Overview
I looked into how to use Volatility.
I took a snapshot of winxpsp3.
systeminfo
Date/Time (UTC) Type Summary Source
2020-02-15 20:30:56 UTC+0000 Image: DateTime
2020-02-03 23:19:28 UTC+0000 Registry: LastWrite TESTUSER-D7P72A ComputerName | SYSTEM\ControlSet001\Control\ComputerName\ComputerName
2020-02-03 23:19:28 UTC+0000 Registry: LastWrite None TimeZoneKeyName | SYSTEM\ControlSet001\Control\TimeZoneInformation
2020-02-03 00:47:24 Registry: LastWrite InstallDate | SOFTWARE\Microsoft\Windows NT\CurrentVersion
2020-02-03 23:19:28 UTC+0000 Registry: LastWrite 4294966756 ActiveTimeBias | SYSTEM\ControlSet001\Control\TimeZoneInformation
2020-02-15 20:25:56 UTC+0000 Registry: LastWrite testuser-d7p72a Hostname | SYSTEM\ControlSet001\Services\Tcpip\Parameters
2020-02-15 20:26:25 UTC+0000 Registry: LastWrite Service Pack 3 CSDVersion | SOFTWARE\Microsoft\Windows NT\CurrentVersion
2020-02-03 23:19:28 UTC+0000 Registry: LastWrite None DisableAutoDaylightTimeSet | SYSTEM\ControlSet001\Control\TimeZoneInformation
2020-02-03 02:58:42 UTC+0000 Registry: LastWrite None LastComputerName | SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
2020-02-03 23:27:36 UTC+0000 Registry: LastWrite \Device\HarddiskVolume1SystemPartition | SYSTEM\Setup
2020-02-03 23:19:28 UTC+0000 Registry: LastWrite 0 StandardBias | SYSTEM\ControlSet001\Control\TimeZoneInformation
2020-02-15 20:25:56 UTC+0000 Registry: LastWrite Domain | SYSTEM\ControlSet001\Services\Tcpip\Parameters
2020-02-15 14:16:54 UTC+0000 Registry: LastWrite ShutdownTime | SYSTEM\ControlSet001\Control\Windows
2020-02-15 20:26:25 UTC+0000 Registry: LastWrite Microsoft Windows XP ProductName | SOFTWARE\Microsoft\Windows NT\CurrentVersion
2020-02-03 23:19:28 UTC+0000 Registry: LastWrite x86 PROCESSOR_ARCHITECTURE | SYSTEM\ControlSet001\Control\Session Manager\Environment
2020-02-03 23:19:28 UTC+0000 Registry: LastWrite 4294966756 Bias | SYSTEM\ControlSet001\Control\TimeZoneInformation
autoruns
WARNING:volatility.debug:NoneObject as string: Value data is unreadable
Autoruns==========================================
Hive: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Microsoft\Windows\CurrentVersion\Run (Last modified: 2020-02-03 01:01:52 UTC+0000)
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 : IMJPMIG8.1 (PIDs: )
Hive: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Microsoft\Windows\CurrentVersion\Run (Last modified: 2020-02-03 01:01:52 UTC+0000)
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC : PHIME2002ASync (PIDs: )
Hive: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Microsoft\Windows\CurrentVersion\Run (Last modified: 2020-02-03 01:01:52 UTC+0000)
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName : PHIME2002A (PIDs: )
Hive: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2020-02-03 00:54:05 UTC+0000)
ctfmon.exe : ctfmon.exe (PIDs: 428)
Hive: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2020-02-03 00:54:08 UTC+0000)
ctfmon.exe : ctfmon.exe (PIDs: 428)
Hive: \Device\HarddiskVolume1\Documents and Settings\testuser\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2020-02-03 02:59:40 UTC+0000)
C:\WINDOWS\system32\ctfmon.exe : ctfmon.exe (PIDs: 428)
Winlogon (Notify)=================================
WlNotify.dll (Last write time: 2020-02-02 23:09:49 UTC+0000)
PIDs: 408
Hooks: SensLockEvent, SensLogonEvent, SensLogoffEvent, SensStartScreenSaverEvent, SensStopScreenSaverEvent, SensStartupEvent, SensShutdownEvent, SensStartShellEvent, SensUnlockEvent
Winlogon (Shell)==================================
Shell: Explorer.exe
Default value: Explorer.exe
PIDs: 1508
Last write time: 2020-02-15 20:25:15 UTC+0000
Winlogon (Userinit)===============================
Userinit: C:\WINDOWS\system32\userinit.exe,
Default value: userinit.exe
PIDs:
Last write time: 2020-02-15 20:25:15 UTC+0000
Winlogon (VmApplet)===============================
VmApplet: rundll32 shell32,Control_RunDLL "sysdm.cpl"
Default value: rundll32 shell32,Control_RunDLL "sysdm.cpl"
PIDs:
Last write time: 2020-02-15 20:25:15 UTC+0000
Active Setup======================================
Command line: C:\WINDOWS\system32\ieudinit.exe
Last-written: 2020-02-03 23:30:08 UTC+0000 (PIDs: )
Command line: C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
Last-written: 2020-02-03 23:30:08 UTC+0000 (PIDs: )
Command line: "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
Last-written: 2020-02-03 23:30:08 UTC+0000 (PIDs: )
Command line: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
Last-written: 2020-02-03 00:09:36 UTC+0000 (PIDs: )
Command line: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
Last-written: 2020-02-02 23:50:22 UTC+0000 (PIDs: )
Command line: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
Last-written: 2020-02-03 00:11:39 UTC+0000 (PIDs: )
Command line: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
Last-written: 2020-02-03 23:25:53 UTC+0000 (PIDs: )
Command line: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
Last-written: 2020-02-03 00:10:19 UTC+0000 (PIDs: )
Command line: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
Last-written: 2020-02-03 23:25:53 UTC+0000 (PIDs: )
Command line: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
Last-written: 2020-02-03 23:28:00 UTC+0000 (PIDs: )
Command line: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
Last-written: 2020-02-03 23:25:53 UTC+0000 (PIDs: )
Command line: regsvr32.exe /s /n /i:U shell32.dll
Last-written: 2020-02-03 23:25:53 UTC+0000 (PIDs: )
Command line: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
Last-written: 2020-02-03 23:30:08 UTC+0000 (PIDs: )
printkey
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: $$$PROTO.HIV (S)
Last updated: 2020-02-03 00:54:08 UTC+0000
Subkeys:
(S) AppEvents
(S) Console
(S) Control Panel
(S) Environment
(S) EUDC
(S) Identities
(S) Keyboard Layout
(S) Printers
(S) Software
(S) UNICODE Program Groups
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\testuser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: S-1-5-21-1957994488-2052111302-1078081533-1004_Classes (S)
Last updated: 2020-02-03 02:57:27 UTC+0000
Subkeys:
(S) Software
Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
Key name: SAM (S)
Last updated: 2020-02-02 22:49:03 UTC+0000
Subkeys:
(S) SAM
Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: $$$PROTO.HIV (S)
Last updated: 2020-02-16 12:52:42 UTC+0000
Subkeys:
(S) ControlSet001
(S) ControlSet002
(S) LastKnownGoodRecovery
(S) MountedDevices
(S) Select
(S) Setup
(S) WPA
(V) CurrentControlSet
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: S-1-5-19_Classes (S)
Last updated: 2020-02-03 00:54:09 UTC+0000
Subkeys:
Values:
----------------------------
Registry: [no name]
Key name: REGISTRY (S)
Last updated: 2020-02-16 12:52:41 UTC+0000
Subkeys:
(S) MACHINE
(S) USER
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: S-1-5-20_Classes (S)
Last updated: 2020-02-03 00:54:05 UTC+0000
Subkeys:
Values:
----------------------------
Registry: [no name]
Key name: HARDWARE (S)
Last updated: 2020-02-16 12:52:44 UTC+0000
Subkeys:
(S) ACPI
(S) DESCRIPTION
(S) DEVICEMAP
(V) RESOURCEMAP
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: $$$PROTO.HIV (S)
Last updated: 2020-02-03 00:54:04 UTC+0000
Subkeys:
(S) AppEvents
(S) Console
(S) Control Panel
(S) Environment
(S) EUDC
(S) Identities
(S) Keyboard Layout
(S) Printers
(S) Software
(S) UNICODE Program Groups
Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
Key name: SECURITY (S)
Last updated: 2020-02-16 12:53:06 UTC+0000
Subkeys:
(S) Policy
(S) RXACT
(V) SAM
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\testuser\NTUSER.DAT
Key name: $$$PROTO.HIV (S)
Last updated: 2020-02-16 12:53:58 UTC+0000
Subkeys:
(S) AppEvents
(S) Console
(S) Control Panel
(S) Environment
(S) EUDC
(S) Identities
(S) Keyboard Layout
(S) Printers
(S) Software
(S) UNICODE Program Groups
(S) Windows 3.1 Migration Status
(V) Volatile Environment
Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: $$$PROTO.HIV (S)
Last updated: 2020-02-03 00:13:54 UTC+0000
Subkeys:
(S) AppEvents
(S) Console
(S) Control Panel
(S) Environment
(S) EUDC
(S) Identities
(S) Keyboard Layout
(S) Printers
(S) Software
(S) UNICODE Program Groups
Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: $$$PROTO.HIV (S)
Last updated: 2020-02-03 00:56:21 UTC+0000
Subkeys:
(S) C07ft5Y
(S) Classes
(S) Clients
(S) Gemplus
(S) Microsoft
(S) ODBC
(S) Policies
(S) Program Groups
(S) Schlumberger
(S) Secure
(S) Windows 3.1 Migration Status
Values:
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:7cc71d465e42044aceedc4554091c6a7:a9ef3e21804aa2795d0d44e7fc58f675:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:e7a99c8717d2a0a2a15a1e21ff810706:::
testuser:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
userassist
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\testuser\NTUSER.DAT
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Last updated: 2020-02-15 14:48:18 UTC+0000
Subkeys:
Values:
REG_BINARY UEME_CTLSESSION : Raw Data:
0x00000000 77 20 af 0e 05 00 00 00 w.......
REG_BINARY UEME_CTLCUACount:ctor :
ID: 1
Count: 2
Last updated: 1970-01-01 00:00:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
REG_BINARY UEME_UITOOLBAR :
ID: 4
Count: 8
Last updated: 2020-02-14 14:23:11 UTC+0000
Raw Data:
0x00000000 04 00 00 00 0d 00 00 00 90 cf 68 49 42 e3 d5 01 ..........hIB...
REG_BINARY UEME_UITOOLBAR:0x1,120 :
ID: 1
Count: 4
Last updated: 2020-02-03 02:34:23 UTC+0000
Raw Data:
0x00000000 01 00 00 00 09 00 00 00 40 48 50 72 3a da d5 01 ........@HPr:...
REG_BINARY UEME_UITOOLBAR:0x1,12e :
ID: 1
Count: 1
Last updated: 2020-02-03 23:09:18 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 d0 c4 f4 f5 e6 da d5 01 ................
REG_BINARY UEME_UITOOLBAR:0x1,126 :
ID: 1
Count: 1
Last updated: 2020-02-03 23:14:39 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 90 55 93 b5 e7 da d5 01 .........U......
REG_BINARY UEME_UITOOLBAR:0x1,130 :
ID: 4
Count: 3
Last updated: 2020-02-14 14:23:11 UTC+0000
Raw Data:
0x00000000 04 00 00 00 08 00 00 00 90 cf 68 49 42 e3 d5 01 ..........hIB...
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\testuser\NTUSER.DAT
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Last updated: 2020-02-15 14:48:02 UTC+0000
Subkeys:
Values:
REG_BINARY UEME_CTLSESSION : Raw Data:
0x00000000 d0 1f af 0e 07 00 00 00 ........
REG_BINARY U :
ID: 1
Count: 14
Last updated: 2020-02-03 00:59:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 13 00 00 00 9e 4e d5 1e 2d da d5 01 .........N..-...
REG_BINARY UEME_RUNPIDL:%csidl2%\MSN Explorer.lnk :
ID: 1
Count: 13
Last updated: 2020-02-03 00:59:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 12 00 00 00 9e 4e d5 1e 2d da d5 01 .........N..-...
REG_BINARY UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk :
ID: 1
Count: 12
Last updated: 2020-02-03 00:59:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 11 00 00 00 9e 4e d5 1e 2d da d5 01 .........N..-...
REG_BINARY UEME_RUNPIDL:%csidl2%\Windows Messenger.lnk :
ID: 1
Count: 11
Last updated: 2020-02-03 00:59:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 10 00 00 00 9e 4e d5 1e 2d da d5 01 .........N..-...
REG_BINARY U :
ID: 1
Count: 10
Last updated: 2020-02-03 00:59:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 0f 00 00 00 9e 4e d5 1e 2d da d5 01 .........N..-...
REG_BINARY U :
ID: 1
Count: 9
Last updated: 2020-02-03 00:59:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 0e 00 00 00 9e 4e d5 1e 2d da d5 01 .........N..-...
REG_BINARY UEME_CTLCUACount:ctor :
ID: 1
Count: 2
Last updated: 1970-01-01 00:00:00 UTC+0000
Raw Data:
0x00000000 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
REG_BINARY UEME_RUNPIDL :
ID: 7
Count: 47
Last updated: 2020-02-15 14:47:49 UTC+0000
Raw Data:
0x00000000 07 00 00 00 34 00 00 00 50 2b 7b e4 0e e4 d5 01 ....4...P+{.....
REG_BINARY U :
ID: 1
Count: 1
Last updated: 2020-02-03 01:02:12 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 d0 d4 2b 91 2d da d5 01 ..........+.-...
REG_BINARY U :
ID: 6
Count: 8
Last updated: 2020-02-14 14:24:10 UTC+0000
Raw Data:
0x00000000 06 00 00 00 0d 00 00 00 50 40 79 6c 42 e3 d5 01 ........P@ylB...
REG_BINARY UEME_RUNPATH :
ID: 7
Count: 76
Last updated: 2020-02-15 14:48:02 UTC+0000
Raw Data:
0x00000000 07 00 00 00 51 00 00 00 c0 14 a6 ec 0e e4 d5 01 ....Q...........
REG_BINARY UEME_RUNPATH:C:\WINDOWS\explorer.exe :
ID: 6
Count: 10
Last updated: 2020-02-14 14:26:27 UTC+0000
Raw Data:
0x00000000 06 00 00 00 0f 00 00 00 f0 72 13 be 42 e3 d5 01 .........r..B...
REG_BINARY UEME_RUNCPL :
ID: 2
Count: 4
Last updated: 2020-02-04 13:53:45 UTC+0000
Raw Data:
0x00000000 02 00 00 00 09 00 00 00 30 cd cc 84 62 db d5 01 ........0...b...
REG_BINARY UEME_RUNCPL:SYSDM.CPL :
ID: 2
Count: 4
Last updated: 2020-02-04 13:53:45 UTC+0000
Raw Data:
0x00000000 02 00 00 00 09 00 00 00 30 cd cc 84 62 db d5 01 ........0...b...
REG_BINARY UEME_UISCUT :
ID: 7
Count: 13
Last updated: 2020-02-15 14:47:56 UTC+0000
Raw Data:
0x00000000 07 00 00 00 12 00 00 00 c0 ab 0d e9 0e e4 d5 01 ................
REG_BINARY U :
ID: 6
Count: 9
Last updated: 2020-02-14 14:26:26 UTC+0000
Raw Data:
0x00000000 06 00 00 00 0e 00 00 00 40 ef 8d bd 42 e3 d5 01 ........@...B...
REG_BINARY UEME_RUNPATH:C:\Program Files\Internet Explorer\iexplore.exe :
ID: 7
Count: 14
Last updated: 2020-02-15 14:16:23 UTC+0000
Raw Data:
0x00000000 07 00 00 00 13 00 00 00 60 cb 4c 80 0a e4 d5 01 ........`.L.....
REG_BINARY UEME_RUNPIDL:::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} :
ID: 7
Count: 13
Last updated: 2020-02-15 14:16:23 UTC+0000
Raw Data:
0x00000000 07 00 00 00 12 00 00 00 60 cb 4c 80 0a e4 d5 01 ........`.L.....
REG_BINARY UEME_RUNPATH:D:\setup.exe :
ID: 1
Count: 8
Last updated: 2020-02-03 02:38:35 UTC+0000
Raw Data:
0x00000000 01 00 00 00 0d 00 00 00 d0 c4 48 08 3b da d5 01 ..........H.;...
REG_BINARY UEME_RUNPATH:D:\XPSP2.CMD :
ID: 1
Count: 1
Last updated: 2020-02-03 02:42:27 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 d0 0a 96 92 3b da d5 01 ............;...
REG_BINARY UEME_RUNPATH:::{450D8FBA-AD25-11D0-98A8-0800361B1103} :
ID: 6
Count: 2
Last updated: 2020-02-14 14:21:51 UTC+0000
Raw Data:
0x00000000 06 00 00 00 07 00 00 00 30 7c dd 19 42 e3 d5 01 ........0|..B...
REG_BINARY UEME_RUNPATH:C:\Documents and Settings\testuser\My Documents\windowsxp-kb936929-sp3-x86-jpn_e0fc34cfa52d270b3c79a68af8fa358244f7419e.exe :
ID: 1
Count: 1
Last updated: 2020-02-03 23:15:52 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 c0 20 d1 e0 e7 da d5 01 ................
REG_BINARY UEME_RUNPATH:C:\Documents and Settings\testuser\My Documents\IE8-WindowsXP-x86-JPN.exe :
ID: 1
Count: 1
Last updated: 2020-02-03 23:28:54 UTC+0000
Raw Data:
0x00000000 01 00 00 00 06 00 00 00 80 1a 07 b3 e9 da d5 01 ................
REG_BINARY U :
ID: 6
Count: 3
Last updated: 2020-02-14 14:24:10 UTC+0000
Raw Data:
0x00000000 06 00 00 00 08 00 00 00 a0 46 5a 6c 42 e3 d5 01 .........FZlB...
REG_BINARY UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe :
ID: 6
Count: 3
Last updated: 2020-02-14 14:24:12 UTC+0000
Raw Data:
0x00000000 06 00 00 00 08 00 00 00 00 4e 65 6d 42 e3 d5 01 .........NemB...
REG_BINARY U :
ID: 7
Count: 16
Last updated: 2020-02-15 14:47:49 UTC+0000
Raw Data:
0x00000000 07 00 00 00 15 00 00 00 50 2b 7b e4 0e e4 d5 01 ........P+{.....
REG_BINARY UEME_RUNPATH:C:\WINDOWS\system32\calc.exe :
ID: 7
Count: 16
Last updated: 2020-02-15 14:47:49 UTC+0000
Raw Data:
0x00000000 07 00 00 00 15 00 00 00 50 2b 7b e4 0e e4 d5 01 ........P+{.....
REG_BINARY U :
ID: 5
Count: 3
Last updated: 2020-02-13 19:18:44 UTC+0000
Raw Data:
0x00000000 05 00 00 00 08 00 00 00 30 c8 a1 68 a2 e2 d5 01 ........0..h....
REG_BINARY UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe :
ID: 5
Count: 3
Last updated: 2020-02-13 19:18:44 UTC+0000
Raw Data:
0x00000000 05 00 00 00 08 00 00 00 30 c8 a1 68 a2 e2 d5 01 ........0..h....
REG_BINARY UEME_RUNPATH:C:\temp.exe :
ID: 7
Count: 2
Last updated: 2020-02-15 14:48:02 UTC+0000
Raw Data:
0x00000000 07 00 00 00 07 00 00 00 c0 14 a6 ec 0e e4 d5 01 ................
REG_BINARY UEME_RUNPATH:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} :
ID: 7
Count: 1
Last updated: 2020-02-15 14:47:56 UTC+0000
Raw Data:
0x00000000 07 00 00 00 06 00 00 00 c0 8d 12 e9 0e e4 d5 01 ................
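The 16-byte REG_BINARY values above are XP-format UserAssist records: a session id, a run count that XP stores with an offset of 5, and a last-run FILETIME, with the value name ROT13 encoded in the hive. The following is an added example (not code from the page or from the Volatility project) that decodes one of the Raw Data lines above into the same fields the plugin prints; SAMPLE_NAME is the constructed ROT13 form of the calc.exe entry's name.

```python
"""Decode Windows XP UserAssist 'Count' entries as printed by the userassist output
above. Added example; not code from the page or from the Volatility project."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime.
    A zero FILETIME means the program was never run; return None instead of 1601."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist_name(name):
    """Value names under UserAssist\\{GUID}\\Count are ROT13 encoded on XP."""
    return codecs.decode(name, "rot_13")


def parse_xp_userassist(raw):
    """Parse a 16-byte XP entry into (session_id, count, last_run).
    XP stores the run count starting at 5 (6 means one execution); the output above
    shows the count with that offset removed whenever the stored value exceeds 5."""
    if len(raw) != 16:
        raise ValueError("XP UserAssist entries are exactly 16 bytes, got %d" % len(raw))
    session_id, raw_count, ft = struct.unpack("<IIQ", raw)
    count = raw_count - 5 if raw_count > 5 else raw_count
    return session_id, count, filetime_to_datetime(ft)


def parse_hexdump_line(line):
    """Turn a 'Raw Data' hexdump line ('0x00000000 07 00 ... ....Q...') into bytes.
    Assumes the plugin's layout: offset, two-hex-digit byte tokens, then an ASCII
    column whose width equals the byte count (so it is never a 2-character token)."""
    out = []
    for token in line.split()[1:]:
        if len(token) != 2 or any(c not in "0123456789abcdefABCDEF" for c in token):
            break
        out.append(int(token, 16))
    return bytes(out)


# Constructed sample: ROT13 name and the Raw Data line of the calc.exe entry above
# (expected: ID 7, Count 16, last updated 2020-02-15 14:47:49 UTC).
SAMPLE_NAME = "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pnyp.rkr"
SAMPLE_RAW_LINE = "0x00000000 07 00 00 00 15 00 00 00 50 2b 7b e4 0e e4 d5 01 ........P+{....."


def summarize(name, raw_line):
    """Produce one decoded record in the same shape as the plugin output."""
    sid, count, last_run = parse_xp_userassist(parse_hexdump_line(raw_line))
    return {
        "name": decode_userassist_name(name),
        "id": sid,
        "count": count,
        "last_updated": last_run.strftime("%Y-%m-%d %H:%M:%S UTC") if last_run else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_NAME, SAMPLE_RAW_LINE))
```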
threads
------
ETHREAD: 0x815f2ab0 Pid: 844 Tid: 1276
Tags: Impersonation
Created: 2020-02-16 13:42:55 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: svchost.exe
Attached Process: svchost.exe
State: Waiting:UserRequest
BasePriority: 0x8
Priority: 0x8
TEB: 0x7ff9e000
StartAddress: 0x7c8106e9 kernel32.dll
ServiceTable: 0x8055c220
[0] 0x804e46a8
[1] 0x00000000
[2] 0x00000000
[3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags: PS_CROSS_THREAD_FLAGS_IMPERSONATING
Eip: 0x7c94e4f4
eax=0x00000000 ebx=0x01b8fe7c ecx=0x02660000 edx=0x7c94e4f4 esi=0x00000000 edi=0x7ffdd000
eip=0x7c94e4f4 esp=0x01b8fe54 ebp=0x01b8fef0 err=0x00000000
cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 fs=0x3b efl=0x00000246
dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
0x7c8106e9 33ed XOR EBP, EBP
0x7c8106eb 53 PUSH EBX
0x7c8106ec 50 PUSH EAX
0x7c8106ed 6a00 PUSH 0x0
0x7c8106ef e9e8afffff JMP 0x7c80b6dc
0x7c8106f4 90 NOP
0x7c8106f5 33ed XOR EBP, EBP
0x7c8106f7 50 PUSH EAX
0x7c8106f8 6a00 PUSH 0x0
0x7c8106fa e945690000 JMP 0x7c817044
0x7c8106ff 90 NOP
0x7c810700 8b DB 0x8b
------
ETHREAD: 0x81600b30 Pid: 4 Tid: 1460
Tags: SystemThread
Created: 2020-02-16 13:43:07 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: System
Attached Process: System
State: Waiting:WrQueue
BasePriority: 0x8
Priority: 0x8
TEB: 0x00000000
StartAddress: 0xf8ed35a8 mrxdav.sys
ServiceTable: 0x8055c220
[0] 0x804e46a8
[1] 0x00000000
[2] 0x00000000
[3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags: PS_CROSS_THREAD_FLAGS_SYSTEM
0xf8ed35a8 8bff MOV EDI, EDI
0xf8ed35aa 55 PUSH EBP
0xf8ed35ab 8bec MOV EBP, ESP
0xf8ed35ad 6a00 PUSH 0x0
0xf8ed35af ff7508 PUSH DWORD [EBP+0x8]
0xf8ed35b2 e82324feff CALL 0xf8eb59da
0xf8ed35b7 5d POP EBP
0xf8ed35b8 c20400 RET 0x4
0xf8ed35bb cc INT 3
0xf8ed35bc cc INT 3
0xf8ed35bd cc INT 3
0xf8ed35be cc INT 3
0xf8ed35bf cc INT 3
callbacks
Type Callback Module Details
------------------------------------ ---------- -------------------- -------
IoRegisterShutdownNotification 0xf96fbc6a VIDEOPRT.SYS \Driver\mnmdd
IoRegisterShutdownNotification 0xf96fbc6a VIDEOPRT.SYS \Driver\VgaSave
IoRegisterShutdownNotification 0xf9f585be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0xf96fbc6a VIDEOPRT.SYS \Driver\RDPCDD
IoRegisterShutdownNotification 0xf9f585be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0xf9c3fc74 Cdfs.SYS \FileSystem\Cdfs
IoRegisterShutdownNotification 0xf9f585be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0xf98a98f1 Mup.sys \FileSystem\Mup
IoRegisterShutdownNotification 0xf9f585be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0xf9a5c73a MountMgr.sys \Driver\MountMgr
IoRegisterShutdownNotification 0xf99ce2be ftdisk.sys \Driver\Ftdisk
IoRegisterShutdownNotification 0xf9f585be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0x806323d5 ntoskrnl.exe \FileSystem\RAW
IoRegisterShutdownNotification 0x80641d57 ntoskrnl.exe \Driver\WMIxWDM
IoRegisterFsRegistrationChange 0xf998e876 sr.sys -
KeBugCheckCallbackListHead 0xf98b65ef NDIS.sys Ndis miniport
KeBugCheckCallbackListHead 0x806f77cc hal.dll ACPI 1.0 - APIC platform UP
KeRegisterBugCheckReasonCallback 0xf96ef522 VIDEOPRT.SYS Videoprt
KeRegisterBugCheckReasonCallback 0xf9ef0ab8 mssmbios.sys SMBiosDa
KeRegisterBugCheckReasonCallback 0xf9ef0a70 mssmbios.sys SMBiosRe
KeRegisterBugCheckReasonCallback 0xf9ef0a28 mssmbios.sys SMBiosDa
That's all.