Original poster: 1109059127

[Virus sample] An e-mail virus~~~~~~~!!!!!! Original message attached!

萧逆水
Posted 2012-6-29 21:07:28
Last edited by 萧逆水 on 2012-6-29 21:18

Kingsoft Guard (金山卫士)... miss

AVG miss

IDP I won't test... no virtual machine installed~

zilch
Posted 2012-6-29 21:12:18
ESS 4.2 reports a Trojan.
留侯
Posted 2012-6-29 21:48:06
Dr.Web:
Adobe_License_Key_Order_1834-453.exe infected with BackDoor.Kuluoz.3
My↘じ★ve
Posted 2012-6-29 22:08:31
Gets past Kingsoft Cloud
360 cloud kills it
Gets past AVG
Gets past COMODO
tricks
Posted 2012-6-29 22:42:21
This thing is a bit sneaky! Heh!
It even injects into a process!
Let me study the log and come back.
心跳回忆
Posted 2012-6-29 22:52:26
Avira flags it
绅博周幸
Posted 2012-6-29 23:58:59
Bitdefender blocked this page

The page you are trying to access contains Trojan.Generic.KDV.661268.
ssama
Posted 2012-6-30 00:36:23
[#############################################################################]
    Analysis Report for Adobe_License_Key_Order#1834-453.exe
                   MD5: 011573134b0c891c7cb2f9339530a45a
[#############################################################################]

Summary:
    - Write to foreign memory areas:
        This executable tampers with the execution of another process.

    - Execution did not terminate correctly:
        The executable crashed.

    - Spawns Processes:
        The executable produces processes during the execution.

    - Performs Registry Activities:
        The executable creates and/or modifies registry entries.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- Adobe_Lice.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
    - svchost.exe
      a) Registry Activities
      b) File Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        250 s
        Report created:     06/29/12, 16:35:07 UTC
        Termination reason: Timeout
        Program version:    1.76.3886


[#############################################################################]
    2. Adobe_Lice.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        Adobe_Lice.exe
        MD5:             011573134b0c891c7cb2f9339530a45a
        SHA-1:           bdc5e8b9ad8fcadfbc3a55184cff735db5e40ba9
        File Size:       44032 Bytes
        Command Line:    "C:\Adobe_Lice.exe"
        Process-status
        at analysis end: dead
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
               Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
        Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
               Base Address: [0x77050000 ], Size: [0x000C5000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]

[=============================================================================]
    2.a) Adobe_Lice.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\COM3 ],
             Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Microsoft\COM3 ],
             Value Name: [ REGDBVersion ], Value: [ 0x0b00000000000000 ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Classes ],
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
        Key: [ HKLM\Software\Classes\CLSID ],
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times
        Key: [ HKLM\Software\Microsoft\COM3 ],
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times
        Key: [ HKU ],
             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times


[=============================================================================]
    2.b) Adobe_Lice.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\Registration\R00000000000b.clb ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
        File Name: [ C:\WINDOWS\system32\COMRes.dll ]
        File Name: [ C:\WINDOWS\system32\svchost.exe ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) Adobe_Lice.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\WINDOWS\system32\svchost.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\WINDOWS\system32\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\system32\svchost.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\system32\svchost.exe ]



[#############################################################################]
    3. svchost.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by Adobe_Lice.exe
        Filename:        svchost.exe
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
               Base Address: [0x6F880000 ], Size: [0x001CA000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
               Base Address: [0x76B40000 ], Size: [0x0002D000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
               Base Address: [0x77BE0000 ], Size: [0x00015000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\urlmon.dll ],
               Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
        Module Name: [ C:\WINDOWS\system32\WININET.dll ],
               Base Address: [0x771B0000 ], Size: [0x000AA000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
    3.a) svchost.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Local AppData ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Application Data ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ],
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
             Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
             Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
             Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
             Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
        Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
             Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ],
             Value Name: [ * ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ],
             Value Name: [ * ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ midimapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.iac2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.imaadpcm ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.l3acm ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.msadpcm ], Value: [ msadp32.acm ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.msaudio1 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.msg711 ], Value: [ msg711.acm ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.msg723 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.msgsm610 ], Value: [  ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.sl_anet ], Value: [ sl_anet.acm ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ msacm.trspch ], Value: [ tssoft32.acm ], 3 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.I420 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.M261 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.M263 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.cvid ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.iv31 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.iv32 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.iv41 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.iv50 ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.iyuv ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.mrle ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.msvc ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.uyvy ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.yuy2 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.yvu9 ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ vidc.yvyu ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
             Value Name: [ wavemapper ], Value: [  ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
             Value Name: [ wheel ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ],
             Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
             Value Name: [ Local AppData ], Value: [ %USERPROFILE%\Local Settings\Application Data ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ],
             Value Name: [ CTFMON.EXE ], Value: [ C:\WINDOWS\system32\ctfmon.exe ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ],
             Value Name: [ MSMSGS ], Value: [ "C:\Program Files\Messenger\msmsgs.exe" /background ], 2 times


[=============================================================================]
    3.b) svchost.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
        File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
        File Name: [ C:\WINDOWS\system32\WININET.dll ]
        File Name: [ C:\WINDOWS\system32\WINMM.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\WINDOWS\system32\urlmon.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]



[#############################################################################]
                       International Secure Systems Lab                        
                            http://www.iseclab.org                             

Vienna University of Technology     Eurecom France            UC Santa Barbara
http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu

                          Contact: anubis@iseclab.org                          

Rating

Participants: 1, Popularity +1
歪歪正传 +1: Only one left, 555555, giving it to you
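The report above is plain text, and the behaviour it summarizes (spawn a process, create a remote thread in it, write its memory) is the part worth pulling out when triaging many samples. The following parser is an added example for this thread, not code from the forum or from the Anubis project: it reads the report layout shown above (banner pairs around a title, `Name: [ value ]` fields, a trailing "N times" hit count, entries continued on the next line after a comma) into a dictionary, then flags every subject for which the three process-activity sections name the same target. The embedded report excerpt is constructed to mirror the one posted above, with shortened banner lines; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt mirroring the layout of the Anubis report above
# (banner lines shortened; the parser keys on the banner characters, not their length).
SAMPLE_REPORT = r"""
[###########################]
    2. Adobe_Lice.exe
[###########################]
        Analysis Reason: Primary Analysis Subject
        MD5:             011573134b0c891c7cb2f9339530a45a
        Command Line:    "C:\Adobe_Lice.exe"
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\WINDOWS\system32\svchost.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ svchost.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\WINDOWS\system32\svchost.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\system32\svchost.exe ]
[###########################]
    3. svchost.exe
[###########################]
        Analysis Reason: Started by Adobe_Lice.exe
"""

BRACKET_FIELD = re.compile(r"([A-Za-z][\w -]*?):\s*\[\s*(.*?)\s*\]")   # Name: [ value ]
PLAIN_FIELD = re.compile(r"^([A-Za-z][\w -]*?):\s+(\S.*)$")            # Name:   value
SUBJECT_TITLE = re.compile(r"^\d+\.\s+(\S.*)$")                        # "2. Adobe_Lice.exe"
HIT_COUNT = re.compile(r"(\d+)\s+times?\s*$")                          # ", 2 times"

def banner_kind(line):
    """'subject' for a [###] banner, 'subsection' for [=-=-=]; the plain [===] banner is ignored."""
    if re.fullmatch(r"\[#+\]", line):
        return "subject"
    if re.fullmatch(r"\[[=-]+\]", line) and "-" in line:
        return "subsection"
    return None

def parse_anubis_report(text):
    """Return {subject: {"info": {name: value}, "activity": {subsection: [entry, ...]}}}."""
    subjects = {}
    subject = subsection = None
    pending, carry = None, ""   # banner pair we are inside; entry continued from a line ending in ","
    for raw in text.splitlines():
        line = raw.strip()
        kind = banner_kind(line)
        if kind:
            pending = None if pending == kind else kind   # opening vs. closing banner of a pair
            continue
        if pending == "subject":
            m = SUBJECT_TITLE.match(line)
            if m:
                subject = m.group(1)
                subjects[subject] = {"info": {}, "activity": defaultdict(list)}
                subsection = None
            continue
        if pending == "subsection":
            subsection = line.rstrip(":")
            continue
        if not subject or not line:
            continue
        if line.endswith(","):
            carry += line + " "
            continue
        line, carry = carry + line, ""
        fields = dict(BRACKET_FIELD.findall(line))
        if fields and subsection:
            m = HIT_COUNT.search(line)
            if m:
                fields["count"] = int(m.group(1))
            subjects[subject]["activity"][subsection].append(fields)
        elif not fields:
            m = PLAIN_FIELD.match(line)
            if m:
                subjects[subject]["info"][m.group(1)] = m.group(2)
    return subjects

def injection_targets(subjects):
    """(subject, target) pairs: subject created target, then created a remote thread in it and wrote its memory."""
    found = []
    for name, data in subjects.items():
        act = data["activity"]
        spawned = {e.get("Executable", "").lower() for e in act.get("Processes Created", [])}
        threaded = {e.get("Affected Process", "").lower() for e in act.get("Remote Threads Created", [])}
        written = {e.get("Process", "").lower() for e in act.get("Foreign Memory Regions Written", [])}
        for target in sorted((spawned & threaded & written) - {""}):
            found.append((name, target))
    return found
```

Running `injection_targets(parse_anubis_report(SAMPLE_REPORT))` yields one pair, Adobe_Lice.exe into C:\WINDOWS\system32\svchost.exe, which is the chain the report's summary describes as tampering with another process. The same three-set intersection carries over to other sandbox outputs once their process-creation, remote-thread and cross-process-write events are normalised to the same shape; on a live host the equivalent tell is an svchost.exe whose parent is something other than services.exe.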

歪歪正传
Posted 2012-6-30 00:45:30
ssama posted on 2012-6-30 00:36:
[#############################################################################]
    Analysis Report ...

Still not asleep? I just scanned my hard drive and found two viruses. From 游民. 555555555
尘梦幽然
Posted 2012-6-30 07:53:19
Norton regular scan: miss
卡饭论坛 (KaFan forum), Copyright © KaFan KaFan.cn. Powered by Discuz! X3.4