Aug 7, 2009

Malware Analysis: Antivirus System PRO

I received a suspicious file and did a simple behaviour analysis. It turned out to be a spyware/trojan that poses as an antivirus product.

Analysis Report:
##############

File: sysguard.exe
Size: 309504
MD5: CB0B3C95821DD9C306562BC30B6D546A
Virus Found: Win32:Spyware-gen (Avast), Trojan:Win32/FakeSpypro (Microsoft)

On the VirusTotal website, only 15 out of 41 AV engines detected it. Major AV vendors such as McAfee, Symantec and TrendMicro did not detect it at all.



Summary:
=======
This is a scam trojan that acts as an antivirus program: it tricks users into believing they are infected by viruses and offers to clean the machine if they purchase a license. It is not clear whether it ever removes any real virus, but it definitely behaves like malware itself, periodically opening the IE browser to its homepage and to websites such as www.porno.org, and popping up fake virus alerts.

When the trojan is running (screenshot):
When you run the program, it will "scan" your system and alert you that your system is infected by many viruses.

When closing the program (screenshot):
When you try to close the "Antivirus" program, it informs the user that "Your PC will not be protected against spyware" and tries to trick the user into purchasing the full version of the program.

Tricking the user into buying the license (screenshot):
The program keeps showing the "Spyware Protect 2009 evaluation version warning" popup, asking the user to purchase the full version.

Spyware Alert (screenshot):
Periodically, the user sees a fake "Spyware Alert!" popup telling the user that "Your computer is infected by spyware" and prompting the user to "upgrade" the "Antivirus" program.

Technical Details:
################

Registry keys added:
==============
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}\InProcServer32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BED0754A-8164-42a7-BAE8-A733451A0286}
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}\iexplore
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan

Registry values added:
===============
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}\InProcServer32\: "C:\WINDOWS\system32\iehelper.dll"
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}\: "BHO"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BED0754A-8164-42a7-BAE8-A733451A0286}\: ""
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv"
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv"
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Recovery\Active\{FFECBCBC-8329-11DE-811E-000C2965EC82}: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\flfthneq.rkr: 03 00 00 00 06 00 00 00 A0 48 E9 0F 36 17 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}\iexplore\Type: 0x00000003
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}\iexplore\Flags: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}\iexplore\Count: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}\iexplore\Time: D9 07 08 00 05 00 07 00 08 00 0C 00 0D 00 7E 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}\iexplore\LoadTime: 0x00000012
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BED0754A-8164-42A7-BAE8-A733451A0286}\iexplore\LoadTimeCount: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\sysguard.exe: "sysguard"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Internet Explorer\IEXPLORE.EXE: "Internet Explorer"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\aazalirt: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\skaaanret: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\jungertab: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\zibaglertz: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\iddqdops: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\ronitfst: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\tobmygers: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\jikglond: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\tobykke: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\klopnidret: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\jiklagka: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\salrtybek: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\seeukluba: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\jrjakdsd: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\krkdkdkee: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\dkewiizkjdks: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\dkekkrkska: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\rkaskssd: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\kuruhccdsdd: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\krujmmwlrra: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\kkwknrbsggeg: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\ktknamwerr: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\iqmcnoeqz: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\ienotas: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\krkmahejdk: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\otpeppggq: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\krtawefg: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\oranerkka: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\kitiiwhaas: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\otowjdseww: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\otnnbektre: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\oropbbsee: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\irprokwks: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\ooorjaas: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\id: "33.2"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\ready: 0x00000001
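Three things in the registry diff above are worth pulling out mechanically rather than by eye: the Browser Helper Object registration (the CLSID listed under Browser Helper Objects, whose InProcServer32 default value points COM at iehelper.dll), the ROT13-encoded UserAssist entry that records the sample being launched from the Desktop, and the random-named marker values under Software\AvScan. The following Python script is an added example, not part of the original report; it parses a copy of the diff lines above (the format "key\value: data" as the sandbox prints it), and the function names, the "\Count\" split rule and the XP UserAssist counter offset of 5 are my assumptions about that format rather than anything the report states.

```python
import codecs
import struct
from datetime import datetime, timedelta

# Registry-diff lines copied from the report above (a subset).  The sandbox
# prints each value as "<key path>\<value name>: <data>".
REPORT_LINES = r"""
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}\InProcServer32\: "C:\WINDOWS\system32\iehelper.dll"
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{BED0754A-8164-42a7-BAE8-A733451A0286}\: "BHO"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BED0754A-8164-42a7-BAE8-A733451A0286}\: ""
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\flfthneq.rkr: 03 00 00 00 06 00 00 00 A0 48 E9 0F 36 17 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\aazalirt: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\id: "33.2"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\AvScan\ready: 0x00000001
""".strip().splitlines()

BHO_SUBKEY = "\\Explorer\\Browser Helper Objects\\"
USERASSIST_SUBKEY = "\\UserAssist\\"
FILETIME_EPOCH = datetime(1601, 1, 1)


def parse_line(line):
    """Split one diff line into (key path, value name, raw data)."""
    path, _, data = line.rpartition(": ")
    if USERASSIST_SUBKEY in path:
        # UserAssist value names are full program paths and so contain
        # backslashes themselves; the real boundary is the "\Count\" subkey.
        key, _, name = path.partition("\\Count\\")
        return key + "\\Count", name, data
    key, _, name = path.rpartition("\\")
    return key, name, data


def find_bhos(records):
    """Map each registered Browser Helper Object CLSID to its in-process DLL."""
    clsids, inproc = set(), {}
    for key, name, data in records:
        if BHO_SUBKEY in key:
            clsids.add(key.rsplit("\\", 1)[1].upper())
        elif key.upper().endswith("\\INPROCSERVER32") and name == "":
            # The (Default) value of InProcServer32 is the DLL COM will load.
            inproc[key.rsplit("\\", 2)[1].upper()] = data.strip('"')
    return {c: inproc.get(c, "<InProcServer32 not in diff>") for c in clsids}


def decode_userassist(name, data):
    """ROT13 the value name and unpack the XP-era 16-byte counter blob."""
    decoded = codecs.decode(name, "rot_13")
    session, count, filetime = struct.unpack("<IIQ", bytes.fromhex(data))
    # Windows XP starts UserAssist counters at 5 (assumption from the XP
    # format), so count - 5 is the number of launches; the FILETIME is the
    # last launch in UTC.
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return decoded, count - 5, last_run


def avscan_markers(records):
    """Values the sample writes under its own Software\\AvScan key."""
    return {name: data for key, name, data in records
            if key.endswith("\\Software\\AvScan")}


def triage(lines):
    """Run all three checks over the diff and return the findings."""
    records = [parse_line(l) for l in lines if l.strip()]
    runs = [decode_userassist(name, data) for key, name, data in records
            if USERASSIST_SUBKEY in key]
    return {"bho": find_bhos(records), "runs": runs,
            "avscan": avscan_markers(records)}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for clsid, dll in result["bho"].items():
        print("BHO", clsid, "->", dll)
    for path, n, when in result["runs"]:
        print("UserAssist:", path, "launches:", n, "last:", when)
    print("AvScan markers:", result["avscan"])
```

The decoded UserAssist entry reads UEME_RUNPATH:C:\Documents and Settings\Owner\Desktop\sysguard.exe with a last-run FILETIME of 7 Aug 2009, which agrees with the SYSTEMTIME stored in the BHO's Ext\Stats\...\iexplore\Time value above.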

Registry values modified:
===============
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 5B 3B 74 9B 83 B2 9A C6 F4 81 2B AA DE EF 53 81 4F 0E 94 64 EB A5 DC CD 3A 51 73 3C 42 81 1B 0C 30 E8 16 0E 5A 62 0C 58 E9 D4 14 7E 7B 60 99 88 86 D0 2F 76 06 5E 25 CC 0C BE E5 34 F4 C5 E0 4F F9 38 26 4C 89 72 B3 D0 77 93 44 E9 79 18 23 EE
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 5A 32 96 8A E8 58 FB 1D 09 37 B5 62 98 57 47 A4 8E C6 A0 86 1F 44 55 11 06 71 92 BC 52 C9 B7 22 D5 5A 3D E7 B2 54 14 84 B3 BB AC F8 D3 32 DA 3E FA A1 DF F0 CF 86 08 48 3F C4 E5 42 A6 6C ED 50 31 60 60 2E 98 35 B2 13 AC FA C0 E4 DC 84 A3 FC
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000009
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000000B
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 53 00 00 00 6B 00 00 00 73 03 00 00 C3 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 53 00 00 00 2A 00 00 00 73 03 00 00 82 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "egdfcba"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "gedfcba"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "jihgfcedba"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "hjigfcedba"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "ba"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "ab"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Balloon_Time: 3E 8A AD 89 78 16 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Balloon_Time: 00 B6 E7 39 36 17 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 03 00 00 00 35 00 00 00 D0 83 A5 98 35 17 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 03 00 00 00 36 00 00 00 D0 A6 D8 0F 36 17 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 8B 00 00 00 A0 25 B6 98 35 17 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 8C 00 00 00 A0 48 E9 0F 36 17 CA 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Count: 0x00000005
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Count: 0x00000006
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Time: D9 07 06 00 01 00 1D 00 0E 00 08 00 10 00 1F 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Time: D9 07 08 00 05 00 07 00 08 00 0C 00 0B 00 1E 03
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Count: 0x00000005
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Count: 0x00000006
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Time: D9 07 06 00 01 00 1D 00 0E 00 08 00 10 00 2E 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Time: D9 07 08 00 05 00 07 00 08 00 0C 00 0B 00 2E 03
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 26 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 03 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows Script\Settings\JITDebug: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows Script\Settings\JITDebug: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\SessionInformation\ProgramCount: 0x00000003
HKU\S-1-5-21-1085031214-926492609-839522115-1003\SessionInformation\ProgramCount: 0x00000004

Files added:
========
C:\WINDOWS\system32\iehelper.dll

Other behaviours:
============
>The IE browser opens to several different URLs at intervals of a few minutes. Some of the URLs are listed below:
-www.porno.org
-private.microsoft.com
-avir-guardian.com/purchase?r=33.2


>It changes the hosts file so that it contains the following entries:
127.0.0.1 localhost
::1 localhost
91.206.201.8 private.microsoft.com
91.206.201.8 avir-guardian.com
91.206.201.8 www.avir-guardian.com
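The hosts entries above do two things at once: they pin a microsoft.com hostname (the one IE is opened to) to a public IP, and they put that name on the same address as the scam's own purchase domain. As an added example that is not part of the original post, the Python checker below parses a copy of those entries and flags both patterns; the PROTECTED_SUFFIXES list and the function names are my assumptions.

```python
import ipaddress

# The hosts file contents as listed in the report above (copied, not a
# live capture).
HOSTS_TEXT = """
127.0.0.1 localhost
::1 localhost
91.206.201.8 private.microsoft.com
91.206.201.8 avir-guardian.com
91.206.201.8 www.avir-guardian.com
"""

# Assumed list: vendor domains that should never be pinned to a
# non-loopback address by the hosts file on an end-user machine.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def _is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def suspicious_entries(entries):
    """Flag vendor-name hijacks and groups of names pinned to one external IP."""
    findings = []
    names_by_ip = {}
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            continue  # "127.0.0.1 localhost" and "::1 localhost" are the defaults
        names_by_ip.setdefault(ip, []).append(name)
        if addr.is_global and _is_protected(name):
            findings.append(("spoofed_vendor_host", ip, name))
    for ip, names in names_by_ip.items():
        if len(names) > 1:
            # Several unrelated names on one remote IP is the redirect pattern
            # seen here: the lookalike vendor name and the purchase site.
            findings.append(("shared_external_ip", ip, sorted(names)))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in suspicious_entries(parse_hosts(HOSTS_TEXT)):
        print(kind, ip, detail)
```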

>The trojan is not compressed or encrypted by any packer. It is written in Visual C++, which makes reverse engineering it much easier.
PEiD showing that the program is written in Microsoft Visual C++ (screenshot)
