A colleague sent an excerpt from the December log.
dwservice:
2016-Dec-29 16:10:09.652506 [1672] [INF] [1848] [arkdll]
id: 763, type: PsCreate (16), flags: 1 (wait: 1), cid: 200/2644:\Device\HarddiskVolume1\WINDOWS\explorer.exe
created process: \Device\HarddiskVolume1\WINDOWS\explorer.exe:200 --> \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPSCAN.EXE:2652
type: 0, reason: 0, new: 0, dbg: 0, cmd:
status: signed_microsoft, spc (0x4000800) / signed_microsoft / clean
id: 763 ==> allowed [2], time: 0.972470 ms
2016-Dec-29 16:10:13.188460 [1668] [INF] [1832] [arkdll]
id: 880, type: PsCreate (16), flags: 1 (wait: 1), cid: 740/768:\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
created process: \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe:740 --> \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPOCRDC.EXE:2756
type: 0, reason: 0, new: 0, dbg: 0, cmd:
status: signed_microsoft, spc (0x4000800) / signed_microsoft / clean
id: 880 ==> allowed [2], time: 2.679949 ms
2016-Dec-29 16:11:02.775663 [1608] [INF] [1808] [arkdll]
id: 1007, type: PsCreate (16), flags: 1 (wait: 1), cid: 2756/2260:\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPOCRDC.EXE
created process: \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPOCRDC.EXE:2756 --> \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPVIEW.EXE:3332
type: 0, reason: 0, new: 0, dbg: 0, cmd:
status: signed_microsoft, spc (0x4000800) / signed_microsoft / clean
id: 1007 ==> allowed [2], time: 15.331278 ms
2016-Dec-29 16:11:03.753990 [1612] [INF] [1864] [arkdll]
id: 1052, type: PsModifyActivity (45), flags: 1 (wait: 1), cid: 796/1488:\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
action: SetValueKey (3)
cmd: C:\WINDOWS\system32\svchost -k rpcss
id: 1052 ==> allowed [2], time: 0.063137 ms
2016-Dec-29 16:11:03.767966 [1612] [INF] [1860] [arkdll]
id: 1054, type: PsModifyActivity (45), flags: 1 (wait: 1), cid: 740/856:\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
action: SetValueKey (3)
cmd: C:\WINDOWS\system32\svchost -k DcomLaunch
id: 1054 ==> allowed [2], time: 0.078222 ms
2016-Dec-29 16:11:04.089416 [1676] [INF] [1864] [arkdll]
id: 1057, type: PsCreate (16), flags: 1 (wait: 1), cid: 740/856:\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
created process: \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe:740 --> \Device\HarddiskVolume1\WINDOWS\system32\WISPTIS.EXE:3180
type: 0, reason: 0, new: 0, dbg: 0, cmd:
hash: 98ba08f49f4a8ea1675f6bdc9dc0894be85739a4 status: unsigned, pe32 (0x100400) / unsigned / unknown
id: 1057 ==> undefined [1], time: 284.933700 ms
2016-Dec-29 16:11:16.979140 [1584] [INF] [1820] [arkdll]
id: 1099, type: LoadKernelImage (39), flags: 1 (wait: 1), cid: 4/60:System Process
hips: type: 3, action: allow [2]
loaded driver: \Device\HarddiskVolume1\WINDOWS\system32\drivers\kmixer.sys
id: 1099 ==> allowed [2], time: 0.153651 ms
2016-Dec-29 16:11:17.009203 [1584] [INF] [1812] [arkdll]
id: 1100, type: LoadKernelImage (39), flags: 1 (wait: 1), cid: 4/60:System Process
hips: type: 3, action: allow [2]
loaded driver: \Device\HarddiskVolume1\WINDOWS\system32\drivers\kmixer.sys
id: 1100 ==> allowed [2], time: 0.131581 ms
2016-Dec-29 16:11:17.024234 [1584] [INF] [1832] [arkdll]
id: 1101, type: LoadKernelImage (39), flags: 1 (wait: 1), cid: 4/60:System Process
hips: type: 3, action: allow [2]
loaded driver: \Device\HarddiskVolume1\WINDOWS\system32\drivers\kmixer.sys
id: 1101 ==> allowed [2], time: 0.099454 ms
2016-Dec-29 16:11:18.331966 [1676] [INF] [1872] [arkdll]
id: 1107, type: PsDelete (17), flags: 0 (wait: 0), cid: 580/648:
terminated process: \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPVIEW.EXE:3332
hash: status: signed_microsoft, spc (0x4000800) / signed_microsoft / clean
id: 1107 ==> undefined [1], time: 0.101130 ms
netfilter:
[29/12/2016 16:10:41 00000c0c] <DEBUG:1> Redirection: \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPSCAN.EXE (PID=2652, user S-1-5-21-3573326507-1177045148-2740061471-1194): 1023 -> ( 1097 -> 1098 ) -> 10.65.2.15:514
[29/12/2016 16:10:41 00000c0c] <DEBUG:1> Trying to connect to: 10.65.2.15:514
[29/12/2016 16:10:41 00000c0c] <DEBUG:1> UNKNOWN PROTOCOL DETECTED
[29/12/2016 16:10:41 00000c0c] Unknown or not supported protocol. Skipped.
[29/12/2016 16:11:21 00000e3c] <DEBUG:1> Redirection: \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe (PID=1032, user S-1-5-19): 1102 -> ( 1104 -> 1105 ) -> 10.65.2.11:445
[29/12/2016 16:11:25 00000e78] <DEBUG:1> Redirection: \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPSCAN.EXE (PID=2652, user S-1-5-21-3573326507-1177045148-2740061471-1194): 1023 -> ( 1118 -> 1119 ) -> 10.65.2.15:514
[29/12/2016 16:11:25 00000e78] <DEBUG:1> Trying to connect to: 10.65.2.15:514
[29/12/2016 16:11:25 00000e78] <DEBUG:1> UNKNOWN PROTOCOL DETECTED
[29/12/2016 16:11:25 00000e78] Unknown or not supported protocol. Skipped.
[29/12/2016 16:12:05 00000394] <DEBUG:1> Redirection: System (PID=4, user S-1-5-18): 1125 -> ( 1126 -> 1127 ) -> 10.65.2.11:445
[29/12/2016 16:12:05 00000394] <DEBUG:1> Trying to connect to: 10.65.2.11:445
[29/12/2016 16:12:05 00000394] <DEBUG:1> UNKNOWN PROTOCOL DETECTED
[29/12/2016 16:12:05 00000394] Unknown or not supported protocol. Skipped.
[29/12/2016 16:12:05 0000039c] <DEBUG:1> Redirection: System (PID=4, user S-1-5-18): 1128 -> ( 1129 -> 1130 ) -> 10.65.2.11:139
[29/12/2016 16:12:09 00000aa8] <DEBUG:1> Redirection: \Device\HarddiskVolume1\WINDOWS\explorer.exe (PID=200, user S-1-5-21-3573326507-1177045148-2740061471-1194): 1134 -> ( 1135 -> 1136 ) -> 10.65.2.11:389
[29/12/2016 16:12:09 00000aa8] <DEBUG:1> Trying to connect to: 10.65.2.11:389
[29/12/2016 16:12:09 00000aa8] <DEBUG:1> UNKNOWN PROTOCOL DETECTED
[29/12/2016 16:12:09 00000aa8] Unknown or not supported protocol. Skipped.
[29/12/2016 16:12:19 00000e3c] <DEBUG:1> No incoming connection from the application...
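Added example, not code from the post above or from the product that wrote these logs: a small Python parser that turns the two excerpts into records, flags the one PsCreate whose image is neither Microsoft-signed nor rated clean (WISPTIS.EXE, id 1057), and joins the netfilter redirections to the arkdll process creations by PID so that MSPSCAN.EXE (2652) lines up with its connection attempts to 10.65.2.15:514. The record boundaries, the reading of `cid` as PID/TID and every field name are my assumptions from the excerpt alone; the embedded sample is a subset of the lines quoted above.

```python
"""Structured view of the dwservice (arkdll) and netfilter excerpt posted in this thread.
Added example, not code from the post or from the product that wrote the log: record layout,
"cid" read as PID/TID and every name below are inferred from the excerpt alone (assumptions).
The samples are lines copied from the excerpt above (a subset of them)."""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass

ARKDLL_SAMPLE = r"""2016-Dec-29 16:10:09.652506 [1672] [INF] [1848] [arkdll]
id: 763, type: PsCreate (16), flags: 1 (wait: 1), cid: 200/2644:\Device\HarddiskVolume1\WINDOWS\explorer.exe
created process: \Device\HarddiskVolume1\WINDOWS\explorer.exe:200 --> \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPSCAN.EXE:2652
type: 0, reason: 0, new: 0, dbg: 0, cmd:
status: signed_microsoft, spc (0x4000800) / signed_microsoft / clean
id: 763 ==> allowed [2], time: 0.972470 ms
2016-Dec-29 16:11:04.089416 [1676] [INF] [1864] [arkdll]
id: 1057, type: PsCreate (16), flags: 1 (wait: 1), cid: 740/856:\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
created process: \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe:740 --> \Device\HarddiskVolume1\WINDOWS\system32\WISPTIS.EXE:3180
type: 0, reason: 0, new: 0, dbg: 0, cmd:
hash: 98ba08f49f4a8ea1675f6bdc9dc0894be85739a4 status: unsigned, pe32 (0x100400) / unsigned / unknown
id: 1057 ==> undefined [1], time: 284.933700 ms
2016-Dec-29 16:11:18.331966 [1676] [INF] [1872] [arkdll]
id: 1107, type: PsDelete (17), flags: 0 (wait: 0), cid: 580/648:
terminated process: \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPVIEW.EXE:3332
hash: status: signed_microsoft, spc (0x4000800) / signed_microsoft / clean
id: 1107 ==> undefined [1], time: 0.101130 ms
"""
NETFILTER_SAMPLE = r"""[29/12/2016 16:10:41 00000c0c] <DEBUG:1> Redirection: \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPSCAN.EXE (PID=2652, user S-1-5-21-3573326507-1177045148-2740061471-1194): 1023 -> ( 1097 -> 1098 ) -> 10.65.2.15:514
[29/12/2016 16:10:41 00000c0c] <DEBUG:1> Trying to connect to: 10.65.2.15:514
[29/12/2016 16:11:21 00000e3c] <DEBUG:1> Redirection: \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe (PID=1032, user S-1-5-19): 1102 -> ( 1104 -> 1105 ) -> 10.65.2.11:445
[29/12/2016 16:11:25 00000e78] <DEBUG:1> Redirection: \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPSCAN.EXE (PID=2652, user S-1-5-21-3573326507-1177045148-2740061471-1194): 1023 -> ( 1118 -> 1119 ) -> 10.65.2.15:514
"""

HEADER_RE = re.compile(r"^(\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[\d+\] \[\w+\] \[\d+\] \[arkdll\]$")
TYPE_RE = re.compile(r"^id: (\d+), type: (\w+) \((\d+)\), flags: \d+ \(wait: \d+\), cid: (\d+)/(\d+):(.*)$")
PROC_RE = re.compile(r"^(?:created|terminated) process: (.+?):(\d+)(?: --> (.+?):(\d+))?$")
STATUS_RE = re.compile(r"^(?:hash:\s*([0-9a-fA-F]*)\s+)?status: (\w+), (.*)$")  # "hash:" may be empty
VERDICT_RE = re.compile(r"^id: (\d+) ==> (\w+) \[(\d+)\], time: ([\d.]+) ms$")
NF_REDIR_RE = re.compile(
    r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) [0-9a-f]{8}\] <DEBUG:\d+> Redirection: (.+?) "
    r"\(PID=(\d+), user (S-[\d-]+)\): \d+ -> \( \d+ -> \d+ \) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
Redirection = namedtuple("Redirection", "timestamp image pid user_sid dst_ip dst_port")


@dataclass
class ArkEvent:
    timestamp: str = ""
    event_id: int = 0
    kind: str = ""            # PsCreate, PsDelete, LoadKernelImage, PsModifyActivity
    actor_pid: int = 0        # first number of "cid: A/B" (read here as PID/TID)
    actor_path: str = ""
    subject: str = ""         # image that was created or terminated
    subject_pid: int = 0
    file_hash: str = ""       # 40 hex chars in the excerpt (SHA-1 length); may be absent
    signature: str = ""       # signed_microsoft / unsigned
    scan_result: str = ""     # last "/"-separated token of the status line: clean / unknown
    verdict: str = ""         # allowed / undefined


def parse_arkdll(text: str) -> list[ArkEvent]:
    """Group multi-line arkdll records; each timestamp header starts a new record."""
    events: list[ArkEvent] = []
    cur = ArkEvent()                                # sink for any text before the first header
    for line in filter(None, map(str.rstrip, text.splitlines())):
        if m := HEADER_RE.match(line):
            cur = ArkEvent(timestamp=m.group(1))
            events.append(cur)
        elif m := TYPE_RE.match(line):
            cur.event_id, cur.kind = int(m.group(1)), m.group(2)
            cur.actor_pid, cur.actor_path = int(m.group(4)), m.group(6)
        elif m := PROC_RE.match(line):
            if m.group(3):                          # "A:pid --> B:pid": B is the new process
                cur.subject, cur.subject_pid = m.group(3), int(m.group(4))
            else:                                   # "terminated process: X:pid"
                cur.subject, cur.subject_pid = m.group(1), int(m.group(2))
        elif m := STATUS_RE.match(line):
            cur.file_hash, cur.signature = m.group(1) or "", m.group(2)
            cur.scan_result = m.group(3).split(" / ")[-1].strip()
        elif m := VERDICT_RE.match(line):
            cur.verdict = m.group(2)
    return events


def parse_netfilter(text: str) -> list[Redirection]:
    """Keep only 'Redirection:' lines; 'Trying to connect' and protocol chatter are dropped."""
    hits = (NF_REDIR_RE.match(line.strip()) for line in text.splitlines())
    return [Redirection(m.group(1), m.group(2), int(m.group(3)), m.group(4), m.group(5), int(m.group(6))) for m in hits if m]


def flag_process_creates(events: list[ArkEvent]) -> list[ArkEvent]:
    """PsCreate records whose image is not Microsoft-signed or not rated clean (the WISPTIS.EXE case)."""
    return [e for e in events if e.kind == "PsCreate"
            and (e.signature != "signed_microsoft" or e.scan_result != "clean")]


def correlate(events: list[ArkEvent], redirs: list[Redirection]) -> dict[int, dict]:
    """Join netfilter redirections to PsCreate records by PID: image plus distinct ip:port targets."""
    created = {e.subject_pid: e.subject for e in events if e.kind == "PsCreate"}
    joined: dict[int, dict] = {}
    for r in redirs:
        entry = joined.setdefault(r.pid, {"image": created.get(r.pid, r.image), "destinations": []})
        if (dst := f"{r.dst_ip}:{r.dst_port}") not in entry["destinations"]:
            entry["destinations"].append(dst)
    return joined
```

Run it with `parse_arkdll(ARKDLL_SAMPLE)` and `parse_netfilter(NETFILTER_SAMPLE)`, then `flag_process_creates` and `correlate` on the results. Note that `undefined [1]` by itself is not the signal: the PsDelete record for the signed, clean MSPVIEW.EXE (id 1107) also ends in `undefined`, so the filter keys on the signature and scan fields rather than on the verdict. The ports in the netfilter lines are the IANA services 514/tcp (shell, rsh), 445 (SMB), 139 (NetBIOS session) and 389 (LDAP); "UNKNOWN PROTOCOL DETECTED ... Skipped" is netfilter saying it could not classify the application protocol on that connection and left it alone.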