Anubis - Analysis Report

Analysis Report for mari0.exe


Summary:

Risk    Finding
high    Write to foreign memory areas: This executable tampers with the execution of another process. Section 2.c records mari0.exe creating a remote thread in, and reading and writing the memory of, javaupdate.exe, the file it wrote to the user's Temp directory and then launched (section 2.b).
low     Changes security settings of Internet Explorer: This system alteration could affect the safety of browsing the World Wide Web. The only Internet Settings values written (section 2.a) are the ZoneMap info values IntranetName, ProxyBypass and UNCAsIntranet; the per-zone Flags values are read but not changed. Writes of this kind are commonly produced when urlmon.dll (loaded, section 2) initialises the per-user zone map, so this finding needs confirmation before it is treated as deliberate tampering.
medium  Execution did not terminate correctly: The executable crashed. Note that section 1 gives the termination reason as Timeout and section 2 lists mari0.exe as alive at analysis end with no exit code, so the crash finding is not corroborated by the recorded process status.
low     Spawns Processes: The executable produces processes during the execution. Both processes created are javaupdate.exe (section 2.c). The file name is not corroborated by the binary: the shell's MUICache records its display name as "mari0" (section 2.a) and it loads the .NET runtime (section 3).
low     Performs Registry Activities: The executable creates and/or modifies registry entries (section 2.a).



1. General Information

  - Information about Anubis' invocation  
Time needed: 317 s 
Report created: 03/12/12, 14:49:58 UTC 
Termination reason: Timeout 
Program version: 1.75.3394 

2. mari0.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: mari0.exe 
MD5: ffe997f9b5da1c41c38e52e2775c47c7 
SHA-1: bd5b94c1820c8172b39de3626c573a09c0a89e4e 
File Size: 6680576 Bytes
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​mscoree.dll  0x79000000  0x0004A000 
C:\​WINDOWS\​system32\​KERNEL32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​Microsoft.NET\​Framework\​v4.0.30319\​mscoreei.dll  0x603B0000  0x00066000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​Microsoft.NET\​Framework\​v2.0.50727\​mscorwks.dll  0x79E70000  0x0058F000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\​MSVCR80.dll  0x78130000  0x0009B000 
C:\​WINDOWS\​system32\​shell32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 
C:\​WINDOWS\​assembly\​NativeImages_v2.0.50727_32\​mscorlib\​642534209e13d16e93b80a628742d2ee\​mscorlib.ni.dll  0x790C0000  0x00B36000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​Microsoft.NET\​Framework\​v2.0.50727\​mscorjit.dll  0x79060000  0x00056000 
C:\​WINDOWS\​assembly\​NativeImages_v2.0.50727_32\​System\​36dbfcf62e07d819b3de533898868ecf\​System.ni.dll  0x7A440000  0x007EA000 
C:\​WINDOWS\​assembly\​NativeImages_v2.0.50727_32\​Microsoft.VisualBas#\​900525e192ca3d523143207ac11ae5f5\​Microsoft.VisualBasic.ni.dll  0x5E430000  0x001AE000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​netapi32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​SETUPAPI.dll  0x77920000  0x000F3000 
C:\​WINDOWS\​system32\​CLBCATQ.DLL  0x76FD0000  0x0007F000 
C:\​WINDOWS\​system32\​COMRes.dll  0x77050000  0x000C5000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​urlmon.dll  0x7E1E0000  0x000A2000 
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 

2.a) mari0.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Common Desktop  C:\​Documents and Settings\​All Users\​Desktop 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Common Documents  C:\​Documents and Settings\​All Users\​Documents 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​MountPoints2\​{a1094da8-30a0-11dd-817b-806d6172696f}\​  BaseClass  Drive 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​MountPoints2\​{a1094daa-30a0-11dd-817b-806d6172696f}\​  BaseClass  Drive 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  AppData  C:\​Documents and Settings\​Administrator\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cookies  C:\​Documents and Settings\​Administrator\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Desktop  C:\​Documents and Settings\​Administrator\​Desktop 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Personal  C:\​Documents and Settings\​Administrator\​My Documents 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info IntranetName 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info ProxyBypass 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info UNCAsIntranet 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​ShellNoRoam\​MUICache\​  C:\​Documents and Settings\​Administrator\​Local Settings\​Temp\​javaupdate.exe  mari0 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​CLASSES\​.ASP    aspfile 
HKLM\​SOFTWARE\​CLASSES\​.BAT    batfile 
HKLM\​SOFTWARE\​CLASSES\​.CER    CERFile 
HKLM\​SOFTWARE\​CLASSES\​.CHM    chm.file 
HKLM\​SOFTWARE\​CLASSES\​.CMD    cmdfile 
HKLM\​SOFTWARE\​CLASSES\​.COM    comfile 
HKLM\​SOFTWARE\​CLASSES\​.CPL    cplfile 
HKLM\​SOFTWARE\​CLASSES\​.CRT    CERFile 
HKLM\​SOFTWARE\​CLASSES\​.EXE    exefile 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{20D04FE0-3AEA-1069-A2D8-08002B30309D}\​INPROCSERVER32    %SystemRoot%\​system32\​SHELL32.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\​INPROCSERVER32    C:\​WINDOWS\​system32\​urlmon.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\​INPROCSERVER32  ThreadingModel  Both 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{AEB6717E-7E19-11D0-97EE-00C04FD91972}\​INPROCSERVER32    shell32.dll 
HKLM\​SOFTWARE\​CLASSES\​DIRECTORY  AlwaysShowExt   
HKLM\​SOFTWARE\​CLASSES\​DRIVE\​SHELLEX\​FOLDEREXTENSIONS\​{FBEB8A05-BEEE-4442-804E-409D6C4515E9}  DriveMask  32 
HKLM\​SOFTWARE\​CLASSES\​EXEFILE\​SHELL\​OPEN\​COMMAND    "%1" %* 
HKLM\​SOFTWARE\​Microsoft\​CTF\​SystemShared\​  CUAS 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​Setup  OsLoaderPath  \​ 
HKLM\​SYSTEM\​Setup  SystemPartition  \​Device\​HarddiskVolume1 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Microsoft\​.NETFramework  InstallRoot  C:\​WINDOWS\​Microsoft.NET\​Framework\​ 
HKLM\​Software\​Microsoft\​.NETFramework\​Policy\​\​v4.0  30319  30319-30319 
HKLM\​Software\​Microsoft\​COM3  Com+Enabled 
HKLM\​Software\​Microsoft\​COM3  REGDBVersion  0x0b00000000000000 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL  0x421127aa20cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System,2.0.0.0,,b77a5c561934e089,MSIL  0x8a57dea520cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x18bb1ba420cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x9cbf64a520cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x028b82a120cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL  0x1ab45fb020cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL  0xb4074cae20cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86  0x58d936a320cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL  0xa6ff4ea820cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  System.Xml,2.0.0.0,,b77a5c561934e089,MSIL  0xca1b97a220cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​GACChangeNotification\​Default  mscorlib,2.0.0.0,,b77a5c561934e089,x86  0xa8ce1d9f20cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32  LatestIndex  117 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​19ab8d57\​291a02d0\​6  DisplayName  System.Xml,2.0.0.0,,b77a5c561934e089 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​19ab8d57\​291a02d0\​6  LastModTime  0xca1b97a220cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​19ab8d57\​291a02d0\​6  SIG  0xe129b85668d5c94a83901a595a688da0546fb0968a3ad8f39d84fd920ec9 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​19ab8d57\​291a02d0\​6  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​24bf93f6\​643db07b\​1c  DisplayName  System.Web,2.0.0.0,,b03f5f7f11d50a3a 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​24bf93f6\​643db07b\​1c  LastModTime  0x58d936a320cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​24bf93f6\​643db07b\​1c  SIG  0x257ea63099a54b47b394ae802aab504d19f0e298ec19246fcdb594503704 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​24bf93f6\​643db07b\​1c  Status  8194 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​2b1a4e4\​6abb48d8\​40  DisplayName  System.Management,2.0.0.0,,b03f5f7f11d50a3a 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​2b1a4e4\​6abb48d8\​40  LastModTime  0x1ab45fb020cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​2b1a4e4\​6abb48d8\​40  SIG  0x3e169fe688ba0044a1e06d7325a897046350b207203b659a3f4acb1d6fd4 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​2b1a4e4\​6abb48d8\​40  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3ced59c5\​7f729234\​b  DisplayName  System.Deployment,2.0.0.0,,b03f5f7f11d50a3a 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3ced59c5\​7f729234\​b  LastModTime  0x9cbf64a520cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3ced59c5\​7f729234\​b  SIG  0xaa6a30bb5ee45e4395aee8e3e013862cc3e045ee0eeb054e6d82e3b4dc36 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3ced59c5\​7f729234\​b  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3f50fe4f\​6e9ac653\​7  DisplayName  System,2.0.0.0,,b77a5c561934e089 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3f50fe4f\​6e9ac653\​7  LastModTime  0x8a57dea520cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3f50fe4f\​6e9ac653\​7  SIG  0x7739f7fe32588e438bd70fda47be005ca87ed832d6e6b76aa0302a427ffe 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​3f50fe4f\​6e9ac653\​7  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​424bd4d8\​67e63d5c\​5  DisplayName  System.Configuration,2.0.0.0,,b03f5f7f11d50a3a 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​424bd4d8\​67e63d5c\​5  LastModTime  0x18bb1ba420cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​424bd4d8\​67e63d5c\​5  SIG  0x13b985b524af744ea7870ebe1b5d5d0658961b3f64a74093492875c9d8f1 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​424bd4d8\​67e63d5c\​5  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​4f99a7c9\​7949fb97\​42  DisplayName  Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​4f99a7c9\​7949fb97\​42  LastModTime  0x421127aa20cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​4f99a7c9\​7949fb97\​42  SIG  0x8d608f73d22b3548baf6a7faf89c5f230b86a6a7c448b7f134ef800ede26 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​4f99a7c9\​7949fb97\​42  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​6dc7d4c0\​3fcdfaca\​9  DisplayName  System.Drawing,2.0.0.0,,b03f5f7f11d50a3a 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​6dc7d4c0\​3fcdfaca\​9  LastModTime  0x028b82a120cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​6dc7d4c0\​3fcdfaca\​9  SIG  0xd13b44b636575b40b535819858133665d8507ae68706294dda848b7a1e72 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​6dc7d4c0\​3fcdfaca\​9  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​7950e2c5\​319545b3\​8  DisplayName  mscorlib,2.0.0.0,,b77a5c561934e089 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​7950e2c5\​319545b3\​8  LastModTime  0xa8ce1d9f20cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​7950e2c5\​319545b3\​8  Modules  sortkey.nlp|sorttbls.nlp|big5.nlp|bopomofo.nlp|ksc.nlp|prc.nlp|prcp.nlp|xjis.nlp|normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​7950e2c5\​319545b3\​8  SIG  0x61498a5bb093b143a337bdf5962ece99bd6c58fc8f03105a020331f4a600 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​7950e2c5\​319545b3\​8  Status  8198 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​c991064\​268e923b\​10  DisplayName  System.Windows.Forms,2.0.0.0,,b77a5c561934e089 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​c991064\​268e923b\​10  LastModTime  0xa6ff4ea820cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​c991064\​268e923b\​10  SIG  0x44a949e4640e604da04329762516a96e6e1fa3a76770071df15dc4d908f9 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​c991064\​268e923b\​10  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​f6e8397\​61a5c1bb\​1d  DisplayName  System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​f6e8397\​61a5c1bb\​1d  LastModTime  0xb4074cae20cfcb01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​f6e8397\​61a5c1bb\​1d  SIG  0x564f729ebc6f6b4bb3dc6f535b33f8fbd8487686c42a2af9e970a5ba9956 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​IL\​f6e8397\​61a5c1bb\​1d  Status  4098 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​181938c6\​3c74e9a9\​8  ConfigMask  4361 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​181938c6\​3c74e9a9\​8  ConfigString  ZAP--0000-0000 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​181938c6\​3c74e9a9\​8  DisplayName  mscorlib,2.0.0.0,,b77a5c561934e089 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​181938c6\​3c74e9a9\​8  ILDependencies  0xc5e25079b3459531080000000200000000000000 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​181938c6\​3c74e9a9\​8  MVID  0x642534209e13d16e93b80a628742d2ee 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​181938c6\​3c74e9a9\​8  Status 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​1c22df2f\​52628d2e\​46  ConfigMask  4361 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​1c22df2f\​52628d2e\​46  ConfigString  ZAP--0000-0000 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​1c22df2f\​52628d2e\​46  DisplayName  Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​1c22df2f\​52628d2e\​46  ILDependencies  0x6410990c3b928e26100000000200000000000000c0d4c76dcafacd3f0900 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​1c22df2f\​52628d2e\​46  MVID  0x900525e192ca3d523143207ac11ae5f5 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​1c22df2f\​52628d2e\​46  NIDependencies  0xc6381918a9e9743c0800000002000000000000004f7cbc303282491d0700 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​1c22df2f\​52628d2e\​46  Status 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​30bc7c4f\​1d498232\​7  ConfigMask  4361 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​30bc7c4f\​1d498232\​7  ConfigString  ZAP--0000-0000 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​30bc7c4f\​1d498232\​7  DisplayName  System,2.0.0.0,,b77a5c561934e089 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​30bc7c4f\​1d498232\​7  ILDependencies  0xd8d44b425c3de667050000000200000000000000578dab19d0021a290600 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​30bc7c4f\​1d498232\​7  MVID  0x36dbfcf62e07d819b3de533898868ecf 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​30bc7c4f\​1d498232\​7  NIDependencies  0xc6381918a9e9743c080000000200000000000000 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​NI\​30bc7c4f\​1d498232\​7  Status 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​index75  ILUsageMask  0xffffffffffffffffff01 
HKLM\​Software\​Microsoft\​Fusion\​NativeImagesIndex\​v2.0.50727_32\​index75  NIUsageMask  0xfffffffffffffffff1 
HKLM\​Software\​Microsoft\​Fusion\​PublisherPolicy\​Default  Latest 
HKLM\​Software\​Microsoft\​Fusion\​PublisherPolicy\​Default  LegacyPolicyTimeStamp  0x0000000000000000 
HKLM\​Software\​Microsoft\​Fusion\​PublisherPolicy\​Default  index1  0x00 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_BEHAVIORS 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_DISABLE_MK_PROTOCOL 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Image File Execution Options\​mscoree.dll  CheckAppHelp 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Image File Execution Options\​mscorwks.dll  CheckAppHelp 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  DevicePath  %SystemRoot%\​inf 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​FileAssociation  CutList  0x4100700070006c00690063006100740069006f006e002000460069006c00 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​ShellExecuteHooks  {AEB6717E-7E19-11d0-97EE-00C04FD91972}   
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common Desktop  %ALLUSERSPROFILE%\​Desktop 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common Documents  %ALLUSERSPROFILE%\​Documents 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  DriverCachePath  %SystemRoot%\​Driver Cache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  LogLevel 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackCachePath  c:\​windows\​ServicePackFiles\​ServicePackCache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackSourcePath  D:\​ 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  SourcePath  D:\​ 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Domain   
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Hostname  pc 
HKLM\​System\​Setup  SystemSetupInProgress 
HKLM\​System\​WPA\​PnP  seed  1274198464 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Language Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Layout Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​  ShellState  0x2400000038080000000000000000000000000000010000000d0000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  DontPrettyPath 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  Filter 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  Hidden 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  HideFileExt 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  HideIcons 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  MapNetDrvBtn 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  NoNetCrawling 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  SeparateProcess 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  ShowCompColor 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  ShowInfoTip 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  ShowSuperHidden 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Advanced  WebView 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​MountPoints2\​CPC\​Volume\​{a1094da8-30a0-11dd-817b-806d6172696f}\​  Data  0x000000005c005c003f005c0049004400450023004300640052006f006d00 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​MountPoints2\​CPC\​Volume\​{a1094da8-30a0-11dd-817b-806d6172696f}\​  Generation 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​MountPoints2\​CPC\​Volume\​{a1094daa-30a0-11dd-817b-806d6172696f}\​  Data  0x000000005c005c003f005c00530054004f00520041004700450023005600 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​MountPoints2\​CPC\​Volume\​{a1094daa-30a0-11dd-817b-806d6172696f}\​  Generation 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  AppData  %USERPROFILE%\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cache  %USERPROFILE%\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cookies  %USERPROFILE%\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Desktop  %USERPROFILE%\​Desktop 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​0  1806 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​0  Flags  33 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​1  Flags  219 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​2  Flags  71 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  Flags 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​4  Flags 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​ShellNoRoam\​MUICache  LangID  0x0904 
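The LastModTime and GACChangeNotification values above (for example 0x421127aa20cfcb01) are raw 8-byte registry data, printed by Anubis as bytes in storage order; read little-endian they are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC). The following decoder is an added example and is not part of the Anubis report or its tooling. It assumes that storage-order layout, which the MountPoints2 Data values (four zero bytes followed by UTF-16LE text) also show, and it cross-checks that the GAC notification stamp and the NativeImagesIndex stamp for the same assembly agree, as they do on this page.

```python
"""Decode FILETIME values from the Fusion registry entries in an Anubis report.

Added example, not part of the report. Assumption: Anubis prints REG_BINARY
data as raw bytes in storage order, so an 8-byte value is a little-endian
FILETIME (100 ns ticks since 1601-01-01 UTC).
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hexbytes_to_u64(text: str) -> int:
    """Parse an Anubis-style '0x...' byte string as a little-endian uint64."""
    digits = text[2:] if text.lower().startswith("0x") else text
    raw = bytes.fromhex(digits)
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}: {text}")
    return struct.unpack("<Q", raw)[0]


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert 100 ns ticks since 1601-01-01 into a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_lastmodtime(text: str) -> datetime:
    return filetime_to_datetime(hexbytes_to_u64(text))


def gac_and_ni_agree(gac_hex: str, ni_hex: str) -> bool:
    """Cross-check: the GACChangeNotification stamp and the NativeImagesIndex
    LastModTime for one assembly should be identical. A mismatch would mean
    the IL assembly changed after its NGEN image was built."""
    return hexbytes_to_u64(gac_hex) == hexbytes_to_u64(ni_hex)


# Values transcribed from section 2.a of the report (constructed table)
REPORT_TIMESTAMPS = {
    "Microsoft.VisualBasic (GACChangeNotification)": "0x421127aa20cfcb01",
    "System.Xml (GACChangeNotification)": "0xca1b97a220cfcb01",
    "System.Xml (NativeImagesIndex LastModTime)": "0xca1b97a220cfcb01",
}

if __name__ == "__main__":
    for label, hexval in REPORT_TIMESTAMPS.items():
        print(f"{label}: {decode_lastmodtime(hexval).isoformat()}")
    print("System.Xml GAC/NI stamps agree:",
          gac_and_ni_agree(REPORT_TIMESTAMPS["System.Xml (GACChangeNotification)"],
                           REPORT_TIMESTAMPS["System.Xml (NativeImagesIndex LastModTime)"]))
```

The decoded stamps all fall on 18 February 2011, roughly a year before the analysis date in section 1, which is what one expects of framework assemblies baked into the sandbox image rather than anything the sample touched. The same parser handles the other 8-byte values on the page, for example REGDBVersion 0x0b00000000000000 decodes to 11.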

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​Software\​Classes  Key Change,Value Change 
HKLM\​Software\​Classes\​CLSID  Key Change,Value Change 
HKLM\​Software\​Microsoft\​COM3  Key Change,Value Change 
HKU  Key Change,Value Change 

2.b) mari0.exe - File Activities

  - Files Created:  
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe

  - Files Read:  
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe
C:\Documents and Settings\Administrator\My Documents\desktop.ini
C:\Documents and Settings\All Users\Documents\desktop.ini
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\WINDOWS\Registration\R00000000000b.clb
PIPE\lsarpc
PIPE\wkssvc

  - Files Modified:  
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe
MountPointManager
PIPE\lsarpc
PIPE\wkssvc

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 
PIPE\wkssvc  0x0011C017 
PIPE\lsarpc  0x0011C017 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0008 
STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0034 
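The control codes in the two tables above are packed CTL_CODE values: device type in the top 16 bits, required access in bits 14-15, function number in bits 2-13 and transfer method in the low 2 bits. The decoder below is an added example, not part of the Anubis report or its tooling. The bit layout is the public CTL_CODE macro from winioctl.h; the names in its KNOWN table are taken from winioctl.h, mountmgr.h and ReactOS's ksecdd headers and are an assumption to verify against the SDK headers you have.

```python
"""Decode Windows IOCTL/FSCTL control codes listed in an Anubis report.

Added example, not part of the report. Bit layout is the CTL_CODE macro from
winioctl.h; the names in KNOWN are assumed from public headers.
"""

FILE_DEVICE_FILE_SYSTEM = 0x09
FILE_DEVICE_NAMED_PIPE = 0x11
FILE_DEVICE_KSEC = 0x39
MOUNTDEVCONTROLTYPE = 0x4D   # 'M'
MOUNTMGRCONTROLTYPE = 0x6D   # 'm'

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """CTL_CODE(DeviceType, Function, Method, Access) from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code: int) -> dict:
    """Split a control code back into its four fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


# Names assumed from winioctl.h, mountmgr.h and ReactOS ksecdd headers
KNOWN = {
    ctl_code(FILE_DEVICE_FILE_SYSTEM, 10, 0, 0): "FSCTL_IS_VOLUME_MOUNTED",
    ctl_code(FILE_DEVICE_NAMED_PIPE, 5, 3, 3): "FSCTL_PIPE_TRANSCEIVE",
    ctl_code(FILE_DEVICE_KSEC, 2, 0, 0): "IOCTL_KSEC_RANDOM_FILL_BUFFER",
    ctl_code(MOUNTDEVCONTROLTYPE, 2, 0, 0): "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME",
    ctl_code(MOUNTMGRCONTROLTYPE, 2, 0, 0): "IOCTL_MOUNTMGR_QUERY_POINTS",
    ctl_code(MOUNTMGRCONTROLTYPE, 13, 0, 0): "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS",
}


def describe(code: int) -> str:
    f = decode_ctl_code(code)
    name = KNOWN.get(code, "unknown")
    return (f"0x{code:08X} = {name}: device 0x{f['device_type']:02X}, "
            f"function {f['function']}, {METHOD_NAMES[f['method']]}, "
            f"{ACCESS_NAMES[f['access']]}")


# Codes transcribed from sections 2.b and 3.b of the report (constructed list)
REPORT_CODES = [0x00090028, 0x0011C017, 0x00390008,
                0x004D0008, 0x006D0008, 0x006D0034]

if __name__ == "__main__":
    for c in REPORT_CODES:
        print(describe(c))
```

Read this way, the table is less alarming than it looks: 0x0011C017 on PIPE\lsarpc and PIPE\wkssvc is a named-pipe transceive, i.e. an RPC round trip, which fits the netapi32.dll load and the Tcpip\Parameters Domain and Hostname reads in section 2.a; the MountPointManager and volume codes are the shell resolving drive letters to volume names for the Shell Folders and MountPoints2 entries; and 0x00390008 on \Device\KsecDD is the kernel entropy request that RtlGenRandom/CryptGenRandom issue on Windows XP.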

  - Memory Mapped Files:  
File Name
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\l_intl.nls
C:\WINDOWS\system32\mscoree.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\urlmon.dll
C:\Windows\AppPatch\sysmain.sdb
C:\mari0.exe

2.c) mari0.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe   
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe  "C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe"  

  - Remote Threads Created:  
Affected Process
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe

  - Foreign Memory Regions Read:  
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe

  - Foreign Memory Regions Written:  
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe
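Taken together, sections 2.b and 2.c describe one chain: mari0.exe writes javaupdate.exe into the user's Temp directory, starts it (twice, once with an empty command line and once with the quoted path), then creates a remote thread in it and reads and writes its memory. The rule below, an added example that is not part of the Anubis report or its tooling, encodes that chain so it can be applied to other reports; the Event records are transcribed from this report, while the field names, the user-writable path list, the scoring in classify() and the MUICache name check are this example's own assumptions.

```python
"""Triage rule for a drop, launch and inject chain seen in a sandbox report.

Added example, not part of the Anubis report or its tooling. Event records
are transcribed from sections 2.b and 2.c; field names, path hints and
scoring are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Directories an unprivileged user can write to on the XP image used here (assumed list)
USER_WRITABLE_HINTS = (
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\documents and settings\\all users\\",
)


@dataclass(frozen=True)
class Event:
    actor: str    # process performing the action
    action: str   # file_create | file_write | process_create | remote_thread | foreign_mem_read | foreign_mem_write
    target: str   # file path, or image path of the affected process


MARI0 = r"C:\mari0.exe"
DROPPED = r"C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe"

# Transcribed from sections 2.b and 2.c, in report order (constructed records)
REPORT_EVENTS = [
    Event(MARI0, "file_create", DROPPED),
    Event(MARI0, "file_write", DROPPED),
    Event(MARI0, "process_create", DROPPED),   # first launch, empty command line
    Event(MARI0, "process_create", DROPPED),   # second launch, quoted path as command line
    Event(MARI0, "remote_thread", DROPPED),
    Event(MARI0, "foreign_mem_read", DROPPED),
    Event(MARI0, "foreign_mem_write", DROPPED),
]


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def classify(events: List[Event]) -> List[dict]:
    """Flag executables the sample dropped, launched, and then tampered with.

    Order matters: a write into a process the sample did not itself drop and
    start (an already-running browser, say) is a different and worse finding
    that this rule deliberately does not claim.
    """
    dropped: Set[str] = set()
    launched: Dict[str, int] = {}
    tampered: Dict[str, Set[str]] = {}
    for ev in events:
        key = ev.target.lower()
        if ev.action in ("file_create", "file_write") and is_user_writable(ev.target):
            dropped.add(key)
        elif ev.action == "process_create" and key in dropped:
            launched[key] = launched.get(key, 0) + 1
        elif ev.action in ("remote_thread", "foreign_mem_read", "foreign_mem_write") and key in launched:
            tampered.setdefault(key, set()).add(ev.action)
    findings = []
    for key, actions in tampered.items():
        injected = {"remote_thread", "foreign_mem_write"} <= actions
        findings.append({
            "target": key,
            "launch_count": launched[key],
            "actions": sorted(actions),
            "verdict": "dropper with process injection" if injected
                       else "dropper with cross-process memory access",
            "risk": "high" if injected else "medium",
        })
    return findings


def name_mismatch(path: str, muicache_description: str) -> bool:
    """Masquerade check: MUICache stores the display name the shell read from the
    binary. Here the file is called javaupdate.exe but is recorded as 'mari0'."""
    base = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    desc = muicache_description.lower()
    return desc not in base and base not in desc


if __name__ == "__main__":
    for finding in classify(REPORT_EVENTS):
        print(finding)
    print("display name mismatch:", name_mismatch(DROPPED, "mari0"))
```

Run against the transcribed events the rule returns a single high-risk finding for javaupdate.exe with a launch count of 2 and all three tampering actions, which is the same conclusion the report's "Write to foreign memory areas" row reaches, now tied to the dropped file rather than to an unnamed "another process". The two launches plus the remote thread and memory write are consistent with a payload being written into a freshly created child, but the report does not show the written regions or the thread start address, so the rule stops at "process injection" and does not name a specific variant.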

3. javaupdate.exe

  - General information about this executable  
Analysis Reason: Started by mari0.exe 
Filename: javaupdate.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​mscoree.dll  0x79000000  0x0004A000 
C:\​WINDOWS\​system32\​KERNEL32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​Microsoft.NET\​Framework\​v4.0.30319\​mscoreei.dll  0x603B0000  0x00066000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​Microsoft.NET\​Framework\​v2.0.50727\​mscorwks.dll  0x79E70000  0x0058F000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\​MSVCR80.dll  0x78130000  0x0009B000 

3.a) javaupdate.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​Software\​Microsoft\​.NETFramework  InstallRoot  C:\​WINDOWS\​Microsoft.NET\​Framework\​ 
HKLM\​Software\​Microsoft\​.NETFramework\​Policy\​\​v4.0  30319  30319-30319 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Image File Execution Options\​mscoree.dll  CheckAppHelp 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Image File Execution Options\​mscorwks.dll  CheckAppHelp 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 

3.b) javaupdate.exe - File Activities

  - Files Read:  
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files  0x00090028 

  - Memory Mapped Files:  
File Name
C:\Documents and Settings\Administrator\Local Settings\Temp\javaupdate.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
C:\WINDOWS\system32\mscoree.dll


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org