1 | [#############################################################################] | |
2 | Analysis Report for MW3sa Reporting tool.exe | |
3 | MD5: 517e2d8869c36c0dca8e2dfef4e3255e | |
4 | [#############################################################################] | |
5 | ||
6 | Summary: | |
7 | - Write to foreign memory areas: | |
8 | This executable tampers with the execution of another process. | |
9 | ||
10 | - Execution did not terminate correctly: | |
11 | The executable crashed. | |
12 | ||
13 | - Performs File Modification and Destruction: | |
14 | The executable modifies and destructs files which are not temporary. | |
15 | ||
16 | - Spawns Processes: | |
17 | The executable produces processes during the execution. | |
18 | ||
19 | [=============================================================================] | |
20 | Table of Contents | |
21 | [=============================================================================] | |
22 | ||
23 | - General information | |
24 | - MW3sa Repo.exe | |
25 | a) Registry Activities | |
26 | b) File Activities | |
27 | c) Process Activities | |
28 | d) Other Activities | |
29 | - DW20.EXE | |
30 | a) Registry Activities | |
31 | b) File Activities | |
32 | ||
33 | ||
34 | [#############################################################################] | |
35 | 1. General Information | |
36 | [#############################################################################] | |
37 | [=============================================================================] | |
38 | Information about Anubis' invocation | |
39 | [=============================================================================] | |
40 | Time needed: 252 s | |
41 | Report created: 05/11/12, 00:42:08 UTC | |
42 | Termination reason: Timeout | |
43 | Program version: 1.76.3886 | |
44 | ||
45 | ||
46 | [#############################################################################] | |
47 | 2. MW3sa Repo.exe | |
48 | [#############################################################################] | |
49 | [=============================================================================] | |
50 | General information about this executable | |
51 | [=============================================================================] | |
52 | Analysis Reason: Primary Analysis Subject | |
53 | Filename: MW3sa Repo.exe | |
54 | MD5: 517e2d8869c36c0dca8e2dfef4e3255e | |
55 | SHA-1: 76fe8c9291fd48d1a5ab647172a7feb86d805c8e | |
56 | File Size: 38912 Bytes | |
57 | Process-status | |
58 | at analysis end: alive | |
59 | Exit Code: 0 | |
60 | ||
61 | [=============================================================================] | |
62 | Load-time Dlls | |
63 | [=============================================================================] | |
64 | Module Name: [ C:\WINDOWS\system32\ntdll.dll ], | |
65 | Base Address: [0x7C900000 ], Size: [0x000AF000 ] | |
66 | Module Name: [ C:\WINDOWS\system32\mscoree.dll ], | |
67 | Base Address: [0x79000000 ], Size: [0x0004A000 ] | |
68 | Module Name: [ C:\WINDOWS\system32\KERNEL32.dll ], | |
69 | Base Address: [0x7C800000 ], Size: [0x000F6000 ] | |
70 | Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], | |
71 | Base Address: [0x77DD0000 ], Size: [0x0009B000 ] | |
72 | Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], | |
73 | Base Address: [0x77E70000 ], Size: [0x00092000 ] | |
74 | Module Name: [ C:\WINDOWS\system32\Secur32.dll ], | |
75 | Base Address: [0x77FE0000 ], Size: [0x00011000 ] | |
76 | Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ], | |
77 | Base Address: [0x603B0000 ], Size: [0x00066000 ] | |
78 | Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], | |
79 | Base Address: [0x77F60000 ], Size: [0x00076000 ] | |
80 | Module Name: [ C:\WINDOWS\system32\GDI32.dll ], | |
81 | Base Address: [0x77F10000 ], Size: [0x00049000 ] | |
82 | Module Name: [ C:\WINDOWS\system32\USER32.dll ], | |
83 | Base Address: [0x7E410000 ], Size: [0x00091000 ] | |
84 | Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], | |
85 | Base Address: [0x77C10000 ], Size: [0x00058000 ] | |
86 | Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ], | |
87 | Base Address: [0x79140000 ], Size: [0x0066F000 ] | |
88 | Module Name: [ C:\WINDOWS\system32\MSVCR100_CLR0400.dll ], | |
89 | Base Address: [0x79060000 ], Size: [0x000BE000 ] | |
90 | Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\mscorlib.ni.dll ], | |
91 | Base Address: [0x79880000 ], Size: [0x00DC3000 ] | |
92 | Module Name: [ C:\WINDOWS\system32\ole32.dll ], | |
93 | Base Address: [0x774E0000 ], Size: [0x0013D000 ] | |
94 | Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], | |
95 | Base Address: [0x74720000 ], Size: [0x0004C000 ] | |
96 | Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\culture.dll ], | |
97 | Base Address: [0x60340000 ], Size: [0x0000D000 ] | |
98 | Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll ], | |
99 | Base Address: [0x60930000 ], Size: [0x00010000 ] | |
100 | Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clrjit.dll ], | |
101 | Base Address: [0x79810000 ], Size: [0x00060000 ] | |
102 | Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\161c6f80ad93b0505054d244f1c6243c\System.ni.dll ], | |
103 | Base Address: [0x7A820000 ], Size: [0x00898000 ] | |
104 | Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2fe09cc54a8390b20e380239db34228f\System.Drawing.ni.dll ], | |
105 | Base Address: [0x7B1D0000 ], Size: [0x00196000 ] | |
106 | Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f3cdd09fc0acc85c7febbd2e2ef9c4e5\System.Windows.Forms.ni.dll ], | |
107 | Base Address: [0x7B370000 ], Size: [0x00C6B000 ] | |
108 | Module Name: [ C:\WINDOWS\system32\uxtheme.dll ], | |
109 | Base Address: [0x5AD70000 ], Size: [0x00038000 ] | |
110 | Module Name: [ C:\WINDOWS\system32\comctl32.dll ], | |
111 | Base Address: [0x5D090000 ], Size: [0x0009A000 ] | |
112 | Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], | |
113 | Base Address: [0x773D0000 ], Size: [0x00103000 ] | |
114 | Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ], | |
115 | Base Address: [0x4EC50000 ], Size: [0x001A6000 ] | |
116 | Module Name: [ C:\WINDOWS\system32\dciman32.dll ], | |
117 | Base Address: [0x73BC0000 ], Size: [0x00006000 ] | |
118 | Module Name: [ C:\WINDOWS\system32\VERSION.dll ], | |
119 | Base Address: [0x77C00000 ], Size: [0x00008000 ] | |
120 | Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], | |
121 | Base Address: [0x77B40000 ], Size: [0x00022000 ] | |
122 | ||
123 | [=============================================================================] | |
124 | 2.a) MW3sa Repo.exe - Registry Activities | |
125 | [=============================================================================] | |
126 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
127 | Registry Values Read: | |
128 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
129 | Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], | |
130 | Value Name: [ CUAS ], Value: [ 0 ], 1 time | |
131 | Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], | |
132 | Value Name: [ AllOrNone ], Value: [ 1 ], 1 time | |
133 | Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], | |
134 | Value Name: [ DoReport ], Value: [ 1 ], 1 time | |
135 | Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], | |
136 | Value Name: [ ShowUI ], Value: [ 1 ], 1 time | |
137 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug ], | |
138 | Value Name: [ Auto ], Value: [ 1 ], 2 times | |
139 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug ], | |
140 | Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 6 times | |
141 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
142 | Value Name: [ Arial Baltic,186 ], Value: [ Arial,186 ], 1 time | |
143 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
144 | Value Name: [ Arial CE,238 ], Value: [ Arial,238 ], 1 time | |
145 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
146 | Value Name: [ Arial CYR,204 ], Value: [ Arial,204 ], 1 time | |
147 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
148 | Value Name: [ Arial Greek,161 ], Value: [ Arial,161 ], 1 time | |
149 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
150 | Value Name: [ Arial TUR,162 ], Value: [ Arial,162 ], 1 time | |
151 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
152 | Value Name: [ Courier New Baltic,186 ], Value: [ Courier New,186 ], 1 time | |
153 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
154 | Value Name: [ Courier New CE,238 ], Value: [ Courier New,238 ], 1 time | |
155 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
156 | Value Name: [ Courier New CYR,204 ], Value: [ Courier New,204 ], 1 time | |
157 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
158 | Value Name: [ Courier New Greek,161 ], Value: [ Courier New,161 ], 1 time | |
159 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
160 | Value Name: [ Courier New TUR,162 ], Value: [ Courier New,162 ], 1 time | |
161 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
162 | Value Name: [ Helv ], Value: [ MS Sans Serif ], 1 time | |
163 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
164 | Value Name: [ Helvetica ], Value: [ Arial ], 1 time | |
165 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
166 | Value Name: [ MS Shell Dlg ], Value: [ Microsoft Sans Serif ], 1 time | |
167 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
168 | Value Name: [ MS Shell Dlg 2 ], Value: [ Tahoma ], 1 time | |
169 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
170 | Value Name: [ Times ], Value: [ Times New Roman ], 1 time | |
171 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
172 | Value Name: [ Times New Roman Baltic,186 ], Value: [ Times New Roman,186 ], 1 time | |
173 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
174 | Value Name: [ Times New Roman CE,238 ], Value: [ Times New Roman,238 ], 1 time | |
175 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
176 | Value Name: [ Times New Roman CYR,204 ], Value: [ Times New Roman,204 ], 1 time | |
177 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
178 | Value Name: [ Times New Roman Greek,161 ], Value: [ Times New Roman,161 ], 1 time | |
179 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
180 | Value Name: [ Times New Roman TUR,162 ], Value: [ Times New Roman,162 ], 1 time | |
181 | Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], | |
182 | Value Name: [ Tms Rmn ], Value: [ MS Serif ], 1 time | |
183 | Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], | |
184 | Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time | |
185 | Key: [ HKLM\SYSTEM\WPA\MediaCenter ], | |
186 | Value Name: [ Installed ], Value: [ 0 ], 1 time | |
187 | Key: [ HKLM\Software\Microsoft\.NETFramework ], | |
188 | Value Name: [ InstallRoot ], Value: [ C:\WINDOWS\Microsoft.NET\Framework\ ], 9 times | |
189 | Key: [ HKLM\Software\Microsoft\.NETFramework\Policy\\v4.0 ], | |
190 | Value Name: [ 30319 ], Value: [ 30319-30319 ], 1 time | |
373 | Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], | |
374 | Value Name: [ Latest ], Value: [ 1 ], 1 time | |
375 | Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], | |
376 | Value Name: [ LegacyPolicyTimeStamp ], Value: [ 0x0000000000000000 ], 1 time | |
377 | Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], | |
378 | Value Name: [ index1 ], Value: [ 0x00 ], 1 time | |
379 | Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting\DW\Installed ], | |
380 | Value Name: [ DW0200 ], Value: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], 1 time | |
381 | Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll ], | |
382 | Value Name: [ CheckAppHelp ], Value: [ 1 ], 1 time | |
383 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], | |
384 | Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time | |
385 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], | |
386 | Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time | |
387 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], | |
388 | Value Name: [ PolicyScope ], Value: [ 0 ], 1 time | |
389 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], | |
390 | Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times | |
391 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], | |
392 | Value Name: [ HashAlg ], Value: [ 32771 ], 1 time | |
393 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], | |
394 | Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time | |
395 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], | |
396 | Value Name: [ ItemSize ], Value: [ 779 ], 1 time | |
397 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], | |
398 | Value Name: [ SaferFlags ], Value: [ 0 ], 1 time | |
399 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], | |
400 | Value Name: [ HashAlg ], Value: [ 32771 ], 1 time | |
401 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], | |
402 | Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time | |
403 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], | |
404 | Value Name: [ ItemSize ], Value: [ 517 ], 1 time | |
405 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], | |
406 | Value Name: [ SaferFlags ], Value: [ 0 ], 1 time | |
407 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], | |
408 | Value Name: [ HashAlg ], Value: [ 32771 ], 1 time | |
409 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], | |
410 | Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time | |
411 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], | |
412 | Value Name: [ ItemSize ], Value: [ 918 ], 1 time | |
413 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], | |
414 | Value Name: [ SaferFlags ], Value: [ 0 ], 1 time | |
415 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], | |
416 | Value Name: [ HashAlg ], Value: [ 32771 ], 1 time | |
417 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], | |
418 | Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time | |
419 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], | |
420 | Value Name: [ ItemSize ], Value: [ 229 ], 1 time | |
421 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], | |
422 | Value Name: [ SaferFlags ], Value: [ 0 ], 1 time | |
423 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], | |
424 | Value Name: [ HashAlg ], Value: [ 32771 ], 1 time | |
425 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], | |
426 | Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time | |
427 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], | |
428 | Value Name: [ ItemSize ], Value: [ 370 ], 1 time | |
429 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], | |
430 | Value Name: [ SaferFlags ], Value: [ 0 ], 1 time | |
431 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], | |
432 | Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time | |
433 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], | |
434 | Value Name: [ SaferFlags ], Value: [ 0 ], 1 time | |
435 | Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], | |
436 | Value Name: [ ComputerName ], Value: [ PC ], 3 times | |
437 | Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], | |
438 | Value Name: [ 1 ], Value: [ 1 ], 5 times | |
439 | Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], | |
440 | Value Name: [ 00000409 ], Value: [ 1 ], 2 times | |
441 | Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], | |
442 | Value Name: [ 00000C07 ], Value: [ 1 ], 3 times | |
443 | Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], | |
444 | Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time | |
445 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
446 | Value Name: [ NumShape ], Value: [ 1 ], 1 time | |
447 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
448 | Value Name: [ iCurrDigits ], Value: [ 2 ], 1 time | |
449 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
450 | Value Name: [ iCurrency ], Value: [ 2 ], 1 time | |
451 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
452 | Value Name: [ iDigits ], Value: [ 2 ], 1 time | |
453 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
454 | Value Name: [ iNegCurr ], Value: [ 9 ], 1 time | |
455 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
456 | Value Name: [ iNegNumber ], Value: [ 1 ], 1 time | |
457 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
458 | Value Name: [ sCurrency ], Value: [ ], 1 time | |
459 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
460 | Value Name: [ sDecimal ], Value: [ , ], 1 time | |
461 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
462 | Value Name: [ sGrouping ], Value: [ 3;0 ], 1 time | |
463 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
464 | Value Name: [ sMonDecimalSep ], Value: [ , ], 1 time | |
465 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
466 | Value Name: [ sMonGrouping ], Value: [ 3;0 ], 1 time | |
467 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
468 | Value Name: [ sMonThousandSep ], Value: [ . ], 1 time | |
469 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
470 | Value Name: [ sNativeDigits ], Value: [ 0123456789 ], 1 time | |
471 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
472 | Value Name: [ sNegativeSign ], Value: [ - ], 1 time | |
473 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
474 | Value Name: [ sPositiveSign ], Value: [ ], 1 time | |
475 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], | |
476 | Value Name: [ sThousand ], Value: [ . ], 1 time | |
477 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], | |
478 | Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times | |
479 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], | |
480 | Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times | |
481 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\GDIPlus ], | |
482 | Value Name: [ FontCachePath ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Application Data ], 1 time | |
483 | Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], | |
484 | Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time | |
485 | ||
486 | ||
487 | [=============================================================================] | |
488 | 2.b) MW3sa Repo.exe - File Activities | |
489 | [=============================================================================] | |
490 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
491 | Files Read: | |
492 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
493 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\config\machine.config ] | |
494 | File Name: [ PIPE\lsarpc ] | |
495 | ||
496 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
497 | Files Modified: | |
498 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
499 | File Name: [ PIPE\lsarpc ] | |
500 | File Name: [ WMIDataDevice ] | |
501 | ||
502 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
503 | File System Control Communication: | |
504 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
505 | File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time | |
506 | File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times | |
507 | ||
508 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
509 | Device Control Communication: | |
510 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
511 | File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times | |
512 | File: [ WMIDataDevice ], Control Code: [ 0x0022414C ], 1 time | |
513 | File: [ WMIDataDevice ], Control Code: [ 0x00228144 ], 2 times | |
514 | ||
515 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
516 | Memory Mapped Files: | |
517 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
518 | File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ] | |
519 | File Name: [ C:\MW3sa Repo.exe ] | |
520 | File Name: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] | |
521 | File Name: [ C:\WINDOWS\FONTS\MICROSS.TTF ] | |
522 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp ] | |
523 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ] | |
524 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clrjit.dll ] | |
525 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\culture.dll ] | |
526 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\locale.nlp ] | |
527 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ] | |
528 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll ] | |
529 | File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll ] | |
530 | File Name: [ C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll ] | |
531 | File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] | |
532 | File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ] | |
533 | File Name: [ C:\WINDOWS\WindowsShell.Manifest ] | |
534 | File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2fe09cc54a8390b20e380239db34228f\System.Drawing.ni.dll ] | |
535 | File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f3cdd09fc0acc85c7febbd2e2ef9c4e5\System.Windows.Forms.ni.dll ] | |
536 | File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\161c6f80ad93b0505054d244f1c6243c\System.ni.dll ] | |
537 | File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\mscorlib.ni.dll ] | |
538 | File Name: [ C:\WINDOWS\system32\Apphelp.dll ] | |
539 | File Name: [ C:\WINDOWS\system32\MSCTF.dll ] | |
540 | File Name: [ C:\WINDOWS\system32\MSVCR100_CLR0400.dll ] | |
541 | File Name: [ C:\WINDOWS\system32\comctl32.dll ] | |
542 | File Name: [ C:\WINDOWS\system32\dciman32.dll ] | |
543 | File Name: [ C:\WINDOWS\system32\imm32.dll ] | |
544 | File Name: [ C:\WINDOWS\system32\mscoree.dll ] | |
545 | File Name: [ C:\WINDOWS\system32\rpcss.dll ] | |
546 | File Name: [ C:\WINDOWS\system32\uxtheme.dll ] | |
547 | File Name: [ C:\Windows\AppPatch\sysmain.sdb ] | |
548 | ||
549 | [=============================================================================] | |
550 | 2.c) MW3sa Repo.exe - Process Activities | |
551 | [=============================================================================] | |
552 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
553 | Processes Created: | |
554 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
555 | Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [ ] | |
556 | Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [ dw20.exe -x -s 444 ] | |
557 | ||
558 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
559 | Remote Threads Created: | |
560 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
561 | Affected Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] | |
562 | ||
563 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
564 | Foreign Memory Regions Read: | |
565 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
566 | Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] | |
567 | ||
568 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
569 | Foreign Memory Regions Written: | |
570 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
571 | Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ] | |
572 | ||
573 | ||
574 | [=============================================================================] | |
575 | 2.d) MW3sa Repo.exe - Other Activities | |
576 | [=============================================================================] | |
577 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
578 | Mutexes Created: | |
579 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
580 | Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] | |
581 | Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] | |
582 | Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] | |
583 | Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] | |
584 | Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] | |
585 | Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] | |
586 | ||
587 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
588 | Windows SEH exceptions: | |
589 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
590 | Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x30744bd ], 1 time | |
591 | ||
592 | Description: [ Exception 0xc000001e at 0x79aa8108 ], 278 times | |
593 | ||
594 | Description: [ Exception 0xc00000fd (STATUS_STACK_OVERFLOW) at 0x79495bc5 ], 1 time | |
595 | ||
596 | ||
597 | ||
598 | ||
599 | [#############################################################################] | |
600 | 3. DW20.EXE | |
601 | [#############################################################################] | |
602 | [=============================================================================] | |
603 | General information about this executable | |
604 | [=============================================================================] | |
605 | Analysis Reason: Started by MW3sa Repo.exe | |
606 | Filename: DW20.EXE | |
607 | MD5: a981419c39cc02259b8f2da3974000d9 | |
608 | SHA-1: 905d359e2c5e8330d39b746132fa9779f52c0b93 | |
609 | File Size: 637272 Bytes | |
610 | Command Line: dw20.exe -x -s 444 | |
611 | Process-status at analysis end: alive | |
613 | Exit Code: 0 | |
614 | ||
615 | [=============================================================================] | |
616 | Load-time Dlls | |
617 | [=============================================================================] | |
618 | Module Name: [ C:\WINDOWS\system32\ntdll.dll ], | |
619 | Base Address: [0x7C900000 ], Size: [0x000AF000 ] | |
620 | Module Name: [ C:\WINDOWS\system32\kernel32.dll ], | |
621 | Base Address: [0x7C800000 ], Size: [0x000F6000 ] | |
622 | Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], | |
623 | Base Address: [0x77DD0000 ], Size: [0x0009B000 ] | |
624 | Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], | |
625 | Base Address: [0x77E70000 ], Size: [0x00092000 ] | |
626 | Module Name: [ C:\WINDOWS\system32\Secur32.dll ], | |
627 | Base Address: [0x77FE0000 ], Size: [0x00011000 ] | |
628 | Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ], | |
629 | Base Address: [0x773D0000 ], Size: [0x00103000 ] | |
630 | Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], | |
631 | Base Address: [0x77C10000 ], Size: [0x00058000 ] | |
632 | Module Name: [ C:\WINDOWS\system32\GDI32.dll ], | |
633 | Base Address: [0x77F10000 ], Size: [0x00049000 ] | |
634 | Module Name: [ C:\WINDOWS\system32\USER32.dll ], | |
635 | Base Address: [0x7E410000 ], Size: [0x00091000 ] | |
636 | Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], | |
637 | Base Address: [0x77F60000 ], Size: [0x00076000 ] | |
638 | Module Name: [ C:\WINDOWS\system32\OLEACC.dll ], | |
639 | Base Address: [0x74C80000 ], Size: [0x0002C000 ] | |
640 | Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], | |
641 | Base Address: [0x76080000 ], Size: [0x00065000 ] | |
642 | Module Name: [ C:\WINDOWS\system32\ole32.dll ], | |
643 | Base Address: [0x774E0000 ], Size: [0x0013D000 ] | |
644 | Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], | |
645 | Base Address: [0x77120000 ], Size: [0x0008B000 ] | |
646 | Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], | |
647 | Base Address: [0x7C9C0000 ], Size: [0x00817000 ] | |
648 | Module Name: [ C:\WINDOWS\system32\urlmon.dll ], | |
649 | Base Address: [0x7E1E0000 ], Size: [0x000A2000 ] | |
650 | Module Name: [ C:\WINDOWS\system32\VERSION.dll ], | |
651 | Base Address: [0x77C00000 ], Size: [0x00008000 ] | |
652 | Module Name: [ C:\WINDOWS\system32\WININET.dll ], | |
653 | Base Address: [0x771B0000 ], Size: [0x000AA000 ] | |
654 | Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], | |
655 | Base Address: [0x77A80000 ], Size: [0x00095000 ] | |
656 | Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], | |
657 | Base Address: [0x77B20000 ], Size: [0x00012000 ] | |
658 | ||
659 | [=============================================================================] | |
660 | 3.a) DW20.EXE - Registry Activities | |
661 | [=============================================================================] | |
662 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
663 | Registry Values Read: | |
664 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
665 | Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], | |
666 | Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time | |
667 | Key: [ HKLM\SYSTEM\Setup ], | |
668 | Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time | |
669 | Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], | |
670 | Value Name: [ * ], Value: [ 1 ], 1 time | |
671 | Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], | |
672 | Value Name: [ * ], Value: [ 1 ], 1 time | |
673 | Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], | |
674 | Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time | |
675 | Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], | |
676 | Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time | |
677 | ||
678 | ||
679 | [=============================================================================] | |
680 | 3.b) DW20.EXE - File Activities | |
681 | [=============================================================================] | |
682 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
683 | Device Control Communication: | |
684 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
685 | File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time | |
686 | ||
687 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
688 | Memory Mapped Files: | |
689 | [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] | |
690 | File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ] | |
691 | File Name: [ C:\WINDOWS\WindowsShell.Manifest ] | |
692 | File Name: [ C:\WINDOWS\system32\MSVCP60.dll ] | |
693 | File Name: [ C:\WINDOWS\system32\OLEACC.dll ] | |
694 | File Name: [ C:\WINDOWS\system32\OLEACCRC.DLL ] | |
695 | File Name: [ C:\WINDOWS\system32\SHELL32.dll ] | |
696 | File Name: [ C:\WINDOWS\system32\WININET.dll ] | |
697 | File Name: [ C:\WINDOWS\system32\urlmon.dll ] |