
Noob question

Desoxyn
mind-bender, Expert
Registered: 01.10.2018
Messages: 1 610
Solutions: 1
Reactions: 2 990
Deposit: 0.0001
My head's totally not working for some reason, haven't slept all night either. Anyway, the gist:
I got onto a target (WinServer 2012 Datacenter Edition); TeamViewer_Service.exe and TeamViewer.exe are sitting in the process list. How do I find out the login/password for TeamViewer?
In theory they should be in HKCU\Software\TeamViewer\Version* in the BuddyLoginPWAES value, but there's no TeamViewer branch under HKCU\Software\ in the registry at all =(
Sadness is taking over, Windows must die, I'd like to go to bed having finished this, but apparently it's not meant to be and I'm unbearably drowsy.
Forgot about the coffee, damn! =)
 
Need something simpler, damn, if I'm this slow at this stage. Or wake up and finish it already...
 
Please note that this user is banned
Need something simpler, damn, if I'm this slow at this stage. Or wake up and finish it already...
There's no simpler way
 
(Win7-10 64)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version\ClientID - the ID is here

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\SRPPasswordMachineIdentifier
Only it's all binary data in hexadecimal format

 
Those paths were the very first thing I checked, along with the ones from the first post; cmd -> reg query search doesn't find the TV branch, but TeamViewer is sitting there and is actively in use. I can't understand how that is, maybe it's a portable version (if such things exist)? Do portable ones write to the registry, or store stuff somewhere in temp? I haven't worked with it, dunno...
 
Do portable ones write to the registry, or store stuff somewhere in temp?
The difference before and after portable TeamViewer
Code:
Regshot 1.9.0 x64 Unicode
Комментарий:
Текущая дата:2019/1/11 13:59:47  ,  2019/1/11 14:00:52
Имя компьютера:VIRTUAL-ПК , VIRTUAL-ПК
Имя пользователя:Virtual , Virtual

----------------------------------
Новые разделы:4
----------------------------------
HKLM\SOFTWARE\Wow6432Node\TeamViewer
HKLM\SOFTWARE\Wow6432Node\TeamViewer\DefaultSettings
HKLM\SOFTWARE\Wow6432Node\TeamViewer\DeviceManagement
HKLM\SOFTWARE\Wow6432Node\TeamViewer\RemoteAccessAPI

----------------------------------
Новые параметры:6
----------------------------------
HKLM\SOFTWARE\Wow6432Node\TeamViewer\DefaultSettings\Autostart_GUI: 0x00000000
HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\2A\B1A07F78\@C:\Windows\System32\setupapi.dll,-2000: "Сведения для установки"
HKU\S-1-5-21-2975038441-3606118385-840574971-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name: "TeamViewer.exe"
HKU\S-1-5-21-2975038441-3606118385-840574971-1000\Software\Classes\Local Settings\MuiCache\2A\B1A07F78\@C:\Windows\System32\setupapi.dll,-2000: "Сведения для установки"
HKU\S-1-5-21-2975038441-3606118385-840574971-1000_Classes\Local Settings\MuiCache\2A\B1A07F78\@C:\Windows\System32\setupapi.dll,-2000: "Сведения для установки"
HKU\S-1-5-18\Software\Classes\Local Settings\MuiCache\2A\B1A07F78\@C:\Windows\System32\setupapi.dll,-2000: "Сведения для установки"

----------------------------------
Измененные параметры:14
----------------------------------

----------------------------------
Всего изменений:24
----------------------------------

Or finish it off once you wake up =)
 
Well done, you went to the trouble. I found it thanks to you xD And the search there just doesn't work for some damn reason, or doesn't output anything; I checked it on ordinary keys, it only outputs by full path. Thanks a lot! +
No more questions, the thread is no longer relevant. Honestly, I was already thinking of installing it myself, but I was sooo lazy; you cut my time until sleep in half =) Thanks from the heart.
 

