Alexandre Kruger
Posted September 29, 2014

Could someone explain what this program does?

[#############################################################################]
Anubis Analysis Report for Info - Pc.exe
MD5: 33c69fd3c14bd38d2f82cbb1b4bac65a
[#############################################################################]

[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- Info - Pc..exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- DW20.EXE
  a) Registry Activities
  b) File Activities
  c) Process Activities

[#############################################################################]
1. General Information
[#############################################################################]

[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 260 s
Report created: 09/29/14, 17:33:59 UTC
Termination reason: Timeout
Program version: 1.76.3886

[#############################################################################]
2. Info - Pc..exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: Info - Pc..exe
MD5: 33c69fd3c14bd38d2f82cbb1b4bac65a
SHA-1: bcadac496172804781d252c8104a2037a0f8102d
File Size: 442368 Bytes
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\mscoree.dll ], Base Address: [0x79000000 ], Size: [0x0004A000 ]
Module Name: [ C:\WINDOWS\system32\KERNEL32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ], Base Address: [0x603B0000 ], Size: [0x00066000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ], Base Address: [0x79140000 ], Size: [0x0066F000 ]
Module Name: [ C:\WINDOWS\system32\MSVCR100_CLR0400.dll ], Base Address: [0x79060000 ], Size: [0x000BE000 ]
Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\mscorlib.ni.dll ], Base Address: [0x79880000 ], Size: [0x00DC3000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\culture.dll ], Base Address: [0x60340000 ], Size: [0x0000D000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll ], Base Address: [0x60930000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clrjit.dll ], Base Address: [0x79810000 ], Size: [0x00060000 ]
Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\161c6f80ad93b0505054d244f1c6243c\System.ni.dll ], Base Address: [0x7A820000 ], Size: [0x00898000 ]
Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2fe09cc54a8390b20e380239db34228f\System.Drawing.ni.dll ], Base Address: [0x7B1D0000 ], Size: [0x00196000 ]
Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f3cdd09fc0acc85c7febbd2e2ef9c4e5\System.Windows.Forms.ni.dll ], Base Address: [0x7B370000 ], Size: [0x00C6B000 ]
Module Name: [ C:\WINDOWS\system32\uxtheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ], Base Address: [0x4EC50000 ], Size: [0x001A6000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]

[=============================================================================]
2.a) Info - Pc..exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 2 times
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 6 times
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Arial Baltic,186 ], Value: [ Arial,186 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Arial CE,238 ], Value: [ Arial,238 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Arial CYR,204 ], Value: [ Arial,204 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Arial Greek,161 ], Value: [ Arial,161 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Arial TUR,162 ], Value: [ Arial,162 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Courier New Baltic,186 ], Value: [ Courier New,186 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Courier New CE,238 ], Value: [ Courier New,238 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Courier New CYR,204 ], Value: [ Courier New,204 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Courier New Greek,161 ], Value: [ Courier New,161 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Courier New TUR,162 ], Value: [ Courier New,162 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Helv ], Value: [ MS Sans Serif ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Helvetica ], Value: [ Arial ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ MS Shell Dlg ], Value: [ Microsoft Sans Serif ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ MS Shell Dlg 2 ], Value: [ Tahoma ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Times ], Value: [ Times New Roman ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Times New Roman Baltic,186 ], Value: [ Times New Roman,186 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Times New Roman CE,238 ], Value: [ Times New Roman,238 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Times New Roman CYR,204 ], Value: [ Times New Roman,204 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Times New Roman Greek,161 ], Value: [ Times New Roman,161 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Times New Roman TUR,162 ], Value: [ Times New Roman,162 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], Value Name: [ Tms Rmn ], Value: [ MS Serif ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\.NETFramework ], Value Name: [ InstallRoot ], Value: [ C:\WINDOWS\Microsoft.NET\Framework\ ], 9 times
Key: [ HKLM\Software\Microsoft\.NETFramework\Policy\\v4.0 ], Value Name: [ 30319 ], Value: [ 30319-30319 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ Accessibility,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0xb0b518f748cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System,4.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0x923ed9fd48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System.Configuration,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x189984f948cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System.Deployment,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x5607dbfb48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System.Drawing,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x820dabfe48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System.Runtime.Serialization.Formatters.Soap,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0xccc2561749cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System.Security,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x2029aaff48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System.Windows.Forms,4.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0xc2b2590149cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ System.Xml,4.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0xa019a50249cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], Value Name: [ mscorlib,4.0.0.0,,b77a5c561934e089,x86 ], Value: [ 0x7af6f1f448cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32 ], Value Name: [ LatestIndex ], Value: [ 128 ], 4 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], Value Name: [ DisplayName ], Value: [ mscorlib,4.0.0.0,,b77a5c561934e089 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], Value Name: [ LastModTime ], Value: [ 0x7af6f1f448cecb01 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], Value Name: [ Modules ], Value: [ normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], Value Name: [ SIG ], Value: [ 0xd74ebd98377318409551ee0825ada7bad7d8789378521e6bea0d6e989d21 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], Value Name: [ Status ], Value: [ 8198 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], Value Name: [ DisplayName ], Value: [ System.Windows.Forms,4.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], Value Name: [ LastModTime ], Value: [ 0xc2b2590149cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], Value Name: [ SIG ], Value: [ 0x79b04eec0f762c4bad3017bac4150f5920332fc7d1d63954cd26fedf1009 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], Value Name: [ DisplayName ], Value: [ System.Xml,4.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], Value Name: [ LastModTime ], Value: [ 0xa019a50249cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], Value Name: [ SIG ], Value: [ 0xc5001c24e7b69a47b45f038d12d280c5a05ed9d07250af4dfda78fa43f6f ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], Value Name: [ DisplayName ], Value: [ Accessibility,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], Value Name: [ LastModTime ], Value: [ 0xb0b518f748cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], Value Name: [ SIG ], Value: [ 0x57ceb6d0aebee44a86da4080b3cee6719172a9d7469f0bdaa99f1daf6c55 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], Value Name: [ DisplayName ], Value: [ System.Deployment,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], Value Name: [ LastModTime ], Value: [ 0x5607dbfb48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], Value Name: [ SIG ], Value: [ 0x30a1e4cabbcfa643b2c1db433397519b93fcf9ca788e7b63b5de5a6140e4 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], Value Name: [ DisplayName ], Value: [ System,4.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], Value Name: [ LastModTime ], Value: [ 0x923ed9fd48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], Value Name: [ SIG ], Value: [ 0x317b4fe04715534ba83d8704c85662619cb5d7d82f52e76c37ce1d20af69 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], Value Name: [ DisplayName ], Value: [ System.Runtime.Serialization.Formatters.Soap,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], Value Name: [ LastModTime ], Value: [ 0xccc2561749cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], Value Name: [ SIG ], Value: [ 0x111e988ed985ba478d919c3054b95e4e26a34e9fec62bc33acb451c286f9 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], Value Name: [ DisplayName ], Value: [ System.Configuration,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], Value Name: [ LastModTime ], Value: [ 0x189984f948cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], Value Name: [ SIG ], Value: [ 0x15fa5d2766c57d40893a33ef21db2cef56a8a5d4c0ca417d1533e9b0d7b0 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], Value Name: [ DisplayName ], Value: [ System.Security,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], Value Name: [ LastModTime ], Value: [ 0x2029aaff48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], Value Name: [ SIG ], Value: [ 0x1d175efd3ba191438dec6514f010658c6257289cff6e1d0690f3714305a6 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], Value Name: [ DisplayName ], Value: [ System.Drawing,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], Value Name: [ LastModTime ], Value: [ 0x820dabfe48cecb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], Value Name: [ SIG ], Value: [ 0x08151e88e059db47a143982f9ad099a80b66942d7261045bb91131a930c6 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], Value Name: [ ConfigMask ], Value: [ 4361 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], Value Name: [ ConfigString ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], Value Name: [ DisplayName ], Value: [ mscorlib,4.0.0.0,,b77a5c561934e089 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], Value Name: [ ILDependencies ], Value: [ 0x42ca9914f8653465010000000400000000000000 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], Value Name: [ MVID ], Value: [ 0x4ff1f12a08d455f195ba996fe77497c6 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], Value Name: [ Status ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], Value Name: [ ConfigString ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], Value Name: [ DisplayName ], Value: [ System,4.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], Value Name: [ ILDependencies ], Value: [ 0x56bc945def0c153b060000000400000000000000d574f4343f6f24650700 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], Value Name: [ MVID ], Value: [ 0x161c6f80ad93b0505054d244f1c6243c ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], Value Name: [ NIDependencies ], Value: [ 0xc638191842ca9914010000000400000000000000c638191842ca99140100 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], Value Name: [ Status ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], Value Name: [ ConfigString ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], Value Name: [ DisplayName ], Value: [ System.Drawing,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], Value Name: [ ILDependencies ], Value: [ 0x3fbc10099eb86d30180000000400000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], Value Name: [ MVID ], Value: [ 0x2fe09cc54a8390b20e380239db34228f ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], Value Name: [ NIDependencies ], Value: [ 0xc638191842ca99140100000004000000000000004f7cbc30cde5995a0800 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], Value Name: [ Status ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], Value Name: [ ConfigString ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], Value Name: [ DisplayName ], Value: [ System.Windows.Forms,4.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], Value Name: [ ILDependencies ], Value: [ 0xce931f49bf7de93f17000000040000000000000056bc945def0c153b0600 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], Value Name: [ MVID ], Value: [ 0xf3cdd09fc0acc85c7febbd2e2ef9c4e5 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], Value Name: [ NIDependencies ], Value: [ 0xc638191842ca9914010000000400000000000000a006ca3c3fbc10091800 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], Value Name: [ Status ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\index80 ], Value Name: [ ILUsageMask ], Value: [ 0xffffffffffffffffffffffffffffffff ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\index80 ], Value Name: [ NIUsageMask ], Value: [ 0xffffffffffffffffffffffffffffffff ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], Value Name: [ Latest ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], Value Name: [ LegacyPolicyTimeStamp ], Value: [ 0x0000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], Value Name: [ index1 ], Value: [ 0x00 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting\DW\Installed ], Value Name: [ DW0200 ], Value: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll ], Value Name: [ CheckAppHelp ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ], Value Name: [ AppInit_DLLs ], Value: [ ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 3 times
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000409 ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSAppCompat ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ NumShape ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ iCurrDigits ], Value: [ 2 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ iCurrency ], Value: [ 2 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ iDigits ], Value: [ 2 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ iNegCurr ], Value: [ 9 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ iNegNumber ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sCurrency ], Value: [ ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sDecimal ], Value: [ , ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sGrouping ], Value: [ 3;0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sMonDecimalSep ], Value: [ , ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sMonGrouping ], Value: [ 3;0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sMonThousandSep ], Value: [ . ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sNativeDigits ], Value: [ 0123456789 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sNegativeSign ], Value: [ - ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sPositiveSign ], Value: [ ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], Value Name: [ sThousand ], Value: [ . ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\GDIPlus ], Value Name: [ FontCachePath ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Application Data ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time

[=============================================================================]
2.b) Info - Pc..exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\config\machine.config ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
File Name: [ WMIDataDevice ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ],
Control Code: [ 0x00390008 ], 8 times File: [ WMIDataDevice ], Control Code: [ 0x0022414C ], 1 time File: [ WMIDataDevice ], Control Code: [ 0x00228144 ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ] File Name: [ C:\Info - Pc..exe ] File Name: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] File Name: [ C:\WINDOWS\FONTS\MICROSS.TTF ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clrjit.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\culture.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\locale.nlp ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll ] File Name: [ C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2fe09cc54a8390b20e380239db34228f\System.Drawing.ni.dll ] File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f3cdd09fc0acc85c7febbd2e2ef9c4e5\System.Windows.Forms.ni.dll ] File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\161c6f80ad93b0505054d244f1c6243c\System.ni.dll ] File 
Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\mscorlib.ni.dll ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\MSVCR100_CLR0400.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\mscoree.dll ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\WINDOWS\system32\uxtheme.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) Info - Pc..exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [ ] Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [ dw20.exe -x -s 440 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] [=============================================================================] 2.d) Info - Pc..exe - Other Activities 
[=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001e at 0x79ab0407 ], 1 time Description: [ Exception 0xc000001e at 0x79aa8108 ], 278 times Description: [ Exception 0xc00000fd (STATUS_STACK_OVERFLOW) at 0x79495bc5 ], 1 time [#############################################################################] 3. 
DW20.EXE [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by Info - Pc..exe Filename: DW20.EXE MD5: a981419c39cc02259b8f2da3974000d9 SHA-1: 905d359e2c5e8330d39b746132fa9779f52c0b93 File Size: 637272 Bytes Command Line: dw20.exe -x -s 440 Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\OLEACC.dll ], Base Address: [0x74C80000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: 
[ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\riched20.dll ], Base Address: [0x74E30000 ], Size: [0x0006D000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\imm32.dll ], Base Address: [0x76390000 ], Size: [0x0001D000 ] Module Name: [ C:\WINDOWS\system32\shfolder.dll ], Base Address: [0x76780000 ], Size: [0x00009000 ] Module Name: [ C:\WINDOWS\system32\psapi.dll ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll ], Base Address: [0x7A820000 ], Size: [0x00120000 ] [=============================================================================] 3.a) DW20.EXE - Registry Activities 
[=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls ], Value Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls ], Value Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ], Value: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ], Value Name: [ AppInit_DLLs ], Value: [ ], 
1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSAppCompat ], Value: [ 0 ], 3 times Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings ], Value Name: [ Anchor Color ], Value: [ 0,0,255 ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time [=============================================================================] 3.b) DW20.EXE - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\70695.dmp ] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw.log ] 
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Info - Pc..exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw.log ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Info - Pc..exe ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clrjit.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\culture.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ] File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2fe09cc54a8390b20e380239db34228f\System.Drawing.ni.dll ] File Name: [ 
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f3cdd09fc0acc85c7febbd2e2ef9c4e5\System.Windows.Forms.ni.dll ] File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\161c6f80ad93b0505054d244f1c6243c\System.ni.dll ] File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\mscorlib.ni.dll ] File Name: [ C:\WINDOWS\system32\ADVAPI32.dll ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\GDI32.dll ] File Name: [ C:\WINDOWS\system32\KERNEL32.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\MSVCP60.dll ] File Name: [ C:\WINDOWS\system32\MSVCR100_CLR0400.dll ] File Name: [ C:\WINDOWS\system32\OLEACC.dll ] File Name: [ C:\WINDOWS\system32\OLEACCRC.DLL ] File Name: [ C:\WINDOWS\system32\RPCRT4.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\SHLWAPI.dll ] File Name: [ C:\WINDOWS\system32\Secur32.dll ] File Name: [ C:\WINDOWS\system32\USER32.dll ] File Name: [ C:\WINDOWS\system32\VERSION.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WINSTA.dll ] File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\mscoree.dll ] File Name: [ C:\WINDOWS\system32\msvcrt.dll ] File Name: [ C:\WINDOWS\system32\ntdll.dll ] File Name: [ C:\WINDOWS\system32\ole32.dll ] File Name: [ C:\WINDOWS\system32\psapi.dll ] File Name: [ C:\WINDOWS\system32\riched20.dll ] File Name: [ C:\WINDOWS\system32\shfolder.dll ] File Name: [ C:\WINDOWS\system32\urlmon.dll ] File Name: [ C:\WINDOWS\system32\uxtheme.dll ] [=============================================================================] 3.c) DW20.EXE - Process Activities [=============================================================================] 
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\Info - Pc..exe ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org Compartilhar este post Link para o post Compartilhar em outros sites
Lord Enigm@, posted September 29, 2014: Hello. Is this a program, or did you use the Anubis site? Like Anubis, JoeBox also analyzes malware in files and on websites. https://anubis.iseclab.org/ http://www.joesecurity.org/ [ ]'s
Alexandre Kruger, posted September 29, 2014: The thing is, there is someone here asking me to run an executable that does this scan on the machine. My question is: what is it looking for on my machine? Software? Hardware? Conversations? Old e-mails? What is in the temp folder? Everything I browse on the web? Those things! What is this program hacking into? Do you want me to send you the .exe so you can take a look? It is a program that collects information from my machine; I used the Anubis site to see what the program did.
Lord Enigm@, posted September 29, 2014: Hello. I didn't understand. Are you having your machine checked by some analyst? Where did you generate this information? The sites mentioned are for scanning malware. If you have any doubt about a binary, I recommend sending it to VirusTotal or asking a malware analyst for help. [ ]'s
KhaosDoctor, posted September 30, 2014: Anubis is a malware analysis system for unknown programs; in general, it is only checking whether your binary is a potentially dangerous file.
Domenike, posted February 9, 2015: It is used to check your AV, Windows hotfixes, software details, etc. It is security-related; you can use it on several machines on your network. I still prefer manual analysis over automated!