Anubis - Analysis Report

Analysis Report for ajan.exe
MD5: c23c3ef4f27c27f7fb015e7b7c16a464
International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: [email protected]
Dependency overview:
ajan.exe - Analysis reason: Primary Analysis Subject
Table of Contents:
1. General Information (page 4)
2. ajan.exe (page 4)
   a) Registry Activities (page 4)
   b) File Activities (page 12)
   c) Other Activities (page 13)
Analysis Report for ajan.exe - submitted on 01/15/16, 15:31:33 UTC
1. General Information
Information about Anubis' invocation:
Time needed: 250 s
Report created: 01/15/16, 15:31:33 UTC
Termination reason: Timeout
Program version: 1.76.3886
2. ajan.exe
General information about this executable:
Analysis Reason: Primary Analysis Subject
Filename: ajan.exe
MD5: c23c3ef4f27c27f7fb015e7b7c16a464
SHA-1: 6289ff502af82897fb567cb9d68ef8c6438e6ab4
File Size: 454656 bytes
Process-status at analysis end: alive
Exit Code: 0
Load-time Dlls:
Module Name | Base Address | Size
C:\WINDOWS\system32\ntdll.dll | 0x7C900000 | 0x000AF000
C:\WINDOWS\system32\mscoree.dll | 0x79000000 | 0x0004A000
C:\WINDOWS\system32\KERNEL32.dll | 0x7C800000 | 0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll | 0x77DD0000 | 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll | 0x77E70000 | 0x00092000
C:\WINDOWS\system32\Secur32.dll | 0x77FE0000 | 0x00011000
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll | 0x603B0000 | 0x00066000
C:\WINDOWS\system32\SHLWAPI.dll | 0x77F60000 | 0x00076000
C:\WINDOWS\system32\GDI32.dll | 0x77F10000 | 0x00049000
C:\WINDOWS\system32\USER32.dll | 0x7E410000 | 0x00091000
C:\WINDOWS\system32\msvcrt.dll | 0x77C10000 | 0x00058000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll | 0x79E70000 | 0x0058F000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_xww_5cf844d2\MSVCR80.dll | 0x78130000 | 0x0009B000
C:\WINDOWS\system32\shell32.dll | 0x7C9C0000 | 0x00817000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll | 0x773D0000 | 0x00103000
C:\WINDOWS\system32\comctl32.dll | 0x5D090000 | 0x0009A000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll | 0x790C0000 | 0x00B36000
C:\WINDOWS\system32\ole32.dll | 0x774E0000 | 0x0013D000
C:\WINDOWS\system32\MSCTF.dll | 0x74720000 | 0x0004C000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll | 0x79060000 | 0x00056000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll | 0x7A440000 | 0x007EA000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec00eeabb6b415\System.Drawing.ni.dll | 0x7ADE0000 | 0x0019C000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll | 0x5E430000 | 0x001AE000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll | 0x60340000 | 0x00008000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll | 0x7AFD0000 | 0x00C9C000
C:\WINDOWS\system32\shfolder.dll | 0x76780000 | 0x00009000
2.a) ajan.exe - Registry Activities
http://anubis.iseclab.org/
Page 4 of 13
Registry Values Modified:
Key | Name | New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | AppData | C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
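The Registry Values Read table that follows prints binary registry data as raw hex in the byte order the sandbox recorded it, which is hard to read directly. The script below is an added example for interpreting those cells; it is not Anubis code and not part of the report. It assumes (my reading, not stated by the report) that the LastModTime values under the Fusion keys, which reappear as the GACChangeNotification\Default values, are 8-byte little-endian Windows FILETIMEs, and that the values under Installer\Assemblies\Global are UTF-16LE strings cut off at 30 bytes by the report's column width. The two sample inputs are the System.Xml LastModTime and the Accessibility Installer value copied from the table; the function and constant names are mine.

```python
"""Decode the raw hex cells of an Anubis registry-activity table.

Added example for reading this report; not Anubis code. Assumptions (mine):
LastModTime / GACChangeNotification values are little-endian FILETIMEs, and
Installer\\Assemblies\\Global values are UTF-16LE strings cut off at 30 bytes.
"""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hex_cell_bytes(cell: str) -> bytes:
    """Convert a '0x...' report cell to bytes in the order the report prints them."""
    digits = cell[2:] if cell[:2].lower() == "0x" else cell
    if len(digits) % 2:
        # An odd digit count means the cell was split or clipped; refuse to guess.
        raise ValueError(f"odd-length hex cell: {cell!r}")
    return bytes.fromhex(digits)


def filetime_to_utc(cell: str) -> datetime:
    """8-byte little-endian FILETIME cell -> timezone-aware UTC datetime."""
    raw = hex_cell_bytes(cell)
    if len(raw) != 8:
        raise ValueError(f"FILETIME needs 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utf16_cell(cell: str) -> str:
    """UTF-16LE cell -> str; a trailing NUL (present when the cell was not cut off) is dropped."""
    raw = hex_cell_bytes(cell)
    if len(raw) % 2:
        raise ValueError("UTF-16 data must have an even byte count")
    return raw.decode("utf-16-le").rstrip("\x00")


# Constructed sample inputs, copied from the table in this report.
SYSTEM_XML_LASTMODTIME = "0xca1b97a220cfcb01"
ACCESSIBILITY_INSTALLER_VALUE = (
    "0x250045006d0041006a003f00430025006b0039005700370063004e004200"
)


def decode_report_samples() -> dict:
    """Decode both sample cells and return plain values for inspection."""
    return {
        "System.Xml LastModTime (UTC)": filetime_to_utc(SYSTEM_XML_LASTMODTIME),
        "Accessibility installer value": utf16_cell(ACCESSIBILITY_INSTALLER_VALUE),
    }


if __name__ == "__main__":
    for label, value in decode_report_samples().items():
        print(f"{label}: {value}")
```

The decoded timestamps date the sandbox image's GAC contents (February 2011 for the System.Xml native image), not anything the sample did; the Installer value decodes to a printable MSI Darwin-descriptor prefix, which is what those keys normally hold. Both are useful for separating .NET runtime start-up noise from sample-specific behaviour.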
Registry Values Read:
Key | Name | Value | Times

Key for the rows below: HKLM\SOFTWARE\Classes\Installer\Assemblies\Global (Name | Value | Times; name and value cells are cut off at the column width)
Accessibility,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileV | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
CustomMarshalers,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutra | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
IEExecRemote,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",Fi | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
IEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersio | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
IIEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersio | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
ISymWrapper,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",File | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Microsoft.Build.Conversion.v3.5,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",process | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
Microsoft.Build.Engine,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchite | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
Microsoft.Build.Framework,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorAr | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
Microsoft.Build.Tasks.v3.5,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArc | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
Microsoft.Build.Utilities.v3.5,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorA | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
Microsoft.JScript,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",F | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Microsoft.Transactions.Bridge,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b03f5f7f11 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
Microsoft.Transactions.Bridge.Dtc,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b03f5f | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
Microsoft.VisualBasic,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neu | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Microsoft.VisualBasic.Vsa,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture= | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Microsoft.VisualC,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral" | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Microsoft.VisualC.STLCLR,version="1.0.0.0",publicKeyToken="b03f5f7f11d50a3a",processorAr | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
Microsoft.Vsa,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",File | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Microsoft.Vsa.Vb.CodeDOMProcessor,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Microsoft_VsaVb,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral", | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
PresentationBuildTasks,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationBuildTasks,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationCFFRasterizer,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad3 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationCFFRasterizer,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad3 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationCore,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pr | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationCore,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pr | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
Key for the rows below: HKLM\SOFTWARE\Classes\Installer\Assemblies\Global (Name | Value | Times)
PresentationFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationFramework.Aero,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationFramework.Aero,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationFramework.Classic,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationFramework.Classic,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationFramework.Luna,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856a | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationFramework.Luna,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856a | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationFramework.Royale,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationFramework.Royale,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
PresentationUI,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proc | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
PresentationUI,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proc | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
ReachFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",P | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
ReachFramework,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",P | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
Regcode,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVers | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
SMDiagnostics,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561934e089",Proc | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVers | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.AddIn,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitecture= | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.AddIn.Contract,version="2.0.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchit | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Configuration.Install,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Core,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitecture=" | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Data,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",Fil | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Data.DataSetExtensions,version="3.5.0.0",publicKeyToken="b77a5c561934e089",proc | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Data.Linq,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitectu | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Data.OracleClient,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",Fi | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.DirectoryServices,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture=" | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.DirectoryServices.AccountManagement,version="3.5.0.0",publicKeyToken="b77a5c561 | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Drawing,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",F | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Drawing.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="n | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.EnterpriseServices,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture= | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.IO.Log,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b03f5f7f11d50a3a",Proce | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.IdentityModel,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561934e08 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
Key for the rows below: HKLM\SOFTWARE\Classes\Installer\Assemblies\Global (Name | Value | Times)
System.IdentityModel.Selectors,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c5 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.Management,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neu | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Management.Instrumentation,version="3.5.0.0",publicKeyToken="b77a5c561934e089", | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Messaging,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutra | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Net,version="3.5.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchitecture="MS | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Printing,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
System.Printing,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.Runtime.Remoting,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Cultur | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Runtime.Serialization,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.Runtime.Serialization.Formatters.Soap,Version="1.0.5000.0",PublicKeyToken="b03f5f7 | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Security,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",F | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.ServiceModel,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c561934e08 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.ServiceModel.Install,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5c5619 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.ServiceModel.WasHosting,Version="3.0.0.0",Culture="neutral",PublicKeyToken="b77a5 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.ServiceModel.Web,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",processorA | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.ServiceProcess,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="n | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Speech,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
System.Speech,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Pro | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.Web,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileV | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Web.Extensions,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",processorArc | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Web.Extensions.Design,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",proce | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Web.Mobile,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutr | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Web.RegularExpressions,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",C | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Web.Services,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neu | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Windows.Forms,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture= | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Windows.Presentation,version="3.5.0.0",publicKeyToken="b77a5c561934e089",proces | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Workflow.Activities,processorArchitecture="MSIL",publicKeyToken="31BF3856AD364E | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.Workflow.ComponentModel,processorArchitecture="MSIL",publicKeyToken="31BF3856 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.Workflow.Runtime,processorArchitecture="MSIL",publicKeyToken="31BF3856AD364E3 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
System.WorkflowServices,version="3.5.0.0",publicKeyToken="31bf3856ad364e35",processorAr | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
System.Xml,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",File | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
System.Xml.Linq,version="3.5.0.0",publicKeyToken="b77a5c561934e089",processorArchitectur | 0x70002100560045003300360030004b00630034004b006a00540044003400 | 4
Key for the rows below: HKLM\SOFTWARE\Classes\Installer\Assemblies\Global (Name | Value | Times)
UIAutomationClient,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
UIAutomationClient,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
UIAutomationClientsideProviders,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf385 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
UIAutomationClientsideProviders,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf385 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
UIAutomationProvider,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e3 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
UIAutomationProvider,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e3 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
UIAutomationTypes,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
UIAutomationTypes,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35", | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
WindowsBase,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proce | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
WindowsBase,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad364e35",Proce | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
WindowsFormsIntegration,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad36 | 0x29006d0066002a0065005d0061006b007b0040004f0069006c0024005700 | 4
WindowsFormsIntegration,Version="3.0.0.0",Culture="neutral",PublicKeyToken="31bf3856ad36 | 0x6a0025006c0024003200790062006300690035004b00290075006a005100 | 4
cscompmgd,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileV | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
mscorcfg,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVers | 0x250045006d0041006a003f00430025006b0039005700370063004e004200 | 4
Key | Name | Value | Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ | CUAS | 0 | 1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager | CriticalSectionTimeout | 2592000 | 1
HKLM\SYSTEM\Setup | SystemSetupInProgress | 0 | 1
HKLM\Software\Microsoft\.NETFramework | InstallRoot | C:\WINDOWS\Microsoft.NET\Framework\ | 9
HKLM\Software\Microsoft\.NETFramework\Policy\v4.0 | 30319 | 30319-30319 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x9ae26ea720cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x421127aa20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System,2.0.0.0,,b77a5c561934e089,MSIL | 0x8a57dea520cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x18bb1ba420cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x9cbf64a520cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x028b82a120cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x1ab45fb020cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL | 0xb4074cae20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x586ef1ad20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL | 0x50fdd5a120cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86 | 0x58d936a320cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL | 0xa6ff4ea820cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | System.Xml,2.0.0.0,,b77a5c561934e089,MSIL | 0xca1b97a220cfcb01 | 1
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default | mscorlib,2.0.0.0,,b77a5c561934e089,x86 | 0xa8ce1d9f20cfcb01 | 1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32
LatestIndex
117
3
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\19ab8d57\291a02d0\6
DisplayName
System.Xml,2.0.0.0,,b77a5c561934e0889
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\19ab8d57\291a02d0\6
LastModTime
0xca1b97a220cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\19ab8d57\291a02d0\6
SIG
0xe129b85668d5c94a83901a595a688da05
546fb0968a3ad8f39d84fd920ec9
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\19ab8d57\291a02d0\6
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\24bf93f6\643db07b\1c
DisplayName
System.Web,2.0.0.0,,b03f5f7f11d50a33a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\24bf93f6\643db07b\1c
LastModTime
0x58d936a320cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\24bf93f6\643db07b\1c
SIG
0x257ea63099a54b47b394ae802aab504d1
19f0e298ec19246fcdb594503704
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\24bf93f6\643db07b\1c
Status
8194
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2b1a4e4\6abb48d8\40
DisplayName
System.Management,2.0.0.0,,b03f5f7f
f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2b1a4e4\6abb48d8\40
LastModTime
0x1ab45fb020cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2b1a4e4\6abb48d8\40
SIG
0x3e169fe688ba0044a1e06d7325a897046
6350b207203b659a3f4acb1d6fd4
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2b1a4e4\6abb48d8\40
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2dd6ac50\3914f670\a
DisplayName
Accessibility,2.0.0.0,,b03f5f7f11d550a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2dd6ac50\3914f670\a
LastModTime
0x9ae26ea720cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2dd6ac50\3914f670\a
SIG
0x0c125ccbcbedd94384951da8e0098afff
f59f82cfa273bcd55ade98bfad83
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\2dd6ac50\3914f670\a
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3ced59c5\7f729234\b
DisplayName
System.Deployment,2.0.0.0,,b03f5f7f
f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3ced59c5\7f729234\b
LastModTime
0x9cbf64a520cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3ced59c5\7f729234\b
SIG
0xaa6a30bb5ee45e4395aee8e3e013862cc
c3e045ee0eeb054e6d82e3b4dc36
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3ced59c5\7f729234\b
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3f50fe4f\6e9ac653\7
DisplayName
System,2.0.0.0,,b77a5c561934e089
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3f50fe4f\6e9ac653\7
LastModTime
0x8a57dea520cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3f50fe4f\6e9ac653\7
SIG
0x7739f7fe32588e438bd70fda47be005ca
a87ed832d6e6b76aa0302a427ffe
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\3f50fe4f\6e9ac653\7
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\41c04c7e\4426ac2f\c
DisplayName
System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\41c04c7e\4426ac2f\c
LastModTime
0x586ef1ad20cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\41c04c7e\4426ac2f\c
SIG
0x84ba240465953246b597c8a014faed3e9
952c5f993566c233a384370ec6af
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\41c04c7e\4426ac2f\c
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\424bd4d8\67e63d5c\5
DisplayName
System.Configuration,2.0.0.0,,b03f5f7f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\424bd4d8\67e63d5c\5
LastModTime
0x18bb1ba420cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\424bd4d8\67e63d5c\5
SIG
0x13b985b524af744ea7870ebe1b5d5d065
58961b3f64a74093492875c9d8f1
1
http://anubis.iseclab.org/
Page 9 of 13
Analysis Report for ajan.exe - submitted on 01/15/16, 15:31:33 UTC
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\424bd4d8\67e63d5c\5
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\475dce40\2995e574\e
DisplayName
System.Security,2.0.0.0,,b03f5f7f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\475dce40\2995e574\e
LastModTime
0x50fdd5a120cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\475dce40\2995e574\e
SIG
0x35ebef571a04574ba2270f0f0ce1e3b70
0ca85b8f2d6480a1d16ea10f281a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\475dce40\2995e574\e
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\4f99a7c9\7949fb97\42
DisplayName
Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\4f99a7c9\7949fb97\42
LastModTime
0x421127aa20cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\4f99a7c9\7949fb97\42
SIG
0x8d608f73d22b3548baf6a7faf89c5f230
0b86a6a7c448b7f134ef800ede26
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\4f99a7c9\7949fb97\42
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9
DisplayName
System.Drawing,2.0.0.0,,b03f5f7f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9
LastModTime
0x028b82a120cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9
SIG
0xd13b44b636575b40b535819858133665d
d8507ae68706294dda848b7a1e72
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\7950e2c5\319545b3\8
DisplayName
mscorlib,2.0.0.0,,b77a5c561934e089
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\7950e2c5\319545b3\8
LastModTime
0xa8ce1d9f20cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\7950e2c5\319545b3\8
Modules
sortkey.nlp|sorttbls.nlp|big5.nlp|bopomofo.nlp|ksc.nlp|prc.nlp|prcp.nlp|xjis.nlp|normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\7950e2c5\319545b3\8
SIG
0x61498a5bb093b143a337bdf5962ece99b
bd6c58fc8f03105a020331f4a600
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\7950e2c5\319545b3\8
Status
8198
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\c991064\268e923b\10
DisplayName
System.Windows.Forms,2.0.0.0,,b77a5c561934e089
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\c991064\268e923b\10
LastModTime
0xa6ff4ea820cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\c991064\268e923b\10
SIG
0x44a949e4640e604da04329762516a96e6
6e1fa3a76770071df15dc4d908f9
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\c991064\268e923b\10
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\f6e8397\61a5c1bb\1d
DisplayName
System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\f6e8397\61a5c1bb\1d
LastModTime
0xb4074cae20cfcb01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\f6e8397\61a5c1bb\1d
SIG
0x564f729ebc6f6b4bb3dc6f535b33f8fbd
d8487686c42a2af9e970a5ba9956
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\IL\f6e8397\61a5c1bb\1d
Status
4098
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\181938c6\3c74e9a9\8
ConfigMask
4361
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\181938c6\3c74e9a9\8
ConfigString
ZAP--0000-0000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\181938c6\3c74e9a9\8
DisplayName
mscorlib,2.0.0.0,,b77a5c561934e089
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\181938c6\3c74e9a9\8
ILDependencies
0xc5e25079b345953108000000020000000
00000000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\181938c6\3c74e9a9\8
MVID
0x642534209e13d16e93b80a628742d2ee
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\181938c6\3c74e9a9\8
Status
0
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\1c22df2f\52628d2e\46
ConfigMask
4361
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\1c22df2f\52628d2e\46
ConfigString
ZAP--0000-0000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\1c22df2f\52628d2e\46
DisplayName
Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\1c22df2f\52628d2e\46
ILDependencies
0x6410990c3b928e2610000000020000000
00000000c0d4c76dcafacd3f0900
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\1c22df2f\52628d2e\46
MVID
0x900525e192ca3d523143207ac11ae5f5
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\1c22df2f\52628d2e\46
NIDependencies
0xc6381918a9e9743c08000000020000000
000000004f7cbc303282491d0700
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\1c22df2f\52628d2e\46
Status
0
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\30bc7c4f\1d498232\7
ConfigMask
4361
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\30bc7c4f\1d498232\7
ConfigString
ZAP--0000-0000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\30bc7c4f\1d498232\7
DisplayName
System,2.0.0.0,,b77a5c561934e089
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\30bc7c4f\1d498232\7
ILDependencies
0xd8d44b425c3de66705000000020000000
00000000578dab19d0021a290600
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\30bc7c4f\1d498232\7
MVID
0x36dbfcf62e07d819b3de533898868ecf
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\30bc7c4f\1d498232\7
NIDependencies
0xc6381918a9e9743c08000000020000000
00000000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\30bc7c4f\1d498232\7
Status
0
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\3cca06a0\31de29a4\f
ConfigMask
4361
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\3cca06a0\31de29a4\f
ConfigString
ZAP--0000-0000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\3cca06a0\31de29a4\f
DisplayName
System.Drawing,2.0.0.0,,b03f5f7f11d50a3a
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\3cca06a0\31de29a4\f
ILDependencies
0xc0d4c76dcafacd3f09000000020000000
00000000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\3cca06a0\31de29a4\f
MVID
0xc91f68c2920882e02aec00eeabb6b415
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\3cca06a0\31de29a4\f
NIDependencies
0xc6381918a9e9743c08000000020000000
000000004f7cbc303282491d0700
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\3cca06a0\31de29a4\f
Status
0
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\61e7e666\69db6748\e
ConfigMask
4361
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\61e7e666\69db6748\e
ConfigString
ZAP--0000-0000
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\61e7e666\69db6748\e
DisplayName
System.Windows.Forms,2.0.0.0,,b77a5c561934e089
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\61e7e666\69db6748\e
ILDependencies
0x40ce5d4774e595290e000000020000000
00000000578dab19d0021a290600
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\61e7e666\69db6748\e
MVID
0x0c70e5d82578be2f6c0dde89182261c5
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\61e7e666\69db6748\e
NIDependencies
0xc6381918a9e9743c08000000020000000
000000004f7cbc303282491d0700
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\NI\61e7e666\69db6748\e
Status
0
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\index75
ILUsageMask
0xffffffffffffffffff01
1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\
v2.0.50727_32\index75
NIUsageMask
0xfffffffffffffffff1
1
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
Latest
1
1
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
LegacyPolicyTimeStamp
0x0000000000000000
1
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
index1
0x00
1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mscoree.dll
CheckAppHelp
1
1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\mscorwks.dll
CheckAppHelp
1
1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Windows
AppInit_DLLs
1
HKLM\Software\Policies\Microsoft\Windows\Safer\
CodeIdentifiers
TransparentEnabled
1
1
HKLM\System\CurrentControlSet\Control\Terminal Server
TSAppCompat
0
1
HKU\S-1-5-21-842925246-1425521274-308236825-500\
Keyboard Layout\Toggle
Language Hotkey
1
2
HKU\S-1-5-21-842925246-1425521274-308236825-500\
Keyboard Layout\Toggle
Layout Hotkey
2
2
HKU\S-1-5-21-842925246-1425521274-308236825-500\
Software\Microsoft\Windows\CurrentVersion\Explorer\
User Shell Folders
AppData
%USERPROFILE%\Application Data
1
HKU\S-1-5-21-842925246-1425521274-308236825-500\
Software\Microsoft\Windows\CurrentVersion\Explorer\
User Shell Folders
Cache
%USERPROFILE%\Local Settings\Temporary Internet Files
1
2.b) ajan.exe - File Activities
Files Read:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config
File System Control Communication:
File
Control Code
Times
C:\Program Files\Common Files\
0x00090028
1
Device Control Communication:
File
Control Code
Times
\Device\KsecDD
0x00390008
8
Memory Mapped Files:
File Name
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec00eeabb6b415\System.Drawing.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\l_intl.nls
C:\WINDOWS\system32\mscoree.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\shfolder.dll
C:\ajan.exe
2.c) ajan.exe - Other Activities
Mutexes Created:
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500
Windows SEH exceptions:
Description
Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0xd61f0e
1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0xd63da6
1
Exception 0xe0434f4d at 0x7c812aeb
3