tarkanbounce
زيزوومى ذهبى
- إنضم
- 6 يناير 2010
- المشاركات
- 1,858
- مستوى التفاعل
- 5,263
- النقاط
- 1,070
- الإقامة
- المنصورة / جمهورية مصر العربية
غير متصل
الافيرا ينسف ولا يرحم الملف بعد فك الضغط مبدع الافيرا دائماً وبارك الله فيك على التشفيرة
-
[ يمنع ] طرح أي موضوع يحوي على كراكات أو باتشات او كيجنات من غير فحصها عبر موقع فيروس توتال [ virustotal.com ] وطرح رابط الفحص ضِمن الموضوع.
- بادئ الموضوع medo2013
- تاريخ البدء
- 2,319
- الحالة
Ali Ramadan
زيزوومي VIP
غير متصل
تم قنصه بالمدرع الروماني 
توقيع : Ali Ramadan
Ali Ramadan
زيزوومي VIP
غير متصل
يا زيزوومييين
لتجنب اضرار الملف كل ما عليك هو تحميل برنامج
Shadow Defender
وتجميد النظام بعدها جرب كما يحلو لك من فايروساات وكراكات وباتشات من دون الحاق ضرر بالجهاز
لتجنب اضرار الملف كل ما عليك هو تحميل برنامج
Shadow Defender
وتجميد النظام بعدها جرب كما يحلو لك من فايروساات وكراكات وباتشات من دون الحاق ضرر بالجهاز
توقيع : Ali Ramadan
Gone without a trace
زيزوومي VIP
- إنضم
- 25 أغسطس 2012
- المشاركات
- 4,795
- مستوى التفاعل
- 20,807
- النقاط
- 1,220
غير متصل
تشفيره حلوه ..
يا ليت فضلا احد الاخوان اصحاب الوهمي وجدران الحماية السماح للملف الاول بالعمل حتى نرى البرنامج الناتج عن الملف الام وقدرته على فتح البورت
يا ليت فضلا احد الاخوان اصحاب الوهمي وجدران الحماية السماح للملف الاول بالعمل حتى نرى البرنامج الناتج عن الملف الام وقدرته على فتح البورت
توقيع : Gone without a trace
alaa8iniesta
زيزوومى ذهبى
غير متصل
الافيرا ينسف ولا يرحم الملف بعد فك الضغط مبدع الافيرا دائماً وبارك الله فيك على التشفيرة
كنت متأكد ان الافيرا كدا كدا هيجيبه بالمحرك
توقيع : alaa8iniesta
alaa8iniesta
زيزوومى ذهبى
غير متصل
يا زيزوومييين
لتجنب اضرار الملف كل ما عليك هو تحميل برنامج
Shadow Defender
وتجميد النظام بعدها جرب كما يحلو لك من فايروساات وكراكات وباتشات من دون الحاق ضرر بالجهاز
بارك الله فيك اخي الكريم
ولكن انا اوجه مشاكل كثيره في تجميد قرص c بالشادو ديفندر
علي ويندوز 8
توقيع : alaa8iniesta
alaa8iniesta
زيزوومى ذهبى
غير متصل
توقيع : alaa8iniesta
Ali Ramadan
زيزوومي VIP
غير متصل
صرااحه اني لي مده استخدمه
افضل بمليوون مره من تنصيب نظاام وهمي + اني استخدمهه على وندوز 8 ولم اوجه مع مشاكل للان
افضل بمليوون مره من تنصيب نظاام وهمي + اني استخدمهه على وندوز 8 ولم اوجه مع مشاكل للان
توقيع : Ali Ramadan
black007
إداري سابق وداعم للمنتدى (خبير فحص ملفات)
داعــــم للمنتـــــدى
★★ نجم المنتدى ★★
عضوية موثوقة ✔️
كبار الشخصيات
غير متصل
alaa8iniesta
زيزوومى ذهبى
غير متصل
اخي انا استخدمه علي ويندوز 8.1
وهذا هو الاصدار الذي املكه
وهو كان يعمل معي جيدا علي ويندوز 7
ولكن عند التشغيل علي ويندوز 8.1 يقوم بتجميد الجهاز كله ولا يعمل الا بفصل التيار الكهربي عن الجهاز واعاده تشغيله مره اخري
ويوقف الماوس والكيبورد عن العمل
ارجو الحل من الاعضاء الكرام
توقيع : alaa8iniesta
alaa8iniesta
زيزوومى ذهبى
غير متصل
صاحب الموضوع حاول ذكر تفاصيل اكثر عن الملف
مكشوف من محرك النود قبل اكتمال التحميل
من وجهه نظري المتواضعه ان النود هو افضل محرك علي وجه الارض
توقيع : alaa8iniesta
Ali Ramadan
زيزوومي VIP
غير متصل
اخووي الغالياخي انا استخدمه علي ويندوز 8.1
وهذا هو الاصدار الذي املكه
وهو كان يعمل معي جيدا علي ويندوز 7
ولكن عند التشغيل علي ويندوز 8.1 يقوم بتجميد الجهاز كله ولا يعمل الا بفصل التيار الكهربي عن الجهاز واعاده تشغيله مره اخري
ويوقف الماوس والكيبورد عن العمل
ارجو الحل من الاعضاء الكرام
المشكله واضحه
الاصدار الذي تملكه قديم جدا جدا ولا يدعم وندوز 8
تفضل هذا الموضوع البرنامج في اخر اصداره + التفعيل والتعريب
http://forum.zyzoom.net/threads/216618/#post-3059879
توقيع : Ali Ramadan
بنادول
زيزوومي ماسى
- إنضم
- 27 مارس 2008
- المشاركات
- 2,553
- مستوى التفاعل
- 3,191
- النقاط
- 1,170
- الإقامة
- السعوديه
- الموقع الالكتروني
- forum.zyzoom.net
غير متصل
ف
فاعل الخير
Guest
غير متصل
الكيهو عند فك الضغط
والاكتشاف كان بالمحرك السحابي
مشكور جدا ... تحياتي انيستا
فعلا الكيهووو بطل
.. سبقتوني بالنتائج
Gone without a trace
زيزوومي VIP
- إنضم
- 25 أغسطس 2012
- المشاركات
- 4,795
- مستوى التفاعل
- 20,807
- النقاط
- 1,220
غير متصل
بارك الله فيك
التجربه على الكاسبر 2014
وندوز 8 64 بت
بالفحص غير مكتشف
بالتشغيل تم وضع الملف في خانة تقييد منخفض
يحاول الملف الإتصال بالنت ولكن الكاسبر منعه
توقيع : Gone without a trace
Gone without a trace
زيزوومي VIP
- إنضم
- 25 أغسطس 2012
- المشاركات
- 4,795
- مستوى التفاعل
- 20,807
- النقاط
- 1,220
غير متصل
- مفاتيح جديده تم انشاؤها
HKEY_CURRENT_USER\Software\593ab65c74a387455c88abf9911fe8d8
قيم جديده
[HKEY_CURRENT_USER]
di = "!"
[HKEY_CURRENT_USER\Environment]
SEE_MASK_NOZONECHECKS = "1"
[HKEY_CURRENT_USER\Software\593ab65c74a387455c88abf9911fe8d8]
[kl] = ""
port 1065 TCP idm.exe (%Temp%\idm
هذا تقرير مختصر لسلوك الملف اعتمادا على احد مختبرات التحليل
توقيع : Gone without a trace
عبدالرحمن نبهان
زيزوومى ذهبى
غير متصل
دا هو التحليل الكامل لسلود الفيروسات طبعا اعتماد على احد مواقع التحليل
كود:
- General information
- 9999.exe
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities
- DW20.EXE
a) Registry Activities
b) File Activities
c) Process Activities
[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 260 s
Report created: 12/21/13, 15:28:38 UTC
Termination reason: Timeout
Program version: 1.76.3886
[#############################################################################]
2. 9999.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: 9999.exe
MD5: 6fc19dd2394cfc04603254f306670066
SHA-1: 5c6346fdaa0326ed3be40cdad63d853067185620
File Size: 422912 Bytes
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\mscoree.dll ],
Base Address: [0x79000000 ], Size: [0x0004A000 ]
Module Name: [ C:\WINDOWS\system32\KERNEL32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ],
Base Address: [0x603B0000 ], Size: [0x00066000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll ],
Base Address: [0x79E70000 ], Size: [0x0058F000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll ],
Base Address: [0x78130000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\shell32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll ],
Base Address: [0x790C0000 ], Size: [0x00B36000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll ],
Base Address: [0x79060000 ], Size: [0x00056000 ]
Module Name: [ C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll ],
Base Address: [0x7A440000 ], Size: [0x007EA000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ],
Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
[=============================================================================]
2.a) 9999.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ],
Value Name: [ Image Path ], Value: [ rsaenh.dll ], 12 times
Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ],
Value Name: [ Type ], Value: [ 1 ], 3 times
Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ],
Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\.NETFramework ],
Value Name: [ InstallRoot ], Value: [ C:\WINDOWS\Microsoft.NET\Framework\ ], 9 times
Key: [ HKLM\Software\Microsoft\.NETFramework\Policy\\v4.0 ],
Value Name: [ 30319 ], Value: [ 30319-30319 ], 1 time
Key: [ HKLM\Software\Microsoft\Cryptography ],
Value Name: [ MachineGuid ], Value: [ 4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ], 12 times
Key: [ HKLM\Software\Microsoft\Cryptography\Defaults\Provider Types\Type 001 ],
Value Name: [ Name ], Value: [ Microsoft Strong Cryptographic Provider ], 2 times
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ],
Value Name: [ System,2.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0x8a57dea520cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ],
Value Name: [ System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x18bb1ba420cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ],
Value Name: [ System.Xml,2.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0xca1b97a220cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ],
Value Name: [ mscorlib,2.0.0.0,,b77a5c561934e089,x86 ], Value: [ 0xa8ce1d9f20cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32 ],
Value Name: [ LatestIndex ], Value: [ 117 ], 3 times
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 ],
Value Name: [ DisplayName ], Value: [ System.Xml,2.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 ],
Value Name: [ LastModTime ], Value: [ 0xca1b97a220cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 ],
Value Name: [ SIG ], Value: [ 0xe129b85668d5c94a83901a595a688da0546fb0968a3ad8f39d84fd920ec9 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 ],
Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 ],
Value Name: [ DisplayName ], Value: [ System,2.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 ],
Value Name: [ LastModTime ], Value: [ 0x8a57dea520cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 ],
Value Name: [ SIG ], Value: [ 0x7739f7fe32588e438bd70fda47be005ca87ed832d6e6b76aa0302a427ffe ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 ],
Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5 ],
Value Name: [ DisplayName ], Value: [ System.Configuration,2.0.0.0,,b03f5f7f11d50a3a ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5 ],
Value Name: [ LastModTime ], Value: [ 0x18bb1ba420cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5 ],
Value Name: [ SIG ], Value: [ 0x13b985b524af744ea7870ebe1b5d5d0658961b3f64a74093492875c9d8f1 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5 ],
Value Name: [ Status ], Value: [ 4098 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8 ],
Value Name: [ DisplayName ], Value: [ mscorlib,2.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8 ],
Value Name: [ LastModTime ], Value: [ 0xa8ce1d9f20cfcb01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8 ],
Value Name: [ Modules ], Value: [ sortkey.nlp|sorttbls.nlp|big5.nlp|bopomofo.nlp|ksc.nlp|prc.nlp|prcp.nlp|xjis.nlp|normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8 ],
Value Name: [ SIG ], Value: [ 0x61498a5bb093b143a337bdf5962ece99bd6c58fc8f03105a020331f4a600 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8 ],
Value Name: [ Status ], Value: [ 8198 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8 ],
Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8 ],
Value Name: [ ConfigString ], Value: [ ZAP--0000-0000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8 ],
Value Name: [ DisplayName ], Value: [ mscorlib,2.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8 ],
Value Name: [ ILDependencies ], Value: [ 0xc5e25079b3459531080000000200000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8 ],
Value Name: [ MVID ], Value: [ 0x642534209e13d16e93b80a628742d2ee ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8 ],
Value Name: [ Status ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7 ],
Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7 ],
Value Name: [ ConfigString ], Value: [ ZAP--0000-0000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7 ],
Value Name: [ DisplayName ], Value: [ System,2.0.0.0,,b77a5c561934e089 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7 ],
Value Name: [ ILDependencies ], Value: [ 0xd8d44b425c3de667050000000200000000000000578dab19d0021a290600 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7 ],
Value Name: [ MVID ], Value: [ 0x36dbfcf62e07d819b3de533898868ecf ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7 ],
Value Name: [ NIDependencies ], Value: [ 0xc6381918a9e9743c080000000200000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7 ],
Value Name: [ Status ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index75 ],
Value Name: [ ILUsageMask ], Value: [ 0xffffffffffffffffff01 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index75 ],
Value Name: [ NIUsageMask ], Value: [ 0xfffffffffffffffff1 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ],
Value Name: [ Latest ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ],
Value Name: [ LegacyPolicyTimeStamp ], Value: [ 0x0000000000000000 ], 1 time
Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ],
Value Name: [ index1 ], Value: [ 0x00 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting\DW\Installed ],
Value Name: [ DW0200 ], Value: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll ],
Value Name: [ CheckAppHelp ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll ],
Value Name: [ CheckAppHelp ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
Value Name: [ AppInit_DLLs ], Value: [ ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSAppCompat ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 1 time
[=============================================================================]
2.b) 9999.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config ]
File Name: [ C:\WINDOWS\system32\rsaenh.dll ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\9999.exe ]
File Name: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll ]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll ]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp ]
File Name: [ C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp ]
File Name: [ C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll ]
File Name: [ C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\crypt32.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\l_intl.nls ]
File Name: [ C:\WINDOWS\system32\mscoree.dll ]
File Name: [ C:\WINDOWS\system32\rpcss.dll ]
File Name: [ C:\WINDOWS\system32\rsaenh.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[=============================================================================]
2.c) 9999.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [ ]
Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [ dw20.exe -x -s 336 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]
[=============================================================================]
2.d) 9999.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xe0434f4d at 0x7c812aeb ], 1 time
[#############################################################################]
3. DW20.EXE
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by 9999.exe
Filename: DW20.EXE
MD5: a981419c39cc02259b8f2da3974000d9
SHA-1: 905d359e2c5e8330d39b746132fa9779f52c0b93
File Size: 637272 Bytes
Command Line: dw20.exe -x -s 336
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\OLEACC.dll ],
Base Address: [0x74C80000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
Base Address: [0x76080000 ], Size: [0x00065000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\urlmon.dll ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\1033\dwintl20.dll ],
Base Address: [0x318A0000 ], Size: [0x0001C000 ]
Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll ],
Base Address: [0x6BCE0000 ], Size: [0x000C9000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\riched20.dll ],
Base Address: [0x74E30000 ], Size: [0x0006D000 ]
Module Name: [ C:\WINDOWS\system32\imm32.dll ],
Base Address: [0x76390000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\shfolder.dll ],
Base Address: [0x76780000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\psapi.dll ],
Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\mscoree.dll ],
Base Address: [0x79000000 ], Size: [0x0004A000 ]
[=============================================================================]
3.a) DW20.EXE - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ],
Value Name: [ Paths ], New Value: [ 4 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ],
Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ],
Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ],
Value Name: [ * ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll ],
Value Name: [ CheckAppHelp ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls ],
Value Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls ],
Value Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll ], Value: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
Value Name: [ AppInit_DLLs ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSAppCompat ], Value: [ 0 ], 3 times
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\System\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings ],
Value Name: [ Anchor Color ], Value: [ 0,0,255 ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ],
Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ],
Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ],
Value Name: [ CachePrefix ], Value: [ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ],
Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ],
Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ],
Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CachePrefix ], Value: [ :2011021720110218: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ],
Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CacheOptions ], Value: [ 11 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\ ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CachePrefix ], Value: [ :2011021820110219: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ],
Value Name: [ CacheRepair ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ],
Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ],
Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ],
Value Name: [ PerUserItem ], Value: [ 1 ], 1 time
[=============================================================================]
3.b) DW20.EXE - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\707ED.dmp ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw.log ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\9999.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\707ED.dmp ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw.log ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\9999.exe ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\707ED.dmp ]
File Name: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\1033\dwintl20.dll ]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll ]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll ]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll ]
File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll ]
File Name: [ C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll ]
File Name: [ C:\WINDOWS\system32\ADVAPI32.dll ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\GDI32.dll ]
File Name: [ C:\WINDOWS\system32\KERNEL32.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSVCP60.dll ]
File Name: [ C:\WINDOWS\system32\OLEACC.dll ]
File Name: [ C:\WINDOWS\system32\OLEACCRC.DLL ]
File Name: [ C:\WINDOWS\system32\RASAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\RPCRT4.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\SHLWAPI.dll ]
File Name: [ C:\WINDOWS\system32\Secur32.dll ]
File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
File Name: [ C:\WINDOWS\system32\USER32.dll ]
File Name: [ C:\WINDOWS\system32\VERSION.dll ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\mscoree.dll ]
File Name: [ C:\WINDOWS\system32\msvcrt.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\psapi.dll ]
File Name: [ C:\WINDOWS\system32\rasman.dll ]
File Name: [ C:\WINDOWS\system32\riched20.dll ]
File Name: [ C:\WINDOWS\system32\rsaenh.dll ]
File Name: [ C:\WINDOWS\system32\rtutils.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\shfolder.dll ]
File Name: [ C:\WINDOWS\system32\urlmon.dll ]
[=============================================================================]
3.c) DW20.EXE - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\9999.exe ]توقيع : عبدالرحمن نبهان
- الحالة