Anubis - Analysis Report

Analysis Report for Java.exe

Summary:

Description  Risk
Write to foreign memory areas: This executable tampers with the execution of another process.  high
Execution did not terminate correctly: The executable crashed.  medium
Spawns Processes: The executable produces processes during the execution.  low
Performs Registry Activities: The executable creates and/or modifies registry entries.  low


1. General Information

  - Information about Anubis' invocation  
Time needed: 256 s 
Report created: 06/08/12, 14:32:01 UTC 
Termination reason: Timeout 
Program version: 1.76.3886 

2. Java.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: Java.exe 
MD5: df220fa1f1600b02a8d23ead1f94044a 
SHA-1: cdcdeead91a5be2d4d7c1c4ce8f0a7a9d3d88565 
File Size: 237056 Bytes
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name  Base Address  Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\mscoree.dll  0x79000000  0x0004A000
C:\WINDOWS\system32\KERNEL32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll  0x603B0000  0x00066000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll  0x79E70000  0x0058F000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll  0x78130000  0x0009B000
C:\WINDOWS\system32\shell32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll  0x790C0000  0x00B36000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll  0x7A440000  0x007EA000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll  0x5E430000  0x001AE000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll  0x79060000  0x00056000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec00eeabb6b415\System.Drawing.ni.dll  0x7ADE0000  0x0019C000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll  0x7AFD0000  0x00C9C000
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\3c822251e1a4b15dbbb90c2cf9f75352\System.Runtime.Remoting.ni.dll  0x67770000  0x000CC000
C:\WINDOWS\system32\uxtheme.dll  0x5AD70000  0x00038000
C:\WINDOWS\system32\rsaenh.dll  0x68000000  0x00036000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll  0x4EC50000  0x001A6000
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll  0x60340000  0x00008000
C:\WINDOWS\system32\Apphelp.dll  0x77B40000  0x00022000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000

2.a) Java.exe - Registry Activities

  - Registry Values Modified:  
Key  Name  New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  AppData  C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

  - Registry Values Read:  
Key  Name  Value  Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider  Image Path  rsaenh.dll  12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider  Type
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Arial Baltic,186  Arial,186
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Arial CE,238  Arial,238
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Arial CYR,204  Arial,204
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Arial Greek,161  Arial,161
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Arial TUR,162  Arial,162
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Courier New Baltic,186  Courier New,186
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Courier New CE,238  Courier New,238
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Courier New CYR,204  Courier New,204
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Courier New Greek,161  Courier New,161
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Courier New TUR,162  Courier New,162
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Helv  MS Sans Serif
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Helvetica  Arial
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  MS Shell Dlg  Microsoft Sans Serif
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  MS Shell Dlg 2  Tahoma
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Times  Times New Roman
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Times New Roman Baltic,186  Times New Roman,186
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Times New Roman CE,238  Times New Roman,238
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Times New Roman CYR,204  Times New Roman,204
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Times New Roman Greek,161  Times New Roman,161
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Times New Roman TUR,162  Times New Roman,162
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  Tms Rmn  MS Serif
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\SYSTEM\Setup  SystemSetupInProgress
HKLM\SYSTEM\WPA\MediaCenter  Installed
HKLM\Software\Microsoft\.NETFramework  InstallRoot  C:\WINDOWS\Microsoft.NET\Framework\
HKLM\Software\Microsoft\.NETFramework\Policy\\v4.0  30319  30319-30319
HKLM\Software\Microsoft\Cryptography  MachineGuid  4604e8cc-5b9c-4ffb-a374-a62e6d0494fc  12
HKLM\Software\Microsoft\Cryptography\Defaults\Provider Types\Type 001  Name  Microsoft Strong Cryptographic Provider
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x9ae26ea720cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL  0x421127aa20cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System,2.0.0.0,,b77a5c561934e089,MSIL  0x8a57dea520cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x18bb1ba420cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x9cbf64a520cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x9c19c7a720cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x028b82a120cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x1ab45fb020cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL  0xb4074cae20cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x586ef1ad20cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x50fdd5a120cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86  0x58d936a320cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL  0xa6ff4ea820cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  System.Xml,2.0.0.0,,b77a5c561934e089,MSIL  0xca1b97a220cfcb01
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default  mscorlib,2.0.0.0,,b77a5c561934e089,x86  0xa8ce1d9f20cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32  LatestIndex  117
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6  DisplayName  System.Xml,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6  LastModTime  0xca1b97a220cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6  SIG  0xe129b85668d5c94a83901a595a688da0546fb0968a3ad8f39d84fd920ec9
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c  DisplayName  System.Web,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c  LastModTime  0x58d936a320cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c  SIG  0x257ea63099a54b47b394ae802aab504d19f0e298ec19246fcdb594503704
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\1c  Status  8194
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40  DisplayName  System.Management,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40  LastModTime  0x1ab45fb020cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40  SIG  0x3e169fe688ba0044a1e06d7325a897046350b207203b659a3f4acb1d6fd4
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\40  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a  DisplayName  Accessibility,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a  LastModTime  0x9ae26ea720cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a  SIG  0x0c125ccbcbedd94384951da8e0098afff59f82cfa273bcd55ade98bfad83
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\a  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\20  DisplayName  System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\20  LastModTime  0x9c19c7a720cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\20  SIG  0x600e4254def88f47a6dc794867cc25fadc8d2cf561769985a4e7105cde4a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\20  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b  DisplayName  System.Deployment,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b  LastModTime  0x9cbf64a520cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b  SIG  0xaa6a30bb5ee45e4395aee8e3e013862cc3e045ee0eeb054e6d82e3b4dc36
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\b  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7  DisplayName  System,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7  LastModTime  0x8a57dea520cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7  SIG  0x7739f7fe32588e438bd70fda47be005ca87ed832d6e6b76aa0302a427ffe
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\7  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c  DisplayName  System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c  LastModTime  0x586ef1ad20cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c  SIG  0x84ba240465953246b597c8a014faed3e952c5f993566c233a384370ec6af
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\c  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5  DisplayName  System.Configuration,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5  LastModTime  0x18bb1ba420cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5  SIG  0x13b985b524af744ea7870ebe1b5d5d0658961b3f64a74093492875c9d8f1
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\5  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\e  DisplayName  System.Security,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\e  LastModTime  0x50fdd5a120cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\e  SIG  0x35ebef571a04574ba2270f0f0ce1e3b70ca85b8f2d6480a1d16ea10f281a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\e  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\7949fb97\42  DisplayName  Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\7949fb97\42  LastModTime  0x421127aa20cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\7949fb97\42  SIG  0x8d608f73d22b3548baf6a7faf89c5f230b86a6a7c448b7f134ef800ede26
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\7949fb97\42  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9  DisplayName  System.Drawing,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9  LastModTime  0x028b82a120cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9  SIG  0xd13b44b636575b40b535819858133665d8507ae68706294dda848b7a1e72
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\9  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8  DisplayName  mscorlib,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8  LastModTime  0xa8ce1d9f20cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8  Modules  sortkey.nlp|sorttbls.nlp|big5.nlp|bopomofo.nlp|ksc.nlp|prc.nlp|prcp.nlp|xjis.nlp|normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8  SIG  0x61498a5bb093b143a337bdf5962ece99bd6c58fc8f03105a020331f4a600
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\8  Status  8198
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\10  DisplayName  System.Windows.Forms,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\10  LastModTime  0xa6ff4ea820cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\10  SIG  0x44a949e4640e604da04329762516a96e6e1fa3a76770071df15dc4d908f9
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\10  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\61a5c1bb\1d  DisplayName  System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\61a5c1bb\1d  LastModTime  0xb4074cae20cfcb01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\61a5c1bb\1d  SIG  0x564f729ebc6f6b4bb3dc6f535b33f8fbd8487686c42a2af9e970a5ba9956
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\61a5c1bb\1d  Status  4098
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8  ConfigMask  4361
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8  ConfigString  ZAP--0000-0000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8  DisplayName  mscorlib,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8  ILDependencies  0xc5e25079b3459531080000000200000000000000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8  MVID  0x642534209e13d16e93b80a628742d2ee
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8  Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e\46  ConfigMask  4361
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e\46  ConfigString  ZAP--0000-0000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e\46  DisplayName  Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e\46  ILDependencies  0x6410990c3b928e26100000000200000000000000c0d4c76dcafacd3f0900
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e\46  MVID  0x900525e192ca3d523143207ac11ae5f5
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e\46  NIDependencies  0xc6381918a9e9743c0800000002000000000000004f7cbc303282491d0700
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e\46  Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7  ConfigMask  4361
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7  ConfigString  ZAP--0000-0000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7  DisplayName  System,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7  ILDependencies  0xd8d44b425c3de667050000000200000000000000578dab19d0021a290600
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7  MVID  0x36dbfcf62e07d819b3de533898868ecf
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7  NIDependencies  0xc6381918a9e9743c080000000200000000000000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7  Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\f  ConfigMask  4361
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\f  ConfigString  ZAP--0000-0000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\f  DisplayName  System.Drawing,2.0.0.0,,b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\f  ILDependencies  0xc0d4c76dcafacd3f090000000200000000000000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\f  MVID  0xc91f68c2920882e02aec00eeabb6b415
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\f  NIDependencies  0xc6381918a9e9743c0800000002000000000000004f7cbc303282491d0700
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\f  Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc\1d  ConfigMask  4361
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc\1d  ConfigString  ZAP--0000-0000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc\1d  DisplayName  System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc\1d  ILDependencies  0xf693bf247bb03d641c00000002000000000000007e4cc0412fac26440c00
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc\1d  MVID  0x3c822251e1a4b15dbbb90c2cf9f75352
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc\1d  NIDependencies  0xc6381918a9e9743c0800000002000000000000004f7cbc303282491d0700
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc\1d  Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\e  ConfigMask  4361
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\e  ConfigString  ZAP--0000-0000
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\e  DisplayName  System.Windows.Forms,2.0.0.0,,b77a5c561934e089
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\e  ILDependencies  0x40ce5d4774e595290e0000000200000000000000578dab19d0021a290600
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\e  MVID  0x0c70e5d82578be2f6c0dde89182261c5
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\e  NIDependencies  0xc6381918a9e9743c0800000002000000000000004f7cbc303282491d0700
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\e  Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index75  ILUsageMask  0xffffffffffffffffff01
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index75  NIUsageMask  0xfffffffffffffffff1
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default  Latest
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default  LegacyPolicyTimeStamp  0x0000000000000000
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default  index1  0x00
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll  CheckAppHelp
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll  CheckAppHelp
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  AuthenticodeEnabled
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  DefaultLevel  262144
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  PolicyScope
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  PC
HKLM\System\CurrentControlSet\Control\Lsa  FIPSAlgorithmPolicy
HKLM\System\CurrentControlSet\Control\Terminal Server  TSUserEnabled
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Language Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Layout Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\GDIPlus  FontCachePath  C:\Documents and Settings\Administrator\Local Settings\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  AppData  %USERPROFILE%\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Cache  %USERPROFILE%\Local Settings\Temporary Internet Files

2.b) Java.exe - File Activities

  - Files Created:  
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe

  - Files Read:  
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\WINDOWS\system32\rsaenh.dll
PIPE\lsarpc

  - Files Modified:  
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
PIPE\lsarpc

  - File System Control Communication:  
File  Control Code  Times
C:\Program Files\Common Files\  0x00090028 
PIPE\lsarpc  0x0011C017 

  - Device Control Communication:  
File  Control Code  Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Java.exe
C:\WINDOWS\FONTS\MICROSS.TTF
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec00eeabb6b415\System.Drawing.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\3c822251e1a4b15dbbb90c2cf9f75352\System.Runtime.Remoting.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\crypt32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\l_intl.nls
C:\WINDOWS\system32\mscoree.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\uxtheme.dll
C:\Windows\AppPatch\sysmain.sdb

2.c) Java.exe - Process Activities

  - Processes Created:  
Executable  Command Line
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe  C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe

  - Remote Threads Created:  
Affected Process
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe

  - Foreign Memory Regions Read:  
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
Process: C:\Java.exe

  - Foreign Memory Regions Written:  
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
Process: C:\Java.exe

2.d) Java.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

  - Windows SEH exceptions:  
Description Times
Exception 0xe06d7363 at 0x7c812aeb 
Exception 0xe0434f4d at 0x7c812aeb 

3. svchost.exe

  - General information about this executable  
Analysis Reason: Started by Java.exe 
Filename: svchost.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\MSVBVM60.DLL  0x73420000  0x00153000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000
C:\WINDOWS\system32\ShimEng.dll  0x5CB70000  0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL  0x6F880000  0x001CA000
C:\WINDOWS\system32\WINMM.dll  0x76B40000  0x0002D000
C:\WINDOWS\system32\MSACM32.dll  0x77BE0000  0x00015000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B4000
C:\WINDOWS\system32\UxTheme.dll  0x5AD70000  0x00038000

3.a) svchost.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\SYSTEM\WPA\MediaCenter  Installed
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\System\CurrentControlSet\Control\Terminal Server  TSUserEnabled

3.b) svchost.exe - File Activities

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\MSVBVM60.DLL
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\WINMM.dll
C:\Windows\AppPatch\sysmain.sdb


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org