Report created: 03/17/12, 20:56:14 UTC
Termination reason: Timeout
Program version: 1.75.3394


[#############################################################################]
2. RConsole.e.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: RConsole.e.exe
MD5: f1592fce77eefcf2e8a1270e17a1df42
SHA-1: 6a5270b3cb8a1b1988edf17dd2ed3eeb3477d48d
File Size: 19600 Bytes
Command Line: "C:\RConsole.e.exe"
Process-status
at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ],
Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\apphelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\shell32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\USER32.DLL ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]

[=============================================================================]
2.a) RConsole.e.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\System\WPA\PnP ],
Value Name: [ seed ], Value: [ 1274198464 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time


[=============================================================================]
2.b) RConsole.e.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\860c_appcompat.txt ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\860c_appcompat.txt ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\advapi32.dll ]
File Name: [ C:\WINDOWS\system32\apphelp.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\drwtsn32.exe ]
File Name: [ C:\WINDOWS\system32\dwwin.exe ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\gdi32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\user32.dll ]
File Name: [ C:\WINDOWS\system32\wininet.dll ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
2.c) RConsole.e.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 156 ]
Executable: [ C:\WINDOWS\system32\drwtsn32.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\drwtsn32 -p 1196 -e 120 -g ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]
Affected Process: [ C:\WINDOWS\system32\drwtsn32.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]


[=============================================================================]
2.d) RConsole.e.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x403406 ], 1 time




[#############################################################################]
3. dwwin.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by RConsole.e.exe
Filename: dwwin.exe
MD5: 86042f6f6a5287eaf9379c91d0bf72b6
SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 156
Process-status
at analysis end: dead
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\URLMON.DLL ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.DLL ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\1033\dwintl.dll ],
Base Address: [0x314C0000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\sensapi.dll ],
Base Address: [0x722B0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\riched20.dll ],
Base Address: [0x74E30000 ], Size: [0x0006D000 ]
Module Name: [ C:\WINDOWS\system32\imm32.dll ],
Base Address: [0x76390000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\shfolder.dll ],
Base Address: [0x76780000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\rasman.dll ],
Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ],
Base Address: [0x76EE0000 ], Size: [0x0003C000 ]

[=============================================================================]
Popups
[=============================================================================]
Window Name: RConsole.e.exe
Displayed Times: 1
Window Text:
&Don't Send
RConsole.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
RConsole.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous.
To see what data this error report contains,
Details
&Send Error Report



[=============================================================================]
3.a) dwwin.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Paths ], New Value: [ 4 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ MigrateProxy ], New Value: [ 1 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000001600000001000000000000000000000000000000040000000000 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times


[=============================================================================]
3.b) dwwin.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6C3B0.dmp ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\860c_appcompat....
#9
Zeratyl wrote: Stanislav, are the commands not executing, is the connection not being established, or is it something else entirely?

It doesn't launch in the sandbox at all Big Grin
#10
Second process:
Code:
[Anubis ASCII-art banner: Analysis Report]


[#############################################################################]
    Analysis Report for StartRCS.exe
                   MD5: 16913127ceb1178fb477b30e83de23fc
[#############################################################################]

Summary:
    - Write to foreign memory areas:
        This executable tampers with the execution of another process.

    - Execution did not terminate correctly:
        The executable crashed.

    - Changes security settings of Internet Explorer:
        This system alteration could seriously affect safety surfing the World
        Wide Web.

    - Spawns Processes:
        The executable produces processes during the execution.

    - Performs Registry Activities:
        The executable creates and/or modifies registry entries.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- StartRCS.e.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
    - dwwin.exe
      a) Registry Activities
      b) File Activities
      c) Process Activities
    - drwtsn32.exe
      a) Registry Activities
      b) File Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        250 s
        Report created:     03/17/12, 21:03:46 UTC
        Termination reason: Timeout
        Program version:    1.75.3394


[#############################################################################]
    2. StartRCS.e.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        StartRCS.e.exe
        MD5:             16913127ceb1178fb477b30e83de23fc
        SHA-1:           b757e071e5160c1b7e5708fcc19a61d8cda24fa9
        File Size:       10724 Bytes
        Command Line:    "C:\StartRCS.e.exe"
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\faultrep.dll ],
               Base Address: [0x69450000 ], Size: [0x00016000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
               Base Address: [0x76F50000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
               Base Address: [0x77920000 ], Size: [0x000F3000 ]
        Module Name: [ C:\WINDOWS\system32\apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\shell32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]

[=============================================================================]
    2.a) StartRCS.e.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
             Value Name: [ ComputerName ], Value: [ PC ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
             Value Name: [ Domain ], Value: [  ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
             Value Name: [ Hostname ], Value: [ pc ], 1 time
        Key: [ HKLM\System\Setup ],
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
        Key: [ HKLM\System\WPA\PnP ],
             Value Name: [ seed ], Value: [ 1274198464 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time


[=============================================================================]
    2.b) StartRCS.e.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7b0a_appcompat.txt ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\system32\winsock.dll ]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7b0a_appcompat.txt ]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
        File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
        File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
        File Name: [ C:\WINDOWS\system32\advapi32.dll ]
        File Name: [ C:\WINDOWS\system32\apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\WINDOWS\system32\drwtsn32.exe ]
        File Name: [ C:\WINDOWS\system32\dwwin.exe ]
        File Name: [ C:\WINDOWS\system32\faultrep.dll ]
        File Name: [ C:\WINDOWS\system32\gdi32.dll ]
        File Name: [ C:\WINDOWS\system32\kernel32.dll ]
        File Name: [ C:\WINDOWS\system32\ntdll.dll ]
        File Name: [ C:\WINDOWS\system32\ole32.dll ]
        File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
        File Name: [ C:\WINDOWS\system32\shell32.dll ]
        File Name: [ C:\WINDOWS\system32\user32.dll ]
        File Name: [ C:\WINDOWS\system32\wininet.dll ]
        File Name: [ C:\WINDOWS\system32\winsock.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) StartRCS.e.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 160 ]
        Executable: [ C:\WINDOWS\system32\drwtsn32.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ C:\WINDOWS\system32\drwtsn32 -p 1192 -e 124 -g ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]
        Affected Process: [ C:\WINDOWS\system32\drwtsn32.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
        Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
        Process: [ C:\WINDOWS\system32\dwwin.exe ]


[=============================================================================]
    2.d) StartRCS.e.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4013a2 ], 1 time




[#############################################################################]
    3. dwwin.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by StartRCS.e.exe
        Filename:        dwwin.exe
        MD5:             86042f6f6a5287eaf9379c91d0bf72b6
        SHA-1:           532bf74e6aead7438aa7264d01759a065410ee68
        File Size:       180224 Bytes
        Command Line:    C:\WINDOWS\system32\dwwin.exe -x -s 160
        Process-status
        at analysis end: dead
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\URLMON.DLL ],
               Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\WININET.DLL ],
               Base Address: [0x771B0000 ], Size: [0x000AA000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
               Base Address: [0x6F880000 ], Size: [0x001CA000 ]
        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
               Base Address: [0x76B40000 ], Size: [0x0002D000 ]
        Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
               Base Address: [0x77BE0000 ], Size: [0x00015000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\1033\dwintl.dll ],
               Base Address: [0x314C0000 ], Size: [0x0000C000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\sensapi.dll ],
               Base Address: [0x722B0000 ], Size: [0x00005000 ]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\riched20.dll ],
               Base Address: [0x74E30000 ], Size: [0x0006D000 ]
        Module Name: [ C:\WINDOWS\system32\imm32.dll ],
               Base Address: [0x76390000 ], Size: [0x0001D000 ]
        Module Name: [ C:\WINDOWS\system32\shfolder.dll ],
               Base Address: [0x76780000 ], Size: [0x00009000 ]
        Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
               Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
        Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
               Base Address: [0x76E80000 ], Size: [0x0000E000 ]
        Module Name: [ C:\WINDOWS\system32\rasman.dll ],
               Base Address: [0x76E90000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
               Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
        Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ],
               Base Address: [0x76EE0000 ], Size: [0x0003C000 ]

[=============================================================================]
    Popups
[=============================================================================]
        Window Name:     StartRCS.e.exe
        Displayed Times: 1
        Window Text:    
&Don't Send
StartRCS.e.exe has encountered a problem and needs to close.  We are sorry for the inconvenience.
StartRCS.e.exe has encountered a problem and needs to close.  We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us.  We will treat this report as confidential and anonymous.
To see what data this error report contains,
Details
&Send Error Report

            

[=============================================================================]
    3.a) dwwin.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
             Value Name: [ ProxyEnable ], New Value: [ 0 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
             Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
             Value Name: [ Paths ], New Value: [ 4 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
             Value Name: [ CacheLimit ], New Value: [ 40852 ]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
             Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
             Value Name: [ MigrateProxy ], New Value: [ 1 ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
             Value Name: [ ProxyEnable ], New Value: [ 0 ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
             Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000001600000001000000000000000000000000000000040000000000 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
             Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ],
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
[Image: 03.18.12_01:24:38_5458d0d4.png]
Reply