unixfreaxjp

DFIR - TcpAdaptorService.exe - kickstart

Jan 31st, 2013
  1. TcpAdaptorService.exe - kickstart
  2. =====================================
  3. "20:55:46.4402141","TcpAdaptorService.exe","1856","Thread Create","","SUCCESS","Thread ID: 2564"
  4. "20:55:46.4414148","TcpAdaptorService.exe","1856","QueryNameInformationFile","C:\Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe","SUCCESS","Name: \Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe"
  5. "20:55:46.4417486","TcpAdaptorService.exe","1856","Load Image","C:\Documents and Settings\RIK\%DESKTOP%\TcpAdaptorService.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x14000"
  6. "20:55:46.4420386","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\ntdll.dll","SUCCESS","Image Base: 0x7c940000, Image Size: 0x9c000"
  7. "20:55:46.4420716","TcpAdaptorService.exe","1856","QueryNameInformationFile","C:\Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe","SUCCESS","Name: \Documents and Settings\RIK\%DESKTOP%\TcpAdaptorService.exe"
  8. "20:55:46.4423959","TcpAdaptorService.exe","1856","CreateFile","C:\WINDOWS\Prefetch\TCPADAPTORSERVICE0.EXE-396BBFEC.pf","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a"
  9. "20:55:46.4428353","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TcpAdaptorService.exe","NAME NOT FOUND","Desired Access: Read"
  10. "20:55:46.4474854","TcpAdaptorService.exe","1856","CreateFile","C:\Documents and Settings\%USER%\%DESKTOP%","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  11. "20:55:46.4483690","TcpAdaptorService.exe","1856","FileSystemControl","C:\Documents and Settings\%USER%\%DESKTOP%","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  12. "20:55:46.4487098","TcpAdaptorService.exe","1856","CreateFile","C:\Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  13. "20:55:46.4495457","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\KERNEL32.DLL","SUCCESS","Image Base: 0x7c800000, Image Size: 0x133000"
  14. "20:55:46.4499745","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS","Desired Access: Read"
  15. "20:55:46.4500449","TcpAdaptorService.exe","1856","ReadFile","C:\WINDOWS\System32\Config\SYSTEM","SUCCESS","Offset: 405,504, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  16. "20:55:46.5030282","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  17. "20:55:46.5030676","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS",""
  18. "20:55:46.5042286","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\ADVAPI32.DLL","SUCCESS","Image Base: 0x77d80000, Image Size: 0xa9000"
  19. "20:55:46.5046295","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\RPCRT4.DLL","SUCCESS","Image Base: 0x77e30000, Image Size: 0x92000"
  20. "20:55:46.5050050","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\SECUR32.DLL","SUCCESS","Image Base: 0x77fa0000, Image Size: 0x11000"
  21. "20:55:46.5057260","TcpAdaptorService.exe","1856","CreateFile","C:\Documents and Settings\%USER%\%DESKTOP%\PSAPI.DLL","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  22. "20:55:46.5113533","TcpAdaptorService.exe","1856","CreateFile","C:\WINDOWS\system32\psapi.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  23. "20:55:46.5116592","TcpAdaptorService.exe","1856","QueryBasicInformationFile","C:\WINDOWS\system32\psapi.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/31 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  24. "20:55:46.5119503","TcpAdaptorService.exe","1856","CloseFile","C:\WINDOWS\system32\psapi.dll","SUCCESS",""
  25. "20:55:46.5133203","TcpAdaptorService.exe","1856","CreateFile","C:\WINDOWS\system32\psapi.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  26. "20:55:46.5136259","TcpAdaptorService.exe","1856","CreateFileMapping","C:\WINDOWS\system32\psapi.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  27. "20:55:46.5137086","TcpAdaptorService.exe","1856","CreateFileMapping","C:\WINDOWS\SYSTEM32\PSAPI.DLL","SUCCESS","SyncType: SyncTypeOther"
  28. "20:55:46.5137558","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","NAME NOT FOUND","Desired Access: Query Value, Set Value"
  29. "20:55:46.5137966","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
  30. "20:55:46.5138446","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
  31. "20:55:46.5138812","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS",""
  32. "20:55:46.5139148","TcpAdaptorService.exe","1856","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","NAME NOT FOUND","Desired Access: Query Value"
  33. "20:55:46.5142243","TcpAdaptorService.exe","1856","CloseFile","C:\WINDOWS\system32\psapi.dll","SUCCESS",""
  34. "20:55:46.5158698","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\PSAPI.DLL","SUCCESS","Image Base: 0x76ba0000, Image Size: 0xb000"
  35. "20:55:46.5165098","TcpAdaptorService.exe","1856","CreateFile","C:\Documents and Settings\%USER%\%DESKTOP%\WS2_32.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  36. "20:55:46.5180164","TcpAdaptorService.exe","1856","CreateFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  37. "20:55:46.5182997","TcpAdaptorService.exe","1856","QueryBasicInformationFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/31 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  38. "20:55:46.5185679","TcpAdaptorService.exe","1856","CloseFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS",""
  39. "20:55:46.5189520","TcpAdaptorService.exe","1856","CreateFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  40. "20:55:46.5192403","TcpAdaptorService.exe","1856","CreateFileMapping","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  41. "20:55:46.5193182","TcpAdaptorService.exe","1856","CreateFileMapping","C:\WINDOWS\SYSTEM32\WS2_32.DLL","SUCCESS","SyncType: SyncTypeOther"
  42. "20:55:46.5206556","TcpAdaptorService.exe","1856","CloseFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS",""
  43. "20:55:46.5210288","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\WS2_32.DLL","SUCCESS","Image Base: 0x719e0000, Image Size: 0x17000"
  44. "20:55:46.5214431","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\MSVCRT.DLL","SUCCESS","Image Base: 0x77bc0000, Image Size: 0x58000"
  45. "20:55:46.5221245","TcpAdaptorService.exe","1856","CreateFile","C:\Documents and Settings\%USER%\%DESKTOP%\WS2HELP.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  46. "20:55:46.5242826","TcpAdaptorService.exe","1856","CreateFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  47. "20:55:46.5245658","TcpAdaptorService.exe","1856","QueryBasicInformationFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/31 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  48. "20:55:46.5248323","TcpAdaptorService.exe","1856","CloseFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS",""
  49. "20:55:46.5260431","TcpAdaptorService.exe","1856","CreateFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  50. "20:55:46.5263742","TcpAdaptorService.exe","1856","CreateFileMapping","C:\WINDOWS\system32\ws2help.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  51. "20:55:46.5264515","TcpAdaptorService.exe","1856","CreateFileMapping","C:\WINDOWS\SYSTEM32\WS2HELP.DLL","SUCCESS","SyncType: SyncTypeOther"
  52. "20:55:46.5267443","TcpAdaptorService.exe","1856","CloseFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS",""
  53. "20:55:46.5272950","TcpAdaptorService.exe","1856","Load Image","C:\WINDOWS\System32\WS2HELP.DLL","SUCCESS","Image Base: 0x719d0000, Image Size: 0x8000"
  54. "20:55:46.5275738","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS","Desired Access: Read"
  55. "20:55:46.5276327","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  56. "20:55:46.5276701","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS",""
  57. "20:55:46.5278227","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll","NAME NOT FOUND","Desired Access: Read"
  58. "20:55:46.5278878","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll","NAME NOT FOUND","Desired Access: Read"
  59. "20:55:46.5279294","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll","NAME NOT FOUND","Desired Access: Read"
  60. "20:55:46.5279721","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS","Desired Access: Read"
  61. "20:55:46.5280193","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  62. "20:55:46.5280409","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  63. "20:55:46.5280713","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS",""
  64. "20:55:46.5280920","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS","Desired Access: Read"
  65. "20:55:46.5281356","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack","NAME NOT FOUND","Length: 144"
  66. "20:55:46.5281696","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS",""
  67. "20:55:46.5281856","TcpAdaptorService.exe","1856","RegOpenKey","HKLM","SUCCESS","Desired Access: Maximum Allowed"
  68. "20:55:46.5282188","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics","NAME NOT FOUND","Desired Access: Read"
  69. "20:55:46.5282677","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL","NAME NOT FOUND","Desired Access: Read"
  70. "20:55:46.5282968","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll","NAME NOT FOUND","Desired Access: Read"
  71. "20:55:46.5289088","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll","NAME NOT FOUND","Desired Access: Read"
  72. "20:55:46.5289415","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll","NAME NOT FOUND","Desired Access: Read"
  73. "20:55:46.5289834","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll","NAME NOT FOUND","Desired Access: Read"
  74. "20:55:46.5290103","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll","NAME NOT FOUND","Desired Access: Read"
  75. "20:55:46.5290625","TcpAdaptorService.exe","1856","ReadFile","C:\Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe","SUCCESS","Offset: 20,480, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  76. "20:55:46.5923230","TcpAdaptorService.exe","1856","ReadFile","C:\Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe","SUCCESS","Offset: 4,096, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  77. "20:55:46.5935430","TcpAdaptorService.exe","1856","ReadFile","C:\Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe","SUCCESS","Offset: 69,632, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  78. "20:55:46.6387700","TcpAdaptorService.exe","1856","ReadFile","C:\Documents and Settings\%USER%\%DESKTOP%\TcpAdaptorService.exe","SUCCESS","Offset: 53,248, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  79. "20:55:46.6502701","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\System\CurrentControlSet\Control\ServiceCurrent","SUCCESS","Desired Access: Query Value"
  80. "20:55:46.6503279","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\System\CurrentControlSet\Control\ServiceCurrent\(Default)","SUCCESS","Type: REG_DWORD, Length: 4, Data: 13"
  81. "20:55:46.6503595","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\System\CurrentControlSet\Control\ServiceCurrent","SUCCESS",""
  82. "20:56:01.6479374","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Rpc\PagedBuffers","NAME NOT FOUND","Desired Access: Read"
  83. "20:56:01.6479692","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Rpc","SUCCESS","Desired Access: Read"
  84. "20:56:01.6482201","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize","NAME NOT FOUND","Length: 144"
  85. "20:56:01.6482533","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\SOFTWARE\Microsoft\Rpc","SUCCESS",""
  86. "20:56:01.6482743","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TcpAdaptorService.exe\RpcThreadPoolThrottle","NAME NOT FOUND","Desired Access: Read"
  87. "20:56:01.6483659","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows NT\Rpc","NAME NOT FOUND","Desired Access: Read"
  88. "20:56:01.6484087","TcpAdaptorService.exe","1856","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Query Value"
  89. "20:56:01.6484598","TcpAdaptorService.exe","1856","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode","NAME NOT FOUND","Length: 16"
  90. "20:56:01.6484916","TcpAdaptorService.exe","1856","RegCloseKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
  91. "20:56:01.6489526","TcpAdaptorService.exe","1856","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 6D 7B CA A8 FF C8 F9 02 99 7F B6 FD 9C 12 11 DE"
  92. "20:56:01.7667407","TcpAdaptorService.exe","1856","SetEndOfFileInformationFile","C:\WINDOWS\system32\config\software.LOG","SUCCESS","EndOfFile: 8,192"
  93. "20:56:01.7670511","TcpAdaptorService.exe","1856","SetEndOfFileInformationFile","C:\WINDOWS\system32\config\software.LOG","SUCCESS","EndOfFile: 8,192"
  94. "20:56:01.7681071","TcpAdaptorService.exe","1856","Thread Exit","","SUCCESS","Thread ID: 2564, User Time: 0.0000000, Kernel Time: 0.0156250"
  95. "20:56:01.7685611","TcpAdaptorService.exe","1856","Process Exit","","SUCCESS","Exit Status: 0, User Time: 0.0156250 seconds, Kernel Time: 0.0156250 seconds, Private Bytes: 278,528, Peak Private Bytes: 282,624, Working Set: 1,179,648, Peak Working Set: 1,183,744"
  96. "20:56:01.7686857","TcpAdaptorService.exe","1856","CloseFile","C:\Documents and Settings\%USER%\%DESKTOP%","SUCCESS",""