Mar 31 CVE-2010-0188 PDF Project done, welcome comments from adriennemissyou@gmail.com

• CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors

Download cb3cb17527bfde64b455f9c5385975c8 Project.pdf as a password protected archive (please contact me if you need the password)

Details cb3cb17527bfde64b455f9c5385975c8 Project.pdf 

From: Jhang [mailto:adriennemissyou@gmail.com]
Sent: 2010-03-31 2:30 AM
To: XXXXXXXX
Subject: Project done, welcome comments

Virutotal

http://www.virustotal.com/analisis/45484674ea4463a2f9f1718d2015ab866faf1bd673b12543581e87ff5feabdb7-1270046162

File project.PDF received on 2010.03.31 14:36:02 (UTC)
Result: 2/36 (5.56%)
Sophos    4.52.0    2010.03.31    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.31    Trojan.Pidief.I
File size: 87673 bytes
MD5...: cb3cb17527bfde64b455f9c5385975c8

ESET Nod32 detection of CVE-2010-0806

March 30, 2010 ESET quickly corrected the false positive and there should be no more alarms. Please update your AV definitions.

The following links are being detected by ESET Nod32 as JS/Exploit.CVE-2010-0806 trojan. However, I looked at the js files and i do not see the CVE-2010-0806 exploit in them. They seem to be false positives - some sort of ads scripts.


    * hxxp://assets.loomia.com/js/clixdom.js
    * hxxp://widget-cache.loomia.com/js/onewidget_clix.js
    * hxxp://a.l.yimg.com/a/lib/s5/searchpad_core_metro_js_200911061221.js

http://www.virustotal.com/analisis/66fda6e512a0900224cec2ed93c2facac2ba80ef7e1c62d866c7b0d46af9cd15-1269964297%20

 File clixdom.js received on 2010.03.30 15:51:37 (UTC)
Result: 1/42 (2.38%)
NOD32     4985     2010.03.30     JS/Exploit.CVE-2010-0806

Let me know if I am wrong.

Thanks -M

P.S. I just found this discussion related to it JS/EXploit.CVE-2010-0806 trojan on Yahoo

Mar 30 CVE-2010-0806 IE 0-day hxxp://bbs.vgl.co.kr/bbs/icon/ie.html

hxxp://bbs.vgl.co.kr/bbs/icon/ie.html   - malicious link

Download ie.html as a password protected archive (or you can get it from the link above) Please contact me if you need the password

Details ie.html 

http://www.virustotal.com/analisis/6827df1e55c9d7bbbf80272a919606aa7d5ee7b90fd049d67c6b2c0e2f458819-1269977772
 File ie.html received on 2010.03.30 19:36:12 (UTC)
Result: 19/42 (45.24%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.03.30    Exploit.JS.CVE-2010-0806!IK
Authentium    5.2.0.5    2010.03.30    JS/Cosmu.A
Avast    4.8.1351.0    2010.03.30    JS:CVE-2010-0806-C
Avast5    5.0.332.0    2010.03.30    JS:CVE-2010-0806-C
AVG    9.0.0.787    2010.03.29    Exploit
BitDefender    7.2    2010.03.30    Exploit.Cosmu.A
eSafe    7.0.17.0    2010.03.28    JS.CVE2010-0806
eTrust-Vet    35.2.7396    2010.03.30    JS/Dish!exploit
F-Prot    4.5.1.85    2010.03.30    JS/Cosmu.A
F-Secure    9.0.15370.0    2010.03.30    Exploit.Cosmu.A
Fortinet    4.0.14.0    2010.03.30    JS/CVE20100806.B!exploit
GData    19    2010.03.30    Exploit.Cosmu.A
Ikarus    T3.1.1.80.0    2010.03.30    Exploit.JS.CVE-2010-0806
Kaspersky    7.0.0.125    2010.03.30    Exploit.JS.CVE-2010-0806.b
Microsoft    1.5605    2010.03.30    Exploit:JS/CVE-2010-0806
nProtect    2009.1.8.0    2010.03.30    Exploit.Cosmu.A
Sophos    4.52.0    2010.03.30    Troj/ExpJS-R
Sunbelt    6117    2010.03.30    Trojan.JS.BOFExploit (v)
VirusBuster    5.0.27.0    2010.03.30    JS.BOFExploit.Gen
Additional information
File size: 6494 bytes
MD5...: fcfeb0287f172a2c58f680fcd120ea48

bbs.vgl.co.kr has one IP number , which is the same as for vgl.co.kr, but the reverse is 211-115-80-207.kidc.net. vgl.co.kr and http://www.robtex.com/dns/www.vgl.co.kr.html point to the same IP. vgl.co.kr is delegated to two nameservers, however one delegated nameserver is missing in the zone. Incoming mail for vgl.co.kr is handled by seven mailservers having a total of 28 IP numbers. Some of them are on the same IP network. bbs.vgl.co.kr is hosted on a server in Korea. It is not listed in any blacklists.

      Hostname:    211-115-80-207.kidc.net
      ISP:    KRNIC
      Organization:    Hanbiro, Inc.
       Country:    Korea, Republic of
      State/Region:    Soul-t'ukpyolsi
      City:    Seoul

Mar 30 CVE-2009-4324 PDF China and Foreign Military Modernization from americansina@gmail.com

• CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

 Download d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf as a password protected archive (please contact me if you need the password)

Details d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf 

From: Dean Cheng [mailto:americansina@gmail.com]
Sent: 2010-03-30 9:18 AM
Subject: China and Foreign Military Modernization

Dear Folks,

One of the little-noticed actions in the recently concluded session of the Chinese National People’s Congress was the enactment of a National Defense Mobilization Law. In an age when conventional conflicts are planned to conclude in a matter of days or weeks, it is striking that the People’s Republic of China  (PRC) should choose to ensure its readiness for a protracted war. Indeed, it suggests that the People’s Liberation Army (PLA) is thinking about future wars in a very different way from their Western counterparts, where full-scale mobilization is rarely discussed at all. Whereas the U.S. and its allies have mostly neglected the prospect of a prolonged high-intensity conflict, the PLA appears intent on preparing for both short- and long-term wars.

The actions of the National People’s Congress have distinct implications for U.S. defense planners, as they portend an opponent who may choose to fight a protracted conflict—but with anti-ship missiles rather than IEDs. And it should also raise questions among foreign investors—how might their facilities and assets be treated in the event of a crisis?

We have drafted a memo to this regards as attached. Your inputs are highly appreciated.

Best regards,

Cheng
--
Dean Cheng
Research Fellow, Asian Studies Cente

---------
Virustotal
http://www.virustotal.com/analisis/8b821297ce83d927e3ab73fe465149beb64b67d5b2cbee1cfaa4953c84c6a302-1269966037
File WebMemo.pdf received on 2010.03.30 16:20:37 (UTC)
Result: 8/42 (19.05%)
Avast     4.8.1351.0     2010.03.30     JS:Pdfka-XX
Avast5     5.0.332.0     2010.03.30     JS:Pdfka-XX
BitDefender     7.2     2010.03.30     Exploit.PDF-JS.Gen
F-Secure     9.0.15370.0     2010.03.30     Exploit.PDF-JS.Gen
GData     19     2010.03.30     Exploit.PDF-JS.Gen
Kaspersky     7.0.0.125     2010.03.30     Exploit.JS.Pdfka.bvz
Microsoft     1.5605     2010.03.30     Exploit:Win32/Pdfjsc.gen!A
nProtect     2009.1.8.0     2010.03.30     Exploit.PDF-JS.Gen
Additional information
File size: 201777 bytes
MD5   : d7520d1957d5ef26e068727fac4c4f02

Vicheck.ca
https://www.vicheck.ca/md5query.php?hash=d7520d1957d5ef26e068727fac4c4f02
Type: PDF Exploit call to media.newPlayer CVE-2009-4324
XOR Key:0x[]


CVE-2009-4324

 

Malware links March 2010

If you are looking for links to download samples, look here Links and resources for malware samples

• hxxp://66.232.142.167/funny.php    JS/Exploit.ADODB.Stream.NAP trojan   
•  hxxp://googlecounter.cn/web/gla.php contains PDF/Exploit.Gen trojan.
• hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/SmileyCentralInitialSetup1.0.1.1.cab contains a variant of Win32/AdInstaller 
• hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5.exe/oHbcb9bc6cV0100f070006R8b2e329c102Tf70a1fc2201l0409K6cb1af37317 contains JS/Exploit.Pdfka.BXK trojan.
• hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5.exe/eHbcb9bc6cV0100f070006R8b2e329c102Tf70a1fde201l0409K6cb1af37318J0f0006010 contains Win32/Adware.SpywareProtect2009 application.
• hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5 .asp/oHbcb9bc6cV0100f070006Rbab08f6d102Tf70a1fd7201l0409K5c3a3a34317 contains JS/Exploit.Pdfka.BXK trojan. 
• hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5 .asp/eHbcb9bc6cV0100f070006Rbab08f6d102Tf70a1fd2201l0409K5c3a3a34318J0f0006010 contains Win32/Adware.SpywareProtect2009 application.
• http://www.paramountcommunication.com/heritage/index.php?utm_source=Newsletter&utm_medium=Email&utm_campaign=Insider+Online&email=...   JS/TrojanDownloader.Pegel.AA  
• hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab    a variant of Win32/AdInstaller       
• hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/myWebFaceInitialSetup1.0.1.3.cab    a variant of Win32/AdInstaller 
•  hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-6/1.2.0.1/MyFunCards.exe    a variant of Win32/AdInstaller             
• hxxp://blogger-com.custhelp.com.lauxanh-us.readystockonline.ru:8080/mop.com/mop.com/google.com/woot.com/zol.com.cn.php    JS/TrojanDownloader.Iframe.NHK trojan          
• hxxp://capitalone-com.victoriassecret.com.rutube-ru.newsuperway.ru:808/qidian.com/qidian.com/kioskea.net/google.com/howstuffworks.com.php    JS/TrojanDownloader.Iframe.NHK trojan   
• hxxp://consuladodamulher.org.br/Itau/cont_artigos.php?s=TQQeTma9&id=6    multiple threats      
• hxxp://golddeery.info/show-banner.php?kod=629081&site=ff.ca    HTML/Iframe.B.Gen virus  
• hxxp://google.analytics.com.hzlyaejcvmat.info/nte/AVORP1KAV6 .asp/oU230d9c2eHbcb9bc6cV0100f070006R8c1977ae102Tf7326dcc201l0409K7959373b317    JS/Exploit.Pdfka.NTY trojan                      
• hxxp://google.analytics.com.mdmnegsxcytq.info/kav/kav5.html/oHbcb9bc6cV0100f070006R24c1e2fe102Tf7114d86201l0409Kede2a3a5317    JS/Exploit.Pdfka.NUI trojan          
• hxxp://google.analytics.com.mdmnegsxcytq.info/kav/kav5.py/oHbcb9bc6cV03002f36002R22c9ccec102Tf7139f4fQ000002f3901801F002a000aJ11000601l0409K41010ef5317    JS/Exploit.Pdfka.NUI trojan          
•  hxxp://google.analytics.com.molbquhwebp.info/kav/kav5.py/eHbcb9bc6cV0100f070006Ra7e4cffb102Tf7151520201l0409Kd9bdaac13240    a variant of Win32/Kryptik.DHM trojan   
• hxxp://google.analytics.com.molbquhwebp.info/kav/kav5.py/oHbcb9bc6cV0100f070006Ra7e4cffb102Tf7151527201l0409Kd9bdaac1317    JS/Exploit.Pdfka.NUI trojan              
• hxxp://google.analytics.com.vvpwiceojasw.info/kavs/KAV6.exe/oHbcb9bc6cV0100f070006R695b81f8102Tf71ecc4c201l0409Ked0fd1fa317    JS/Exploit.Pdfka.NUI trojan      
• hxxp://media.stu.edu.cn/ckjournalists/wp-content/plugins/test/fragus/pdf.php    PDF/Exploit.Pidief.OJS.Gen trojan     
•  hxxp://origin-ics.seekmo.com/IC/GPLSeekmo7Zip02/770/-2_td_g-m_tsu_o9_oh_g44_tm8_g-l_tzg9xhg_g-t_tzdzpgcd_g4kl_tl_g-e_tul-m8_gk8_tp_oz/7zipsetup.exe    a variant of Win32/Adware.HotBar.E application 
• hxxp://reeufgcwdaa.com/kavs/KAV6.exe/oHbcb9bc6cV03f01830002Ra6b096a2102Tf71a35a1Q000002f3901801F002a000aJ11000601l0409K4c7ff6ef317    JS/Exploit.Pdfka.NUI trojan      
•  hxxp://rytsedwtov.in/new/sdfg.jar    multiple threats   
•  hxxp://traffictravelling.com/cgi-bin/001?sourceid=3&domain=d3.zedo.com/q002106201317r0409R96b62002Xf72fe433Ybcb9bc6cZ0100f070    JS/Exploit.Pdfka.BQP trojan          
• hxxp://www.car-parking.eu/city/geneva.html    JS/TrojanDownloader.Agent.NTN trojan    
• hxxp://www.samplegraduateschoolessay.com/wp-content/plugins/wp-email/email-js-packed.js?ver=2.31    JS/TrojanDownloader.Agent.NRN trojan        
• hxxp://www.sciences-po.org/    HTML/ScrInject.B.Gen virus                       
  hxxp://www1.hatin-the-safe-atpc.in/build6_290.php?cmd=sendFile&counter=2&p=p52dcWptaF/Cj8bYbnOCdVik12qYVp/Zatrau4FdlJ/JnsWYeHpfqKygdW2SY5jKZ2NmamJpiqDWkaTboKCViaJ0WKrO1c+eb1qfnaSZdV/XlsndblaWpG9rnFuTYGCUXpmSlGprWKjKx6Chpqipbmdjr7DYW8vVoJeZmWCb05qRo5XHn8bM    a variant of Win32/Kryptik.DFC trojan         
• hxxp://ylwgheakrozn.com/nte/AVORP1TATRA9.py    JS/Exploit.Agent.NBA trojan              

           

Mar 28 CVE-2010-0806 IE 0-day U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered from richard.mark45@yahoo.com

• CVE-2010-0806 Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010. 
• Microsoft Security Advisory (981374) and fix - kb 981374 Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution 

Malicious link hxxp://spot-news.com/spot/news.html

Details hxxp://spot-news.com/spot/news.html

 
Here is more more piece of news from the same source as earlier today. Maybe they hope we abandon BBC World News and switch to their agency.

From: Richard Mark [mailto:richard.mark45@yahoo.com]
Sent: Sunday, March 28, 2010 11:17 PM
To: XXXXXXXXXXXXXX
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

U.S.-ROK ALLIANCE

In Korea, Divide and be Conquered

Brookings Senior Fellow Michael O'Hanlon argues that, for a number of practical
reasons, 2012 may prove too soon to transfer wartime operational control of
South Korean forces to Korean command. O'Hanlon writes that if there is a
need to evaluate the 2012 plan afresh, that should happen without apology,
without undue haste and without any predetermined conclusion.

Read More

Header info
Received: from [123.125.156.136] by web114509.mail.gq1.yahoo.com via HTTP;
 Sun, 28 Mar 2010 20:17:26 PDT
X-Mailer: YahooMailRC/324.3 YahooMailWebService/0.8.100.260964
Date: Sun, 28 Mar 2010 20:17:26 -0700
From: Richard Mark
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered


Sender ip info        Hostname:    123.125.156.151
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing

The exploit and all other details are the same as in this post from earlier today

Mar 27 CVE-2010-0806 IE 0-day Dozens missing after ship sinks near North Korea from kevin.bohn33@hotmail.com

• CVE-2010-0806 Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010. 
• Microsoft Security Advisory (981374) and fix - kb 981374 Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution 

Malicious link  hxxp://spot-news.com/test/test.html (still active on March 27, 2010) -  Internet Explorer Zero day exploit

Download  043d308bfda76e35122567cf933e1b2a winint32.exe and test.htm as a password protected archive (please contact me if you need the password)

Details on the link and files

Update March 30, 2010 - Cisco issued  a Threat Outbreak Alert alert related to this particular threat.

From: Kevin Bohn [mailto:kevin.bohn33@hotmail.com]
Sent: Saturday, March 27, 2010 7:35 AM
To: XXXXXXXXXXX
Subject: Dozens missing after ship sinks near North Korea


Dozens missing after ship sinks near North Korea
a navy ship sank in tense Yellow Sea waters off the coast of North Korea.

Detail Story   http://www.mofat.go.kr/press/breifing
_______________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.


Headers

Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959);     Sat, 27 Mar 2010 04:34:39 -0700
Message-ID:
Return-Path: kevin.bohn33@hotmail.com
Content-Type: multipart/alternative;
    boundary="_2fd4e512-5e88-49c3-96eb-4fc20039c8d1_"
X-Originating-IP: [123.125.156.151]
From: Kevin Bohn
Sender ip info 

      Hostname:    123.125.156.151
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing



Site host info from robtex.com hxxp://spot-news.com/test/test.html
124.217.255.232 

satpalast.com, oxidesale.com, serendipity.li, http://www.blogger.com/dns/www.satpalast.com.html, teenz-info-ms.net and at least two other hosts point to 124.217.255.232. It is blacklisted in one list.

Hostname: 124.217.255.232
ISP: PIRADIUS NET
Organization: PIRADIUS NET
Country: Malaysia
State/Region: Johor
City: Johor Bahru

Exploit info
Please see Trancer's post with more details about the exploit and explanation by Praetorian Prefect

hxxp://spot-news.com/test/test.html 

Tested on Windows XP SP2 Internet Explorer  7

The following files were created:

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\J742EA2Y\test.htm

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5NRUWTV44\winint32.exe

Virustotal

test.htm

http://www.virustotal.com/analisis/276b1482b3c59c80d4d0ee9987203f6ded5452b805425eb5c5ebe4439fc8071f-1269725177

File test.htm received on 2010.03.27 21:26:17 (UTC)
Result: 3/42 (7.14%)
Print results Print results
AVG     9.0.0.787     2010.03.27     Script/Exploit
Microsoft     1.5605     2010.03.27     Exploit:JS/CVE-2010-0806
Sunbelt     6101     2010.03.26     Trojan.JS.BOFExploit (v)

winint32.exe

http://www.virustotal.com/analisis/2db8a9c401911c7317e8a89c35d979d0e8e9ba718ae13a0a0cfedd957654ec10-1269725346

  File winint32.exe received on 2010.03.27 21:29:06 (UTC)
Result: 3/42 (7.15%)
Microsoft    1.5605    2010.03.27    Trojan:Win32/Tapaoux.A
Panda    10.0.2.2    2010.03.27    Suspicious file
Symantec    20091.2.0.41    2010.03.27    Suspicious.Insight
File size: 357344 bytes
MD5...: 043d308bfda76e35122567cf933e1b2a

Microsoft information about Trojan:Win32/Tapaoux.A

Threatexpert report

Anubis Report

[#############################################################################] Anubis Analysis Report for winint32.exe MD5: 043d308bfda76e35122567cf933e1b2a [#############################################################################] Summary: - Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically. - Creates files in the Windows system directory: Malware often keepscopies of itself in the Windows directory to stay undetected by users. - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Spawns Processes: The executable produces processes during the execution. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - winint32.exe a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Other Activities - services.exe a) Registry Activities b) File Activities c) Other Activities - cmd.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 60 s Report created: 03/27/10, 17:53:24 UTC Termination reason: All tracked processes have exited Program version: 1.74.2681 [#############################################################################] 2. winint32.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: winint32.exe MD5: 043d308bfda76e35122567cf933e1b2a SHA-1: 0d941f58d554a9970e50adb353193ea3525f9c8f File Size: 357344 Bytes Command Line: "C:\winint32.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ], Base Address: [0x00B60000 ], Size: [0x00216680 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] [=============================================================================] 2.a) winint32.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ ], New Value: [ Microsoft Explorer ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ IsInstalled ], New Value: [ 1 ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ StubPath ], New Value: [ "C:\WINDOWS\system32\inetcpl.exe" SystemBasicTools ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ Version ], New Value: [ 1,0,0,1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ Version ], New Value: [ 1,0,0,0 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Startup ], New Value: [ C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ Version ], Value: [ 1,0,0,1 ], 2 times Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Startup ], Value: [ %USERPROFILE%\Start Menu\Programs\Startup ], 1 time [=============================================================================] 2.b) winint32.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\bitcheck.dll ] File Name: [ C:\WINDOWS\system32\inetcpl.exe ] File Name: [ C:\WINDOWS\system32\inetcpl.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\bitcheck.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\bitcheck.dll ] File Name: [ C:\WINDOWS\system32\inetcpl.exe ] File Name: [ C:\WINDOWS\system32\inetcpl.sys ] File Name: [ WinChkDrv77 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ WinChkDrv77 ], Control Code: [ 0x0022E660 ], 1 time File: [ WinChkDrv77 ], Control Code: [ 0x0022E65C ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\COMCTL32.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) winint32.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ WinChkDrv77 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ WinChkDrv77 ], Type: [ SERVICE_DEMAND_START ], Path: [ C:\WINDOWS\system32\inetcpl.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ WinChkDrv77 ] [=============================================================================] 2.d) winint32.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ] Executable: [ ], Command Line: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=============================================================================] 2.e) winint32.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x40b4d9 ], 1 time Description: [ Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x40b57b ], 1 time [#############################################################################] 3. services.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: A service was started. Filename: services.exe MD5: 0e776ed5f7cc9f94299e70461b7b8185 SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf File Size: 108544 Bytes Command Line: C:\WINDOWS\system32\services.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\SCESRV.dll ], Base Address: [0x7DBD0000 ], Size: [0x00051000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ], Base Address: [0x7DBA0000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ], Base Address: [0x47260000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\eventlog.dll ], Base Address: [0x77B70000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] [=============================================================================] 3.a) services.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\CONTROL\CLASS\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77\0000\Control ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77 ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77\Security ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77\Enum ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], Value Name: [ Driver ], New Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ], Value Name: [ DeleteFlag ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ], Value Name: [ Start ], New Value: [ 4 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WinChkDrv77\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_WINCHKDRV77\0000 ], 3 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WinChkDrv77\Enum ], Value Name: [ Count ], Value: [ 1 ], 6 times [=============================================================================] 3.b) services.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ] File Name: [ C:\WINDOWS\system32\config\SysEvent.Evt ] [=============================================================================] 3.c) services.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Drivers Loaded: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Driver: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ] [#############################################################################] 4. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by winint32.exe Filename: cmd.exe MD5: 6d778e0f95447e6546553eeea709d03c SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 File Size: 389120 Bytes Command Line: cmd /c C:\SystemCheck.bat Process-status at analysis end: dead Exit Code: 1 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] 4.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ AutoRun ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 9 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time [=============================================================================] 4.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\winint32.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org

Mar 25 CVE-2010-0188 PDF Re: conference memo from jesseandy2@gmail.com

• CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors

Download  c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF and all files below as a password protected archive (please contact me if you need the password)

Details c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF 

This is a fake conversation - it is a semi interesting social engineering trick.

 

From: Lee [mailto:jesseandy2@gmail.com]
Sent: Thursday, March 25, 2010 11:11 PM
To: XXXXXXXXXXXXXX
Subject: Re: conference memo

Who are you?What do you mean?.This conference memo  is nothing with me.

On Thu, Mar 25, 2010 at 4:46 PM,  wrote:
 
Hey,this is the last conference memo, After reading it ,pls send it to Mr Francis,and delete this mail ASAP.

Lee


Virustotal report
http://www.virustotal.com/analisis/49cefe07c61ddce14b2eea7c64a5bc2a97e29e0bbdd0cd52832a1dff0369a523-1269796247
 File conference_memo.PDF received on 2010.03.28 17:10:47 (UTC)
Result: 4/42 (9.53%)
F-Secure    9.0.15370.0    2010.03.28    Exploit:W32/Pidief.CNF
PCTools    7.0.3.5    2010.03.28    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.28    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.28    Trojan.Pidief.I
File size: 76137 bytes
MD5...: c9c89ebc508c783defe7042eb9c0e5cc

parsed with pdf-parser.py  

Mar 24 CVE-2008-0081 XLS 2010_ beauty calendar from navy_kidds@yahoo.com.tw

• CVE-2008-0081 Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted macros, aka "Macro Validation Vulnerability," a different vulnerability than CVE-2007-3490.

Download 7d5b0b8274e189d406cc3374f994e441 - 2010_.xls as a password protected archive (please contact me if you need the password)

• Details 7d5b0b8274e189d406cc3374f994e441 - 2010_.xls

2010_ beauty calendar

 From: bruce Mr. [mailto:navy_kidds@yahoo.com.tw]
Sent: Wednesday, March 24, 2010 4:44 AM
To XXXXX
Subject: 2010_美女月曆
Importance: Low



 






Headers
Received: from [203.188.203.171] by t2.bullet.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:44:02 -0000
Received: from [127.0.0.1] by omp104.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:43:51 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 403351.51908.bm@omp104.mail.tp2.yahoo.com
      
Hostname:    omp104.mail.tp2.yahoo.com
      ISP:    TAIPEI, TAIWAN
      Organization:    TAIPEI, TAIWAN
      Country:    Taiwan
      State/Region:    T'ai-pei
      City:    Taipei


Virustotal
http://www.virustotal.com/analisis/829b04fe2362b07185694f08d25e91372d95afc9540df9247b58157a46da4c02-1269464469
 File 2010_.xls received on 2010.03.24 21:01:09 (UTC)
Result: 12/42 (28.58%)
a-squared    4.5.0.50    2010.03.24    Exploit.MSExcel.Agent!IK
Antiy-AVL    2.0.3.7    2010.03.24    Exploit/MSExcel.Agent
Authentium    5.2.0.5    2010.03.24    MSExcel/Dropper.B!Camelot
Comodo    4372    2010.03.24    UnclassifiedMalware
F-Prot    4.5.1.85    2010.03.24    File is damaged
Fortinet    4.0.14.0    2010.03.24    MSExcel/UDDesc.A!exploit.M20080081
Ikarus    T3.1.1.80.0    2010.03.24    Exploit.MSExcel.Agent
Kaspersky    7.0.0.125    2010.03.24    Exploit.MSExcel.Agent.u
McAfee    5930    2010.03.24    Exploit-MSExcel.h
McAfee+Artemis    5930    2010.03.24    Exploit-MSExcel.h
McAfee-GW-Edition    6.8.5    2010.03.24    Heuristic.BehavesLike.Exploit.OLE2.CodeExec.PGPG
File size: 109184 bytes
MD5...: 7d5b0b8274e189d406cc3374f994e441