Nov 19 CVE-2010-2883 with Flash JIT Spray (PDF in PDF) Event Invitation from The Heritage Foundation from spoofed Heritage address

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

  General File Information

File  Event Invitation from Heritage.pdf
MD5   529AE8C6AC75E555402AA05F7960EB0D
SHA1   d793f0c3e051bc03b0cd5e2c2f87f3be33612d49
File size : 358996
Type:  PDF
Distribution: Email attachment

Read more...

Download

Download  Event Invitation from Heritage.pdf and the dropped files as a password protected archive (contact me if you need the password)

Original Message

From: Elizabeth XXXXXX [mailto:XXXXX@heritage.org]
Sent: Friday, November 19, 2010 3:53 AM
To: XXXXXXXXXXXXXX
Subject: Event Invitation from The Heritage Foundation: The Implications of Taiwan's Big City Elections

Dear Madam / Sir,

You are cordially invited to attend the Event of The Heritage Foundation on Dec 01, 2010: The Implications Of Taiwan's Big City Elections.
Please refer to the attached invitation and visit the Heritage site for event details.

Thanks,

________________________________________
Elizabeth XXXXXXX
Administrative Assistant
Asian Studies Center
The Heritage Foundation
214 Massachusetts Avenue, NE
Washington, DC 20002
XXXXXXXXXXXX
heritage.org

Message Headers

Received: (qmail 25793 invoked from network); 19 Nov 2010 08:53:27 -0000

Received: from msr19.hinet.net (HELO msr19.hinet.net) (168.95.4.119)

  by XXXXXXXXXXXX with SMTP; 19 Nov 2010 08:53:27 -0000

Received: from elizabethhamrickpc (61-222-104-222.HINET-IP.hinet.net [61.222.104.222])

by msr19.hinet.net (8.9.3/8.9.3) with ESMTP id QAA04206

for ; Fri, 19 Nov 2010 16:53:09 +0800 (CST)

Reply-To: newscomeon@yahoo.com

From: "Elizabeth Hamrick"

To: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Subject: Event Invitation from The Heritage Foundation: The Implications of Taiwan's Big City Elections

Date: Fri, 19 Nov 2010 16:53:09 +0800

Message-ID:

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_10111916482235810322685_000"

X-Priority: 3

X-Mailer: DreamMail 4.6.6.0

Sender

61.222.104.222

Hostname: 61-222-104-222.hinet-ip.hinet.net 

ISP: CHTD, Chunghwa Telecom Co., Ltd. 

Organization: Wei Kai Shi Ye Ltd. 

Proxy: None detected 

Type: Broadband 

Assignment: Static IP 

Country: Taiwan  

Automated Scans

File name: Event Invitation from Heritage.pdf

http://www.virustotal.com/file-scan/report.html?id=bf15872b77a7845dd423071a063529c8fdcb6b45665e96f66609ad848b20306d-1290660128

Submission date: 2010-11-25 04:42:08 (UTC)

Current status: finished

Result: 16 /43 (37.2%)

AntiVir 7.10.14.99 2010.11.24 EXP/Pidief.ddi

Antiy-AVL 2.0.3.7 2010.11.25 Exploit/Win32.Pidief

AVG 9.0.0.851 2010.11.24 Exploit_c.MGG

BitDefender 7.2 2010.11.25 Exploit.PDF-TTF.Gen

eTrust-Vet 36.1.7998 2010.11.24 PDF/CVE-2010-1297.B!exploit

F-Prot 4.6.2.117 2010.11.24 File is damaged

F-Secure 9.0.16160.0 2010.11.25 Exploit.PDF-TTF.Gen

GData 21 2010.11.25 Exploit.PDF-TTF.Gen

Kaspersky 7.0.0.125 2010.11.25 Exploit.Win32.Pidief.ddi

Microsoft 1.6402 2010.11.24 Exploit:Win32/CVE-2010-2883.A

nProtect 2010-11-24.01 2010.11.25 Exploit.PDF-TTF.Gen

PCTools 7.0.3.5 2010.11.25 HeurEngine.MaliciousExploit

Sophos 4.60.0 2010.11.25 Troj/SWFExp-X

SUPERAntiSpyware 4.40.0.1006 2010.11.25 -

Symantec 20101.2.0.161 2010.11.25 Bloodhound.Exploit.357

TrendMicro 9.120.0.1004 2010.11.24 TROJ_PIDIEF.HKD

TrendMicro-HouseCall 9.120.0.1004 2010.11.25 TROJ_PIDIEF.HKD

MD5   : 529ae8c6ac75e555402aa05f7960eb0d

CVE ID

Let me know if you have any comments, additions or corrections here  --

The file uses a pdf (1.pdf) embedded in the original "Event Invitation from Heritage.pdf"

FILE 1. Event Invitation from Heritage.pdf  529ae8c6ac75e555402aa05f7960eb0d

obj 1 0
 Type:
 Referencing:
 Contains stream

;9F7DF03346B2A4799ADF0EE158A1F80C>/CreationDate(D:20100920103657+08'00')/ModDate(D:20100923164332+08'00')/Size 1171>>/Subtype/application#2Fx-shockwave-flash


   /DL 1171
   /Length 1171
   /Params /CheckSum<9F7DF03346B2A4799ADF0EE158A1F80C>
   /CreationDate (D:20100920103657+08'00')
   /ModDate (D:20100923164332+08'00')
   /Size 1171



9F7DF03346B2A4799ADF0EE158A1F80C>/CreationDate(D:20100920103657+08'00')/ModDate(D:20100923164332+08'00')/Size 1171>>/Subtype/application#2Fx-shockwave-flash>>stream

CWS    c   xÚ•ÖYl U àûό玗Ävâ8[÷6]B œn@ÙÚ,„„ CJÚ
ñØ 'N ǵ'IÚ¦ BBHˆ $ÊŽ@PD%Ä ¼ $Ä. !±K ñD±ë3R9’Uá 3ž¹Ççž»Ìä„ÿI!Ž/ŠfˆÞ !„8 Úæ •O@tŠ£ø ¿âgX ë Æ7¿`å[ 6­î

1. Please read about the technique at JIT-SPRAY Attacks & Advanced Shellcode Security HITBSecConf2010, Amsterdam by Alexey Sintsov  
2. Alexey Sintsov's egg-hunter JIT shellcode generator for Flash 10.0.x is here  --
3. as pointed by Malware Tracker blog - he described a similar case: Hiding PDF Exploits by embedding PDF files in streams and Flash ROP heapsprays 
4. Also Symantec blog had an article about this kind of malicious pdf in October, 2010 

According to Symantec,  "A more advanced technique is to use a PDF file embedded in a PDF file. The third object contains a stream indicating “application/pdf” as a sub-byte. With “FlateDecode”, this PDF file is compressed by using Zlib/deflates. To identify the PDF exploiting this vulnerability, it should be inflated and parsed by the PDF parser again.

The PDF embedded in a PDF file is always the same one and it is just used to trigger the vulnerability. We detect PDF malware using this technique as Bloodhound.Exploit.357 as well." - Symantec, by Kazumasa Itabashi

 Event Invitation from Heritage.pdf
 Screenshot from our PDF - note jit-egg.swf  as in the PoC by Asintsev

Compressed Flash in Event Invitation from Heritage.pdf

-------------------------------------------------------------------------------------------

FILE 2    73E8F3BB63B16E5830528D226FBC9998
1.pdf  - CVE-2010-2883  - this file did not create any files during my testing and I did not analyse it further. If you have any comments or additions, please send. 

Files Created

%Temp%\A9R1AA.tmp\1.pdf
%Temp%\ctfmon.exe

File name:ctfmon.exe
http://www.virustotal.com/file-scan/report.html?id=fb0dc16f74061304d50f2404913ad836d59a92b9543c3a3aef91da4c2b8511aa-1291295776
Submission date:2010-12-02 13:16:16 (UTC)
Result:17 /43 (39.5%)
AhnLab-V3     2010.12.02.07     2010.12.02     Win-Trojan/Agent.32768.BUO
AVG     9.0.0.851     2010.12.02     Dropper.Generic2.BOYA
BitDefender     7.2     2010.12.02     Gen:Variant.Downloader.19
DrWeb     5.0.2.03300     2010.12.02     Win32.HLLW.Autoruner.27746
Emsisoft     5.0.0.50     2010.12.02     Trojan-Downloader.Win32.Small!IK
F-Secure     9.0.16160.0     2010.12.02     Gen:Variant.Downloader.19
GData     21     2010.12.02     Gen:Variant.Downloader.19
Ikarus     T3.1.1.90.0     2010.12.02     Trojan-Downloader.Win32.Small
Jiangmin     13.0.900     2010.12.02     TrojanDownloader.Small.avnm
NOD32     5666     2010.12.02     a variant of Win32/Injector.DKT
Norman     6.06.10     2010.12.02     W32/Malware
nProtect     2010-12-02.01     2010.12.02     Trojan-Downloader/W32.Small.32768.GW
Panda     10.0.2.7     2010.12.01     Suspicious file
Sophos     4.60.0     2010.12.02     Troj/Buzus-EI
TrendMicro     9.120.0.1004     2010.12.02     TROJ_INJECTR.SMA
TrendMicro-HouseCall     9.120.0.1004     2010.12.02     TROJ_INJECTR.SMA
ViRobot     2010.12.2.4181     2010.12.02     Backdoor.Win32.Generic.32768
Additional information
MD5   : 818bcf2a6c0680e91f774de404a2ad99

http://anubis.iseclab.org/?action=result&task_id=1c849d6ba2acff7848d1db3986dd317ac&call=first
[#############################################################################] Analysis Report for ctfmon.exe MD5: 818bcf2a6c0680e91f774de404a2ad99 [#############################################################################] Summary: - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Spawns Processes: The executable produces processes during the execution. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - ctfmon.exe a) Registry Activities b) File Activities c) Process Activities d) Other Activities - svchost.exe - cmd.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 241 s Report created: 12/02/10, 13:18:09 UTC Termination reason: Timeout Program version: 1.74.3195 [#############################################################################] 2. ctfmon.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: ctfmon.exe MD5: 818bcf2a6c0680e91f774de404a2ad99 SHA-1: 5038eb2daf2ce6719cb4424b4e571cacd870f278 File Size: 32768 Bytes Command Line: "C:\ctfmon.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\netapi32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] [=============================================================================] Ikarus Virus Scanner [=============================================================================] Trojan-Downloader.Win32.Small (Sig-Id: 1465325) [=============================================================================] 2.a) ctfmon.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001 ], Value Name: [ Name ], Value: [ Microsoft Strong Cryptographic Provider ], 40 times Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ], Value Name: [ Image Path ], Value: [ rsaenh.dll ], 40 times Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ], Value Name: [ Type ], Value: [ 1 ], 10 times Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Cryptography ], Value Name: [ MachineGuid ], Value: [ 4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ], 80 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ AllUsersProfile ], Value: [ All Users ], 11 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ DefaultUserProfile ], Value: [ Default User ], 11 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 22 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ CentralProfile ], Value: [ ], 11 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ Flags ], Value: [ 0 ], 11 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ ProfileImagePath ], Value: [ %SystemDrive%\Documents and Settings\Administrator ], 22 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ ProfileLoadTimeHigh ], Value: [ 30014298 ], 11 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ ProfileLoadTimeLow ], Value: [ 833226792 ], 11 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ State ], Value: [ 256 ], 11 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 11 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 11 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 12 times Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ OS ], Value: [ Windows_NT ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PATHEXT ], Value: [ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ windir ], Value: [ %SystemRoot% ], 22 times Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ], Value Name: [ ParseAutoexec ], Value: [ 1 ], 11 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 11 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ APPDATA ], Value: [ C:\Documents and Settings\Administrator\Application Data ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ CLIENTNAME ], Value: [ ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMEDRIVE ], Value: [ C: ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMEPATH ], Value: [ \Documents and Settings\Administrator ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMESHARE ], Value: [ ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ LOGONSERVER ], Value: [ \\PC ], 22 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ SESSIONNAME ], Value: [ Console ], 22 times [=============================================================================] 2.b) ctfmon.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\ctfmon.exe.tmp1 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto ] File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA ] File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-842925246-1425521274-308236825-500 ] File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-842925246-1425521274-308236825-500\a18ca4003deb042bbee7a40f15e1970b_4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ] File Name: [ C:\RCX2.tmp ] File Name: [ C:\a.bat ] File Name: [ C:\ctfmon.exe.tmp1 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\rsaenh.dll ] File Name: [ C:\ctfmon.exe.tmp1 ] File Name: [ PIPE\lsarpc ] File Name: [ c:\autoexec.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-842925246-1425521274-308236825-500\a18ca4003deb042bbee7a40f15e1970b_4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ] File Name: [ C:\RCX2.tmp ] File Name: [ C:\a.bat ] File Name: [ C:\ctfmon.exe.tmp1 ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Renamed: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Old File Name: [ C:\RCX2.tmp ], New File Name: [ C:\ctfmon.exe.tmp1 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 67 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-842925246-1425521274-308236825-500\a18ca4003deb042bbee7a40f15e1970b_4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ C:\WINDOWS\system32\crypt32.dll ] File Name: [ C:\WINDOWS\system32\rsaenh.dll ] File Name: [ C:\WINDOWS\system32\svchost.exe ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] File Name: [ C:\a.bat ] File Name: [ C:\ctfmon.exe ] File Name: [ C:\ctfmon.exe.tmp1 ] [=============================================================================] 2.c) ctfmon.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\WINDOWS\system32\svchost.exe ], Command Line: [ ] Executable: [ ], Command Line: [ svchost.exe ] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\svchost.exe ] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] Process: [ C:\WINDOWS\system32\svchost.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] Process: [ C:\WINDOWS\system32\svchost.exe ] [=============================================================================] 2.d) ctfmon.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ DBWinMutex ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x402062 ], 3 times Description: [ Exception 0x40010006 at 0x7c812aeb ], 1 time [#############################################################################] 3. svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by ctfmon.exe Filename: svchost.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] [#############################################################################] 4. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by ctfmon.exe Filename: cmd.exe MD5: 6d778e0f95447e6546553eeea709d03c SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 File Size: 389120 Bytes Command Line: cmd /c a.bat Process-status at analysis end: dead Exit Code: 1 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] 4.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ AutoRun ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 9 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time [=============================================================================] 4.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\a.bat ] File Name: [ C:\ctfmon.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\a.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Renamed: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Old File Name: [ C:\ctfmon.exe.tmp1 ], New File Name: [ C:\ctfmon.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\a.bat ]

File: 1.pdf
http://www.virustotal.com/file-scan/report.html?id=18d3b53694cdd4674af02f336e939bc4a6f0dbae80f860a3266a74ba81a4f6a2-1291381162
Size: 36407
MD5:  73E8F3BB63B16E5830528D226FBC9998

File name:1.pdf
Submission date:2010-12-03 12:59:22 (UTC)
Result:16/ 43 (37.2%)
Antiy-AVL    2.0.3.7    2010.12.03    Exploit/Win32.Pidief
AVG    9.0.0.851    2010.12.03    Exploit_c.NCO
BitDefender    7.2    2010.12.03    Exploit.PDF-TTF.Gen
Emsisoft    5.0.0.50    2010.12.03    Exploit.Win32.Pidief!IK
F-Secure    9.0.16160.0    2010.12.03    Exploit.PDF-TTF.Gen
Fortinet    4.2.254.0    2010.12.03    PDF/CoolType!exploit.CVE20102883
GData    21    2010.12.03    Exploit.PDF-TTF.Gen
Ikarus    T3.1.1.90.0    2010.12.03    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.12.03    Exploit.Win32.Pidief.ddi
Microsoft    1.6402    2010.12.03    Exploit:Win32/CVE-2010-2883.A
nProtect    2010-12-03.01    2010.12.03    Exploit.PDF-TTF.Gen
PCTools    7.0.3.5    2010.12.03    HeurEngine.MaliciousExploit
Symantec    20101.2.0.161    2010.12.03    Bloodhound.Exploit.357
TrendMicro    9.120.0.1004    2010.12.03    TROJ_PIDIEF.HKD
TrendMicro-HouseCall    9.120.0.1004    2010.12.03    TROJ_PIDIEF.HKD
Additional information
MD5   : 73e8f3bb63b16e5830528d226fbc9998

Vicheck Scan
https://www.vicheck.ca/md5query.php?hash=73e8f3bb63b16e5830528d226fbc9998

 Result: Suspicious file - PDF Exploit font SING table CVE-2010-2883

Network activity

202.3.167.6

Hostname: 202-3-167-6-static.unigate.net.tw
ISP: Network topology of Unigate Telecom Inc.
Organization: Network topology of Unigate Telecom Inc.
Proxy: None detected
Type: Broadband
Assignment: Static IP
Country: Taiwan

202.60.203.229

Hostname: 202.60.203.229
ISP: T.C.C Technology Co., Ltd.
Organization: T.C.C Technology Co., Ltd.
Proxy: None detected
Type: Broadband
Assignment: Static IP
Country: Thailand
State/Region: Krung Thep
City: Bangkok