contagio

Showing posts with label - INTERNET EXPLORER 7. Show all posts

Tuesday, March 30, 2010

ESET Nod32 detection of CVE-2010-0806

March 30, 2010 ESET quickly corrected the false positive and there should be no more alarms. Please update your AV definitions.

The following links are being detected by ESET Nod32 as JS/Exploit.CVE-2010-0806 trojan. However, I looked at the js files and i do not see the CVE-2010-0806 exploit in them. They seem to be false positives - some sort of ads scripts.

    * hxxp://assets.loomia.com/js/clixdom.js
    * hxxp://widget-cache.loomia.com/js/onewidget_clix.js
    * hxxp://a.l.yimg.com/a/lib/s5/searchpad_core_metro_js_200911061221.js

http://www.virustotal.com/analisis/66fda6e512a0900224cec2ed93c2facac2ba80ef7e1c62d866c7b0d46af9cd15-1269964297%20

File clixdom.js received on 2010.03.30 15:51:37 (UTC)
Result: 1/42 (2.38%)
NOD32 4985 2010.03.30 JS/Exploit.CVE-2010-0806

Let me know if I am wrong.

Thanks -M

P.S. I just found this discussion related to it JS/EXploit.CVE-2010-0806 trojan on Yahoo

Mar 30 CVE-2010-0806 IE 0-day hxxp://bbs.vgl.co.kr/bbs/icon/ie.html

hxxp://bbs.vgl.co.kr/bbs/icon/ie.html - malicious link

Download ie.html as a password protected archive (or you can get it from the link above) Please contact me if you need the password

Details ie.html

http://www.virustotal.com/analisis/6827df1e55c9d7bbbf80272a919606aa7d5ee7b90fd049d67c6b2c0e2f458819-1269977772
File ie.html received on 2010.03.30 19:36:12 (UTC)
Result: 19/42 (45.24%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.03.30    Exploit.JS.CVE-2010-0806!IK
Authentium    5.2.0.5    2010.03.30    JS/Cosmu.A
Avast    4.8.1351.0    2010.03.30    JS:CVE-2010-0806-C
Avast5    5.0.332.0    2010.03.30    JS:CVE-2010-0806-C
AVG    9.0.0.787    2010.03.29    Exploit
BitDefender    7.2    2010.03.30    Exploit.Cosmu.A
eSafe    7.0.17.0    2010.03.28    JS.CVE2010-0806
eTrust-Vet    35.2.7396    2010.03.30    JS/Dish!exploit
F-Prot    4.5.1.85    2010.03.30    JS/Cosmu.A
F-Secure    9.0.15370.0    2010.03.30    Exploit.Cosmu.A
Fortinet    4.0.14.0    2010.03.30    JS/CVE20100806.B!exploit
GData    19    2010.03.30    Exploit.Cosmu.A
Ikarus    T3.1.1.80.0    2010.03.30    Exploit.JS.CVE-2010-0806
Kaspersky    7.0.0.125    2010.03.30    Exploit.JS.CVE-2010-0806.b
Microsoft    1.5605    2010.03.30    Exploit:JS/CVE-2010-0806
nProtect    2009.1.8.0    2010.03.30    Exploit.Cosmu.A
Sophos    4.52.0    2010.03.30    Troj/ExpJS-R
Sunbelt    6117    2010.03.30    Trojan.JS.BOFExploit (v)
VirusBuster    5.0.27.0    2010.03.30    JS.BOFExploit.Gen
Additional information
File size: 6494 bytes
MD5...: fcfeb0287f172a2c58f680fcd120ea48

bbs.vgl.co.kr has one IP number , which is the same as for vgl.co.kr, but the reverse is 211-115-80-207.kidc.net. vgl.co.kr and http://www.robtex.com/dns/www.vgl.co.kr.html point to the same IP. vgl.co.kr is delegated to two nameservers, however one delegated nameserver is missing in the zone. Incoming mail for vgl.co.kr is handled by seven mailservers having a total of 28 IP numbers. Some of them are on the same IP network. bbs.vgl.co.kr is hosted on a server in Korea. It is not listed in any blacklists.

      Hostname:    211-115-80-207.kidc.net
      ISP:    KRNIC
      Organization:    Hanbiro, Inc.
       Country:    Korea, Republic of
      State/Region:    Soul-t'ukpyolsi
      City:    Seoul

Sunday, March 28, 2010

Mar 28 CVE-2010-0806 IE 0-day U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered from richard.mark45@yahoo.com

Malicious link hxxp://spot-news.com/spot/news.html

Details hxxp://spot-news.com/spot/news.html

Here is more more piece of news from the same source as earlier today. Maybe they hope we abandon BBC World News and switch to their agency.

From: Richard Mark [mailto:richard.mark45@yahoo.com]
Sent: Sunday, March 28, 2010 11:17 PM
To: XXXXXXXXXXXXXX
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

U.S.-ROK ALLIANCE

In Korea, Divide and be Conquered

Brookings Senior Fellow Michael O'Hanlon argues that, for a number of practical
reasons, 2012 may prove too soon to transfer wartime operational control of
South Korean forces to Korean command. O'Hanlon writes that if there is a
need to evaluate the 2012 plan afresh, that should happen without apology,
without undue haste and without any predetermined conclusion.

Read More

Header info
Received: from [123.125.156.136] by web114509.mail.gq1.yahoo.com via HTTP;
Sun, 28 Mar 2010 20:17:26 PDT
X-Mailer: YahooMailRC/324.3 YahooMailWebService/0.8.100.260964
Date: Sun, 28 Mar 2010 20:17:26 -0700
From: Richard Mark
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

Sender ip info       Hostname:    123.125.156.151
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing

The exploit and all other details are the same as in this post from earlier today

Saturday, March 27, 2010

Mar 27 CVE-2010-0806 IE 0-day Dozens missing after ship sinks near North Korea from kevin.bohn33@hotmail.com

Malicious link hxxp://spot-news.com/test/test.html (still active on March 27, 2010) - Internet Explorer Zero day exploit

Download 043d308bfda76e35122567cf933e1b2a winint32.exe and test.htm as a password protected archive (please contact me if you need the password)

Details on the link and files

Update March 30, 2010 - Cisco issued a Threat Outbreak Alert alert related to this particular threat.

From: Kevin Bohn [mailto:kevin.bohn33@hotmail.com]
Sent: Saturday, March 27, 2010 7:35 AM
To: XXXXXXXXXXX
Subject: Dozens missing after ship sinks near North Korea

Dozens missing after ship sinks near North Korea
a navy ship sank in tense Yellow Sea waters off the coast of North Korea.

Detail Story http://www.mofat.go.kr/press/breifing
_______________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.

Headers

Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com

 with Microsoft SMTPSVC(6.0.3790.3959);     Sat, 27 Mar 2010 04:34:39 -0700

Message-ID: 

Return-Path: kevin.bohn33@hotmail.com

Content-Type: multipart/alternative;

    boundary="_2fd4e512-5e88-49c3-96eb-4fc20039c8d1_"

X-Originating-IP: [123.125.156.151]

From: Kevin Bohn 

Sender ip info

      Hostname:    123.125.156.151
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing

Site host info from robtex.com hxxp://spot-news.com/test/test.html
124.217.255.232

satpalast.com, oxidesale.com, serendipity.li, http://www.blogger.com/dns/www.satpalast.com.html, teenz-info-ms.net and at least two other hosts point to 124.217.255.232. It is blacklisted in one list.

Hostname: 124.217.255.232
ISP: PIRADIUS NET
Organization: PIRADIUS NET
Country: Malaysia
State/Region: Johor
City: Johor Bahru

Exploit info
Please see Trancer's post with more details about the exploit and explanation by Praetorian Prefect

hxxp://spot-news.com/test/test.html

Tested on Windows XP SP2 Internet Explorer 7

The following files were created:

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\J742EA2Y\test.htm

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5NRUWTV44\winint32.exe

Virustotal

test.htm

http://www.virustotal.com/analisis/276b1482b3c59c80d4d0ee9987203f6ded5452b805425eb5c5ebe4439fc8071f-1269725177

File test.htm received on 2010.03.27 21:26:17 (UTC)
Result: 3/42 (7.14%)
Print results Print results
AVG    9.0.0.787    2010.03.27    Script/Exploit
Microsoft    1.5605    2010.03.27    Exploit:JS/CVE-2010-0806
Sunbelt    6101    2010.03.26    Trojan.JS.BOFExploit (v)

winint32.exe

http://www.virustotal.com/analisis/2db8a9c401911c7317e8a89c35d979d0e8e9ba718ae13a0a0cfedd957654ec10-1269725346

File winint32.exe received on 2010.03.27 21:29:06 (UTC)
Result: 3/42 (7.15%)
Microsoft   1.5605   2010.03.27   Trojan:Win32/Tapaoux.A
Panda   10.0.2.2   2010.03.27   Suspicious file
Symantec   20091.2.0.41   2010.03.27   Suspicious.Insight
File size: 357344 bytes
MD5...: 043d308bfda76e35122567cf933e1b2a

Microsoft information about Trojan:Win32/Tapaoux.A

Threatexpert report

Anubis Report

[#############################################################################]
    Anubis Analysis Report for winint32.exe
                   MD5: 043d308bfda76e35122567cf933e1b2a
[#############################################################################]

Summary: 
    - Autostart capabilities: 
        This executable registers processes to be executed at system start.
        This could result in unwanted actions to be performed automatically.

- Creates files in the Windows system directory:
        Malware often keepscopies of itself in the Windows directory to stay
        undetected by users.

- Performs File Modification and Destruction:
        The executable modifiesand destructs files which are not temporary.

- Spawns Processes:
        The executable produces processes during the execution.

- Performs Registry Activities:
        The executable reads and modifies registry values. It also creates and
        monitors registry keys.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- winint32.exe
  a) Registry Activities
  b) File Activities
  c) Windows Service Activities
  d) Process Activities
  e) Other Activities
    - services.exe
      a) Registry Activities
      b) File Activities
      c) Other Activities
    - cmd.exe
      a) Registry Activities
      b) File Activities

[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        60 s
        Report created:     03/27/10, 17:53:24 UTC
        Termination reason: All tracked processes have exited
        Program version:    1.74.2681

[#############################################################################]
    2. winint32.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        winint32.exe
        MD5:             043d308bfda76e35122567cf933e1b2a
        SHA-1:           0d941f58d554a9970e50adb353193ea3525f9c8f
        File Size:       357344 Bytes
        Command Line:    "C:\winint32.exe" 
        Process-status
        at analysis end: dead
        Exit Code:       0

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ],
               Base Address: [0x00B60000 ], Size: [0x00216680 ]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]

[=============================================================================]
    2.a) winint32.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Keys Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], 
             Value Name: [  ], New Value: [ Microsoft Explorer ]
        Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], 
             Value Name: [ IsInstalled ], New Value: [ 1 ]
        Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], 
             Value Name: [ StubPath ], New Value: [ "C:\WINDOWS\system32\inetcpl.exe" SystemBasicTools ]
        Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], 
             Value Name: [ Version ], New Value: [ 1,0,0,1 ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], 
             Value Name: [ Version ], New Value: [ 1,0,0,0 ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Startup ], New Value: [ C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], 
             Value Name: [ Version ], Value: [ 1,0,0,1 ], 2 times
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Startup ], Value: [ %USERPROFILE%\Start Menu\Programs\Startup ], 1 time

[=============================================================================]
    2.b) winint32.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\SystemCheck.bat ]
        File Name: [ C:\WINDOWS\system32\bitcheck.dll ]
        File Name: [ C:\WINDOWS\system32\inetcpl.exe ]
        File Name: [ C:\WINDOWS\system32\inetcpl.sys ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\system32\bitcheck.dll ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\SystemCheck.bat ]
        File Name: [ C:\WINDOWS\system32\bitcheck.dll ]
        File Name: [ C:\WINDOWS\system32\inetcpl.exe ]
        File Name: [ C:\WINDOWS\system32\inetcpl.sys ]
        File Name: [ WinChkDrv77 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        File: [ WinChkDrv77 ], Control Code: [ 0x0022E660 ], 1 time
        File: [ WinChkDrv77 ], Control Code: [ 0x0022E65C ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\SystemCheck.bat ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\COMCTL32.dll ]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ]
        File Name: [ C:\WINDOWS\system32\cmd.exe ]
        File Name: [ C:\WINDOWS\system32\imm32.dll ]
        File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) winint32.exe - Windows Service Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Services Started:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Service: [ WinChkDrv77 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Services Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ WinChkDrv77 ], Type: [ SERVICE_DEMAND_START ], Path: [ C:\WINDOWS\system32\inetcpl.sys ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Services Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Service: [ WinChkDrv77 ]

[=============================================================================]
    2.d) winint32.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ C:\SystemCheck.bat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\WINDOWS\system32\cmd.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\system32\cmd.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\WINDOWS\system32\cmd.exe ]

[=============================================================================]
    2.e) winint32.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x40b4d9 ], 1 time

Description: [ Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x40b57b ], 1 time

[#############################################################################]
    3. services.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: A service was started.
        Filename:        services.exe
        MD5:             0e776ed5f7cc9f94299e70461b7b8185
        SHA-1:           cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
        File Size:       108544 Bytes
        Command Line:    C:\WINDOWS\system32\services.exe
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ],
               Base Address: [0x5F770000 ], Size: [0x0000C000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
               Base Address: [0x76080000 ], Size: [0x00065000 ]
        Module Name: [ C:\WINDOWS\system32\SCESRV.dll ],
               Base Address: [0x7DBD0000 ], Size: [0x00051000 ]
        Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ],
               Base Address: [0x776C0000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ],
               Base Address: [0x7DBA0000 ], Size: [0x00021000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
               Base Address: [0x5CB70000 ], Size: [0x00026000 ]
        Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ],
               Base Address: [0x47260000 ], Size: [0x0000F000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\eventlog.dll ],
               Base Address: [0x77B70000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
               Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
               Base Address: [0x71AB0000 ], Size: [0x00017000 ]
        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
               Base Address: [0x71AA0000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ],
               Base Address: [0x76F50000 ], Size: [0x00008000 ]

[=============================================================================]
    3.a) services.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Keys Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CONTROLSET001\CONTROL\CLASS\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Keys Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ]
        Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77\0000\Control ]
        Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77\0000 ]
        Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77 ]
        Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77\Security ]
        Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77\Enum ]
        Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], 
             Value Name: [ Driver ], New Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ]
        Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ], 
             Value Name: [ DeleteFlag ], New Value: [ 1 ]
        Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ], 
             Value Name: [ Start ], New Value: [ 4 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], 
             Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], 
             Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WinChkDrv77\Enum ], 
             Value Name: [ 0 ], Value: [ Root\LEGACY_WINCHKDRV77\0000 ], 3 times
        Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WinChkDrv77\Enum ], 
             Value Name: [ Count ], Value: [ 1 ], 6 times

[=============================================================================]
    3.b) services.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ]
        File Name: [ C:\WINDOWS\system32\config\SysEvent.Evt ]

[=============================================================================]
    3.c) services.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Drivers Loaded:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Driver: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ]

[#############################################################################]
    4. cmd.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by winint32.exe
        Filename:        cmd.exe
        MD5:             6d778e0f95447e6546553eeea709d03c
        SHA-1:           811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
        File Size:       389120 Bytes
        Command Line:    cmd /c C:\SystemCheck.bat
        Process-status
        at analysis end: dead
        Exit Code:       1

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]

[=============================================================================]
    4.a) cmd.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ AutoRun ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ CompletionChar ], Value: [ 64 ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Command Processor ], 
             Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 
             Value Name: [ 1 ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 
             Value Name: [ 00000C07 ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], 
             Value Name: [ CompletionChar ], Value: [ 9 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], 
             Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], 
             Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time

[=============================================================================]
    4.b) cmd.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\SystemCheck.bat ]
        File Name: [ C:\winint32.exe ]

[#############################################################################]
                       International Secure Systems Lab                        
                            http://www.iseclab.org

Vienna University of Technology     Eurecom France            UC Santa Barbara
http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu

Contact: anubis@iseclab.org

Wednesday, March 10, 2010

Mar 10. CVE-2010-0806 - Internet Explorer 6/7 0-day notes by Extraexploit

Here are are some comments by extraexploit related to the most recent Internet explorer 0-day

Pages