Sunday, April 3, 2011

Money Mules & Malware Operators

Welcome to my first blog post. I am a get-it-done kind of guy, so let's dive right in. About a week ago, I received a tip about some rather weird money mule sites (a definition of a money mule and how the scam works: here) deploying malware to their mules as a sort of "test" to see if they are "fit" for employment by these money laundering scammers. As soon as I dived in, some things began making sense. First off, the money mule sites are operating on the following IP blocks/websites as of 3 days ago -


Now, a quick Google search on these IP blocks and domains shows that I am not the only one writing about this. Dancho Danchev, another IT security guy (a guru I look up to, in fact), has already covered it here. Another interesting link (by hpHosts) turned up during research into this money mule scam, found here, and was primarily what I went off of for the research from here down.

If you read that last link closely, you'll notice that hpHosts calls attention to the following directory path on these domains, which is the path used to reach the malware hosted on them -

/registration/need_quiz/?reg

Let's grab some malware and play with it. I run a malware lab for fun (yes, I know... it's as much of a hobby as collecting stamps or pet rocks, but I enjoy it). In this lab I try to figure out how malware operates. So let's get down to business with the malware I managed to pull from sites like this.

In this analysis, I plugged one sample into the lab and analyzed the rest via antivirus programs. Two things were of interest. First off, this psychiatric quiz is contained in a .exe file. Windows users, there's your virus/trojan, A.K.A. malware, right there. Second off, their link for the Mac OS X malware doesn't work and just redirects you to the online test. Too bad, as I was hoping to find some malware for the Mac to run tests on (if I had the capability of doing so). Don't get me wrong, I love the Mac interface. It's my second favorite OS in the world. However, a typical Mac user response that I see is "Viruses? Malware? Why do I have to worry about that... I use a Mac!" *insert elitist Mac user comment here* How I wish this was true (yes, malware for Macs does exist; I've sanitized my Mac before). So, moral of the story, the malware "test" is for Windows users only. *Hint: Steve Jobs - send me some Macs and I'll gladly turn over any malware research affecting your OS when I do find OS X malware*

Let's get the basics done first and go with a general full-scale analysis using an online malware scanner for each file I downloaded from these sites -

Now, let me explain something. The fact that an antivirus does not pick up a certain piece of malware is nothing new. Those are zero days, but in this case it's as simple as this: the samples that went undetected by AV vendors were password protected/encrypted to keep guys like me from analyzing them. I know, because I tried to load all of them into my malware lab, to no avail. That said, I ended up using one that was picked up by major AV vendors. I ran it on my Windows test machine and came up with the following results -


Registry Changes: 
Regshot 1.8.2
Comments:2nd shot
Datetime:2010/11/22 09:01:57  ,  2010/11/22 09:13:41
Computer:HUNTER , HUNTER
Username: ,

----------------------------------
Keys added:19
----------------------------------
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\0\0\2
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\0\0\2\0
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\BagMRU\4
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\BagMRU\4\0
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\12
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\12\Shell
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\13
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\13\Shell
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\14
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\14\Shell
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\inctest
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\WinRAR SFX

HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\inctest\serv: 0x00000001
HKU\S-1-5-21-1645522239-854245398-1957994488-1004\Software\WinRAR SFX\test%: "test\"

----------------------------------
Values modified:39
----------------------------------

----------------------------------
Total changes:146
----------------------------------


Additionally, while I was monitoring it, the malware did two other interesting things. The first was fairly predictable: the malware called out to IP address 95.64.9.68 (whois) and requested the following paths -


/registration/quiz/?key=YKAbUeHIKVGPXMfH
/css/style.css
/css/registration.css
/js/jquery.js
/js/drupal.js
/js/AC_OETags.js
/images/ban_activecollab.gif
/images/ban_mt.jpg
/images/ban_formspring.jpg
/images/ban_freshbooks.png
/images/header_bg.gif
/images/simple_bg.jpg
/images/slider_bg_top.jpg
/images/Footer_bg.gif
/favicon.ico
/registration/need_quiz/?reg
/mail/src/kcaptcha/index.php/?site=0d2dcef8f9717de13e1982425
/registration/quiz/?check=YKAbUeHIKVGPXMfH
/js/form.js 


Now, 95.64.9.68 is no stranger to malware or to being used for money mule scams (in fact ADRAL, the owner of this IP block, was recently linked to the LizaMoon mass SQL injection attack) -

http://amada.abuse.ch/?search=drysdale-antcorp.at
http://amada.abuse.ch/?search=throne-groupllc.cc


Drysdale-antcorp.at (whois) has the same site template as the rest of the money muling sites and is more than likely a drop point or maybe even (we could hope) a C&C for whatever these guys are infecting. Another funny fact about drysdale-antcorp.at is that it was on IP block 193.105.134.231 as of a week ago, tying it single-handedly to this group of malware-pushing money mule scammers.

The last interesting thing about this, and a final point for my comrades in arms in the antifraud movement: the malware changed the hosts file on my malware lab machine to block the victim of this infection from viewing the following sites -

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


127.0.0.1 www.complaintsboard.com
127.0.0.1 www.complaintsboard.com
127.0.0.1 www.complaintsboard.com
127.0.0.1 complaintsboard.com
127.0.0.1 complaintsboard.com
127.0.0.1 complaintsboard.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 www.bobbear.co.uk
127.0.0.1 www.bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 www.bobbear.com
127.0.0.1 www.bobbear.com
127.0.0.1 www.bobbear.com
127.0.0.1 bobbear.com
127.0.0.1 bobbear.com
127.0.0.1 bobbear.com
127.0.0.1 www.419legal.org
127.0.0.1 www.419legal.org
127.0.0.1 www.419legal.org
127.0.0.1 419legal.org
127.0.0.1 419legal.org
127.0.0.1 419legal.org
127.0.0.1 www.scam.com
127.0.0.1 www.scam.com
127.0.0.1 www.scam.com
127.0.0.1 scam.com
127.0.0.1 scam.com
127.0.0.1 scam.com
127.0.0.1 www.anti-scam.org
127.0.0.1 www.anti-scam.org
127.0.0.1 www.anti-scam.org
127.0.0.1 anti-scam.org
127.0.0.1 anti-scam.org
127.0.0.1 anti-scam.org
127.0.0.1 www.consumerfraudreporting.org
127.0.0.1 www.consumerfraudreporting.org
127.0.0.1 www.consumerfraudreporting.org
127.0.0.1 consumerfraudreporting.org
127.0.0.1 consumerfraudreporting.org
127.0.0.1 consumerfraudreporting.org
127.0.0.1 www.ripoffreport.com
127.0.0.1 www.ripoffreport.com
127.0.0.1 www.ripoffreport.com
127.0.0.1 ripoffreport.com
127.0.0.1 ripoffreport.com
127.0.0.1 ripoffreport.com
127.0.0.1 www.tjshome.com
127.0.0.1 www.tjshome.com
127.0.0.1 www.tjshome.com
127.0.0.1 tjshome.com
127.0.0.1 tjshome.com
127.0.0.1 tjshome.com
127.0.0.1 www.scamfraudalert.wordpress.com
127.0.0.1 www.scamfraudalert.wordpress.com
127.0.0.1 www.scamfraudalert.wordpress.com
127.0.0.1 scamfraudalert.wordpress.com
127.0.0.1 scamfraudalert.wordpress.com
127.0.0.1 scamfraudalert.wordpress.com
127.0.0.1 www.fraudwatchers.org
127.0.0.1 www.fraudwatchers.org
127.0.0.1 www.fraudwatchers.org
127.0.0.1 fraudwatchers.org
127.0.0.1 fraudwatchers.org
127.0.0.1 fraudwatchers.org
127.0.0.1 www.scamfraudalert.com
127.0.0.1 www.scamfraudalert.com
127.0.0.1 www.scamfraudalert.com
127.0.0.1 scamfraudalert.com
127.0.0.1 scamfraudalert.com
127.0.0.1 scamfraudalert.com
127.0.0.1 www.emailscammers.com
127.0.0.1 www.emailscammers.com
127.0.0.1 www.emailscammers.com
127.0.0.1 emailscammers.com
127.0.0.1 emailscammers.com
127.0.0.1 emailscammers.com
127.0.0.1 www.phishbucket.org
127.0.0.1 www.phishbucket.org
127.0.0.1 www.phishbucket.org
127.0.0.1 phishbucket.org
127.0.0.1 phishbucket.org
127.0.0.1 phishbucket.org
127.0.0.1 www.delphifaq.com
127.0.0.1 www.delphifaq.com
127.0.0.1 www.delphifaq.com
127.0.0.1 delphifaq.com
127.0.0.1 delphifaq.com
127.0.0.1 delphifaq.com
127.0.0.1 www.flakelist.org
127.0.0.1 www.flakelist.org
127.0.0.1 www.flakelist.org
127.0.0.1 flakelist.org
127.0.0.1 flakelist.org
127.0.0.1 flakelist.org
127.0.0.1 www.scamwarners.com
127.0.0.1 www.scamwarners.com
127.0.0.1 www.scamwarners.com
127.0.0.1 scamwarners.com
127.0.0.1 scamwarners.com
127.0.0.1 scamwarners.com
127.0.0.1 www.harvardbenefits.biz
127.0.0.1 www.harvardbenefits.biz
127.0.0.1 www.harvardbenefits.biz
127.0.0.1 harvardbenefits.biz
127.0.0.1 harvardbenefits.biz
127.0.0.1 harvardbenefits.biz
127.0.0.1 www.joewein.net
127.0.0.1 www.joewein.net
127.0.0.1 www.joewein.net
127.0.0.1 joewein.net
127.0.0.1 joewein.net
127.0.0.1 joewein.net
127.0.0.1 www.workathometruth.com
127.0.0.1 www.workathometruth.com
127.0.0.1 www.workathometruth.com
127.0.0.1 workathometruth.com
127.0.0.1 workathometruth.com
127.0.0.1 workathometruth.com
127.0.0.1 www.brainhandles.com
127.0.0.1 www.brainhandles.com
127.0.0.1 www.brainhandles.com
127.0.0.1 www.siteadvisor.com
127.0.0.1 www.siteadvisor.com
127.0.0.1 www.siteadvisor.com
127.0.0.1 www.fbi.gov
127.0.0.1 www.fbi.gov
127.0.0.1 www.fbi.gov
127.0.0.1 fbi.gov
127.0.0.1 fbi.gov
127.0.0.1 fbi.gov
127.0.0.1 forums.careerbuilder.com
127.0.0.1 forums.careerbuilder.com
127.0.0.1 forums.careerbuilder.com
127.0.0.1 krebsonsecurity.com
127.0.0.1 krebsonsecurity.com
127.0.0.1 krebsonsecurity.com
127.0.0.1 whois.domaintools.com
127.0.0.1 whois.domaintools.com
127.0.0.1 whois.domaintools.com
127.0.0.1 domaintools.com
127.0.0.1 domaintools.com
127.0.0.1 domaintools.com
127.0.0.1 www.domaintools.com
127.0.0.1 www.domaintools.com
127.0.0.1 www.domaintools.com
127.0.0.1 db.aa419.org
127.0.0.1 db.aa419.org
127.0.0.1 db.aa419.org
127.0.0.1 www.cybercrimeops.com
127.0.0.1 www.cybercrimeops.com
127.0.0.1 www.cybercrimeops.com
127.0.0.1 cybercrimeops.com
127.0.0.1 cybercrimeops.com
127.0.0.1 cybercrimeops.com
127.0.0.1 www.fraud-news.com
127.0.0.1 www.fraud-news.com
127.0.0.1 www.fraud-news.com
127.0.0.1 fraud-news.com
127.0.0.1 fraud-news.com
127.0.0.1 fraud-news.com
127.0.0.1 forums.moneysavingexpert.com
127.0.0.1 forums.moneysavingexpert.com
127.0.0.1 forums.moneysavingexpert.com

A few of the blocked websites there are of particular interest, mainly because they are under botnet DDoS attack as I write this up. Amongst those sites are aa419.org, cybercrimeops.com, and 419legal.org. I would imagine they're under attack for their roles in the antifraud community, so I must offer these words of encouragement. Keep fighting, guys! These scammers know you're hitting them, hence their trying to block their victims from even knowing you exist. Together, we can make a dent!
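For anyone who wants to check their own machine for this kind of tampering, here is an added example (my code, not anything from the original post) that parses a Windows-style hosts file and flags public hostnames pinned to loopback or 0.0.0.0, the trick the sample used to hide the antifraud sites. The hosts content inside the script is constructed for the demo, borrowing a few of the hostnames listed above, and the `intranet.example.test` entry is a hypothetical legitimate mapping.

```python
"""Audit a hosts file for public hostnames sinkholed to loopback or 0.0.0.0.

Added example, not code from the original post. The SAMPLE_HOSTS text is
constructed for this demo; it copies the layout of the captured hosts file
(each blocked site repeated three times) but is not the captured file itself.
"""
import ipaddress
import os
from collections import Counter
from typing import Dict, List, Tuple

# Hostnames that legitimately map to loopback on a stock Windows system.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample input, not the real captured hosts file.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
::1 localhost

127.0.0.1 www.complaintsboard.com
127.0.0.1 www.complaintsboard.com
127.0.0.1 www.complaintsboard.com
127.0.0.1 complaintsboard.com
127.0.0.1 www.fbi.gov # trailing comment must be ignored
127.0.0.1 fbi.gov
0.0.0.0 krebsonsecurity.com
10.0.0.5 intranet.example.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname maps nothing
        ip, hostnames = fields[0], fields[1:]
        for name in hostnames:  # one line may list several names for one IP
            entries.append((ip, name.lower()))
    return entries


def is_sinkhole_target(ip: str) -> bool:
    """True for addresses that silently blackhole a name: loopback or 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP at all; leave it for the other_mappings list
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Flag non-local hostnames sinkholed to loopback/0.0.0.0, report exact
    duplicate entries (the captured file repeats each blocked site), and list
    every remaining mapping so an admin can eyeball it."""
    entries = parse_hosts(text)
    counts = Counter(entries)
    sinkholed = sorted({name for ip, name in entries
                        if is_sinkhole_target(ip) and name not in LEGIT_LOOPBACK})
    duplicates = sorted({name for (_, name), n in counts.items() if n > 1})
    other = sorted({f"{ip} {name}" for ip, name in entries
                    if not is_sinkhole_target(ip)})
    return {"sinkholed": sinkholed, "duplicates": duplicates, "other_mappings": other}


def windows_hosts_path() -> str:
    """Location of the live hosts file on Windows (SystemRoot is set by the OS)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    # Run against the constructed sample; swap in open(windows_hosts_path()).read()
    # on a Windows box to audit the real file.
    for key, values in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {values}")
```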

Hope you enjoyed my analysis of the malware, and I'll be back with more sooner or later.

Edit: drysdale-antcorp.at has moved back to IP block 193.105.134.234. Upon analyzing the site, I found one malware sample there, with the following results -


drysdaleantcorp.exe
MD5: 051072e37f61733e385511912a26ae1d
SHA1: 5bcf1a2860ddea28baca35e8e5b78da2a5067485
Results here
Comments: Again, 0/20 major antiviruses picked this up.

While checking the sites again, I noticed some of them have switched DNS and IP blocks, but the main IP blocks mentioned are still being used. It's like they're playing musical chairs, but with name servers. While checking around, I did take a sampling of the name servers these sites are using -

NS1.AUUSDEC.CC
NS3.AUSTDEC.CC
dnsukrect.com
folowdns.cc
NS1.LIBUNITAU.CC
OLIVAU.CC
pageredns.cc
ringtons.cc
tvsilvau.cc
ukdns.cc
uknamo.com
ukansnami.com
uknsspace.cc
zonensuk.cc

This should provide me with something to go off of for blog post #2 (coming soon to a theater near you). 


1 comment:

  1. I've recently been recruited as a mule... how can I know if my PC is infected? Thanks

    (please delete this)
