Anubis - Analysis Report

Analysis Report for ajan.exe
MD5: c23c3ef4f27c27f7fb015e7b7c16a464

International Secure Systems Lab: Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: [email protected]

Dependency overview:
ajan.exe (Analysis reason: Primary Analysis Subject)

Table of Contents:
1. General Information ..... 4
2. ajan.exe ..... 4
   a) Registry Activities ..... 4
   b) File Activities ..... 12
   c) Other Activities ..... 13

Analysis Report for ajan.exe - submitted on 01/15/16, 15:31:33 UTC

1. General Information

Information about Anubis' invocation
Time needed: 250 s
Report created: 01/15/16, 15:31:33 UTC
Termination reason: Timeout
Program version: 1.76.3886

2. ajan.exe

General information about this executable
Analysis Reason: Primary Analysis Subject
Filename: ajan.exe
MD5: c23c3ef4f27c27f7fb015e7b7c16a464
SHA-1: 6289ff502af82897fb567cb9d68ef8c6438e6ab4
File Size: 454656
Process-status at analysis end: alive
Exit Code: 0

Load-time Dlls
Module Name | Base Address | Size
C:\WINDOWS\system32\ntdll.dll | 0x7C900000 | 0x000AF000
C:\WINDOWS\system32\mscoree.dll | 0x79000000 | 0x0004A000
C:\WINDOWS\system32\KERNEL32.dll | 0x7C800000 | 0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll | 0x77DD0000 | 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll | 0x77E70000 | 0x00092000
C:\WINDOWS\system32\Secur32.dll | 0x77FE0000 | 0x00011000
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll | 0x603B0000 | 0x00066000
C:\WINDOWS\system32\SHLWAPI.dll | 0x77F60000 | 0x00076000
C:\WINDOWS\system32\GDI32.dll | 0x77F10000 | 0x00049000
C:\WINDOWS\system32\USER32.dll | 0x7E410000 | 0x00091000
C:\WINDOWS\system32\msvcrt.dll | 0x77C10000 | 0x00058000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll | 0x79E70000 | 0x0058F000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_xww_5cf844d2\MSVCR80.dll | 0x78130000 | 0x0009B000
C:\WINDOWS\system32\shell32.dll | 0x7C9C0000 | 0x00817000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll | 0x773D0000 | 0x00103000
C:\WINDOWS\system32\comctl32.dll | 0x5D090000 | 0x0009A000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll | 0x790C0000 | 0x00B36000
C:\WINDOWS\system32\ole32.dll | 0x774E0000 | 0x0013D000
C:\WINDOWS\system32\MSCTF.dll | 0x74720000 | 0x0004C000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll | 0x79060000 | 0x00056000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll | 0x7A440000 | 0x007EA000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec00eeabb6b415\System.Drawing.ni.dll | 0x7ADE0000 | 0x0019C000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll | 0x5E430000 | 0x001AE000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll | 0x60340000 | 0x00008000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll | 0x7AFD0000 | 0x00C9C000
C:\WINDOWS\system32\shfolder.dll | 0x76780000 | 0x00009000

2.a) ajan.exe - Registry Activities

http://anubis.iseclab.org/ Page 4 of 13

Registry Values Modified:
Key | Name | New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | AppData | C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

Registry Values Read:
Key | Name | Value | Times
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Accessibility,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileV | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | CustomMarshalers,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutra | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | IEExecRemote,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",Fi | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | IEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersio | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | IIEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersio | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | ISymWrapper,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",File | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Build.Conversion.v3.5,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",process | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Build.Engine,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchite | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Build.Framework,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorAr | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Build.Tasks.v3.5,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArc | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Build.Utilities.v3.5,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorA | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.JScript,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",F | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Transactions.Bridge,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b03f5f7f11 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Transactions.Bridge.Dtc,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b03f5f | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.VisualBasic,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neu | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.VisualBasic.Vsa,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture= | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.VisualC,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral" | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.VisualC.STLCLR,version="1.0.0.0",publicKeyToken="b03f5f7f11d50a3a",processorAr | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Vsa,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",File | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft.Vsa.Vb.CodeDOMProcessor,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Microsoft_VsaVb,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral", | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationBuildTasks,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationBuildTasks,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationCFFRasterizer,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad3 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationCFFRasterizer,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad3 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationCore,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pr | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationCore,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pr | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Aero,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Aero,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Classic,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Classic,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Luna,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856a | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Luna,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856a | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Royale,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationFramework.Royale,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationUI,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proc | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | PresentationUI,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proc | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | ReachFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",P | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | ReachFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",P | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | Regcode,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVers | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | SMDiagnostics,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561934e089",Proc | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVers | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.AddIn,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitecture= | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.AddIn.Contract,version="2.0.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchit | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Configuration.Install,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Core,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitecture=" | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Data,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",Fil | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Data.DataSetExtensions,version="3.5.0.0",publicKeyToken="b77a5c561934e089",proc | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Data.Linq,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitectu | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Data.OracleClient,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",Fi | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.DirectoryServices,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture=" | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.DirectoryServices.AccountManagement,version="3.5.0.0",publicKeyToken="b77a5c561 | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Drawing,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",F | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Drawing.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="n | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.EnterpriseServices,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture= | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.IO.Log,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b03f5f7f11d50a3a",Proce | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.IdentityModel,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561934e08 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.IdentityModel.Selectors,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c5 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Management,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neu | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Management.Instrumentation,version="3.5.0.0",publicKeyToken="b77a5c561934e089", | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Messaging,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutra | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Net,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchitecture="MS | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Printing,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Printing,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Runtime.Remoting,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Cultur | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Runtime.Serialization,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Runtime.Serialization.Formatters.Soap,Version="1.0.5000.0",PublicKeyToken="b03f5f7 | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Security,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",F | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.ServiceModel,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561934e08 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.ServiceModel.Install,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c5619 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.ServiceModel.WasHosting,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.ServiceModel.Web,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",processorA | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.ServiceProcess,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="n | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Speech,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Speech,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Web,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileV | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Web.Extensions,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",processorArc | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Web.Extensions.Design,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",proce | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Web.Mobile,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutr | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Web.RegularExpressions,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",C | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Web.Services,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neu | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Windows.Forms,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture= | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Windows.Presentation,version="3.5.0.0",publicKeyToken="b77a5c561934e089",proces | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Workflow.Activities,processorArchitecture="MSIL",publicKeyToken="31BF3856AD364E | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Workflow.ComponentModel,processorArchitecture="MSIL",publicKeyToken="31BF3856 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Workflow.Runtime,processorArchitecture="MSIL",publicKeyToken="31BF3856AD364E3 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.WorkflowServices,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",processorAr | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Xml,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",File | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | System.Xml.Linq,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitectur | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationClient,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationClient,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationClientsideProviders,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf385 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationClientsideProviders,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf385 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationProvider,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e3 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationProvider,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e3 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationTypes,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | UIAutomationTypes,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | WindowsBase,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proce | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | WindowsBase,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proce | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | WindowsFormsIntegration,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad36 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | WindowsFormsIntegration,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad36 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | cscompmgd,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileV | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global | mscorcfg,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVers | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
HKLM\SOFTWARE\Microsoft\CTF\SystemShared | CUAS | 0 | 1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager | CriticalSectionTimeout | 2592000 | 1
HKLM\SYSTEM\Setup | SystemSetupInProgress | 0 | 1
HKLM\Software\Microsoft\.NETFramework | InstallRoot | C:\WINDOWS\Microsoft.NET\Framework\ | 9
HKLM\Software\Microsoft\.NETFramework\Policy\v4.0 | 30319 | 30319-30319 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x9ae26ea720cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x421127aa20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System,2.0.0.0,,b77a5c561934e089,MSIL | 0x8a57dea520cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x18bb1ba420cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x9cbf64a520cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x028b82a120cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x1ab45fb020cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL | 0xb4074cae20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x586ef1ad20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x50fdd5a120cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86 | 0x58d936a320cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL | 0xa6ff4ea820cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Xml,2.0.0.0,,b77a5c561934e089,MSIL | 0xca1b97a220cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | mscorlib,2.0.0.0,,b77a5c561934e089,x86 | 0xa8ce1d9f20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32 | LatestIndex | 117 | 3
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 | DisplayName | System.Xml,2.0.0.0,,b77a5c561934e089 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 | LastModTime | 0xca1b97a220cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 | SIG | 0xe129b85668d5c94a83901a595a688da0546fb0968a3ad8f39d84fd920ec9 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6 | Status | 4098 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c | DisplayName | System.Web,2.0.0.0,,b03f5f7f11d50a3a | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c | LastModTime | 0x58d936a320cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c | SIG | 0x257ea63099a54b47b394ae802aab504d19f0e298ec19246fcdb594503704 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c | Status | 8194 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40 | DisplayName | System.Management,2.0.0.0,,b03f5f7f11d50a3a | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40 | LastModTime | 0x1ab45fb020cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40 | SIG | 0x3e169fe688ba0044a1e06d7325a897046350b207203b659a3f4acb1d6fd4 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40 | Status | 4098 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a | DisplayName | Accessibility,2.0.0.0,,b03f5f7f11d50a3a | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a | LastModTime | 0x9ae26ea720cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a | SIG | 0x0c125ccbcbedd94384951da8e0098afff59f82cfa273bcd55ade98bfad83 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a | Status | 4098 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b | DisplayName | System.Deployment,2.0.0.0,,b03f5f7f11d50a3a | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b | LastModTime | 0x9cbf64a520cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b | SIG | 0xaa6a30bb5ee45e4395aee8e3e013862cc3e045ee0eeb054e6d82e3b4dc36 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b | Status | 4098 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 | DisplayName | System,2.0.0.0,,b77a5c561934e089 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 | LastModTime | 0x8a57dea520cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 | SIG | 0x7739f7fe32588e438bd70fda47be005ca87ed832d6e6b76aa0302a427ffe | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7 | Status | 4098 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c | DisplayName | System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c | LastModTime | 0x586ef1ad20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c | SIG | 0x84ba240465953246b597c8a014faed3e952c5f993566c233a384370ec6af | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c | Status | 4098 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5 | DisplayName | System.Configuration,2.0.0.0,,b03f5f7f11d50a3a | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\424bd4d8\67e63d5c\5 LastModTime 0x18bb1ba420cfcb01 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\424bd4d8\67e63d5c\5 SIG 0x13b985b524af744ea7870ebe1b5d5d065 58961b3f64a74093492875c9d8f1 1 http://anubis.iseclab.org/ Page 9 of 13 Analysis Report for ajan.exe - submitted on 01/15/16, 15:31:33 UTC Registry Values Read: Key Name Value Times HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\424bd4d8\67e63d5c\5 Status 4098 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\475dce40\2995e574\e DisplayName System.Security,2.0.0.0,,b03f5f7f111d50a3a 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\475dce40\2995e574\e LastModTime 0x50fdd5a120cfcb01 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\475dce40\2995e574\e SIG 0x35ebef571a04574ba2270f0f0ce1e3b70 0ca85b8f2d6480a1d16ea10f281a 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\475dce40\2995e574\e Status 4098 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\4f99a7c9\7949fb97\42 DisplayName Microsoft.VisualBasic,8.0.0.0,,b03f f5f7f11d50a3a 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\4f99a7c9\7949fb97\42 LastModTime 0x421127aa20cfcb01 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\4f99a7c9\7949fb97\42 SIG 0x8d608f73d22b3548baf6a7faf89c5f230 0b86a6a7c448b7f134ef800ede26 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\4f99a7c9\7949fb97\42 Status 4098 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9 DisplayName System.Drawing,2.0.0.0,,b03f5f7f11dd50a3a 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9 LastModTime 0x028b82a120cfcb01 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9 SIG 0xd13b44b636575b40b535819858133665d 
d8507ae68706294dda848b7a1e72 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9 Status 4098 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\7950e2c5\319545b3\8 DisplayName mscorlib,2.0.0.0,,b77a5c561934e089 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\7950e2c5\319545b3\8 LastModTime 0xa8ce1d9f20cfcb01 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\7950e2c5\319545b3\8 Modules sortkey.nlp|sorttbls.nlp|big5.nlp|b bopomofo.nlp|ksc.nlp|prc.nlp|prcp.n nlp|xjis.nlp|normidna.nlp|normnfc.nnlp| normnfd.nlp|normnfkc.nlp|normnffkd.nlp 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\7950e2c5\319545b3\8 SIG 0x61498a5bb093b143a337bdf5962ece99b bd6c58fc8f03105a020331f4a600 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\7950e2c5\319545b3\8 Status 8198 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\c991064\268e923b\10 DisplayName System.Windows.Forms,2.0.0.0,,b77a5 5c561934e089 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\c991064\268e923b\10 LastModTime 0xa6ff4ea820cfcb01 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\c991064\268e923b\10 SIG 0x44a949e4640e604da04329762516a96e6 6e1fa3a76770071df15dc4d908f9 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\c991064\268e923b\10 Status 4098 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\f6e8397\61a5c1bb\1d DisplayName System.Runtime.Remoting,2.0.0.0,,b7 77a5c561934e089 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\f6e8397\61a5c1bb\1d LastModTime 0xb4074cae20cfcb01 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\f6e8397\61a5c1bb\1d SIG 0x564f729ebc6f6b4bb3dc6f535b33f8fbd d8487686c42a2af9e970a5ba9956 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\IL\f6e8397\61a5c1bb\1d Status 4098 1 
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\181938c6\3c74e9a9\8 ConfigMask 4361 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\181938c6\3c74e9a9\8 ConfigString ZAP--0000-0000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\181938c6\3c74e9a9\8 DisplayName mscorlib,2.0.0.0,,b77a5c561934e089 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\181938c6\3c74e9a9\8 ILDependencies 0xc5e25079b345953108000000020000000 00000000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\181938c6\3c74e9a9\8 MVID 0x642534209e13d16e93b80a628742d2ee 1 http://anubis.iseclab.org/ Page 10 of 13 Analysis Report for ajan.exe - submitted on 01/15/16, 15:31:33 UTC Registry Values Read: Key Name Value Times HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\181938c6\3c74e9a9\8 Status 0 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\1c22df2f\52628d2e\46 ConfigMask 4361 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\1c22df2f\52628d2e\46 ConfigString ZAP--0000-0000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\1c22df2f\52628d2e\46 DisplayName Microsoft.VisualBasic,8.0.0.0,,b03f f5f7f11d50a3a 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\1c22df2f\52628d2e\46 ILDependencies 0x6410990c3b928e2610000000020000000 00000000c0d4c76dcafacd3f0900 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\1c22df2f\52628d2e\46 MVID 0x900525e192ca3d523143207ac11ae5f5 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\1c22df2f\52628d2e\46 NIDependencies 0xc6381918a9e9743c08000000020000000 000000004f7cbc303282491d0700 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\1c22df2f\52628d2e\46 Status 0 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\30bc7c4f\1d498232\7 ConfigMask 4361 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ 
v2.0.50727_32\NI\30bc7c4f\1d498232\7 ConfigString ZAP--0000-0000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\30bc7c4f\1d498232\7 DisplayName System,2.0.0.0,,b77a5c561934e089 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\30bc7c4f\1d498232\7 ILDependencies 0xd8d44b425c3de66705000000020000000 00000000578dab19d0021a290600 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\30bc7c4f\1d498232\7 MVID 0x36dbfcf62e07d819b3de533898868ecf 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\30bc7c4f\1d498232\7 NIDependencies 0xc6381918a9e9743c08000000020000000 00000000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\30bc7c4f\1d498232\7 Status 0 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\3cca06a0\31de29a4\f ConfigMask 4361 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\3cca06a0\31de29a4\f ConfigString ZAP--0000-0000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\3cca06a0\31de29a4\f DisplayName System.Drawing,2.0.0.0,,b03f5f7f11dd50a3a 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\3cca06a0\31de29a4\f ILDependencies 0xc0d4c76dcafacd3f09000000020000000 00000000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\3cca06a0\31de29a4\f MVID 0xc91f68c2920882e02aec00eeabb6b415 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\3cca06a0\31de29a4\f NIDependencies 0xc6381918a9e9743c08000000020000000 000000004f7cbc303282491d0700 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\3cca06a0\31de29a4\f Status 0 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\61e7e666\69db6748\e ConfigMask 4361 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\61e7e666\69db6748\e ConfigString ZAP--0000-0000 1 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\ v2.0.50727_32\NI\61e7e666\69db6748\e DisplayName 
Registry Values Read (continued; Fusion NativeImagesIndex rows omitted):

Key | Name | Value | Times
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default | Latest | 1 | 1
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default | LegacyPolicyTimeStamp | 0x0000000000000000 | 1
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default | index1 | 0x00 | 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll | CheckAppHelp | 1 | 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll | CheckAppHelp | 1 | 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs | (empty) | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | TransparentEnabled | 1 | 1
HKLM\System\CurrentControlSet\Control\Terminal Server | TSAppCompat | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle | Language Hotkey | 1 | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle | Layout Hotkey | 2 | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | AppData | %USERPROFILE%\Application Data | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Cache | %USERPROFILE%\Local Settings\Temporary Internet Files | 1

2.b) ajan.exe - File Activities

Files Read:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config

File System Control Communication:
File | Control Code | Times
C:\Program Files\Common Files\ | 0x00090028 | 1

Device Control Communication:
File | Control Code | Times
\Device\KsecDD | 0x00390008 | 8

Memory Mapped Files:
File Name
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBasic\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec00eeabb6b415\System.Drawing.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\l_intl.nls
C:\WINDOWS\system32\mscoree.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\shfolder.dll
C:\ajan.exe

2.c) ajan.exe - Other Activities

Mutexes Created:
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

Windows SEH exceptions:
Description | Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0xd61f0e | 1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0xd63da6 | 1
Exception 0xe0434f4d at 0x7c812aeb | 3