|
|
|
|||||||
Курилка / Yak floor
Описание темы:  Удаленный доступ к консоли
|
 |
| Опции темы |
17.03.2012, 23:54
|
#1 |
|
Клиент-сервер
Последний раз редактировалось Zeratyl; 18.03.2012 в 19:12. |
    
|
|
|
18.03.2012, 00:00
|
#2 |
|
Регистрация: 15.03.2012
Возраст: 35
Сообщений: 61
Отблагодарили 4 раз(а)
Рейтинг мнений:
|
Re: Клиент-сервер
Размер: 28 Кб
 Что за сервер? Что за тест? Хочется больше конкретики.. |
|
|
|
|
18.03.2012, 00:05
|
#3 |
|
|
Re: Клиент-сервер
Последний раз редактировалось Zeratyl; 18.03.2012 в 01:13. |
|
|
|
|
18.03.2012, 00:11
|
#4 |
|
Эксперт
Регистрация: 02.10.2009
Возраст: 34
Сообщений: 1,831
Отблагодарили 1 раз(а)
Рейтинг мнений:
|
Re: Клиент-сервер
Вы думаете кто-то в здравом уме будет это тестить без исходников?
 //Если интересуетесь этой тематикой, то для вас специальный форум есть с кучей сорцов, примеров и единомышленников https://www.opensc.ws/forum.php |
|
|
|
|
18.03.2012, 00:14
|
#5 |
|
|
Re: Клиент-сервер
ReaM, гм, месье. Я понимаю, что это похоже на развод, да... Маленький размер сабжа дает о себе знать
 Но вы попробуете скомпилить что-нибудь большего размера из под C++ Builder 6. Я гарантирую, что ничего вредоносного не содержится.Добавлено через 1 минуту Ну, можете запустить в виртуалке, в конце концов. Последний раз редактировалось Zeratyl; 18.03.2012 в 00:16. Причина: Добавлено сообщение |
|
|
|
|
18.03.2012, 00:19
|
#6 |
|
Регистрация: 18.03.2012
Возраст: 32
Сообщений: 49
Отблагодарили 3 раз(а)
Рейтинг мнений:
|
Re: Клиент-сервер
|
|
|
|
|
18.03.2012, 00:22
|
#7 |
|
|
Re: Клиент-сервер
|
|
|
|
|
18.03.2012, 00:22
|
#8 |
|
Эксперт
Регистрация: 02.10.2009
Возраст: 34
Сообщений: 1,831
Отблагодарили 1 раз(а)
Рейтинг мнений:
|
Re: Клиент-сервер
Оба процесса крэшнулись с ошибкой на виртуалке.
Код:
___ __ _
+ /- / | ____ __ __/ /_ (_)____ -\ +
/s h- / /| | / __ \/ / / / __ \/ / ___/ -h s\
oh-:d/ / ___ |/ / / / /_/ / /_/ / (__ ) /d:-ho
shh+hy- /_/ |_/_/ /_/\__,_/_.___/_/____/ -yh+hhs
-:+hhdhyys/- -\syyhdhh+:-
-//////dhhhhhddhhyss- Analysis Report -ssyhhddhhhhhd\\\\\\-
/++/////oydddddhhyys/ ooooooooooooooooooooo \syyhhdddddyo\\\\\++\
-+++///////odh/- -+hdo\\\\\\\+++-
+++++++++//yy+/: :\+yy\\+++++++++
/+soss+sys//yyo/os++o+: :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy: :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/ \yyyyyy+\o\so+osyyyyyyo+
[#############################################################################]
Analysis Report for RConsole.exe
MD5: f1592fce77eefcf2e8a1270e17a1df42
[#############################################################################]
Summary:
- Write to foreign memory areas:
This executable tampers with the execution of another process.
- Execution did not terminate correctly:
The executable crashed.
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.
- Spawns Processes:
The executable produces processes during the execution.
- Performs Registry Activities:
The executable creates and/or modifies registry entries.
[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- RConsole.e.exe
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities
- dwwin.exe
a) Registry Activities
b) File Activities
c) Process Activities
- drwtsn32.exe
a) Registry Activities
b) File Activities
[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 251 s
Report created: 03/17/12, 20:56:14 UTC
Termination reason: Timeout
Program version: 1.75.3394
[#############################################################################]
2. RConsole.e.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: RConsole.e.exe
MD5: f1592fce77eefcf2e8a1270e17a1df42
SHA-1: 6a5270b3cb8a1b1988edf17dd2ed3eeb3477d48d
File Size: 19600 Bytes
Command Line: "C:\RConsole.e.exe"
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ],
Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\apphelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\shell32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\USER32.DLL ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
[=============================================================================]
2.a) RConsole.e.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\System\WPA\PnP ],
Value Name: [ seed ], Value: [ 1274198464 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
[=============================================================================]
2.b) RConsole.e.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\860c_appcompat.txt ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\860c_appcompat.txt ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\advapi32.dll ]
File Name: [ C:\WINDOWS\system32\apphelp.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\drwtsn32.exe ]
File Name: [ C:\WINDOWS\system32\dwwin.exe ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\gdi32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\user32.dll ]
File Name: [ C:\WINDOWS\system32\wininet.dll ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
2.c) RConsole.e.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 156 ]
Executable: [ C:\WINDOWS\system32\drwtsn32.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\drwtsn32 -p 1196 -e 120 -g ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]
Affected Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]
[=============================================================================]
2.d) RConsole.e.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x403406 ], 1 time
[#############################################################################]
3. dwwin.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by RConsole.e.exe
Filename: dwwin.exe
MD5: 86042f6f6a5287eaf9379c91d0bf72b6
SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 156
Process-status
at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\URLMON.DLL ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.DLL ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\1033\dwintl.dll ],
Base Address: [0x314C0000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\sensapi.dll ],
Base Address: [0x722B0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\riched20.dll ],
Base Address: [0x74E30000 ], Size: [0x0006D000 ]
Module Name: [ C:\WINDOWS\system32\imm32.dll ],
Base Address: [0x76390000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\shfolder.dll ],
Base Address: [0x76780000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\rasman.dll ],
Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ],
Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
[=============================================================================]
Popups
[=============================================================================]
Window Name: RConsole.e.exe
Displayed Times: 1
Window Text:
&Don't Send
RConsole.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
RConsole.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous.
To see what data this error report contains,
Details
&Send Error Report
[=============================================================================]
3.a) dwwin.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Paths ], New Value: [ 4 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ MigrateProxy ], New Value: [ 1 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000001600000001000000000000000000000000000000040000000000 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ],
Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ],
Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Tracing ],
Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ MaxFileSize ], Value: [ 1048576 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion ],
Value Name: [ DigitalProductId ], Value: [ 0xa40000000300000037363438372d3634302d313435373233362d32333833 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 4 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ midimapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.iac2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.imaadpcm ], Value: [ imaadp32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.l3acm ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msadpcm ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msaudio1 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg711 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg723 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msgsm610 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.sl_anet ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.trspch ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.I420 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M261 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M263 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.cvid ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv31 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv32 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv41 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv50 ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iyuv ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.mrle ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.msvc ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.uyvy ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yuy2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvu9 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvyu ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ wavemapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ],
Value Name: [ AllUsersProfile ], Value: [ All Users ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ],
Value Name: [ DefaultUserProfile ], Value: [ Default User ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ],
Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 4 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ],
Value Name: [ ProfileImagePath ], Value: [ %SystemDrive%\Documents and Settings\Administrator ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 3 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 3 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 5 times
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ OS ], Value: [ Windows_NT ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PATHEXT ], Value: [ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ windir ], Value: [ %SystemRoot% ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ],
Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ],
Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings ],
Value Name: [ Anchor Color ], Value: [ 0,0,255 ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ],
Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ],
Value Name: [ ParseAutoexec ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ],
Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ],
Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ],
Value Name: [ CachePrefix ], Value: [ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ],
Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ],
Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ],
Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CachePrefix ], Value: [ :2011021720110218: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CachePrefix ], Value: [ :2011021820110219: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ],
Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ],
Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ MigrateProxy ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ DefaultConnectionSettings ], Value: [ 0x3c0000000300000001000000000000000000000000000000040000000000 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ SavedLegacySettings ], Value: [ 0x3c0000001500000001000000000000000000000000000000040000000000 ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ APPDATA ], Value: [ C:\Documents and Settings\Administrator\Application Data ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ CLIENTNAME ], Value: [ Console ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ HOMEDRIVE ], Value: [ C: ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ HOMEPATH ], Value: [ \Documents and Settings\Administrator ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ HOMESHARE ], Value: [ ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ LOGONSERVER ], Value: [ \\PC ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ SESSIONNAME ], Value: [ Console ], 4 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times
[=============================================================================]
3.b) dwwin.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6C3B0.dmp ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\860c_appcompat.txt ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6C3B0.dmp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RConsole.e.exe ]
File Name: [ C:\WINDOWS\win.ini ]
File Name: [ PIPE\lsarpc ]
File Name: [ c:\autoexec.bat ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6C3B0.dmp ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\WINDOWS\system32 ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 16 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6C3B0.dmp ]
File Name: [ C:\RConsole.e.exe ]
File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\1033\dwintl.dll ]
File Name: [ C:\WINDOWS\system32\ADVAPI32.dll ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\COMCTL32.DLL ]
File Name: [ C:\WINDOWS\system32\GDI32.dll ]
File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\NETAPI32.dll ]
File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]
File Name: [ C:\WINDOWS\system32\RASAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\RPCRT4.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.DLL ]
File Name: [ C:\WINDOWS\system32\SHLWAPI.dll ]
File Name: [ C:\WINDOWS\system32\Secur32.dll ]
File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
File Name: [ C:\WINDOWS\system32\URLMON.DLL ]
File Name: [ C:\WINDOWS\system32\USER32.DLL ]
File Name: [ C:\WINDOWS\system32\USERENV.dll ]
File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
File Name: [ C:\WINDOWS\system32\VERSION.dll ]
File Name: [ C:\WINDOWS\system32\WININET.DLL ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\msvcrt.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\rasman.dll ]
File Name: [ C:\WINDOWS\system32\riched20.dll ]
File Name: [ C:\WINDOWS\system32\rtutils.dll ]
File Name: [ C:\WINDOWS\system32\sensapi.dll ]
File Name: [ C:\WINDOWS\system32\shfolder.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
3.c) dwwin.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\RConsole.e.exe ]
[#############################################################################]
4. drwtsn32.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by RConsole.e.exe
Filename: drwtsn32.exe
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\dbgeng.dll ],
Base Address: [0x6D590000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\DBGHELP.dll ],
Base Address: [0x59A60000 ], Size: [0x000A1000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
[=============================================================================]
4.a) drwtsn32.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ midimapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.iac2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.imaadpcm ], Value: [ imaadp32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.l3acm ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msadpcm ], Value: [ msadp32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msaudio1 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg711 ], Value: [ msg711.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg723 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msgsm610 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.sl_anet ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.trspch ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.I420 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M261 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M263 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.cvid ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv31 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv32 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv41 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv50 ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iyuv ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.mrle ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.msvc ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.uyvy ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yuy2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvu9 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvyu ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ wavemapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ],
Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
[=============================================================================]
4.b) drwtsn32.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
File Name: [ C:\WINDOWS\system32\DBGHELP.dll ]
File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\dbgeng.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[#############################################################################]
International Secure Systems Lab
http://www.iseclab.org
Vienna University of Technology Eurecom France UC Santa Barbara
http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu
Contact: anubis@iseclab.org
Код:
___ __ _
+ /- / | ____ __ __/ /_ (_)____ -\ +
/s h- / /| | / __ \/ / / / __ \/ / ___/ -h s\
oh-:d/ / ___ |/ / / / /_/ / /_/ / (__ ) /d:-ho
shh+hy- /_/ |_/_/ /_/\__,_/_.___/_/____/ -yh+hhs
-:+hhdhyys/- -\syyhdhh+:-
-//////dhhhhhddhhyss- Analysis Report -ssyhhddhhhhhd\\\\\\-
/++/////oydddddhhyys/ ooooooooooooooooooooo \syyhhdddddyo\\\\\++\
-+++///////odh/- -+hdo\\\\\\\+++-
+++++++++//yy+/: :\+yy\\+++++++++
/+soss+sys//yyo/os++o+: :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy: :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/ \yyyyyy+\o\so+osyyyyyyo+
[#############################################################################]
Analysis Report for StartRCS.exe
MD5: 16913127ceb1178fb477b30e83de23fc
[#############################################################################]
Summary:
- Write to foreign memory areas:
This executable tampers with the execution of another process.
- Execution did not terminate correctly:
The executable crashed.
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.
- Spawns Processes:
The executable produces processes during the execution.
- Performs Registry Activities:
The executable creates and/or modifies registry entries.
[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- StartRCS.e.exe
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities
- dwwin.exe
a) Registry Activities
b) File Activities
c) Process Activities
- drwtsn32.exe
a) Registry Activities
b) File Activities
[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 250 s
Report created: 03/17/12, 21:03:46 UTC
Termination reason: Timeout
Program version: 1.75.3394
[#############################################################################]
2. StartRCS.e.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: StartRCS.e.exe
MD5: 16913127ceb1178fb477b30e83de23fc
SHA-1: b757e071e5160c1b7e5708fcc19a61d8cda24fa9
File Size: 10724 Bytes
Command Line: "C:\StartRCS.e.exe"
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ],
Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\apphelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\shell32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
[=============================================================================]
2.a) StartRCS.e.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\System\WPA\PnP ],
Value Name: [ seed ], Value: [ 1274198464 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
[=============================================================================]
2.b) StartRCS.e.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7b0a_appcompat.txt ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7b0a_appcompat.txt ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\advapi32.dll ]
File Name: [ C:\WINDOWS\system32\apphelp.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\drwtsn32.exe ]
File Name: [ C:\WINDOWS\system32\dwwin.exe ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\gdi32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\user32.dll ]
File Name: [ C:\WINDOWS\system32\wininet.dll ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
2.c) StartRCS.e.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 160 ]
Executable: [ C:\WINDOWS\system32\drwtsn32.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\drwtsn32 -p 1192 -e 124 -g ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]
Affected Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]
[=============================================================================]
2.d) StartRCS.e.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4013a2 ], 1 time
[#############################################################################]
3. dwwin.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by StartRCS.e.exe
Filename: dwwin.exe
MD5: 86042f6f6a5287eaf9379c91d0bf72b6
SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 160
Process-status
at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\URLMON.DLL ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.DLL ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\1033\dwintl.dll ],
Base Address: [0x314C0000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\sensapi.dll ],
Base Address: [0x722B0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\riched20.dll ],
Base Address: [0x74E30000 ], Size: [0x0006D000 ]
Module Name: [ C:\WINDOWS\system32\imm32.dll ],
Base Address: [0x76390000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\shfolder.dll ],
Base Address: [0x76780000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\rasman.dll ],
Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ],
Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
[=============================================================================]
Popups
[=============================================================================]
Window Name: StartRCS.e.exe
Displayed Times: 1
Window Text:
&Don't Send
StartRCS.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
StartRCS.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous.
To see what data this error report contains,
Details
&Send Error Report
[=============================================================================]
3.a) dwwin.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Paths ], New Value: [ 4 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ MigrateProxy ], New Value: [ 1 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000001600000001000000000000000000000000000000040000000000 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
|
|
|
|
|
18.03.2012, 00:23
|
#9 | |
|
Регистрация: 18.03.2012
Возраст: 32
Сообщений: 49
Отблагодарили 3 раз(а)
Рейтинг мнений:
|
Re: Клиент-сервер
Цитата:
|
|
|
|
|
|
18.03.2012, 00:24
|
#10 |
|
Эксперт
Регистрация: 02.10.2009
Возраст: 34
Сообщений: 1,831
Отблагодарили 1 раз(а)
Рейтинг мнений:
|
Re: Клиент-сервер
Второй процесс:
Код:
___ __ _
+ /- / | ____ __ __/ /_ (_)____ -\ +
/s h- / /| | / __ \/ / / / __ \/ / ___/ -h s\
oh-:d/ / ___ |/ / / / /_/ / /_/ / (__ ) /d:-ho
shh+hy- /_/ |_/_/ /_/\__,_/_.___/_/____/ -yh+hhs
-:+hhdhyys/- -\syyhdhh+:-
-//////dhhhhhddhhyss- Analysis Report -ssyhhddhhhhhd\\\\\\-
/++/////oydddddhhyys/ ooooooooooooooooooooo \syyhhdddddyo\\\\\++\
-+++///////odh/- -+hdo\\\\\\\+++-
+++++++++//yy+/: :\+yy\\+++++++++
/+soss+sys//yyo/os++o+: :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy: :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/ \yyyyyy+\o\so+osyyyyyyo+
[#############################################################################]
Analysis Report for StartRCS.exe
MD5: 16913127ceb1178fb477b30e83de23fc
[#############################################################################]
Summary:
- Write to foreign memory areas:
This executable tampers with the execution of another process.
- Execution did not terminate correctly:
The executable crashed.
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.
- Spawns Processes:
The executable produces processes during the execution.
- Performs Registry Activities:
The executable creates and/or modifies registry entries.
[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- StartRCS.e.exe
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities
- dwwin.exe
a) Registry Activities
b) File Activities
c) Process Activities
- drwtsn32.exe
a) Registry Activities
b) File Activities
[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 250 s
Report created: 03/17/12, 21:03:46 UTC
Termination reason: Timeout
Program version: 1.75.3394
[#############################################################################]
2. StartRCS.e.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: StartRCS.e.exe
MD5: 16913127ceb1178fb477b30e83de23fc
SHA-1: b757e071e5160c1b7e5708fcc19a61d8cda24fa9
File Size: 10724 Bytes
Command Line: "C:\StartRCS.e.exe"
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ],
Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\apphelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\shell32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
[=============================================================================]
2.a) StartRCS.e.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\System\WPA\PnP ],
Value Name: [ seed ], Value: [ 1274198464 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
[=============================================================================]
2.b) StartRCS.e.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7b0a_appcompat.txt ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7b0a_appcompat.txt ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\advapi32.dll ]
File Name: [ C:\WINDOWS\system32\apphelp.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\drwtsn32.exe ]
File Name: [ C:\WINDOWS\system32\dwwin.exe ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\gdi32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\user32.dll ]
File Name: [ C:\WINDOWS\system32\wininet.dll ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
2.c) StartRCS.e.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 160 ]
Executable: [ C:\WINDOWS\system32\drwtsn32.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\drwtsn32 -p 1192 -e 124 -g ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]
Affected Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\drwtsn32.exe ]
Process: [ C:\WINDOWS\system32\dwwin.exe ]
[=============================================================================]
2.d) StartRCS.e.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4013a2 ], 1 time
[#############################################################################]
3. dwwin.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by StartRCS.e.exe
Filename: dwwin.exe
MD5: 86042f6f6a5287eaf9379c91d0bf72b6
SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 160
Process-status
at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\URLMON.DLL ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.DLL ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\1033\dwintl.dll ],
Base Address: [0x314C0000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\sensapi.dll ],
Base Address: [0x722B0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\riched20.dll ],
Base Address: [0x74E30000 ], Size: [0x0006D000 ]
Module Name: [ C:\WINDOWS\system32\imm32.dll ],
Base Address: [0x76390000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\shfolder.dll ],
Base Address: [0x76780000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\rasman.dll ],
Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ],
Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
[=============================================================================]
Popups
[=============================================================================]
Window Name: StartRCS.e.exe
Displayed Times: 1
Window Text:
&Don't Send
StartRCS.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
StartRCS.e.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous.
To see what data this error report contains,
Details
&Send Error Report
[=============================================================================]
3.a) dwwin.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Paths ], New Value: [ 4 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ MigrateProxy ], New Value: [ 1 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000001600000001000000000000000000000000000000040000000000 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
|
|
|
|
|
| Здесь присутствуют: 1 (пользователей: 0 , гостей: 1) | |
| Опции темы | |
|
|
Похожие темы
|
||||
| Тема | Автор | Раздел | Ответов | Последнее сообщение |
| клиент и сервер | winner-iii | Серверная часть | 12 | 28.12.2011 16:09 |
| Клиент 2.5 под сервер 2.1 | Romanz | Aion | 13 | 24.04.2011 14:41 |
| Сервер под клиент v.1.5.1.9 | romonn | Серверная часть | 6 | 30.07.2010 12:42 |
| Клиент и сервер | xMETTx | Серверная часть | 2 | 07.02.2010 06:02 |
| Клиент - Сервер | laitar | Lineage II | 4 | 15.02.2009 20:31 |
