What is Stuxnet?
First of all, it's important (and a bit hilarious) to know the story behind Stuxnet. If you're researching Stuxnet for the first time, it's really easy to get confused. There's finger pointing, claims, supposed "confirmed sources", etc, left and right. I'll briefly go over it. For example:
Confirmed: US and Israel created Stuxnet, lost control of it.
"The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet."
Obama Order Sped Up Wave of Cyberattacks Against Iran.
"Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet."
US unleashed Stuxnet cyber war on Iran to appease Israel – report.
"The US and Israel made the Stuxnet virus as a new kind of weapon targeted against Iran, a media investigation revealed. The operation reportedly started in the Bush era, but was intensified by the Obama administration."
Snowden confirms NSA created Stuxnet with Israeli aid.
"'The NSA and Israel wrote Stuxnet together,' Snowden told Appelbaum in the interview that was carried out in May."
The big TLDR is here - Operation Olympic Games.
My initial reaction was "What the hell am I reading?", and it still sort of is. It goes on and on. All in all, after reading the above, you're likely inclined to believe that the US (and maybe even Israel) were behind Stuxnet. Whether or not this is true is a story for another day, although it's easier to lean towards 'yes' than towards 'no'. The reason is that Stuxnet, as I discussed above, used four zero-day flaws within Windows. It's a pretty big deal when malware exploits one zero-day flaw in the OS; four is extremely high.
It's also pretty laughable to think that Stuxnet was created by amateurs, or by anyone not backed by some sort of organization invested in cyber warfare. A lot of amateurs write malware for a lot of reasons, but causing nuclear centrifuges to commit suicide is pretty advanced. Aside from the many reasons to believe the answer is yes, some lean towards no, largely because they cannot imagine the US and Israel working closely together to create something like Stuxnet.
I digress; in any case, I'm not here to discuss politics or debate the true creator(s), so let's get to the part where we talk about what Stuxnet was primarily created for. Stuxnet is a worm developed primarily to target industrial PLCs, which led to the nuclear centrifuges ultimately destroying themselves. The malware obviously couldn't be sent directly to the nuclear facilities, so this is where its USB attack vector comes into play, more notably known as a supply chain attack:
So the creators of Stuxnet, they were thinking that these companies would do some communications with power plant workers; maybe exchange with USB devices. That’s probably how Stuxnet infected the system.
In the end, Stuxnet ended up destroying nearly one-fifth of Iran's centrifuges. In November 2010, it was reported that uranium enrichment within the Natanz nuclear facility had halted several times due to severe technical issues.
User-Mode
Stuxnet has two ways of injecting itself into the address space of a process and then executing exported functions. Stuxnet's user-mode modules are implemented as DLLs, and the first method is done by injecting itself into a preexisting process.
Preexisting Process Inject
1. Allocates a memory buffer in the calling process for the modules to be loaded.
2. Patches ntdll and hooks the following APIs:
- ZwQueryAttributesFile.
- ZwQuerySection.
Here's what a clean (unpatched) ntdll MZ header looks like:
We can see some of these hooks in action:
ServiceDescriptor n°0
---------------------
ServiceTable : nt!KiServiceTable (804e26a8)
ParamTableBase : nt!KiArgumentTable (80510088)
NumberOfServices : 0000011c
Index Args Check System call
----- ---- ----- -----------
0019 0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)
0029 0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)
0032 0007 HOOK-> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)
0035 0008 HOOK-> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)
003F 0001 HOOK-> f8c575db ##### Original -> nt!NtDeleteKey (805952be)
0041 0002 HOOK-> f8c575e5 ##### Original -> nt!NtDeleteValueKey (80592d50)
0044 0007 HOOK-> f8c57617 ##### Original -> nt!NtDuplicateObject (805715e0)
0062 0002 HOOK-> f8c575ea ##### Original -> nt!NtLoadKey (805aed5d)
007A 0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)
0080 0004 HOOK-> f8c575bd ##### Original -> nt!NtOpenThread (8058a1bd)
00B1 0006 HOOK-> f8c5763f ##### Original -> nt!NtQueryValueKey (8056a1f1)
00C1 0003 HOOK-> f8c575f4 ##### Original -> nt!NtReplaceKey (8064f0fa)
00C8 0003 HOOK-> f8c57630 ##### Original -> nt!NtRequestWaitReplyPort (80576ce6)
00CC 0003 HOOK-> f8c575ef ##### Original -> nt!NtRestoreKey (8064ec91)
00D5 0002 HOOK-> f8c5762b ##### Original -> nt!NtSetContextThread (8062dcdf)
00ED 0003 HOOK-> f8c57635 ##### Original -> nt!NtSetSecurityObject (8059b19b)
00F7 0006 HOOK-> f8c575e0 ##### Original -> nt!NtSetValueKey (80572889)
00FF 0006 HOOK-> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)
0101 0002 HOOK-> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)
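A dump like the one above is easier to reason about once it is parsed rather than eyeballed. The following is an added example (not code from the post) that reads the hook table in exactly the format shown, flags every hook whose target lies outside the nt image, and groups the targets into 64 KiB windows as a rough count of how many hooking modules are involved. The nt image range is an assumed value for this XP guest; on a live session it should be taken from `lm m nt` rather than hard-coded.

```python
import re
from dataclasses import dataclass

# The SSDT dump from the post, kept verbatim so the parser runs on the real format.
SAMPLE_SSDT_DUMP = """\
Index Args Check System call
----- ---- ----- -----------
0019 0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)
0029 0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)
0032 0007 HOOK-> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)
0035 0008 HOOK-> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)
003F 0001 HOOK-> f8c575db ##### Original -> nt!NtDeleteKey (805952be)
0041 0002 HOOK-> f8c575e5 ##### Original -> nt!NtDeleteValueKey (80592d50)
0044 0007 HOOK-> f8c57617 ##### Original -> nt!NtDuplicateObject (805715e0)
0062 0002 HOOK-> f8c575ea ##### Original -> nt!NtLoadKey (805aed5d)
007A 0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)
0080 0004 HOOK-> f8c575bd ##### Original -> nt!NtOpenThread (8058a1bd)
00B1 0006 HOOK-> f8c5763f ##### Original -> nt!NtQueryValueKey (8056a1f1)
00C1 0003 HOOK-> f8c575f4 ##### Original -> nt!NtReplaceKey (8064f0fa)
00C8 0003 HOOK-> f8c57630 ##### Original -> nt!NtRequestWaitReplyPort (80576ce6)
00CC 0003 HOOK-> f8c575ef ##### Original -> nt!NtRestoreKey (8064ec91)
00D5 0002 HOOK-> f8c5762b ##### Original -> nt!NtSetContextThread (8062dcdf)
00ED 0003 HOOK-> f8c57635 ##### Original -> nt!NtSetSecurityObject (8059b19b)
00F7 0006 HOOK-> f8c575e0 ##### Original -> nt!NtSetValueKey (80572889)
00FF 0006 HOOK-> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)
0101 0002 HOOK-> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)
"""

SSDT_LINE = re.compile(
    r"^(?P<index>[0-9A-Fa-f]{4})\s+(?P<args>[0-9A-Fa-f]{4})\s+HOOK->\s+(?P<hook>[0-9A-Fa-f]{1,8})"
    r"\s+#+\s+Original\s+->\s+(?P<name>\S+)\s+\((?P<orig>[0-9A-Fa-f]{1,8})\)$"
)

# Assumed address range of the nt image on this XP guest (not stated in the post).
NT_IMAGE_RANGE = (0x804D7000, 0x806E0000)


@dataclass(frozen=True)
class SsdtHook:
    index: int
    args: int
    syscall: str
    hook_target: int
    original: int


def parse_ssdt_dump(text):
    """Return the hooked entries listed in a dump of the format shown above."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if m:  # header, ruler and any unhooked entries fall through
            hooks.append(SsdtHook(int(m["index"], 16), int(m["args"], 16), m["name"],
                                  int(m["hook"], 16), int(m["orig"], 16)))
    return hooks


def hooks_outside_kernel(hooks, image_range=NT_IMAGE_RANGE):
    """Hooks whose target does not lie inside the nt image: something else owns that code."""
    lo, hi = image_range
    return [h for h in hooks if not lo <= h.hook_target < hi]


def hook_clusters(hooks, window_bits=16):
    """Distinct 64 KiB windows the targets fall into. One driver's trampolines sit close
    together, so the number of windows is a rough count of hooking modules."""
    return sorted({h.hook_target >> window_bits for h in hooks})


def summarize(text, image_range=NT_IMAGE_RANGE):
    hooks = parse_ssdt_dump(text)
    outside = hooks_outside_kernel(hooks, image_range)
    return {
        "hooked": len(hooks),
        "outside_nt": len(outside),
        "clusters": [f"{c << 16:08x}-{((c + 1) << 16) - 1:08x}" for c in hook_clusters(outside)],
        "syscalls": [h.syscall for h in outside],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SSDT_DUMP).items():
        print(f"{key}: {value}")
```

On this dump every one of the 19 hooks points into a single 64 KiB window at f8c5xxxx, which is consistent with one driver owning all of them; the next step on a live box is to map that window back to a loaded module with `lm` and compare it against the service list.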
If we for example go ahead and disassemble our hooked nt!NtClose function, we see the following:
lkd> u 0xFFFFFFFFF8C5761C L1
f8c5761c e92d8b23fe jmp f6e9014e
We have a hook on nt!NtClose and a jump to it. Classic rootkit behavior. Let's go further and dump the IAT by loading notepad.exe into OllyDbg and viewing executable modules:
Address Section Type ( Name Comment
0100102C .text Import ( GDI32.AbortDoc
0100131C .text Import msvcrt._acmdln
0100132C .text Import msvcrt._adjust_fdiv
01001300 .text Import ( msvcrt._cexit
01001204 .text Import ( USER32.CharLowerW
01001244 .text Import ( USER32.CharNextW
010011C0 .text Import ( USER32.CharUpperW
01001248 .text Import ( USER32.CheckMenuItem
01001230 .text Import ( USER32.ChildWindowFromPoint
010012D0 .text Import ( comdlg32.ChooseFontW
0100124C .text Import ( USER32.CloseClipboard
010010F8 .text Import ( KERNEL32.CloseHandle
010012B8 .text Import WINSPOOL.ClosePrinter
010012E0 .text Import ( comdlg32.CommDlgExtendedError
010010EC .text Import ( KERNEL32.CompareStringW
0100133C .text Import ( msvcrt._controlfp
01001040 .text Import ( GDI32.CreateDCW
01001214 .text Import ( USER32.CreateDialogParamW
010010B4 .text Import ( KERNEL32.CreateFileMappingW
01001104 .text Import ( KERNEL32.CreateFileW
01001064 .text Import ( GDI32.CreateFontIndirectW
01001020 .text Import ( COMCTL32.CreateStatusWindowW
010011E0 .text Import ( USER32.CreateWindowExW
010012F4 .text Import ( msvcrt._c_exit
010011A4 .text Import ( USER32.DefWindowProcW
01001034 .text Import ( GDI32.DeleteDC
01001158 .text Import ( KERNEL32.DeleteFileW
01001068 .text Import ( GDI32.DeleteObject
010011A8 .text Import ( USER32.DestroyWindow
01001198 .text Import ( USER32.DialogBoxParamW
01001294 .text Import ( USER32.DispatchMessageW
0100117C .text Import ( SHELL32.DragAcceptFiles
01001174 .text Import ( SHELL32.DragFinish
01001178 .text Import ( SHELL32.DragQueryFileW
01001210 .text Import ( USER32.DrawTextExW
0100125C .text Import ( USER32.EnableMenuItem
0100120C .text Import ( USER32.EnableWindow
01001288 .text Import ( USER32.EndDialog
01001030 .text Import ( GDI32.EndDoc
01001028 .text Import ( GDI32.EndPage
01001054 .text Import ( GDI32.EnumFontsW
01001308 .text Import ( msvcrt._except_handler3
010012F0 .text Import ( msvcrt._exit
01001318 .text Import ( msvcrt.exit
0100111C .text Import ( KERNEL32.FindClose
01001120 .text Import ( KERNEL32.FindFirstFileW
010012C8 .text Import ( comdlg32.FindTextW
010010F4 .text Import KERNEL32.FoldStringW
0100114C .text Import ( KERNEL32.FormatMessageW
0100115C .text Import ( KERNEL32.GetACP
01001188 .text Import ( USER32.GetClientRect
01001114 .text Import ( KERNEL32.GetCommandLineW
010010C0 .text Import ( KERNEL32.GetCurrentProcess
0100110C .text Import ( KERNEL32.GetCurrentProcessId
0100108C .text Import ( KERNEL32.GetCurrentThreadId
01001238 .text Import ( USER32.GetCursorPos
010010A0 .text Import ( KERNEL32.GetDateFormatW
01001194 .text Import ( USER32.GetDC
010011E4 .text Import ( USER32.GetDesktopWindow
01001060 .text Import ( GDI32.GetDeviceCaps
0100122C .text Import ( USER32.GetDlgCtrlID
01001274 .text Import ( USER32.GetDlgItem
01001284 .text Import ( USER32.GetDlgItemTextW
01001124 .text Import ( KERNEL32.GetFileAttributesW
010010B0 .text Import ( KERNEL32.GetFileInformationByHandle
010012D4 .text Import ( comdlg32.GetFileTitleW
010011E8 .text Import ( USER32.GetFocus
010011B4 .text Import ( USER32.GetForegroundWindow
010011A0 .text Import ( USER32.GetKeyboardLayout
01001138 .text Import ( KERNEL32.GetLastError
010010D8 .text Import ( KERNEL32.GetLocaleInfoW
01001098 .text Import ( KERNEL32.GetLocalTime
01001320 .text Import msvcrt.__getmainargs
01001264 .text Import ( USER32.GetMenu
01001258 .text Import ( USER32.GetMenuState
010012A8 .text Import ( USER32.GetMessageW
010010CC .text Import ( KERNEL32.GetModuleHandleA
0100105C .text Import ( GDI32.GetObjectW
010012D8 .text Import ( comdlg32.GetOpenFileNameW
0100128C .text Import ( USER32.GetParent
010012B4 .text Import WINSPOOL.GetPrinterDriverW
01001110 .text Import ( KERNEL32.GetProcAddress
010012E4 .text Import ( comdlg32.GetSaveFileNameW
010010D0 .text Import ( KERNEL32.GetStartupInfoA
01001058 .text Import ( GDI32.GetStockObject
01001260 .text Import ( USER32.GetSubMenu
010011CC .text Import ( USER32.GetSystemMenu
0100121C .text Import ( USER32.GetSystemMetrics
010010B8 .text Import ( KERNEL32.GetSystemTimeAsFileTime
0100103C .text Import ( GDI32.GetTextExtentPoint32W
01001048 .text Import ( GDI32.GetTextFaceW
0100106C .text Import ( GDI32.GetTextMetricsW
01001090 .text Import ( KERNEL32.GetTickCount
010010A4 .text Import KERNEL32.GetTimeFormatW
0100109C .text Import ( KERNEL32.GetUserDefaultLCID
01001150 .text Import KERNEL32.GetUserDefaultUILanguage
01001270 .text Import ( USER32.GetWindowLongW
010011BC .text Import ( USER32.GetWindowPlacement
01001218 .text Import ( USER32.GetWindowTextW
010010D4 .text Import ( KERNEL32.GlobalFree
010010A8 .text Import ( KERNEL32.GlobalLock
010010AC .text Import ( KERNEL32.GlobalUnlock
01001324 .text Import msvcrt._initterm
01001224 .text Import ( USER32.InvalidateRect
01001250 .text Import ( USER32.IsClipboardFormatAvailable
010012A0 .text Import ( USER32.IsDialogMessageW
010011B8 .text Import ( USER32.IsIconic
0100100C .text Import ADVAPI32.IsTextUnicode
01001304 .text Import ( msvcrt.iswctype
010011C8 .text Import ( USER32.LoadAcceleratorsW
010011D8 .text Import ( USER32.LoadCursorW
010011EC .text Import ( USER32.LoadIconW
010011D4 .text Import ( USER32.LoadImageW
010010C8 .text Import ( KERNEL32.LoadLibraryA
010011C4 .text Import ( USER32.LoadStringW
010010E0 .text Import ( KERNEL32.LocalAlloc
010010DC .text Import ( KERNEL32.LocalFree
010010F0 .text Import ( KERNEL32.LocalLock
01001148 .text Import ( KERNEL32.LocalReAlloc
01001134 .text Import ( KERNEL32.LocalSize
010012FC .text Import ( msvcrt.localtime
010010E8 .text Import ( KERNEL32.LocalUnlock
01001074 .text Import ( GDI32.LPtoDP
01001118 .text Import ( KERNEL32.lstrcatW
01001108 .text Import ( KERNEL32.lstrcmpiW
01001128 .text Import ( KERNEL32.lstrcmpW
01001130 .text Import ( KERNEL32.lstrcpynW
010010FC .text Import ( KERNEL32.lstrcpyW
010010E4 .text Import ( KERNEL32.lstrlenW
01001168 .text Import ( KERNEL32.MapViewOfFile
010011AC .text Import ( USER32.MessageBeep
01001268 .text Import ( USER32.MessageBoxW
0100739D .text Export <ModuleEntryPoint>
01001220 .text Import ( USER32.MoveWindow
0100112C .text Import ( KERNEL32.MulDiv
01001164 .text Import ( KERNEL32.MultiByteToWideChar
01001254 .text Import ( USER32.OpenClipboard
010012BC .text Import WINSPOOL.OpenPrinterW
010012C4 .text Import comdlg32.PageSetupDlgW
01001208 .text Import ( USER32.PeekMessageW
010012A4 .text Import ( USER32.PostMessageW
010011F4 .text Import ( USER32.PostQuitMessage
010012CC .text Import comdlg32.PrintDlgExW
01001330 .text Import msvcrt.__p__commode
01001334 .text Import msvcrt.__p__fmode
01001094 .text Import ( KERNEL32.QueryPerformanceCounter
01001100 .text Import ( KERNEL32.ReadFile
01001004 .text Import ( ADVAPI32.RegCloseKey
01001008 .text Import ( ADVAPI32.RegCreateKeyW
010011D0 .text Import ( USER32.RegisterClassExW
010011F8 .text Import ( USER32.RegisterWindowMessageW
01001014 .text Import ( ADVAPI32.RegOpenKeyExA
01001010 .text Import ( ADVAPI32.RegQueryValueExA
01001000 .text Import ( ADVAPI32.RegQueryValueExW
01001018 .text Import ( ADVAPI32.RegSetValueExW
01001190 .text Import ( USER32.ReleaseDC
010012DC .text Import ( comdlg32.ReplaceTextW
01001234 .text Import ( USER32.ScreenToClient
01001084 .text Import ( GDI32.SelectObject
0100123C .text Import ( USER32.SendDlgItemMessageW
01001240 .text Import ( USER32.SendMessageW
01001044 .text Import ( GDI32.SetAbortProc
0100119C .text Import ( USER32.SetActiveWindow
01001070 .text Import ( GDI32.SetBkMode
0100118C .text Import ( USER32.SetCursor
0100127C .text Import ( USER32.SetDlgItemTextW
01001154 .text Import ( KERNEL32.SetEndOfFile
01001278 .text Import ( USER32.SetFocus
01001140 .text Import ( KERNEL32.SetLastError
01001080 .text Import ( GDI32.SetMapMode
01001200 .text Import ( USER32.SetScrollPos
010010C4 .text Import ( KERNEL32.SetUnhandledExceptionFilter
01001328 .text Import msvcrt.__setusermatherr
0100107C .text Import ( GDI32.SetViewportExtEx
01001078 .text Import ( GDI32.SetWindowExtEx
0100126C .text Import ( USER32.SetWindowLongW
010011DC .text Import ( USER32.SetWindowPlacement
010011F0 .text Import ( USER32.SetWindowTextW
010012AC .text Import ( USER32.SetWinEventHook
01001338 .text Import msvcrt.__set_app_type
01001180 .text Import ( SHELL32.ShellAboutW
010011B0 .text Import ( USER32.ShowWindow
01001314 .text Import ( msvcrt._snwprintf
01001050 .text Import ( GDI32.StartDocW
01001038 .text Import ( GDI32.StartPage
010010BC .text Import ( KERNEL32.TerminateProcess
0100104C .text Import ( GDI32.TextOutW
010012F8 .text Import ( msvcrt.time
0100129C .text Import ( USER32.TranslateAcceleratorW
01001298 .text Import ( USER32.TranslateMessage
0100116C .text Import ( KERNEL32.UnhandledExceptionFilter
01001290 .text Import ( USER32.UnhookWinEvent
01001160 .text Import ( KERNEL32.UnmapViewOfFile
010011FC .text Import ( USER32.UpdateWindow
01001310 .text Import ( msvcrt.wcsncmp
01001340 .text Import ( msvcrt.wcsncpy
01001144 .text Import ( KERNEL32.WideCharToMultiByte
01001228 .text Import ( USER32.WinHelpW
0100113C .text Import ( KERNEL32.WriteFile
01001280 .text Import ( USER32.wsprintfW
0100130C .text Import ( msvcrt._wtol
010012EC .text Import msvcrt._XcptFilter
The Import Address Table (IAT) is essentially just a table of jumps. It's used primarily as a lookup table when an application calls a function in a different module. Compiled programs cannot know at build time where the libraries they depend on will be loaded, so every API call goes through an indirect jump (jmp) via the table.
In the listing above we can see jumps to functions such as USER32.GetKeyboardLayout, which is a wrapper for the NtUserLoadKeyboardLayoutEx win32k syscall. This relates to Stuxnet's keyboard layout vulnerability (CVE-2010-2743), one of the four exploits it used to escalate privileges and reach ring 0.
I would have loved to set a breakpoint on win32k!NtUserLoadKeyboardLayoutEx and trace the malware, as it's extremely interesting, but setting breakpoints is not possible in an LKD session. I would have needed to break into another physical machine (which I don't have), or set up a host > virtual COM port connection, which is a bit of a pain. I'll chalk it up to something to do on a rainy day. Call me lazy... I know.
3. Calls LoadLibraryW (exported from kernel32.dll), passing it a specially crafted file name such as KERNEL32.DLL.ASLR.[HEX] or SHELL32.DLL.ASLR.[HEX]. Below we can see an example of a KERNEL32 variant:
4. Calls the desired exported function.
5. Calls FreeLibrary to unload the library.
New Process Inject
The second method of injection is done by injecting into a newly created process, as follows:
1. Creates a host process.
2. Replaces the process image with the Stuxnet module to execute, plus code that will load the module and call a specified export, passing parameters.
There are a few different image names that can be chosen as the host process for the module:
- lsass.exe - MSFT system process in charge of enforcing the security policy.
- avp.exe - Kaspersky.
- mcshield.exe - McAfee VirusScan.
- avguard.exe - Avira Personal Edition.
- bdagent.exe - Bitdefender Switch Agent.
- UmxCfg.exe - eTrust Configuration Engine (HIPS).
- fsdfwd.exe - F-Secure.
- rtvscan.exe - Symantec Real time Virus Scan Service.
- ccSvchst.exe - Symantec Service Framework.
- ekrn.exe - ESET Service Process.
- tmproxy.exe - TrendMicro (PC-cillin in Australia and Virus Buster in Japan).
Malware Execution and Infection
First of all, to even successfully execute the malware you need to set your system time to before June 24th, 2012. This is because Stuxnet hard-coded a poison pill to fully delete itself on June 24th, 2012. This was most likely done with the original idea in mind that Stuxnet wouldn't escape the nuclear facilities, which would allow time for Stuxnet to be reversed and ultimately defeated.
This piece of malware wanted to stay inside nuclear facilities, target Siemens systems, cause large actual damage, spread to cause more damage, and then go ghost. Fortunately, it did happen to escape its intended environment (some even speculate deliberately) and was inevitably reversed and defeated long before its hard-coded deletion date.
First of all, let's take a pre-infected look at the system with Autoruns + Process Explorer:
(Ignore the file not found messages)
Note the checked filter options > Verify code signatures + Hide Microsoft entries.
Everything looks pretty normal, nothing out of the ordinary. We can see we have one instance of lsass.exe.
Now let's turn things up a bit by executing the malware, and then comparing our results from pre-infection:
We can see now within Autoruns we have two new services - MRxCls and MRxNet. These are Stuxnet's kernel-mode drivers, which enable its rootkit functionality.
One big thing about malware that surfaces in the public media (for whatever reason; we'll assume popularity or intention) is that journalists love to spin it and give it awkward buzzwords - Undefeatable, The Most Sophisticated Malware, etc. Was Stuxnet an elaborate piece of code? Yes, absolutely. Not only was typical rootkit/Windows development knowledge needed, but heavy reverse engineering knowledge of Siemens software was necessary as well.
However, one of Stuxnet's biggest weak points was its near-total lack of anti-debugging/anti-reversing techniques. Among a slew of reasons (no VM-based obfuscation, for one), you can literally use the default regedit to find the locations of both MRxCls and MRxNet. For example:
This has led Stuxnet to be something of a joke among some reverse engineers and analysts, even more so if you believe that it was created by [insert government]. It's hard to imagine [insert government] wouldn't go to any lengths at all to hide its malware, but then again you never really know, right? : ) I'll continue the discussion regarding its kernel-mode functionality a little later, as I'd like to swing back to user-mode real quick.
I couldn't get Process Explorer to run after infection, as the VM would bugcheck. I have no idea why, and AFAIK Stuxnet doesn't employ anti-debugging against Sysinternals tools by any means, so it was likely a buggy sample. I digress, and used VMMap instead:
We can see there are now three instances of lsass.exe, two of which are fake (newly created host processes). So first off, which is our legitimate lsass.exe? Well, two of the three have PIDs above 1xxx, so let's assume the only one below 1xxx is legitimate:
If we sort by the Protection column, we can see it's mostly Execute/Read, which doesn't raise any red flags. Let's assume for the moment this is legitimate and take a look at another one:
Uh oh, we can see two shareable memory regions in this lsass.exe that have Write permission in addition to Execute and Read. When a region has all three, it's a huge red flag for a fake/compromised process. In addition, note how Size, Committed, Total Working Set, etc. are all equal. We can now determine that PID 648 is legitimate and PID 1812 is fake. We can also at this point assume that PID 1840 is fake as well:
Yep! In this case we have five shareable memory regions with R/W/E permissions, and ntdll mapped with R/W/E permissions as well. Note that Size, Committed, Total Working Set, etc. are equal again. At this point we can fully determine that 1812 and 1840 are our fake lsass.exe instances, and that 1840 is the one related to the patching of ntdll.
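The triage above (duplicate lsass.exe instances, regions that are Execute/Read/Write, and a system DLL image that has become writable) can be turned into a repeatable check rather than a manual VMMap walk. The following is an added example, not part of the original post: it parses a constructed region listing in the spirit of the VMMap views (the PIDs match the post's triage, the region details are illustrative), and reports each PID's reasons for suspicion together with which singleton image is present more than once. The PID-ordering hint used above is deliberately left out; the memory protections decide.

```python
from collections import defaultdict

# Constructed listing (one region per line: PID, image, protection, region type, size in KB,
# backing module or "-"). Not a capture from the infected VM; the PIDs follow the post.
SAMPLE_REGIONS = """\
PID   Image       Protection          Type       KB    Module
648   lsass.exe   Execute/Read        Image      1024  lsass.exe
648   lsass.exe   Execute/Read        Image      720   ntdll.dll
648   lsass.exe   Read/Write          Private    256   -
648   lsass.exe   Read                Shareable  512   -
1812  lsass.exe   Execute/Read        Image      1024  lsass.exe
1812  lsass.exe   Execute/Read        Image      720   ntdll.dll
1812  lsass.exe   Execute/Read/Write  Shareable  300   -
1812  lsass.exe   Execute/Read/Write  Shareable  300   -
1840  lsass.exe   Execute/Read        Image      1024  lsass.exe
1840  lsass.exe   Execute/Read/Write  Image      720   ntdll.dll
1840  lsass.exe   Execute/Read/Write  Shareable  300   -
1840  lsass.exe   Execute/Read/Write  Shareable  300   -
1840  lsass.exe   Execute/Read/Write  Shareable  300   -
1840  lsass.exe   Execute/Read/Write  Shareable  300   -
1840  lsass.exe   Execute/Read/Write  Shareable  300   -
1920  notepad.exe Execute/Read        Image      64    notepad.exe
"""

SINGLETON_IMAGES = {"lsass.exe"}   # exactly one instance expected on a healthy box
RWX = {"Execute", "Read", "Write"}


def parse_regions(text):
    """Parse the whitespace-separated listing; the header and malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        pid, image, prot, rtype, size_kb, module = parts
        regions.append({"pid": int(pid), "image": image, "prot": frozenset(prot.split("/")),
                        "type": rtype, "size_kb": int(size_kb), "module": module})
    return regions


def triage(regions):
    """Return (findings, duplicates): per-PID reasons for suspicion, and singleton images
    that appear under more than one PID."""
    findings = defaultdict(list)
    pids_by_image = defaultdict(set)
    for r in regions:
        pids_by_image[r["image"]].add(r["pid"])
        if RWX <= r["prot"]:
            if r["type"] == "Image":
                # A mapped image that is writable means the loaded code was patched in place.
                findings[r["pid"]].append(
                    f"{r['module']} mapped Execute/Read/Write: image patched in memory")
            else:
                findings[r["pid"]].append(
                    f"{r['size_kb']} KB {r['type']} region is Execute/Read/Write")
    duplicates = {img: sorted(pids) for img, pids in pids_by_image.items()
                  if img in SINGLETON_IMAGES and len(pids) > 1}
    return dict(findings), duplicates


def likely_legit(regions):
    """Of the duplicated singleton instances, the ones with no RWX findings."""
    findings, duplicates = triage(regions)
    return {img: [p for p in pids if p not in findings] for img, pids in duplicates.items()}


if __name__ == "__main__":
    regs = parse_regions(SAMPLE_REGIONS)
    findings, duplicates = triage(regs)
    print("duplicated singletons:", duplicates)
    for pid, reasons in sorted(findings.items()):
        print(pid, "->", "; ".join(reasons))
    print("likely legitimate:", likely_legit(regs))
```

A process with no RWX regions is not proven clean by this check, but among several copies of an image that should exist once, the copy without any finding is the one to keep investigating last.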
Let's further compare the three images based on their strings:
(PID 648 - legit)
(PID 1812 - fake #1)
Note we have quite a few changes here, the important one being "!This program cannot run in DOS mode.". This is the classic MZ header of the executable format used for .exe files since DOS. We can also note the ASCII string - 4D. Let's take a look at the bottom of the string list:
(PID 1812 - fake #1)
We can see a number of functions, such as InternetOpen. We can at this point determine the DLL was successfully injected into this image of lsass.exe.
We can of course expect similar results with PID 1840:
(PID 1840 - fake #2)
Another big red flag of a malformed image.
Let's head back to discussing our kernel-mode drivers, MRxCls and MRxNet. As noted above, these two drivers aren't protected by a packer or protector of any kind, so inspecting them in depth is painless:
First off, both of these drivers were digitally signed (albeit fake... what a surprise) to fool the user into believing each was a legitimate driver signed off as such by VeriSign. For example:
We can see MRxCls was fake-signed by VeriSign and claimed to be from Realtek. Realtek is obviously a legitimate company and releases lots of software/drivers for its products, such as audio, so this would fool a user who ever questioned the legitimacy of the apparent MRxCls/Net drivers.
Using SwishDbgExt, let's dump the list of objects:
lkd> !ms_object
Object: \ (Directory)
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| Hdle | Object Type | Addr | Name |
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| 0000 | Directory | 0xFFFFFFFFE100D748 | ArcName |
| 0000 | Device | 0xFFFFFFFF821C75C0 | Ntfs |
| 0000 | Port | 0xFFFFFFFFE15EABB8 | SeLsaCommandPort |
| 0000 | Key | 0xFFFFFFFFE1010478 | \REGISTRY |
| 0000 | Port | 0xFFFFFFFFE186B9E8 | ThemeApiPort |
| 0000 | Port | 0xFFFFFFFFE1B05230 | XactSrvLpcPort |
| 0000 | Directory | 0xFFFFFFFFE15AA4B8 | NLS |
| 0000 | SymbolicLink | 0xFFFFFFFFE1008748 | DosDevices |
| 0000 | Port | 0xFFFFFFFFE13D4B68 | SeRmCommandPort |
| 0000 | Port | 0xFFFFFFFFE173BA00 | LsaAuthenticationPort |
| 0000 | Device | 0xFFFFFFFF82063A90 | Dfs |
| 0000 | Event | 0xFFFFFFFF821EF5C0 | |
| 0000 | Directory | 0xFFFFFFFFE100E838 | Driver
Notice the strange 'Driver' object with a 'Directory' type. Let's take a look:
lkd> !ms_object 0xFFFFFFFFE100E838
Object: Driver (Directory)
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| Hdle | Object Type | Addr | Name |
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| 0000 | Driver | 0xFFFFFFFF8231ECC0 | \Driver\Beep |
| 0000 | Driver | 0xFFFFFFFF821C72C0 | \Driver\NDIS |
| 0000 | Driver | 0xFFFFFFFF821D39C0 | \Driver\KSecDD |
| 0000 | Driver | 0xFFFFFFFF82198F38 | \Driver\Mouclass |
| 0000 | Driver | 0xFFFFFFFF82245410 | \Driver\Raspti |
| 0000 | Driver | 0xFFFFFFFF81F18768 | \Driver\es1371 |
... |
| 0000 | Driver | 0xFFFFFFFF81EA2880 | \Driver\MRxCls |
| 0000 | Driver | 0xFFFFFFFF821DE4A0 | \Driver\PCnet |
| 0000 | Driver | 0xFFFFFFFF81F0FAE8 | \Driver\MRxNet
Let's dump the driver object information for MRxNet:
lkd> !drvobj 81f0fae8
Driver object (81f0fae8) is for:
\Driver\MRxNet
Driver Extension List: (id , addr)
Device Object list:
820ee288 81f10020 81ebac80 82136298
82302298 82339be0 821bb500 821996c0
821bc238 8224a9d0
We can see MRxNet has a lot of device objects, so let's check one:
lkd> !devobj 81ebac80
Device object (81ebac80) is for:
\Driver\MRxNet DriverObject 81f0fae8
Current Irp 00000000 RefCount 0 Type 00000003 Flags 00000080
DevExt 81ebad38 DevObjExt 81ebad40
ExtensionFlags (0000000000)
AttachedTo (Lower) 821d4450 \FileSystem\Cdfs
Stuxnet creates a new device object and attaches it to the device chain for each device object it targets. As we can see, Stuxnet attached to cdfs.sys, which is part of the filesystem stack, specifically the CD-ROM filesystem driver. The other filesystem drivers it attaches to are ntfs.sys and fastfat.sys. Once attached, Stuxnet's device sits in the stack above the real filesystem, which gives it the ability to successfully intercept IRP requests.
Other than checking regedit, we can also confirm the existence of the MRxCls service within the registry using the !dreg command, which displays formatted registry key information. Before we do this however, we need to load ntsdexts.dll, or we'll get the following:
lkd> !dreg System\CurrentControlSet\Services
No export dreg found
This is due to the fact that ntsdexts.dll isn't of course loaded in the extension DLL chain list:
lkd> .chain
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]
After loading it however with .load ntsdexts, we can then see it's in the list:
lkd> .chain
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:08 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]
Let's now run !dreg again with our path to MRxCls:
lkd> !dreg System\CurrentControlSet\Services\MRxCls
Subkey: Enum
There it is, and we can see its subkey is Enum. We can confirm that looking back at the screenshot of its registry location above from earlier.
Here were the overall changes in the registry comparing pre-infection > post-infection:
----------------------------------
Keys deleted: 23
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\ControlSet001\Services\MRxCls
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum
HKLM\SYSTEM\ControlSet001\Services\MRxNet
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell
----------------------------------
Values deleted: 110
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Data: [binary blob omitted]
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Data: [binary blob omitted]
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY:gvzrqngr.pcy: 04 00 00 00 06 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0: 34 00 31 00 00 00 00 00 2C 3C 8C 70 10 00 73 6E 6D 77 00 00 20 00 03 00 04 00 EF BE 2C 3C 8C 70 2C 3C 8C 70 14 00 00 00 73 00 6E 00 6D 00 77 00 00 00 14 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\NodeSlot: 0x00000022
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "Documents"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Mode: 0x00000006
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).x: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).y: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Sort: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\SortDir: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Col: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).left: 0x000000CB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).top: 0x00000034
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).right: 0x000003EB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).bottom: 0x0000028C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Rev: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WFlags: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ShowCmd: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FFlags: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\HotKey: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Buttons: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Links: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Address: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Vid: "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\MW\Lots of Stuxnet\snmw\malware.exe: "malware"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\WinRAR\Interface\ShowPassword: 0x00000000
----------------------------------
Values modified: 17
----------------------------------
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: 81 9C 54 0E 05 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: E3 F3 7F 0E 04 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 79 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 77 00 00 00 A0 EC DC 76 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 04 00 00 00 0B 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 01 00 00 00 0B 00 00 00 60 F6 98 73 27 F4 CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4C 00 00 00 F0 8C 4C 41 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4A 00 00 00 90 73 55 73 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 08 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 07 00 00 00 50 F6 45 98 7E FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 07 00 00 00 06 00 00 00 08 00 00 00 02 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 08 00 00 00 06 00 00 00 02 00 00 00 07 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 00 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x00000049
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x0000002C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x00000057
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x0000003A
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x00000369
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x0000034C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x000002AF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x00000292
HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000002
HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000001
----------------------------------
Total changes: 150
----------------------------------
23 deleted keys, 110 values deleted, 17 values modified. Total = 150 changes.
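The Regshot listing above is mostly read by eye. As an added example (not code from the original post), here is a small Python parser for that "key\value: data" layout that pulls out services registered as boot/system/auto-start drivers (the MRxCls/MRxNet pattern) and ROT13-decodes the UserAssist entries with their run counter and last-run FILETIME. The sample diff is a constructed excerpt modelled on the lines above (the Browser service is made up as a benign control), and all function names are my own.

```python
import codecs
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Regshot's "<key>\<value>: <data>" layout, modelled on
# the MRxCls/MRxNet and UserAssist lines above; the Browser entry is a made-up
# benign Win32 service so the driver filter has something to reject.
SAMPLE_DIFF = r"""
----------------------------------
Values deleted: 10
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Browser\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Browser\Type: 0x00000020
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
----------------------------------
"""

SECTION_RE = re.compile(r"^(Keys|Values) (added|deleted|modified): \d+$")
# Data is a quoted REG_SZ, a DWORD, or a run of hex bytes; the path is whatever
# precedes the ": " before such data (value names themselves may contain ':',
# as the UserAssist entries show, so we cannot simply split on the first ':').
VALUE_RE = re.compile(
    r'^(?P<path>.+?): (?P<data>"[^"]*"|0x[0-9A-Fa-f]{8}|[0-9A-F]{2}(?: [0-9A-F]{2})*)$')
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)\\(ImagePath|Start|Type|Group)$", re.IGNORECASE)
USERASSIST_RE = re.compile(r"\\UserAssist\\\{[^}]+\}\\Count\\(.+)$", re.IGNORECASE)

KERNEL_DRIVER, FS_DRIVER = 0x1, 0x2   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def parse_regshot(text):
    """Return (section, path, data) tuples; data is None for bare key lines."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1).lower()} {m.group(2)}"
            continue
        if "\\" not in line:            # e.g. "Total changes: 150"
            continue
        v = VALUE_RE.match(line)
        if v:
            entries.append((section, v.group("path"), v.group("data")))
        else:
            entries.append((section, line, None))
    return entries


def collect_services(entries):
    """Group the per-service values (ImagePath/Start/Type/Group) by service name."""
    services = {}
    for section, path, data in entries:
        m = SERVICE_RE.search(path)
        if not m or data is None:
            continue
        name, value = m.group(1), m.group(2)
        svc = services.setdefault(name.lower(), {"name": name, "section": section})
        svc[value] = int(data, 16) if data.startswith("0x") else data.strip('"')
    return services


def early_start_drivers(entries):
    """Services typed as drivers that load at boot, system or auto start."""
    hits = []
    for svc in collect_services(entries).values():
        if svc.get("Type") in (KERNEL_DRIVER, FS_DRIVER) and svc.get("Start", 99) <= 2:
            hits.append({"name": svc["name"], "start": START_NAMES[svc["Start"]],
                         "image": svc.get("ImagePath", "?"), "section": svc["section"]})
    return sorted(hits, key=lambda h: h["name"].lower())


def filetime_to_datetime(raw8):
    """FILETIME: little-endian count of 100-ns ticks since 1601-01-01 UTC."""
    ticks = int.from_bytes(raw8, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def decode_userassist(entries):
    """ROT13-decode UserAssist value names and unpack the 16-byte XP record."""
    out = []
    for section, path, data in entries:
        m = USERASSIST_RE.search(path)
        if not m or data is None or data.startswith(("0x", '"')):
            continue
        rec = {"name": codecs.decode(m.group(1), "rot13"), "section": section}
        blob = bytes.fromhex(data.replace(" ", ""))
        if len(blob) == 16:             # XP layout: session id, counter, FILETIME
            rec["session"] = int.from_bytes(blob[0:4], "little")
            rec["counter"] = int.from_bytes(blob[4:8], "little")
            rec["last_run"] = filetime_to_datetime(blob[8:16])
        out.append(rec)
    return out


if __name__ == "__main__":
    ents = parse_regshot(SAMPLE_DIFF)
    for d in early_start_drivers(ents):
        print(f"[{d['section']}] driver {d['name']} ({d['start']} start) -> {d['image']}")
    for u in decode_userassist(ents):
        print(f"[{u['section']}] {u['name']}  counter={u['counter']}  last={u['last_run']:%Y-%m-%d}")
```

Fed the real Regshot output, the same filter surfaces the two Stuxnet drivers while ignoring the ShellNoRoam and MRU noise, and the decoded UserAssist path lines up with the MUICache entry for malware.exe.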
Overall, there's a lot to this rootkit. I didn't go into the MRxCls configuration file decryption, network changes/attack methods, the other zero-day flaws, etc., but even so you can see that this is a pretty sophisticated piece of malware. However, as we now see, its biggest downfall was its complete lack of protection against reverse engineering.
The only personal explanation I have for this is that the creator(s) were either rushed to get it done by 'x' timeframe, so they focused on main code more than obfuscation, or they just imagined it wouldn't ever escape its original intended environment, so they'd never have to worry about reverse engineering being an issue.
References
Stuxnet Under the Microscope.
Analyzing a Stuxnet Infection with the Sysinternals Tools.
ReplyDeleteیخچال دیپوینت
بهترین یخچال ایرانی
ست شیرالات شودر
تلویزیون الیویا
quickboot apk
ReplyDeletequickboot download
iroot apk
iroot download
to know more about this click above
จีคลับ
ReplyDeletelink1
ReplyDeletelink2
link3
link4
link5
link6
link7
link1
ReplyDeletelink2
link3
link4
link5
link6
link7
APK Apps
ReplyDeletehow to open apk files on mac
ReplyDeletehow to open apk files on mac
how to open crdownload files on mac
how to open bin file in windows
ReplyDeletehow to open dll file in windows
how to open enc file in windows
open config file download
ReplyDeletetif file viewer
programs to open cfg files
how do i convert a prn file to pdf
ReplyDeletehow to play mkv files on android
how to read hex file
Freelance maintenance technicians also benefit from establishing relationships with multiple clients. Working as a freelancer.
ReplyDeletemaintenance technician
Norton.com/Setup
ReplyDeleteOffice.com/Setup
McAfee.com/Activate
Norton.com/Setup
Office.com/Setup
McAfee.com/Activate
McAfee.com/Activate
Thanks for the blog post. check the similar The first professional networking platform for commissions
ReplyDeleteFind - Visit profiles offering commissions
Connect - Contact with best commission providers near you
Commission - Work or refer the business and get agreed commission
Commission agent
Thanks for the blog post. check the similar The first professional networking platform for commissions
ReplyDeleteFind - Visit profiles offering commissions
Connect - Contact with best commission providers near you
Commission - Work or refer the business and get agreed commission
Commission agent
Girl Instagram Captions
ReplyDeleteSpotify Premium Apk
Whatsapp Plus Apk
pubg lite pc download
ReplyDeletepubg lite download pc
download pubg lite pc
pubg mobile lite pc
download pubg pc lite
pubg pc lite download
not bad info about staxnet. If you are interested in high-quality online casinos, go here - 918kiss. you will not regret anything, the time spent usefully
ReplyDeleteescort
ReplyDeleteescorts
escort madrid
escorts madrid
putas madrid
madrid escort
madrid escorts
great blog. Found a good site - จีคลับ a variety of games, from card games to slots. don't lose a chance
ReplyDeleteHow to write great blogs.
ReplyDeleteแทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ
OMG! This is a very great blog.
แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ
Syekh Abdul Qodir JailaniRahmat Allah SWTTahajudninonurmadi.comHanafi
ReplyDeleteninonurmadi.com
ninonurmadi.com
ninonurmadi.com
ninonurmadi.com
This is good info. จีคลับ168
ReplyDeleteThere are several differences between software and hardware or software vs hardware. A Below we list the top ten differences that will help you effectively distinguish what distinguishes these two elements.
ReplyDeletehttps://5gtelecomtech.blogspot.com/2020/02/differences-between-software-and.html
Great read guys! Thank you for sharing! Anyway anyone from Singapore here? Interested in property investment? I saw a few property launches that has got huge potential. Anyway keen to know more? Click on the link below!
ReplyDeleteDaintree Residence Location
DainTree Residence Singapore
daintree residence balance unit
whistler grand condo
whistler grand singapore
whistler grand site plan
jadescape location
jadescape singapore
jadescape condo
There are several differences between software and hardware or software vs hardware.
ReplyDeleteUPLAY365
flyfreemedia
ReplyDeleteclub
cults3d
choralnet
hyperspaces
xapk
ReplyDeleteopen csv file
ReplyDeletehwp viewer
ReplyDeleteGOOD Day !
ReplyDeleteUSA Fresh & Verified SSN Leads with best connectivity
All Leads have genuine & valid information
**HEADERS IN LEADS**
First Name | Last Name | SSN | Dob | DL Number |Address | State | City | Zip | Phone Number | Account Number | Bank NAME
*Price for SSN lead $2
*You can ask for sample before any deal
*If anyone buy in bulk, we can negotiate
*Sampling is just for serious buyers
==>ACTIVE & FRESH CC FULLZ ALSO AVAILABLE<==
->$5 PER EACH
->Hope for the long term deal
->Interested buyers will be welcome
**Contact Information 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
MyBlogger Club
ReplyDeleteGuest Posting Site
Best Guest Blogging Site
Guest Blogger
Guest Blogging Site
Nice Blog. Thanks for sharing.
ReplyDeleteBest college for mba International Business in Dehradun
Specialised MBA or General MBA : Which MBA Course is better for your career ?
Best Corporate Video Production Company in Bangalore and top Explainer Video Company in Bangalore , 3d, 2d Animation Video Makers in Chennai
ReplyDeleteExcellent article. Good tips! Fantastic stuff!
gbwhatsapp apk
ReplyDeletegbwhatsapp apk download
gb whatsapp
Wonder to see this information, thanks
ReplyDeletehow to open md files
The Networking Engineer expected set of responsibilities contrasts according to the association's necessities. Likewise with some other activity, explicit aptitudes and experience are commonly required for these networking occupations.
ReplyDeleteMore Info: https://technical-issues-answers.blogspot.com/2020/02/the-various-roles-of-networking.html
https://www.wordlab.com/forums/users/footballmanagercrack/
ReplyDeletehttps://dashburst.com/footballmanagercrack
https://developers.oxwall.com/user/footballmanagercrack
http://flgclassifieds.cce.cornell.edu/author/footballmanagercrack/
https://www.mixcloud.com/footballmanagercrack/
https://participa.santboi.cat/profiles/footballmanager/activity
https://www.velvetjobs.com/profile/footballmanagercrack
https://www.pacte-entreprises.gouv.fr/profile/footballmanagercrack
http://cine4home.de/forums/users/footballmanagercrack
https://kalicrack.com/football-manager-2020-crack-v1/
ReplyDeletehttps://softwar2crack.com/football-manager-2020-crack/
https://10crack.com/football-manager-2020-crack-v1/
Daftar Slot Live22
ReplyDeleteDaftar Live22 Slot
Daftar Live22 Casino
ID Live22 Indonesia
Slot Live22
Live22 Slot
Agen Live22 Deposit 25 Ribu
Agen Live22
Just add the plugin for an instant half-speed effect with zero setup. Or go in deep with powerful creative controls. HalfTime works on loops, virtual instruments or even live audio input, inspiring you in seconds.
ReplyDeletevst crack 32 lives
vst 3 crack
vst crack nexus 3
serum vst crack 32 bit
nexus vst crack 32 bit
nexus 3 vst crack
nectar 3 vst crack
dune 3 vst crack download
nexus 3 vst crack windows
nexus 3 vst crack reddit
ReplyDeleteThese stories are truly incredible. Thank you for this information. เยอร์เก้น คล็อปป์
https://fun88club.net/
https://zaza000.hatenablog.com/
https://188betgroup.com/
Your article is great. Come in, read my stuff, click. >> fun88club
ReplyDeletezaza000
188betgroup
บาคาร่า ออนไลน์
I certainly enjoyed every small bit of it, I have you bookmarked to check out all the unused stuff you post. 3d modeling services Denver, Colorado
ReplyDeletejual obat aborsi di malaysia
ReplyDeletejual obat aborsi di hongkong
jual obat aborsi di singapura
jual obat aborsi di medan
jual obat aborsi di banda aceh
jual obat aborsi di lampung
jual obat aborsi di pekanbaru
jual obat aborsi di padang
jual obat aborsi di palembang
jual obat aborsi di jambi
jual obat aborsi di samarinda
jual obat aborsi di balikpapan
jual obat aborsi di pontianak
jual obat aborsi di banjarmasin
jual obat aborsi di bontang
jual obat aborsi di tarakan
jual obat aborsi di palangkaraya
jual obat aborsi di banjarbaru
jual obat aborsi di singkawang
jual obat aborsi di makassar
jual obat aborsi di manado
jual obat aborsi di palu
jual obat aborsi di kendari
jual obat aborsi di palopo
jual obat aborsi di tomohon
jual obat aborsi di gorontalo
jual obat aborsi di toli-toli
jual obat aborsi di denpasar
jual obat aborsi di ubud
jual obat aborsi di kutai
jual obat aborsi di bedugul
jual obat aborsi di singaraja
jual obat aborsi di kupang
jual obat aborsi di lombok
jual obat aborsi di mataram
jual obat aborsi di sumbawa
jual obat aborsi di jayapura
jual obat aborsi di sorong
We have carefully selected high-class and professional teachers of Quran. Our teachers are proficient receptors to encourage students to recite well and to maintain their interest Online Quran Teacher
ReplyDeleteNice Blog. Thanks for sharing with us. Such amazing information.
ReplyDeleteSOCIAL MEDIA TIPS TO BOOST YOUR FAN BASE
MyBlogger Club
Guest Posting Site
Best Guest Blogging Site
Guest Blogger
Guest Blogging Site
احتمالا می دانید که برخی از مواد خوراکی که هر روز از آن ها استفاده می کنیم را می توان به عنوان ابزار و درمانی برای زیبایی بیشتر نیز به کار گرفت. به طور مثال، برای براق کردن موها از آب لیمو استفاده می شود. یا از روغن زیتون برای مرطوب و چرب کردن پوست های خشک بهره گرفته می شود. یا مثلا عسل را می توان به عنوان درمانی برای رفع جوش و اکنه استفاده کرد. در همین راستا، در ادامه این مطلب چندین روش درمانی یا ماسک خانگی صورت را برایتان انتخاب کرده ایم که به بهبود هر چه بیشتر زیبایی و سلامت شما کمک شایانی خواند نمود
ReplyDeleteThank you for the valuable information.iam very much impressed with this one.
ReplyDeleteLooking forward for the good posts. Are you furthermore may trying to find Funny whatsapp group join list
openapkfile.xyz
ReplyDeleteupdate Reviews
ReplyDeleteReviews
I will be looking forward to your next post. Thank you
ReplyDeleteเทคโลโลยี 5G เร็ว แรง ไม่สะดุด ให้มากกว่า 10 เท่า
ReplyDeleteFor all my checking just as printing works whether in office or at home, I generally like to utilize HP printer. In any case, because of certain causes, I am confronting loads of issues identified with my HP printer and dont realize how to end them. In this way, I simply need to realize that, would i be able to confide in
123.hp.com/setup to fix my issues which are related with my HP printer.
Very Helpful Article. Super bull It might help you. Super bull Thanks For Sharing
ReplyDeleteSuper bull Thank you very much.
AGEN BOLA TERPERCAYA
ReplyDeleteKAMUBET – SITUS JUDI BOLA, TOGEL ONLINE, DAN AGEN CASINO
======SPORTBOOK======
- SBOBET | AFB88 | IBCBET -
Minimal Bet Parlay : Rp 3.000
Minimal Single Bet : Rp 10.000
======DISKON TOGEL======
2D – 29.75% X 70
3D – 59.50% X 400
4D – 66.00% X 3000
======PROMO=====
BONUS WELCOME DEPOSIT 50% SLOT GAMES
BONUS NEXT DEPOSIT 10%
BONUS ROLLINGAN CASINO 1%
BONUS CASHBACK SLOT GAMES UP TO 5%
BONUS CASHBACK SPORTBOOK 10%
=========================
Minimal Deposit : Rp 10.000
Minimal Withdraw : Rp 50.000
Minimal Deposit Pulsa : Rp. 15.000
Proses Deposit dan Withdraw hanya 2 Menit
======HUBUNGI KAMI======
Link : 178.128.120.230
Whatsapp - +855882285275
Instagram : @kamubet77
Facebook : @kamubet888
Twitter : @kamubet
Line – Kamubet
Wechat – Kamubet
https://openbinfiles.xyz
ReplyDeleteدانلود آهنگ جدید
ReplyDeleteدانلود آهنگ
دانلود اهنگ
I am working as a SEO Analyst.My blog gives information about latest
ReplyDeletetechnologies and IT Courses.
IT Education
ReplyDeleteI am working as a SEO Analyst.My blog gives information about latest
technologies and IT Courses.
IT Education
Open bin files
ReplyDeletetiktok name generator
ReplyDeleteTikTok Names
best tiktok names
aesthetic tiktok names
tiktok creator name
bio for tiktok
tiktok usernames search
alt tiktok username ideas
musically name generator
Loud Updates
I will be looking forward to your next post. Thank you
ReplyDeleteแทงหวยออนไลน์ คือสิ่งที่น่าสนใจที่สุด "
Watch Chiefs Game Live
ReplyDeleteWatch Bears Game Live
Watch Raiders Game Live
Watch Steelers Game Live
Watch Rams Game Live
GB WhatsApp Apk
ReplyDeleteHow To Update GB Whatsapp
GB WhatsApp Latest
How To Install Whatsapp Mod Apk
I will be looking forward to your next post. Thank you
ReplyDeleteหวยออนไลน์ ถูกกฎหมาย ปลอดภัยต่อการเล่น ตอบโจทย์ดีในปัจจุบัน "
This is my blog. Click here.
ReplyDeleteรอบรู้เรื่องคาสิโนออนไลน์"
Wow! That's amazing, so amazing information, and it's definitely useful for people who need it. Thanks for the information. Hi, I am a developer of online money making websites. I have great pleasure and willingness to offer you unlimited happiness, we provide a wide variety of games Huay VIP such as more than 200 slots, baccarat, the most stable and secure financial system. Support all systems, apply for new members, receive free credit immediately.
ReplyDeleteหวย อภิโชค หวยออนไลน์ ความสนุกรูปแบบใหม่ อัตรจ่ายสูงที่สุดในไทย เรียนรู้ง่าย สมัครง่าย เล่นง่าย ได้เงินจริง สล็อต สามารถเลือก ซื้อเลขเด็ด ของคุณได้ง่าย เรามีคอลเซนเตอร์ คอยให้บริการ ตลอด 24 ชั่วโมง
ReplyDelete
ReplyDeletethis game is good pg slot
this game is good joker
this game is good joker123
this game is good joker gaming
this game is good pgslot auto
this game is good pg slot
this game is good joker
this game is good joker123
this game is good joker gaming
this game is good pgslot auto
this game is good pgslot
I truly inspired after studied this since of a few quality work and enlightening considerations. I fair wanna say much obliged for the author and wish you all the finest for coming! Quality 3d laser scanner Vancouver, BC
ReplyDeleteInterpages
ReplyDeleteGuest Blogger
Guest Blogging Site
Guest Blogging Website
Guest Posting Site
Good aticle สล็อตjoker xo แปะแมว บัคฟรีเกมแบบ งงๆ ไม่เคยเจอมาก่อน
ReplyDelete
ReplyDeleteamazing and outstanding post
Best Printer Support Services in USA
HP Printer Support Service USA
Brother Printer Support Service
Suggest good information in this message, click here.
ReplyDeletegolferstyleyoyaku.com"
kopithecat25.wixsite.com/horo01"
Interpages
ReplyDeleteGuest Blogger
Guest Blogging Site
Guest Blogging Website
Guest Posting Site
Yami immigration is a well-known and experienced immigration consultant in Surat. We provide Immigration Services for many countries such as Italy, Canada, France, Australia, Germany, USA, Malaysia, New Zealand, and Singapore.
ReplyDeleteDr. Vivek Galani is a leading expert in skin and hair. At hair transplant clinic in Surat Skin Care, Cosmetic Laser, Hair Transplant & Slimming Center, Dr. Galani offers the most advanced cosmetic and dermatologic care treatments. The clinic uses advanced FUE methods to produce high-quality hair transplants.
ReplyDeleteKeytexmachines is leading CNC Machining Job Work in surat With Excellent Quality, Cost Effective Price & Prompt Delivery. CNC Machining Job Work, CNC Turning Job Work, CNC Machine Service offered by Keytex machines, Surat.
ReplyDeleteSlot Game Click Here! SLOT
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine. Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteThe Vintage Garments is leading t shirt manufacturer. Buy online latest T-shirts, Sarees, kurties, tops, dress, tracks at wholesale price
ReplyDeleteSlot Game SLOT
ReplyDeleteFunny Game Click Here! SUPERSLOT
ReplyDeleteSlot Game SLOTPG
ReplyDeleteSlot Game Click Here! SLOT
ReplyDeleteNice Blog. Thanks for sharing with us. Such amazing information.
ReplyDeleteNever Avoid these SEO Tips to Grow your Business Online
Interpages
Guest Blogger
Guest Blogging Site
Guest Blogging Website
Guest Posting Site
Trueline Solution is leading Digital Marketing Company in Surat that provides services like SEO, SMM, ASO, SMO, PPC and many other digital marketing services and development services.
ReplyDelete
ReplyDeletegreat post! thank you. if you want you can check out on this website to buy packaging machines. جت پرینتر صنعتی
دستگاه بسته بندی
دستگاه تاریخ زن دستی
Funny Game Click Here! SUPERSLOT
ReplyDeletesqlyog ultimate crack
ReplyDeleteFunny Game Click Here! SUPERSLOT
ReplyDeleteGood Game SLOTPG
ReplyDeleteLaxmi pipe Industries is leading ss pipe manufacturer . We are also manufactures and exporter of steel pipes & tubes.
ReplyDeleteGood Game SLOT PG
ReplyDeleteยินดีต้อนรับสู่ UPLAY365.COM เว็บพนันออนไลน์ All In One ที่รวมเว็บพนันออนไลน์อันดับ 1 ไว้ที่เดียวกันมากที่สุด ไม่ว่าจะเป็น เกมส์ไพ่ ที่เป็นที่นิยม เช่นบาคาร่า แบล็คแจ็ค เสือมังกร หรือจะเป็น รูเล็ต สล็อตออนไลน์ คีโน โป๊กเกอร์ forex ไก่ชน เกมส์ยิงปลา แทงบอล แทงบาส เทนนิส ESPORT แทงมวยไทย และอื่นๆอีกมากมาย พร้อมเทคโนโลยีชั้นนำจากผู้ผลิตซอฟต์แวร์เกมส์ระดับโลก ความน่าเชื่อถือได้มาเป็นอันดับ 1 สามารถเล่นได้ทั้งบนคอมพิวเตอร์ , มือถือ ระบบ android และ IOS *คาสิโนออนไลน์ : สามารถเลือกเล่นกับคาสิโนชั้นนำดังนี้ SexyBaccarat, AG Casino, GOLD Casino, SA Casino, W88 Casino, D88 Casino, WM Casino, GD Casino เป็นต้น *แทงบอล : U กีฬา (U SPORTS) , S กีฬา (S SPORTS) มั่นใจได้เลยว่า อัตราการจ่ายค่าน้ำดีที่สุดต้อง uplay365 เหมาะสำหรับทั้งนักพนันมืออาชีพและ มือใหม่ โดยทางเรามีพนักงานคอยสอนเรื่องการแทงบอลเบื้องต้น แทงง่าย อัตราจ่ายดี *สล็อตออนไลน์ ,เกมส์ยิงปลา : JOKER123,PLAYTECH และอื่นๆ อีกมากมาย ทั้งหมดนี้ สามารถเล่นได้ใน 1 ยูสเซอร์เท่านั้น สนใจสมัครสมาชิกรับเครดิตฟรี สามารถสมัครได้ตนเองที่หน้าเว็บ หรือติดต่อ Callcenter โดย ทางเรามีพนักงานไว้บริการและแก้ปัญหา ตลอด 24 ชั่วโมง สอบถามข้อมูลเพิ่มเติมได้กับแอดมินได้ตลอด 24 ชม.ค่ะ
ReplyDeleteEVO Club
SA Casino
ReplyDeleteThank you for your sharing. Thanks to this blog I can learn more things. Expand your knowledge and abilities. Actually the article is very practical. Thank you.If you are the one looking for technical help in Roadrunner Email then call us today at Roadrunner Support Number and get connected with our award-winning team of Roadrunner Email. They are capable of resolving the technical bugs and issues.
Roadrunner Email Not Working
Change Roadrunner Password
Reset Roadrunner Password
TWC Email Not Working
RR Email Login Problems
RR Email App Not Working
Recover Forgot Spectrum Email Password
Change Spectrum WiFi Password
Forgot Spectrum WiFi Password
It was a very good article. Thank you for posting this good content.
ReplyDeleteحضرات
สล็อต
ReplyDeletesuperslotแจกเครดิตฟรี
ReplyDeletesuperslotแจกเครดิตฟรี
ReplyDeleteสล็อต
ReplyDeleteสล็อต
ReplyDeleteบาคาร่า sexygame.game
ReplyDeletegreat content odin (firmware flashing software)
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine . Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine . Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine . Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine . Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine . Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteGood PGกดเพื่อดู
ReplyDeleteMGWIN88 ให้บริการ บาคาร่า เว็บพนันออนไลน์
ReplyDeleteคาสิโนออนไลน์ มีเกมให้เลือกเล่นมากมาย สล็อต บาคาร่า รูเล็ต เกมไพ่ ยิงปลา ฝาก ถอน โอนไว ที่สุดในไทย
แอดไลน์ รับเครดิตฟรี 500 ไม่ต้องฝาก >> : @MGWIN
We offer the types of assistance of assignment help online to the students who need help from our writing experts. Our expert specialists give different sorts of advantages by which the students can get the best grades in their assignments. Our Assignment Helper have faith in finishing the assignment inside the given time just as before deadlines with the master's help. We never miss the deadlines that make us quick assignment supplier to give the assignment writing services. Our services of assignment help online spare the students' significant time which the students can put resources into another significant subject.
ReplyDeleteVisit www.office.com/setup in your browser and Select the subscription you want to renew and then choose Renew now to pay now for a full year of Office 365 or Renew with a monthly subscription to pay for a month at a time.
ReplyDeleteYou can reinstall or install Microsoft Office Setup at office.com/setup
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Making Machine. Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine. Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteDr. Vivek Galani is a leading expert in skin and hair. At hair transplant clinic in Surat Skin Care, Cosmetic Laser, Hair Transplant & Slimming Center, Dr. Galani offers the most advanced cosmetic and dermatologic care treatments. The clinic uses advanced FUE methods to produce high-quality hair transplants.
ReplyDeleteKeytexmachines is leading CNC Machining Job Work in surat With Excellent Quality, Cost Effective Price & Prompt Delivery. CNC Machining Job Work, CNC Turning Job Work, CNC Machine Service offered by Keytex machines, Surat.
ReplyDeleteLaxmi pipe Industries is leading ss pipe manufacturer . We are also manufactures and exporter of steel pipes & tubes.
ReplyDeleteFall for the luxurious Hugo Boss perfume for men and women on Active Care Store. Our collection of perfumes is pleasant with exquisite fragrances. These perfumes are for those who want to live life on their terms and conditions.
ReplyDeleteapk file for pc
ReplyDeleteapk file for pc
ReplyDeletehow to become limitless
ReplyDeleteHow to Calculate Which Risk to Take
Hello. I found your blog using msn. This is a really well written article. I'll bookmark it and go back and read more of your helpful info. Thanks for the post I will come back for sure. biogaming
ReplyDelete
ReplyDeletePlaying video games as a child can make you smarter
It’s official: a study shows that if you played video games growing up, it helped your intelligence as an adult.
npshop
ReplyDeletejoomlaforum
codecademy
wikidot
envato
change
wikihow
sourceforge
habr
crunchyroll
ReplyDeletepnuna
itssa
iranmicro
detik
mellifera
cookpad
persianseven
ipresta
1roman
kelidestan
progforum
ReplyDelete6Rgeiq
gd
tomsguide
addicts
elotrolado
mydramalist
cosmo
videohelp
dailystrength
ReplyDeletemacrumors
hobbyconsolas
animenewsnetwork
taringa
idfl
neowin
similarweb
digit
enjin
ReplyDeletebitcointalk
kodi
lyricstrans
openclassroom
gry-onlin
ardforum
aminoapps
razer
kaskus
tinhte
I wish more authors of this type of content would take the time you did to research and write so well. I am very impressed with your vision and insight. 먹튀검증
ReplyDelete
ReplyDeleteloxblog
farsiblog
hellonews
nasim
monoblog
avablog
networknews
rozblog
aramblog
blogspot
Hiring someone for the assignment, you need to go especially for someone with the native touch. The accounting techniques and policies of different nations are different. Get the Online accounting assignment help from someone who is well versed with the accounting technique of your native country. You cannot go for an accounting assignment help from a European for your Asian college! Every country has its own accounting techniques and to finish everything properly, you need to hire someone with a proper idea of the accounting techniques of your country
ReplyDeleteIf you want to read Quran with perfect tajweed rules so you should enroll in online quran classes for kids..
ReplyDelete
ReplyDeleteseforum
iniaturehorsetal
imatepheasanthu
over
hrono
ommunity
fo
gravity
zenstudios
gfo
ReplyDeletegforum
tep
afte
oru
ilykit
ummypet
enretrieve
xerforu
คาสิโนออนไลน์ 928bet ฟรีเครดิต คัดสรรค์เกมส์คาสิโนออนไลน์บนมือถือ สุดยอดเกมส์ยอดนิยมจากทั่วทุกมุมโลก มารวมไว้ในที่เดียว ที่จะทำให้ลูกค้าทุกท่านได้เพลิดเพลิน สนุกตื่นเต้น เร้าใจ ลุ้นโชค ลุ้นเงินรางวัลก้อนโตที่อาจจะทำให้ทุกท่าน รวย ในเวลาอันรวดเร็ว
ReplyDeleteVery good article post. Really looking forward to read more. Really Cool. 토토
ReplyDeleteYour style is very unique compared to other people I’ve read stuff from. Thanks for posting when you have the opportunity, Guess I will just bookmark this page 경마
ReplyDeleteMy brother suggested I may like this blog. He used to be totally right.
ReplyDeleteThis post actually made my day. 사설토토
gforstre
ReplyDeletegforumta
alpha
rezaeian
gamefa
ilitaykit
uvarshavsko
servinore
xafaclub
ReplyDeletegfertalko
apoi
tetopostudip
afunityte
oraftfox
ilyshdotkit
swaqc
enretrietove
ebin
grosportsfo
ReplyDeletegtchfab
ssu
onedi
onelyplane
ilyhevekit
umalfak
ve
xllifera
I simply could not go away your web site prior to suggesting that I extremely enjoyed the standard info a person supply for your guests?
ReplyDeleteIs gonna be back ceaselessly in order to check out new posts 토토
Hello! This is my first visit to your blog! This is my first comment here, so I just wanted to give a quick shout out and say I genuinely enjoy reading your articles. Skindex
ReplyDeletemanjaro
ReplyDeletefcp
temousep
burningwheel
level1techs
petmousefanci
neidentity
waypoint
soompi
overclock
ReplyDeletegforumorum
nreionline
rememberthemi
trackmustangsonline
ithecowsarse
cracked
huntedcow
csdatacommunit
Get the best Dispatch riders in lagos here
ReplyDeletedispatch riders in Lagos
dispatch riders Lagos
gfgeso
ReplyDeletegforooum
tagesep
aftgooge
oroogu
ilykiagest
ummypegoogt
enretriegoogve
xoogerforu
gfooooo
ReplyDeletegfogesrum
teoglep
aftgooge
oooglru
ihsshlykit
umagemypet
enretoglrieve
xerfogooru
ggoog
ReplyDeletegfomagerum
tegoop
afteoogl
oruoogl
ilykgesit
ummypyjyyet
enretriehhsshshve
xerforumsg