What is Stuxnet?
First of all, it's important (and a bit hilarious) to know the story behind Stuxnet. If you're researching Stuxnet for the first time, it's really easy to get confused. There's finger pointing, claims, supposed "confirmed sources", etc, left and right. I'll briefly go over it. For example:
Confirmed: US and Israel created Stuxnet, lost control of it.
The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet.Obama Order Sped Up Wave of Cyberattacks Against Iran.
Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.US unleashed Stuxnet cyber war on Iran to appease Israel – report.
The US and Israel made the Stuxnet virus as a new kind of weapon targeted against Iran, a media investigation revealed. The operation reportedly started in the Bush era, but was intensified by Obama administration.Snowden confirms NSA created Stuxnet with Israeli aid.
“The NSA and Israel wrote Stuxnet together,” Snowden told Applebaum in the interview that was carried out in May.The big TLDR is here - Operation Olympic Games.
My initial reaction was "What the hell am I reading?", and it still sort of is. It goes on and on. All in all, after reading the above, you're likely inclined to believe that the US (and maybe even Israel) were behind Stuxnet. Whether or not this is true is a story for another day, although it's easier to lean towards 'yes' than it is to 'no'. The reason for this is due to the fact that Stuxnet as I discussed above used four zero-day flaws within Windows. It's a pretty big deal when malware exploits one zero-day flaw within the OS, but four is extremely high.
It's also pretty laughable to think that Stuxnet was created by amateurs not invested in any sort of organization regarding cyber warfare, etc of some sort, or amateurs in general. A lot of amateurs make malware for a lot of reasons, but causing nuclear centrifuges to commit suicide is pretty advanced. Aside from the many reasons to believe the answer is yes, some may lean towards no, and it's largely due to the fact that most cannot imagine the US and Israel working closely together to create something like Stuxnet.
I digress, and in any case, I'm not here to discuss politics or debate the true creator(s), so let's just get to the part where we talk about what Stuxnet was primarily created for. Stuxnet is a worm that was developed primarily to target industrial PLCs, which led to the nuclear centrifuges ultimately destroying themselves. The malware obviously couldn't be outright sent to the nuclear facilities themselves, so this is where its USB attack vector comes into play. More notably known as a supply chain attack:
So the creators of Stuxnet, they were thinking that these companies would do some communications with power plant workers; maybe exchange with USB devices. That’s probably how Stuxnet infected the system.
In the end, Stuxnet ended up destroying nearly one-fifth of Iran's centrifuges. In November 2010, it was reported that uranium enrichment within the Natanz nuclear facility had halted several times due to severe technical issues.
User-Mode
Stuxnet has two ways of injecting itself into the address space of a process and then executing exported functions. Stuxnet's user-mode modules are implemented as DLLs, and the first method is done by injecting itself into a preexisting process.
Preexisting Process Inject
1. Allocates a memory buffer in the calling process for the modules to be loaded.
2. Patches ntdll and hooks the following APIs:
- ZwQueryAttributesFile.
- ZwQuerySection.
Here's what a clean (unpatched) ntdll MZ header looks like:
We can see some of these hooks in action:
We can see some of these hooks in action:
ServiceDescriptor n°0
---------------------
ServiceTable : nt!KiServiceTable (804e26a8)
ParamTableBase : nt!KiArgumentTable (80510088)
NumberOfServices : 0000011c
Index Args Check System call
----- ---- ----- -----------
0019 0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)
0029 0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)
0032 0007 HOOK-> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)
0035 0008 HOOK-> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)
003F 0001 HOOK-> f8c575db ##### Original -> nt!NtDeleteKey (805952be)
0041 0002 HOOK-> f8c575e5 ##### Original -> nt!NtDeleteValueKey (80592d50)
0044 0007 HOOK-> f8c57617 ##### Original -> nt!NtDuplicateObject (805715e0)
0062 0002 HOOK-> f8c575ea ##### Original -> nt!NtLoadKey (805aed5d)
007A 0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)
0080 0004 HOOK-> f8c575bd ##### Original -> nt!NtOpenThread (8058a1bd)
00B1 0006 HOOK-> f8c5763f ##### Original -> nt!NtQueryValueKey (8056a1f1)
00C1 0003 HOOK-> f8c575f4 ##### Original -> nt!NtReplaceKey (8064f0fa)
00C8 0003 HOOK-> f8c57630 ##### Original -> nt!NtRequestWaitReplyPort (80576ce6)
00CC 0003 HOOK-> f8c575ef ##### Original -> nt!NtRestoreKey (8064ec91)
00D5 0002 HOOK-> f8c5762b ##### Original -> nt!NtSetContextThread (8062dcdf)
00ED 0003 HOOK-> f8c57635 ##### Original -> nt!NtSetSecurityObject (8059b19b)
00F7 0006 HOOK-> f8c575e0 ##### Original -> nt!NtSetValueKey (80572889)
00FF 0006 HOOK-> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)
0101 0002 HOOK-> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)
If we for example go ahead and disassemble our hooked nt!NtClose function, we see the following:
lkd> u 0xFFFFFFFFF8C5761C L1
f8c5761c e92d8b23fe jmp f6e9014e
We have a hook regarding nt!NtClose and a jump. Classic rootkit behavior. Let's go further and dump the IAT by loading notepad.exe into OlyDbg and viewing executable modules:
Address Section Type ( Name Comment
0100102C .text Import ( GDI32.AbortDoc
0100131C .text Import msvcrt._acmdln
0100132C .text Import msvcrt._adjust_fdiv
01001300 .text Import ( msvcrt._cexit
01001204 .text Import ( USER32.CharLowerW
01001244 .text Import ( USER32.CharNextW
010011C0 .text Import ( USER32.CharUpperW
01001248 .text Import ( USER32.CheckMenuItem
01001230 .text Import ( USER32.ChildWindowFromPoint
010012D0 .text Import ( comdlg32.ChooseFontW
0100124C .text Import ( USER32.CloseClipboard
010010F8 .text Import ( KERNEL32.CloseHandle
010012B8 .text Import WINSPOOL.ClosePrinter
010012E0 .text Import ( comdlg32.CommDlgExtendedError
010010EC .text Import ( KERNEL32.CompareStringW
0100133C .text Import ( msvcrt._controlfp
01001040 .text Import ( GDI32.CreateDCW
01001214 .text Import ( USER32.CreateDialogParamW
010010B4 .text Import ( KERNEL32.CreateFileMappingW
01001104 .text Import ( KERNEL32.CreateFileW
01001064 .text Import ( GDI32.CreateFontIndirectW
01001020 .text Import ( COMCTL32.CreateStatusWindowW
010011E0 .text Import ( USER32.CreateWindowExW
010012F4 .text Import ( msvcrt._c_exit
010011A4 .text Import ( USER32.DefWindowProcW
01001034 .text Import ( GDI32.DeleteDC
01001158 .text Import ( KERNEL32.DeleteFileW
01001068 .text Import ( GDI32.DeleteObject
010011A8 .text Import ( USER32.DestroyWindow
01001198 .text Import ( USER32.DialogBoxParamW
01001294 .text Import ( USER32.DispatchMessageW
0100117C .text Import ( SHELL32.DragAcceptFiles
01001174 .text Import ( SHELL32.DragFinish
01001178 .text Import ( SHELL32.DragQueryFileW
01001210 .text Import ( USER32.DrawTextExW
0100125C .text Import ( USER32.EnableMenuItem
0100120C .text Import ( USER32.EnableWindow
01001288 .text Import ( USER32.EndDialog
01001030 .text Import ( GDI32.EndDoc
01001028 .text Import ( GDI32.EndPage
01001054 .text Import ( GDI32.EnumFontsW
01001308 .text Import ( msvcrt._except_handler3
010012F0 .text Import ( msvcrt._exit
01001318 .text Import ( msvcrt.exit
0100111C .text Import ( KERNEL32.FindClose
01001120 .text Import ( KERNEL32.FindFirstFileW
010012C8 .text Import ( comdlg32.FindTextW
010010F4 .text Import KERNEL32.FoldStringW
0100114C .text Import ( KERNEL32.FormatMessageW
0100115C .text Import ( KERNEL32.GetACP
01001188 .text Import ( USER32.GetClientRect
01001114 .text Import ( KERNEL32.GetCommandLineW
010010C0 .text Import ( KERNEL32.GetCurrentProcess
0100110C .text Import ( KERNEL32.GetCurrentProcessId
0100108C .text Import ( KERNEL32.GetCurrentThreadId
01001238 .text Import ( USER32.GetCursorPos
010010A0 .text Import ( KERNEL32.GetDateFormatW
01001194 .text Import ( USER32.GetDC
010011E4 .text Import ( USER32.GetDesktopWindow
01001060 .text Import ( GDI32.GetDeviceCaps
0100122C .text Import ( USER32.GetDlgCtrlID
01001274 .text Import ( USER32.GetDlgItem
01001284 .text Import ( USER32.GetDlgItemTextW
01001124 .text Import ( KERNEL32.GetFileAttributesW
010010B0 .text Import ( KERNEL32.GetFileInformationByHandle
010012D4 .text Import ( comdlg32.GetFileTitleW
010011E8 .text Import ( USER32.GetFocus
010011B4 .text Import ( USER32.GetForegroundWindow
010011A0 .text Import ( USER32.GetKeyboardLayout
01001138 .text Import ( KERNEL32.GetLastError
010010D8 .text Import ( KERNEL32.GetLocaleInfoW
01001098 .text Import ( KERNEL32.GetLocalTime
01001320 .text Import msvcrt.__getmainargs
01001264 .text Import ( USER32.GetMenu
01001258 .text Import ( USER32.GetMenuState
010012A8 .text Import ( USER32.GetMessageW
010010CC .text Import ( KERNEL32.GetModuleHandleA
0100105C .text Import ( GDI32.GetObjectW
010012D8 .text Import ( comdlg32.GetOpenFileNameW
0100128C .text Import ( USER32.GetParent
010012B4 .text Import WINSPOOL.GetPrinterDriverW
01001110 .text Import ( KERNEL32.GetProcAddress
010012E4 .text Import ( comdlg32.GetSaveFileNameW
010010D0 .text Import ( KERNEL32.GetStartupInfoA
01001058 .text Import ( GDI32.GetStockObject
01001260 .text Import ( USER32.GetSubMenu
010011CC .text Import ( USER32.GetSystemMenu
0100121C .text Import ( USER32.GetSystemMetrics
010010B8 .text Import ( KERNEL32.GetSystemTimeAsFileTime
0100103C .text Import ( GDI32.GetTextExtentPoint32W
01001048 .text Import ( GDI32.GetTextFaceW
0100106C .text Import ( GDI32.GetTextMetricsW
01001090 .text Import ( KERNEL32.GetTickCount
010010A4 .text Import KERNEL32.GetTimeFormatW
0100109C .text Import ( KERNEL32.GetUserDefaultLCID
01001150 .text Import KERNEL32.GetUserDefaultUILanguage
01001270 .text Import ( USER32.GetWindowLongW
010011BC .text Import ( USER32.GetWindowPlacement
01001218 .text Import ( USER32.GetWindowTextW
010010D4 .text Import ( KERNEL32.GlobalFree
010010A8 .text Import ( KERNEL32.GlobalLock
010010AC .text Import ( KERNEL32.GlobalUnlock
01001324 .text Import msvcrt._initterm
01001224 .text Import ( USER32.InvalidateRect
01001250 .text Import ( USER32.IsClipboardFormatAvailable
010012A0 .text Import ( USER32.IsDialogMessageW
010011B8 .text Import ( USER32.IsIconic
0100100C .text Import ADVAPI32.IsTextUnicode
01001304 .text Import ( msvcrt.iswctype
010011C8 .text Import ( USER32.LoadAcceleratorsW
010011D8 .text Import ( USER32.LoadCursorW
010011EC .text Import ( USER32.LoadIconW
010011D4 .text Import ( USER32.LoadImageW
010010C8 .text Import ( KERNEL32.LoadLibraryA
010011C4 .text Import ( USER32.LoadStringW
010010E0 .text Import ( KERNEL32.LocalAlloc
010010DC .text Import ( KERNEL32.LocalFree
010010F0 .text Import ( KERNEL32.LocalLock
01001148 .text Import ( KERNEL32.LocalReAlloc
01001134 .text Import ( KERNEL32.LocalSize
010012FC .text Import ( msvcrt.localtime
010010E8 .text Import ( KERNEL32.LocalUnlock
01001074 .text Import ( GDI32.LPtoDP
01001118 .text Import ( KERNEL32.lstrcatW
01001108 .text Import ( KERNEL32.lstrcmpiW
01001128 .text Import ( KERNEL32.lstrcmpW
01001130 .text Import ( KERNEL32.lstrcpynW
010010FC .text Import ( KERNEL32.lstrcpyW
010010E4 .text Import ( KERNEL32.lstrlenW
01001168 .text Import ( KERNEL32.MapViewOfFile
010011AC .text Import ( USER32.MessageBeep
01001268 .text Import ( USER32.MessageBoxW
0100739D .text Export <ModuleEntryPoint>
01001220 .text Import ( USER32.MoveWindow
0100112C .text Import ( KERNEL32.MulDiv
01001164 .text Import ( KERNEL32.MultiByteToWideChar
01001254 .text Import ( USER32.OpenClipboard
010012BC .text Import WINSPOOL.OpenPrinterW
010012C4 .text Import comdlg32.PageSetupDlgW
01001208 .text Import ( USER32.PeekMessageW
010012A4 .text Import ( USER32.PostMessageW
010011F4 .text Import ( USER32.PostQuitMessage
010012CC .text Import comdlg32.PrintDlgExW
01001330 .text Import msvcrt.__p__commode
01001334 .text Import msvcrt.__p__fmode
01001094 .text Import ( KERNEL32.QueryPerformanceCounter
01001100 .text Import ( KERNEL32.ReadFile
01001004 .text Import ( ADVAPI32.RegCloseKey
01001008 .text Import ( ADVAPI32.RegCreateKeyW
010011D0 .text Import ( USER32.RegisterClassExW
010011F8 .text Import ( USER32.RegisterWindowMessageW
01001014 .text Import ( ADVAPI32.RegOpenKeyExA
01001010 .text Import ( ADVAPI32.RegQueryValueExA
01001000 .text Import ( ADVAPI32.RegQueryValueExW
01001018 .text Import ( ADVAPI32.RegSetValueExW
01001190 .text Import ( USER32.ReleaseDC
010012DC .text Import ( comdlg32.ReplaceTextW
01001234 .text Import ( USER32.ScreenToClient
01001084 .text Import ( GDI32.SelectObject
0100123C .text Import ( USER32.SendDlgItemMessageW
01001240 .text Import ( USER32.SendMessageW
01001044 .text Import ( GDI32.SetAbortProc
0100119C .text Import ( USER32.SetActiveWindow
01001070 .text Import ( GDI32.SetBkMode
0100118C .text Import ( USER32.SetCursor
0100127C .text Import ( USER32.SetDlgItemTextW
01001154 .text Import ( KERNEL32.SetEndOfFile
01001278 .text Import ( USER32.SetFocus
01001140 .text Import ( KERNEL32.SetLastError
01001080 .text Import ( GDI32.SetMapMode
01001200 .text Import ( USER32.SetScrollPos
010010C4 .text Import ( KERNEL32.SetUnhandledExceptionFilter
01001328 .text Import msvcrt.__setusermatherr
0100107C .text Import ( GDI32.SetViewportExtEx
01001078 .text Import ( GDI32.SetWindowExtEx
0100126C .text Import ( USER32.SetWindowLongW
010011DC .text Import ( USER32.SetWindowPlacement
010011F0 .text Import ( USER32.SetWindowTextW
010012AC .text Import ( USER32.SetWinEventHook
01001338 .text Import msvcrt.__set_app_type
01001180 .text Import ( SHELL32.ShellAboutW
010011B0 .text Import ( USER32.ShowWindow
01001314 .text Import ( msvcrt._snwprintf
01001050 .text Import ( GDI32.StartDocW
01001038 .text Import ( GDI32.StartPage
010010BC .text Import ( KERNEL32.TerminateProcess
0100104C .text Import ( GDI32.TextOutW
010012F8 .text Import ( msvcrt.time
0100129C .text Import ( USER32.TranslateAcceleratorW
01001298 .text Import ( USER32.TranslateMessage
0100116C .text Import ( KERNEL32.UnhandledExceptionFilter
01001290 .text Import ( USER32.UnhookWinEvent
01001160 .text Import ( KERNEL32.UnmapViewOfFile
010011FC .text Import ( USER32.UpdateWindow
01001310 .text Import ( msvcrt.wcsncmp
01001340 .text Import ( msvcrt.wcsncpy
01001144 .text Import ( KERNEL32.WideCharToMultiByte
01001228 .text Import ( USER32.WinHelpW
0100113C .text Import ( KERNEL32.WriteFile
01001280 .text Import ( USER32.wsprintfW
0100130C .text Import ( msvcrt._wtol
010012EC .text Import msvcrt._XcptFilter
The Import Address Table (IAT) is essentially just a table of jumps. It's used primarily as a lookup table when an application is calling a function in a different module. Compiled programs cannot know the memory locations of the libraries they depend on, therefore an indirect jump (jmp) is required whenever an API call is made.
In the above code we can see jumps to functions such as USER32.GetKeyboardLayout, which is a wrapper for the NtUserLoadKeyboardLayoutEx win32k syscall. This is in regards to Stuxnet's keyboard layout vulnerability (CVE-2010-2743), which is one of four exploitative ways used to escalate privileges in order to reach ring 0.
I would have loved to set a breakpoint on win32k!NtUserLoadKeyboardLayoutEx and trace the malware as it's extremely interesting, but setting breakpoints is not possible on an LKD session. I would have needed to break in to another physical machine (which I don't have), or set up a host > virtual COM port, which is a bit of a pain. I'll chalk it up to something to do on a rainy day. Call me lazy... I know.
3. Calls LoadLibraryW which is exported from kernel32.dll and passes it as a parameter for specially crafted file names such as: KERNEL32.DLL.ASLR.[HEX] or SHELL32.DLL.ASLR.[HEX]. Below we can see an example of a KERNEL32 variant:
4. Calls desired exported function.
5. Calls FreeLibrary function to free load library.
New Process Inject
The second method of injection is done through injecting a newly created process, as such:
1. Creates host process.
2. Replaces process image with the Stuxnet module to execute and with code that will load the module and call a specificed export passing parameters.
There's a few different image names that can be chosen as the host process for the module:
- lsass.exe - MSFT system process in charge of enforcing the security policy.
- avp.exe - Kaspersky.
- mcshield.exe - McAfee VirusScan.
- avguard.exe - Avira Personal Edition.
- bdagent.exe - Bitdefender Switch Agent.
- UmxCfg.exe - eTrust Configuration Engine (HIPS).
- fsdfwd.exe - F-Secure.
- rtvscan.exe - Symantec Real time Virus Scan Service.
- ccSvchst.exe - Symantec Service Framework.
- ekrn.exe - ESET Service Process.
- tmproxy.exe - TrendMicro (PC-cillin in Australia and Virus Buster in Japan).
Malware Execution and Infection
First of all, to even successfully execute the malware you need to set your system time to before June 24th, 2012. This is due to the fact that Stuxnet hard-coded a poison pill to fully delete itself on June 24th, 2012. This was most likely done with the original idea in mind that Stuxnet wouldn't escape the nuclear facilities, which would allow time for Stuxnet to be reversed and ultimately defeated.
This piece of malware wanted to stay inside nuclear facilities, target Siemens systems, cause large actual damage, spread to cause more damage, and then go ghost. Fortunately, it did happen to escape its intended environment (some even speculate deliberately) and was inevitably reversed and defeated long before its hard-coded deletion date.
First of all, let's take a pre-infected look at the system with Autoruns + Process Explorer:
(Ignore the file not found messages)
Note the checked filter options > Verify code signatures + Hide Microsoft entries.
Everything looks to be pretty normal, and nothing really out of the ordinary. We can see we have one instance of lsass.exe.
Now let's turn things up a bit by executing the malware, and then comparing our results from pre-infection:
We can see now within Autoruns we have two new services - MRxCls and MRxNet. These are Stuxnet's kernel-mode drivers which enable its rookit functionality.
One big thing about malware that surfaces to the face of the public media (for whatever reason, we'll assume popularity/intention) is that journalists love to spin it and give awkward buzzwords - Undefeatable, The Most Sophisticated Malware, etc. Was Stuxnet an elborate piece of code? Yes, absolutely. Not only was knowledge needed regarding your typical rootkit/Win development, but heavy reverse engineering knowledge regarding Semens software was necessary as well.
However, one of Stuxnet's biggest weak points was its immense lack of anti-debugging/reversing techniques. Among a slew of reasons such as zero VM obfuscation, you can literally use the default regedit to find the locations of both MRxCLS and MRxNet. For example:
This had led Stuxnet to be something of a joke among some reverse engneers and analysts, even moreso if you believe that it was created by [insert government]. It's hard to imagine [insert government] wouldn't go to any lengths at all to hide its malware, but then again you never really know, right? : ) I'll continue the discussion regarding its kernel-mode functionality a little later as I'd like to swing back to user-mode real quick.
I couldn't get Process Explorer to run after infection, as the VM would bugcheck. I have no idea why, and AFAIK Stuxnet doesn't employ anti-debugging against Sysinternals tools by any means, so it was likely a buggy sample. I digress, and used VMmap instead:
We can see there's now three instances of lsass.exe, two of which are fake (newly created host processes). So first off, which is our legitmate lsass.exe? Well, 2/3 are the only ones above 1xxx regarding PID, so let's assume the only one not above 1xxx is legitimate:
%2Bafter.png)
If sort by Protection regarding the tabs, we can see it's mostly Execute/Read which doesn't raise any red flags. Let's assume for the moment this is legitimate and take a look at another one:
%2Bafter.png)
Uh oh, we can see two instances of memory that was chosen to share from this lsass.exe that has Write permissions in addition to Execute and Read. When a process has all three, it's a huge red flag for a fake/compromised process. In addition, note how the Size>Commited>Total Working Set, etc are equal. We can now at this point determine PID 648 is legitimate, and PID 1812 is fake. We can also at this point then assume that PID 1840 is fake as well:
%2Bafter.png)
Yep! In this case, we have five instances of memory that was chosen to be shared with R/W/E permissions, in addition to ntdll with R/W/E permissions as well. Note the Size>Commited>Total Working Set, etc equals again as well. At this point we can fully determine 1812 and 1840 are our fake lsass.exe instances, and 1840 is in relation to the patching of ntdll.
Let's further compare the three images based on their strings:
%2Bafter.png)
(PID 648 - legit)
%2Bafter%2Btop.png)
(PID 1812 - fake #1)
Note we have quite the changes here, with the important being "!This program cannot run in DOS mode.". This is the classic MZ exe format used for .exe files within DOS. We can note the ASCII string - 4D. Let's take a look at the bottom of the string list:
%2Bafter%2Bbottom.png)
(PID 1812 - fake #1)
We can see a number of functions, such as InternetOpen. We can at this point determine the DLL was successfully injected into this image of lsass.exe.
We can of course expect similar results with PID 1840:
%2Bafter%2Btop.png)
(PID 1840 - fake #2)
We can also see abnormal termination of the NT Kernel, as well as a jmp:
Another big red flag of a malformed image.
Let's head back to discussing our kernel-mode drivers, MRxCls and MRxNet. As noted above, these two drivers aren't packed whatsoever with a protector nor packer, so inspecting them in-depth is painless:
First off, both of these drivers were digitally signed (albeit fake... what a surprise) to fool the user into believing it was a legitmate driver signed off as such by VeriSign. For example:
We can see MRxCls was fake-signed by VeriSign which claimed to be from Realtek. Realtek is obviously a legitimate company and releases lots of software/drivers for their products, such as audio, so this would fool a user if they ever questioned the legitimacy of the apparent MRxCls/Net drivers.
Using SwishDbgExt, let's dump the list of objects:
lkd> !ms_object
Object: \ (Directory)
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| Hdle | Object Type | Addr | Name |
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| 0000 | Directory | 0xFFFFFFFFE100D748 | ArcName |
| 0000 | Device | 0xFFFFFFFF821C75C0 | Ntfs |
| 0000 | Port | 0xFFFFFFFFE15EABB8 | SeLsaCommandPort |
| 0000 | Key | 0xFFFFFFFFE1010478 | \REGISTRY |
| 0000 | Port | 0xFFFFFFFFE186B9E8 | ThemeApiPort |
| 0000 | Port | 0xFFFFFFFFE1B05230 | XactSrvLpcPort |
| 0000 | Directory | 0xFFFFFFFFE15AA4B8 | NLS |
| 0000 | SymbolicLink | 0xFFFFFFFFE1008748 | DosDevices |
| 0000 | Port | 0xFFFFFFFFE13D4B68 | SeRmCommandPort |
| 0000 | Port | 0xFFFFFFFFE173BA00 | LsaAuthenticationPort |
| 0000 | Device | 0xFFFFFFFF82063A90 | Dfs |
| 0000 | Event | 0xFFFFFFFF821EF5C0 | |
| 0000 | Directory | 0xFFFFFFFFE100E838 | Driver
Notice the strange 'Driver' object with a 'Directory' type. Let's take a look:
lkd> !ms_object 0xFFFFFFFFE100E838
Object: Driver (Directory)
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| Hdle | Object Type | Addr | Name |
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| 0000 | Driver | 0xFFFFFFFF8231ECC0 | \Driver\Beep |
| 0000 | Driver | 0xFFFFFFFF821C72C0 | \Driver\NDIS |
| 0000 | Driver | 0xFFFFFFFF821D39C0 | \Driver\KSecDD |
| 0000 | Driver | 0xFFFFFFFF82198F38 | \Driver\Mouclass |
| 0000 | Driver | 0xFFFFFFFF82245410 | \Driver\Raspti |
| 0000 | Driver | 0xFFFFFFFF81F18768 | \Driver\es1371 |
... |
| 0000 | Driver | 0xFFFFFFFF81EA2880 | \Driver\MRxCls |
| 0000 | Driver | 0xFFFFFFFF821DE4A0 | \Driver\PCnet |
| 0000 | Driver | 0xFFFFFFFF81F0FAE8 | \Driver\MRxNet
Let's dump the driver object information for MRxNet:
lkd> !drvobj 81f0fae8
Driver object (81f0fae8) is for:
\Driver\MRxNet
Driver Extension List: (id , addr)
Device Object list:
820ee288 81f10020 81ebac80 82136298
82302298 82339be0 821bb500 821996c0
821bc238 8224a9d0
We can see MRxNet has a lot of device objects, so let's check one:
lkd> !devobj 81ebac80
Device object (81ebac80) is for:
\Driver\MRxNet DriverObject 81f0fae8
Current Irp 00000000 RefCount 0 Type 00000003 Flags 00000080
DevExt 81ebad38 DevObjExt 81ebad40
ExtensionFlags (0000000000)
AttachedTo (Lower) 821d4450 \FileSystem\Cdfs
Stuxnet creates new device objects and attaches to the device chain for each device object. As we can see, Stuxnet attached to cdfs.sys, which is part of the filesystem, specifically the CD-ROM filesystem driver. Other filesystem drivers it attaches to are: ntfs.sys, and fastfat.sys. After attaching, Stuxnet manages the driver object, which in turn provides Stuxnet with the ability to succesfully intercept IRP requests.
Other than checking regedit, we can also confirm the existence of the MRxCls service within the registry using the !dreg command, which displays formatted registry key information. Before we do this however, we need to load ntsdexts.dll, or we'll get the following:
lkd> !dreg System\CurrentControlSet\Services
No export dreg found
This is due to the fact that ntsdexts.dll isn't of course loaded in the extension DLL chain list:
lkd> .chain
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]
After loading it however with .load ntsdexts, we can then see it's in the list:
lkd> .chain
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:08 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]
Let's now run !dreg again with our path to MRxCls:
lkd> !dreg System\CurrentControlSet\Services\MRxCls
Subkey: Enum
There it is, and we can see its subkey is Enum. We can confirm that looking back at the screenshot of its registry location above from earlier.
Here were the overall changes in the registry comparing pre-infection > post-infection:
----------------------------------
Keys deleted: 23
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\ControlSet001\Services\MRxCls
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum
HKLM\SYSTEM\ControlSet001\Services\MRxNet
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell
----------------------------------
Values deleted: 110
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Data: 8F 1F F7 6D 7D B1 C9 09 9D CC 24 7A C6 9F FB 23 90 BD 9D BF F1 D4 51 92 2A B4 1F 6A 2E A6 4F B3 CB 69 7C 0B 92 3B 1B C0 D7 75 17 A9 E3 33 48 DC AD F6 DA EA 2F 87 10 C4 21 81 A5 75 68 00 2E B1 C2 7B EB DD BB 72 47 DC 87 91 14 A5 F3 C4 32 B0 CC 93 38 36 6B 49 0A F2 6F 1F 1D A1 4A 15 05 80 4B 13 A8 AA 82 41 4B 89 DC 89 24 A2 ED 16 37 F3 42 A9 A0 6A 7F 82 CD 90 E5 3C 49 CC B2 97 CA CB 7B 64 C1 48 B2 4C F5 AE 54 42 74 0F 00 31 FD 80 E8 7E 0E 69 12 42 3A EC 0F 6F 03 B8 46 9C 68 97 AC 62 16 FB 1A 1B D9 33 6C E8 F9 93 C3 56 54 A1 89 7A 7B 77 CE BA 0D 95 A7 0F AB 5E 1C 3C 18 63 AE 3E 60 A6 81 BC FA 85 FB 37 A0 0A 57 F9 C9 D3 CF 6B 41 D9 6D CD 39 71 C5 11 83 F1 D9 F3 7D B7 91 F7 70 46 C2 24 F7 B9 0F 2D B2 60 72 1C 8F F9 98 16 34 52 4B 7D 5F 81 5F 35 FD 8B 3E 78 B1 0B 0A 90 5A D8 30 5A 56 90 9A C0 C1 0F EB 95 D5 2F B7 C5 8D 2B 3F 49 41 8B 86 B4 DB 71 67 69 E6 E8 69 77 29 77 18 82 11 8B D7 5D 26 E4 5A 5C 2C 46 C2 F0 02 28 D8 EA 4B 95 9C 3A 3C 12 DA
C4 87 21 91 4F D0 6E FA C4 DD B7 C9 AF E2 AE FE 14 0F 53 C4 BA DD 31 1A 38 7B 37 C0 9E 83 FF 2C B2 4C 88 33 C1 89 E5 CA 68 31 2D 20 CE 50 64 7B 39 C7 FB B1 9F A9 0D 6C 2A 82 AE 7F 25 43 A7 A2 28 EB 27 73 C9 45 F9 FD 53 A8 F4 A7 FD B4 90 B2 28 D8 0C 5A A8 84 D0 7F ED 99 25 18 FE B8 4C 48 66 8D 59 40 F6 CC 30 A6 F4 04 E8 76 9C EA 0E F6 A4 4A CE D2
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Data: 8F 1F F7 6D 7D B1 C9 09 9D CC 24 7A C6 9F FB 23 90 BD 9D BF F1 D4 51 92 2A B4 1F 6A 2E A6 4F B3 CB 69 7C 0B 92 3B 1B C0 D7 75 17 A9 E3 33 48 DC AD F6 DA EA 2F 87 10 C4 21 81 A5 75 68 00 2E B1 C2 7B EB DD BB 72 47 DC 87 91 14 A5 F3 C4 32 B0 CC 93 38 36 6B 49 0A F2 6F 1F 1D A1 4A 15 05 80 4B 13 A8 AA 82 41 4B 89 DC 89 24 A2 ED 16 37 F3 42 A9 A0 6A 7F 82 CD 90 E5 3C 49 CC B2 97 CA CB 7B 64 C1 48 B2 4C F5 AE 54 42 74 0F 00 31 FD 80 E8 7E 0E 69 12 42 3A EC 0F 6F 03 B8 46 9C 68 97 AC 62 16 FB 1A 1B D9 33 6C E8 F9 93 C3 56 54 A1 89 7A 7B 77 CE BA 0D 95 A7 0F AB 5E 1C 3C 18 63 AE 3E 60 A6 81 BC FA 85 FB 37 A0 0A 57 F9 C9 D3 CF 6B 41 D9 6D CD 39 71 C5 11 83 F1 D9 F3 7D B7 91 F7 70 46 C2 24 F7 B9 0F 2D B2 60 72 1C 8F F9 98 16 34 52 4B 7D 5F 81 5F 35 FD 8B 3E 78 B1 0B 0A 90 5A D8 30 5A 56 90 9A C0 C1 0F EB 95 D5 2F B7 C5 8D 2B 3F 49 41 8B 86 B4 DB 71 67 69 E6 E8 69 77 29 77 18 82 11 8B D7 5D 26 E4 5A 5C 2C 46 C2 F0 02 28 D8 EA 4B 95 9C 3A 3C 12
DA C4 87 21 91 4F D0 6E FA C4 DD B7 C9 AF E2 AE FE 14 0F 53 C4 BA DD 31 1A 38 7B 37 C0 9E 83 FF 2C B2 4C 88 33 C1 89 E5 CA 68 31 2D 20 CE 50 64 7B 39 C7 FB B1 9F A9 0D 6C 2A 82 AE 7F 25 43 A7 A2 28 EB 27 73 C9 45 F9 FD 53 A8 F4 A7 FD B4 90 B2 28 D8 0C 5A A8 84 D0 7F ED 99 25 18 FE B8 4C 48 66 8D 59 40 F6 CC 30 A6 F4 04 E8 76 9C EA 0E F6 A4 4A CE D2
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY:gvzrqngr.pcy: 04 00 00 00 06 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0: 34 00 31 00 00 00 00 00 2C 3C 8C 70 10 00 73 6E 6D 77 00 00 20 00 03 00 04 00 EF BE 2C 3C 8C 70 2C 3C 8C 70 14 00 00 00 73 00 6E 00 6D 00 77 00 00 00 14 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\NodeSlot: 0x00000022
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "Documents"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Mode: 0x00000006
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).x: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).y: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Sort: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\SortDir: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Col: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 06 00 28 00 10 00 34 00 48 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 B4 00 60 00 78 00 78 00 B4 00 B4 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).left: 0x000000CB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).top: 0x00000034
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).right: 0x000003EB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).bottom: 0x0000028C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Rev: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WFlags: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ShowCmd: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FFlags: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\HotKey: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Buttons: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Links: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Address: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Vid: "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\MW\Lots of Stuxnet\snmw\malware.exe: "malware"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\WinRAR\Interface\ShowPassword: 0x00000000
----------------------------------
Values modified: 17
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 5B 70 29 6B 9F F8 6B 2E 27 BB 05 43 02 B3 42 43 88 7C 39 EA 7C 8F C3 C1 DA 61 6A 7A 3D A9 27 BB 06 12 F2 A2 B5 89 09 83 C9 CE 03 F8 7F 6C 1E 79 D9 10 7D F0 29 05 03 B9 29 88 8C EC E2 3C CB 04 12 E3 E3 EC 8F E6 27 0A 15 A9 09 6C 29 34 89 55
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 53 06 23 D9 FE 36 71 5D D7 02 23 98 92 D3 0C AA 52 45 17 A4 D9 2B 2E E6 C7 C1 12 FE D2 A0 E1 8A 5F CF 23 E0 9B 16 74 7E DC 38 BF 7E D6 F0 9F 97 9A 5B C8 12 7C C2 9E CE EF 95 DE D1 60 56 23 7A 21 96 9C 23 E4 CF D9 77 67 97 F4 EA F1 0D 25 18
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: 81 9C 54 0E 05 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: E3 F3 7F 0E 04 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 79 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 77 00 00 00 A0 EC DC 76 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 04 00 00 00 0B 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 01 00 00 00 0B 00 00 00 60 F6 98 73 27 F4 CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4C 00 00 00 F0 8C 4C 41 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4A 00 00 00 90 73 55 73 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 08 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 07 00 00 00 50 F6 45 98 7E FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 16 02 00 00 14 00 1F 60 40 F0 5F 64 81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15 00 00 00 4E 00 00 00 5A 00 3A 00 D4 02 00 00 5E 45 49 46 20 00 4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00 03 00 04 00 EF BE 5E 45 49 46 6C 45 D2 6B 14 00 00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00 20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 CA 01 00 00 34 00 31 00 00 00 00 00 5E 45 65 50 10 00 6D 62 61 72 00 00 20 00 03 00 04 00 EF BE 5E 45 63 50 5F 45 8D 55 14 00 00 00 6D 00 62 00 61 00 72 00 00 00 14 00 60 00 00 00 CA 01 00 00 2E 00 31 00 00 00 00 00 6C 45 4F 6C 10 00 4D 57 00 00 1C 00 03 00 04 00 EF BE 6C 45 48 6C 6C 45 4F 6C 14 00 00 00 4D 00 57 00 00 00 12 00 60 00 00 00 E6 00 00 00 3C 00 31 00 00 00 00 00 6A 45 6B 21 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE
6A 45 F4 1A 6C 45 59 6C 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 AB 00 00 00 02 00 00 00 4C 00 31 00 00 00 00 00 6C 45 0F 6D 10 00 52 45 47 53 48 4F 7E 31 2E 30 00 00 32 00 03 00 04 00 EF BE 6C 45 0F 6D 6C 45 12 6D 14 00 00 00 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 31 00 2E 00 39 00 2E 00 30 00 00 00 1A 00 60 00 00 00 16 02 00 00 40 00 31 00 00 00 00 00 6C 45 D1 6E 10 00 53 79 73 54 6F 6F 6C 73 00 00 28 00 03 00 04 00 EF BE 6C 45 73 6C 6C 45 D1 6E 14 00 00 00 53 00 79 00 73 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 15 00 00 00 02 00 00 00 3C 00 32 00 5F 38 1C 00 5E 45 EF 45 20 00 62 65 72 2E 72 61 72 00 26 00 03 00 04 00 EF BE 5E 45 EF 45 6C 45 AE 6B 14 00 00 00 62 00 65 00 72 00 2E 00 72 00 61 00 72 00 00 00 16 00 60 00 00 00 32 01 00 00 4E 00 32 00 78 ED 9C 00 5E 45 D0 51 20 00 48 49 54 4D 41 4E 7E 31 2E 45 58 45 00 00 32 00 03 00 04 00 EF BE 5E 45 C6 51 6A 45 87 28 14 00 00 00 48 00 69 00 74 00 6D 00 61 00 6E 00 50 00 72 00 6F 00 2E 00 65 00 78 0
0 65 00 00 00 1C 00 60 00 00 00 4E 00 00 00 5C 00 32 00 8B 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 31 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 E7 1A 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 33 00 32 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 9A 00 00 00 5C 00 32 00 97 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 32 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 F3 1E 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 36 00 34 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 02 00 00 00 52 00 32 00 CE 02 00 00 5E 45 74 83 20 00 4F 53 46 4F 52 45 7E 31 2E 4C 4E 4B 00 00 36 00 03 00 04 00 EF BE 5E 45 74 83 6A 45 12 59 14 00 00 00 4F 00 53 00 46 00 6F 00 72 00 65 00 6E 00 73 00 69 00 63 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 9A 00 00 00 66 00 32 00 97 01 00 00 5E 45 ED 46 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 4A
00 03 00 04 00 EF BE 5E 45 ED 46 6C 45 75 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 E6 00 00 00 62 00 32 00 8A 02 00 00 5E 45 58 47 20 00 53 48 4F 52 54 43 7E 32 2E 4C 4E 4B 00 00 46 00 03 00 04 00 EF BE 5E 45 58 47 6C 45 E5 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 66 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 32 01 00 00 60 00 32 00 DF 02 00 00 5E 45 A8 48 20 00 53 48 4F 52 54 43 7E 33 2E 4C 4E 4B 00 00 44 00 03 00 04 00 EF BE 5E 45 A8 48 6C 45 5A 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 77 00 69 00 6E 00 64 00 62 00 67 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 7E 01 00 00 50 00 32 00 F1 85 3F 00 5F 45 09 56 20 00 54 44 53 53 4B 49 7E 31 2E 5A 49 50 00 00 34 00 03 00 04 00 EF BE 5F 45 09 56 6C 45
75 6C 14 00 00 00 74 00 64 00 73 00 73 00 6B 00 69 00 6C 00 6C 00 65 00 72 00 2E 00 7A 00 69 00 70 00 00 00 1C 00 15 00 00 00 7E 01 00 00 4C 00 32 00 00 CE 05 00 5E 45 3B 50 20 00 74 67 32 69 6A 6E 6A 69 2E 65 78 65 00 00 30 00 03 00 04 00 EF BE 5E 45 3A 50 5E 45 35 83 14 00 00 00 74 00 67 00 32 00 69 00 6A 00 6E 00 6A 00 69 00 2E 00 65 00 78 00 65 00 00 00 1C 00 15 00 00 00 7E 01 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 16 02 00 00 14 00 1F 60 40 F0 5F 64 81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15 00 00 00 4E 00 00 00 5A 00 3A 00 D4 02 00 00 5E 45 49 46 20 00 4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00 03 00 04 00 EF BE 5E 45 49 46 6C 45 D2 6B 14 00 00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00 20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 CA 01 00 00 34 00 31 00 00 00 00 00 5E 45 65 50 10 00 6D 62 61 72 00 00 20 00 03 00 04 00 EF BE 5E 45 63 50 5F 45 8D 55 14 00 00 00 6D 00 62 00 61 00 72 00 00 00 14 00 60 00 00 00 CA 01 00 00 2E 00 31 00 00 00 00 00 6C 45 4F 6C 10 00 4D 57 00 00 1C 00 03 00 04 00 EF BE 6C 45 48 6C 6C 45 4F 6C 14 00 00 00 4D 00 57 00 00 00 12 00 60 00 00 00 E6 00 00 00 3C 00 31 00 00 00 00 00 6A 45 6B 21 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE
6A 45 F4 1A 6C 45 59 6C 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 60 00 00 00 16 02 00 00 40 00 31 00 00 00 00 00 6C 45 84 6C 10 00 53 79 73 54 6F 6F 6C 73 00 00 28 00 03 00 04 00 EF BE 6C 45 73 6C 6C 45 84 6C 14 00 00 00 53 00 79 00 73 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 15 00 00 00 02 00 00 00 3C 00 32 00 5F 38 1C 00 5E 45 EF 45 20 00 62 65 72 2E 72 61 72 00 26 00 03 00 04 00 EF BE 5E 45 EF 45 6C 45 AE 6B 14 00 00 00 62 00 65 00 72 00 2E 00 72 00 61 00 72 00 00 00 16 00 60 00 00 00 32 01 00 00 4E 00 32 00 78 ED 9C 00 5E 45 D0 51 20 00 48 49 54 4D 41 4E 7E 31 2E 45 58 45 00 00 32 00 03 00 04 00 EF BE 5E 45 C6 51 6A 45 87 28 14 00 00 00 48 00 69 00 74 00 6D 00 61 00 6E 00 50 00 72 00 6F 00 2E 00 65 00 78 00 65 00 00 00 1C 00 60 00 00 00 4E 00 00 00 5C 00 32 00 8B 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 31 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 E7 1A 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 33 00 32 0
0 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 9A 00 00 00 5C 00 32 00 97 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 32 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 F3 1E 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 36 00 34 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 02 00 00 00 52 00 32 00 CE 02 00 00 5E 45 74 83 20 00 4F 53 46 4F 52 45 7E 31 2E 4C 4E 4B 00 00 36 00 03 00 04 00 EF BE 5E 45 74 83 6A 45 12 59 14 00 00 00 4F 00 53 00 46 00 6F 00 72 00 65 00 6E 00 73 00 69 00 63 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 9A 00 00 00 66 00 32 00 97 01 00 00 5E 45 ED 46 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 4A 00 03 00 04 00 EF BE 5E 45 ED 46 6C 45 75 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 E6 00 00 00 62 00 32
00 8A 02 00 00 5E 45 58 47 20 00 53 48 4F 52 54 43 7E 32 2E 4C 4E 4B 00 00 46 00 03 00 04 00 EF BE 5E 45 58 47 6A 45 F3 1E 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 66 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 32 01 00 00 60 00 32 00 DF 02 00 00 5E 45 A8 48 20 00 53 48 4F 52 54 43 7E 33 2E 4C 4E 4B 00 00 44 00 03 00 04 00 EF BE 5E 45 A8 48 6C 45 5A 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 77 00 69 00 6E 00 64 00 62 00 67 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 7E 01 00 00 50 00 32 00 F1 85 3F 00 5F 45 09 56 20 00 54 44 53 53 4B 49 7E 31 2E 5A 49 50 00 00 34 00 03 00 04 00 EF BE 5F 45 09 56 6C 45 75 6C 14 00 00 00 74 00 64 00 73 00 73 00 6B 00 69 00 6C 00 6C 00 65 00 72 00 2E 00 7A 00 69 00 70 00 00 00 1C 00 15 00 00 00 7E 01 00 00 4C 00 32 00 00 CE 05 00 5E 45 3B 50 20 00 74 67 32 69 6A 6E 6A 69 2E 65 78 65 00 00 30 00 03 00 04 00 EF BE 5E 45
3A 50 5E 45 35 83 14 00 00 00 74 00 67 00 32 00 69 00 6A 00 6E 00 6A 00 69 00 2E 00 65 00 78 00 65 00 00 00 1C 00 AB 00 00 00 02 00 00 00 4C 00 31 00 00 00 00 00 6C 45 0F 6D 10 00 52 45 47 53 48 4F 7E 31 2E 30 00 00 32 00 03 00 04 00 EF BE 6C 45 0F 6D 6C 45 12 6D 14 00 00 00 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 31 00 2E 00 39 00 2E 00 30 00 00 00 1A 00 AB 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 07 00 00 00 06 00 00 00 08 00 00 00 02 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 08 00 00 00 06 00 00 00 02 00 00 00 07 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 00 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 23 70 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 23 70 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 E9 6C 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 E9 6C 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x00000049
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x0000002C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x00000057
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x0000003A
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x00000369
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x0000034C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x000002AF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x00000292
HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000002
HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000001
----------------------------------
Total changes: 150
----------------------------------
23 deleted keys, 110 values deleted, 17 values modified. Total = 150 changes.
Overall, there's a lot to this rootkit. I didn't go into the MRxCls configuration file decryption, network changes/attack methods, other methods of zero-day flaws, etc but even so you can see that this is a pretty sophisticated piece of malware. However, as we now see, its biggest downfall was its complete lack of protection.
The only personal explanation I have for this is that the creator(s) were either rushed to get it done by 'x' timeframe, so they focused on main code more than obfuscation, or they just imagined it wouldn't ever escape its original intended environment, so they'd never have to worry about reverse engineering being an issue.
References
Stuxnet Under the Microscope.
Analyzing a Stuxnet Infection with the Sysinternals Tools.
Great, Thanks !
ReplyDeleteProb with NTFS?
ReplyDeleteanalyze ntfs permissions
great post so thanks for this.
ReplyDeleteInternet explorer customer service
Article you have shared here very good!
ReplyDeleteRouter Login not working
Routerlogin admin page
Routerlogin
Routerlogin Net
You can latest information regarding and download pdf official available RPF Constable Admit Card 2018
ReplyDeleteShared this Obat gatal di selangkangan dan bokong atau pantat tone Obat rahang bawah telinga sakit dan bengkak nano Obat sakit pinggang belakang bawah know Obat luka borok bernanah dan berair where Obat kalazion di kelopak mata atas dan bawah here Obat ganglion di tangan steady Obat bintik seperti jerawat di sekitar mata think Obat infeksi kulit selulitis well Obat mata perih dan berair all Obat kurap di selangkangan Thanks...
ReplyDeletedandruff
ReplyDeletedandruff symptoms
vaginal atrophy
Read more info, Read more info,Read more info,Read more info,Read more info
Delete
ReplyDeletesnaptube downloading
snaptube apk
snaptube app
snaptube download
There are also custom search options, which will make it easier to get good results.
Nice to be visiting your blog again, it has been months for me. Well this article that i’ve been waited for so long. I need this article to complete my assignment in the college, and it has same topic with your article. Thanks, great share :
ReplyDeleteobat jantung bengkak tradisional
Read More
DeleteRead More
Read More
Read More
Read More
Read More
Read More
Read More
Read More
Read more
Great sharing! Thank you for sharing! Keep up the great work mate! Cheers!
DeleteGreat read !
DeleteThanks for your personal marvelous posting! I quite enjoyed reading it,you could be a great author. Amazon Gift Card generator works on a simple yet efficient code developed by our team of programmers.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteshareit apk
ReplyDeleteshareit for android
shareit for pc
shareit for ios
shareit pc
it has been months for me. Well this article that i’ve been waited for so long.
The information you have posted is very useful. The sites you have referred was good. Thanks for sharing is there any way where i can find how to get rixty generator
ReplyDeletetutuapp is the best iOS App store elective for disengaged applications. Working of the tutu application is altogether immediate. You ought to just to download the tutuapp apk and after that click on the downloaded record with the objective that it can start the foundation technique.
ReplyDeleteHi, I am Anirudh. I am a Fitness trainer by profession. Are you looking forward to shape your body. Check here to know how to cara mengecilkan lengan in simple ways.
ReplyDeleteThanks for sharing, very informative blog.
ReplyDeleteReverseEngineering
Nice blog!!!!!!!.
ReplyDeleteReverse Engineering in USA
ReplyDeleteHey, this is amazing content. thank you for sharing.
ReverseEngineering
free fb auto liker app
ReplyDeletefree download clash of lights server from our site and play resource free coc game.
ReplyDeleteGreat read !
DeleteThanks for info
ReplyDeleteautocad solutions
Great article. Thanks Check out https://apkpapa.com/whatsapp-plus-apk/ to download #Whatsappplusapk on #Apkpapa.com
ReplyDeleteReverse engineering is also known as the back-engineering. Last week I started a reverse engineering project in my company. Onsite3D helping me at this project. Reverse engineering Calgary, Alberta
ReplyDeleteNice read! Always a pleasure reading your blog! Thank you for sharing!
ReplyDeleteAnyway, anyone heard of the project Whistler Grand in D05 in Singapore? I heard its a pretty good project with huge potential upside. Anyone else interested? Check this out!
Whistler Grand
Reverse engineering is the process of reconstruction of an existing product. Reverse engineering will allow you to explore the Technic of your competitors. Onsite3D can help you for reverse engineering. Reverse engineering Grand Prairie, Alberta
ReplyDeletekingroot apk download
ReplyDeletekingroot for windows
kingroot for pc
kingroot for android
I am hoping the same best work from you in the future as well.
Onsite3D is the most popular company in Alberta that provides the best 3D laser scanning service. The also popular for the best data acquisition service, lidar scanning service, and more. Visit their site to know more - Onsite3D
ReplyDeletehappymod ios
ReplyDeletehappymod download
happymod descargar
The also popular for the best data acquisition service, lidar scanning service, and more. Visit their site to know more
appvn ios
ReplyDeleteappvn app
minecraft appvn
appvn 2019
Plenty of useful apps for your Android phone.
Great read !
ReplyDeleteHey, I’m Mangesh Wakchaure, A part Time Blogger , Youtuber & Affiliate Marketer and Founder of teaig.com and mangesh.tech.
ReplyDeleteMovieReviews is a website that provides you authentic information about MovieReviews and Trailers.
KFC with an end goal to meet and surpass client desires offers its esteemed clients to round out a client criticism to be filled in return for a prize coupon with a free chicken cup.
ReplyDeletevisit MyKFCexperience
ReplyDeleteTHANK YOU FOR SHARING NICE POST WITH US.
Website design Denver Colorado
Web design Denver Colorado
Affordable web design Jacksonville Fl
Affordable web design Boston
بهترین یخچال ایرانی
ReplyDelete
ReplyDeleteThanks for your page! Your share information it helped me alot!
digital marketing boston
denver seo company
Thank you for sharing article with us. It is really awesome.
ReplyDeletelocal business listing sites
InstaPot is a multi-functional pressure cooker that can eliminate the use of 9-10 other kitchen appliances. Thus, it will not only save your time, but it will also save your money which you would have invested in buying other kitchen appliances.visit here instant pot amazon
ReplyDeleteIn the field of multivariate statistics, kernel principal component analysis (kernel PCA) is an extension of principal component analysis (PCA) using techniques of kernel methods. Using a kernel, the originally linear operations of PCA are performed in a reproducing kernel Hilbert space.
ReplyDeleteیخچال دیپوینت
بهترین یخچال ایرانی
ست شیرالات شودر
تلویزیون الیویا
quickboot apk
ReplyDeletequickboot download
iroot apk
iroot download
to know more about this click above
link1
ReplyDeletelink2
link3
link4
link5
link6
link7
how to open bin file in windows
ReplyDeletehow to open dll file in windows
how to open enc file in windows
open config file download
ReplyDeletetif file viewer
programs to open cfg files
how do i convert a prn file to pdf
ReplyDeletehow to play mkv files on android
how to read hex file
Freelance maintenance technicians also benefit from establishing relationships with multiple clients. Working as a freelancer.
ReplyDeletemaintenance technician
Girl Instagram Captions
ReplyDeleteSpotify Premium Apk
Whatsapp Plus Apk
not bad info about staxnet. If you are interested in high-quality online casinos, go here - 918kiss. you will not regret anything, the time spent usefully
ReplyDeletegreat blog. Found a good site - จีคลับ a variety of games, from card games to slots. don't lose a chance
ReplyDeleteHow to write great blogs.
ReplyDeleteแทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ
ReplyDeleteOMG! This is a very great blog.
แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ แทงบาคาร่าขั้นต่ำ
Syekh Abdul Qodir JailaniRahmat Allah SWTTahajudninonurmadi.comHanafi
ReplyDeleteninonurmadi.com
ninonurmadi.com
ninonurmadi.com
ninonurmadi.com
This is good info. จีคลับ168
ReplyDeleteThere are several differences between software and hardware or software vs hardware. A Below we list the top ten differences that will help you effectively distinguish what distinguishes these two elements.
ReplyDeletehttps://5gtelecomtech.blogspot.com/2020/02/differences-between-software-and.html
Great read guys! Thank you for sharing! Anyway anyone from Singapore here? Interested in property investment? I saw a few property launches that has got huge potential. Anyway keen to know more? Click on the link below!
ReplyDeleteDaintree Residence Location
DainTree Residence Singapore
daintree residence balance unit
whistler grand condo
whistler grand singapore
whistler grand site plan
jadescape location
jadescape singapore
jadescape condo
There are several differences between software and hardware or software vs hardware.
ReplyDeleteUPLAY365
flyfreemedia
ReplyDeleteclub
cults3d
choralnet
hyperspaces
xapk
ReplyDeleteopen csv file
ReplyDeletehwp viewer
ReplyDeleteGOOD Day !
ReplyDeleteUSA Fresh & Verified SSN Leads with best connectivity
All Leads have genuine & valid information
**HEADERS IN LEADS**
First Name | Last Name | SSN | Dob | DL Number |Address | State | City | Zip | Phone Number | Account Number | Bank NAME
*Price for SSN lead $2
*You can ask for sample before any deal
*If anyone buy in bulk, we can negotiate
*Sampling is just for serious buyers
==>ACTIVE & FRESH CC FULLZ ALSO AVAILABLE<==
->$5 PER EACH
->Hope for the long term deal
->Interested buyers will be welcome
**Contact Information 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
MyBlogger Club
ReplyDeleteGuest Posting Site
Best Guest Blogging Site
Guest Blogger
Guest Blogging Site
gbwhatsapp apk
ReplyDeletegbwhatsapp apk download
gb whatsapp
Wonder to see this information, thanks
ReplyDeletehow to open md files
The Networking Engineer expected set of responsibilities contrasts according to the association's necessities. Likewise with some other activity, explicit aptitudes and experience are commonly required for these networking occupations.
ReplyDeleteMore Info: https://technical-issues-answers.blogspot.com/2020/02/the-various-roles-of-networking.html
https://www.wordlab.com/forums/users/footballmanagercrack/
ReplyDeletehttps://dashburst.com/footballmanagercrack
https://developers.oxwall.com/user/footballmanagercrack
http://flgclassifieds.cce.cornell.edu/author/footballmanagercrack/
https://www.mixcloud.com/footballmanagercrack/
https://participa.santboi.cat/profiles/footballmanager/activity
https://www.velvetjobs.com/profile/footballmanagercrack
https://www.pacte-entreprises.gouv.fr/profile/footballmanagercrack
http://cine4home.de/forums/users/footballmanagercrack
Just add the plugin for an instant half-speed effect with zero setup. Or go in deep with powerful creative controls. HalfTime works on loops, virtual instruments or even live audio input, inspiring you in seconds.
ReplyDeletevst crack 32 lives
vst 3 crack
vst crack nexus 3
serum vst crack 32 bit
nexus vst crack 32 bit
nexus 3 vst crack
nectar 3 vst crack
dune 3 vst crack download
nexus 3 vst crack windows
nexus 3 vst crack reddit
ReplyDeleteThese stories are truly incredible. Thank you for this information. เยอร์เก้น คล็อปป์
https://fun88club.net/
https://zaza000.hatenablog.com/
https://188betgroup.com/
Your article is great. Come in, read my stuff, click. >> fun88club
ReplyDeletezaza000
188betgroup
บาคาร่า ออนไลน์
I certainly enjoyed every small bit of it, I have you bookmarked to check out all the unused stuff you post. 3d modeling services Denver, Colorado
ReplyDeletejual obat aborsi di malaysia
ReplyDeletejual obat aborsi di hongkong
jual obat aborsi di singapura
jual obat aborsi di medan
jual obat aborsi di banda aceh
jual obat aborsi di lampung
jual obat aborsi di pekanbaru
jual obat aborsi di padang
jual obat aborsi di palembang
jual obat aborsi di jambi
jual obat aborsi di samarinda
jual obat aborsi di balikpapan
jual obat aborsi di pontianak
jual obat aborsi di banjarmasin
jual obat aborsi di bontang
jual obat aborsi di tarakan
jual obat aborsi di palangkaraya
jual obat aborsi di banjarbaru
jual obat aborsi di singkawang
jual obat aborsi di makassar
jual obat aborsi di manado
jual obat aborsi di palu
jual obat aborsi di kendari
jual obat aborsi di palopo
jual obat aborsi di tomohon
jual obat aborsi di gorontalo
jual obat aborsi di toli-toli
jual obat aborsi di denpasar
jual obat aborsi di ubud
jual obat aborsi di kutai
jual obat aborsi di bedugul
jual obat aborsi di singaraja
jual obat aborsi di kupang
jual obat aborsi di lombok
jual obat aborsi di mataram
jual obat aborsi di sumbawa
jual obat aborsi di jayapura
jual obat aborsi di sorong
We have carefully selected high-class and professional teachers of Quran. Our teachers are proficient receptors to encourage students to recite well and to maintain their interest Online Quran Teacher
ReplyDeleteNice Blog. Thanks for sharing with us. Such amazing information.
ReplyDeleteSOCIAL MEDIA TIPS TO BOOST YOUR FAN BASE
MyBlogger Club
Guest Posting Site
Best Guest Blogging Site
Guest Blogger
Guest Blogging Site
احتمالا می دانید که برخی از مواد خوراکی که هر روز از آن ها استفاده می کنیم را می توان به عنوان ابزار و درمانی برای زیبایی بیشتر نیز به کار گرفت. به طور مثال، برای براق کردن موها از آب لیمو استفاده می شود. یا از روغن زیتون برای مرطوب و چرب کردن پوست های خشک بهره گرفته می شود. یا مثلا عسل را می توان به عنوان درمانی برای رفع جوش و اکنه استفاده کرد. در همین راستا، در ادامه این مطلب چندین روش درمانی یا ماسک خانگی صورت را برایتان انتخاب کرده ایم که به بهبود هر چه بیشتر زیبایی و سلامت شما کمک شایانی خواند نمود
ReplyDeleteThank you for the valuable information.iam very much impressed with this one.
ReplyDeleteLooking forward for the good posts. Are you furthermore may trying to find Funny whatsapp group join list
openapkfile.xyz
ReplyDeleteupdate Reviews
ReplyDeleteReviews
I will be looking forward to your next post. Thank you
ReplyDeleteเทคโลโลยี 5G เร็ว แรง ไม่สะดุด ให้มากกว่า 10 เท่า
Very Helpful Article. Super bull It might help you. Super bull Thanks For Sharing
ReplyDeleteSuper bull Thank you very much.
https://openbinfiles.xyz
ReplyDeleteدانلود آهنگ جدید
ReplyDeleteدانلود آهنگ
دانلود اهنگ
Open bin files
ReplyDeleteI will be looking forward to your next post. Thank you
ReplyDeleteแทงหวยออนไลน์ คือสิ่งที่น่าสนใจที่สุด "
Watch Chiefs Game Live
ReplyDeleteWatch Bears Game Live
Watch Raiders Game Live
Watch Steelers Game Live
Watch Rams Game Live
GB WhatsApp Apk
ReplyDeleteHow To Update GB Whatsapp
GB WhatsApp Latest
How To Install Whatsapp Mod Apk
I will be looking forward to your next post. Thank you
ReplyDeleteหวยออนไลน์ ถูกกฎหมาย ปลอดภัยต่อการเล่น ตอบโจทย์ดีในปัจจุบัน "
This is my blog. Click here.
ReplyDeleteรอบรู้เรื่องคาสิโนออนไลน์"
Wow! That's amazing, so amazing information, and it's definitely useful for people who need it. Thanks for the information. Hi, I am a developer of online money making websites. I have great pleasure and willingness to offer you unlimited happiness, we provide a wide variety of games Huay VIP such as more than 200 slots, baccarat, the most stable and secure financial system. Support all systems, apply for new members, receive free credit immediately.
ReplyDeleteหวย อภิโชค หวยออนไลน์ ความสนุกรูปแบบใหม่ อัตรจ่ายสูงที่สุดในไทย เรียนรู้ง่าย สมัครง่าย เล่นง่าย ได้เงินจริง สล็อต สามารถเลือก ซื้อเลขเด็ด ของคุณได้ง่าย เรามีคอลเซนเตอร์ คอยให้บริการ ตลอด 24 ชั่วโมง
ReplyDelete
ReplyDeletethis game is good pg slot
this game is good joker
this game is good joker123
this game is good joker gaming
this game is good pgslot auto
this game is good pg slot
this game is good joker
this game is good joker123
this game is good joker gaming
this game is good pgslot auto
this game is good pgslot
I truly inspired after studied this since of a few quality work and enlightening considerations. I fair wanna say much obliged for the author and wish you all the finest for coming! Quality 3d laser scanner Vancouver, BC
ReplyDeleteInterpages
ReplyDeleteGuest Blogger
Guest Blogging Site
Guest Blogging Website
Guest Posting Site
Good aticle สล็อตjoker xo แปะแมว บัคฟรีเกมแบบ งงๆ ไม่เคยเจอมาก่อน
ReplyDeleteInterpages
ReplyDeleteGuest Blogger
Guest Blogging Site
Guest Blogging Website
Guest Posting Site
The Vintage Garments is leading t shirt manufacturer. Buy online latest T-shirts, Sarees, kurties, tops, dress, tracks at wholesale price
ReplyDeleteSlot Game SLOTPG
ReplyDeleteNice Blog. Thanks for sharing with us. Such amazing information.
ReplyDeleteNever Avoid these SEO Tips to Grow your Business Online
Interpages
Guest Blogger
Guest Blogging Site
Guest Blogging Website
Guest Posting Site
ReplyDeletegreat post! thank you. if you want you can check out on this website to buy packaging machines. جت پرینتر صنعتی
دستگاه بسته بندی
دستگاه تاریخ زن دستی
sqlyog ultimate crack
ReplyDeleteGood Game SLOTPG
ReplyDeleteGood Game SLOT PG
ReplyDelete
ReplyDeleteThank you for your sharing. Thanks to this blog I can learn more things. Expand your knowledge and abilities. Actually the article is very practical. Thank you.If you are the one looking for technical help in Roadrunner Email then call us today at Roadrunner Support Number and get connected with our award-winning team of Roadrunner Email. They are capable of resolving the technical bugs and issues.
Roadrunner Email Not Working
Change Roadrunner Password
Reset Roadrunner Password
TWC Email Not Working
RR Email Login Problems
RR Email App Not Working
Recover Forgot Spectrum Email Password
Change Spectrum WiFi Password
Forgot Spectrum WiFi Password
It was a very good article. Thank you for posting this good content.
ReplyDeleteحضرات
superslotแจกเครดิตฟรี
ReplyDeletesuperslotแจกเครดิตฟรี
ReplyDeleteบาคาร่า sexygame.game
ReplyDeletegreat content odin (firmware flashing software)
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine . Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteGood PGกดเพื่อดู
ReplyDeleteMGWIN88 ให้บริการ บาคาร่า เว็บพนันออนไลน์
ReplyDeleteคาสิโนออนไลน์ มีเกมให้เลือกเล่นมากมาย สล็อต บาคาร่า รูเล็ต เกมไพ่ ยิงปลา ฝาก ถอน โอนไว ที่สุดในไทย
แอดไลน์ รับเครดิตฟรี 500 ไม่ต้องฝาก >> : @MGWIN
Visit www.office.com/setup in your browser and Select the subscription you want to renew and then choose Renew now to pay now for a full year of Office 365 or Renew with a monthly subscription to pay for a month at a time.
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Making Machine. Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteShreeja Health Care is leading manufacturer of Oil Maker Machine. Shreeja Oil Extraction Machine is able to extract oil from various seeds like peanuts, Coconut, Sesame, Soybean, macadamia nuts, walnuts, sunflower seeds, vegetable seeds flaxseed etc.
ReplyDeleteDr. Vivek Galani is a leading expert in skin and hair. At hair transplant clinic in Surat Skin Care, Cosmetic Laser, Hair Transplant & Slimming Center, Dr. Galani offers the most advanced cosmetic and dermatologic care treatments. The clinic uses advanced FUE methods to produce high-quality hair transplants.
ReplyDeleteKeytexmachines is leading CNC Machining Job Work in surat With Excellent Quality, Cost Effective Price & Prompt Delivery. CNC Machining Job Work, CNC Turning Job Work, CNC Machine Service offered by Keytex machines, Surat.
ReplyDeleteLaxmi pipe Industries is leading ss pipe manufacturer . We are also manufactures and exporter of steel pipes & tubes.
ReplyDeleteFall for the luxurious Hugo Boss perfume for men and women on Active Care Store. Our collection of perfumes is pleasant with exquisite fragrances. These perfumes are for those who want to live life on their terms and conditions.
ReplyDeleteapk file for pc
ReplyDeleteapk file for pc
ReplyDeletehow to become limitless
ReplyDeleteHow to Calculate Which Risk to Take
Hello. I found your blog using msn. This is a really well written article. I'll bookmark it and go back and read more of your helpful info. Thanks for the post I will come back for sure. biogaming
ReplyDelete
ReplyDeletePlaying video games as a child can make you smarter
It’s official: a study shows that if you played video games growing up, it helped your intelligence as an adult.
npshop
ReplyDeletejoomlaforum
codecademy
wikidot
envato
change
wikihow
sourceforge
habr
crunchyroll
ReplyDeletepnuna
itssa
iranmicro
detik
mellifera
cookpad
persianseven
ipresta
1roman
kelidestan
progforum
ReplyDelete6Rgeiq
gd
tomsguide
addicts
elotrolado
mydramalist
cosmo
videohelp
dailystrength
ReplyDeletemacrumors
hobbyconsolas
animenewsnetwork
taringa
idfl
neowin
similarweb
digit
enjin
ReplyDeletebitcointalk
kodi
lyricstrans
openclassroom
gry-onlin
ardforum
aminoapps
razer
kaskus
tinhte
If you want to read Quran with perfect tajweed rules so you should enroll in online quran classes for kids..
ReplyDelete
ReplyDeleteseforum
iniaturehorsetal
imatepheasanthu
over
hrono
ommunity
fo
gravity
zenstudios
gfo
ReplyDeletegforum
tep
afte
oru
ilykit
ummypet
enretrieve
xerforu
คาสิโนออนไลน์ 928bet ฟรีเครดิต คัดสรรค์เกมส์คาสิโนออนไลน์บนมือถือ สุดยอดเกมส์ยอดนิยมจากทั่วทุกมุมโลก มารวมไว้ในที่เดียว ที่จะทำให้ลูกค้าทุกท่านได้เพลิดเพลิน สนุกตื่นเต้น เร้าใจ ลุ้นโชค ลุ้นเงินรางวัลก้อนโตที่อาจจะทำให้ทุกท่าน รวย ในเวลาอันรวดเร็ว
ReplyDeleteYour style is very unique compared to other people I’ve read stuff from. Thanks for posting when you have the opportunity, Guess I will just bookmark this page 경마
ReplyDeleteMy brother suggested I may like this blog. He used to be totally right.
ReplyDeleteThis post actually made my day. 사설토토
gforstre
ReplyDeletegforumta
alpha
rezaeian
gamefa
ilitaykit
uvarshavsko
servinore
xafaclub
ReplyDeletegfertalko
apoi
tetopostudip
afunityte
oraftfox
ilyshdotkit
swaqc
enretrietove
ebin
grosportsfo
ReplyDeletegtchfab
ssu
onedi
onelyplane
ilyhevekit
umalfak
ve
xllifera
Hello! This is my first visit to your blog! This is my first comment here, so I just wanted to give a quick shout out and say I genuinely enjoy reading your articles. Skindex
ReplyDeletemanjaro
ReplyDeletefcp
temousep
burningwheel
level1techs
petmousefanci
neidentity
waypoint
soompi
overclock
ReplyDeletegforumorum
nreionline
rememberthemi
trackmustangsonline
ithecowsarse
cracked
huntedcow
csdatacommunit
Get the best Dispatch riders in lagos here
ReplyDeletedispatch riders in Lagos
dispatch riders Lagos
gfgeso
ReplyDeletegforooum
tagesep
aftgooge
oroogu
ilykiagest
ummypegoogt
enretriegoogve
xoogerforu
gfooooo
ReplyDeletegfogesrum
teoglep
aftgooge
oooglru
ihsshlykit
umagemypet
enretoglrieve
xerfogooru
ggoog
ReplyDeletegfomagerum
tegoop
afteoogl
oruoogl
ilykgesit
ummypyjyyet
enretriehhsshshve
xerforumsg
The Best Site.
ReplyDeletezroor
gfhhsho
ReplyDeletegforumagagag
tepxhdj
afteagg
oruaayy
ilykitgayay
ummygaypet
enredudutrieve
xerfayyyoru
gfosgggs
ReplyDeletegforumgshh
tepaggaga
aftgyyre
ogshru
ilagayykit
ummsgshhypet
enretrhssssieve
xerfggoru
gforgsyreeyum
ReplyDeletetepgdj
aftegys
orugahhh
ilykitmb
ummypejllt
enretrievnffve
xerfofooooru
Hi, We are giving Quran Education to Children and adults in USA . You will cover quran classes online with best teacher
ReplyDeletework award to Ramin Fallah
ReplyDeletebaccarat
ReplyDeleteแทงบอลออนไลน์
SA GAMING
คาสิโนออนไลน์
สล็อต
UFABET
บาคาร่า SA
PG SLOT
PG SLOT
PG SLOT
PG SLOT
ufabet
UFABET
UFABET
UFABET
สล็อต
UFABET
คาสิโน
ดูหนังออนไลน์
Joker Slot
SLOTXO
SLOTXO
SLOTXO
UFABET
sa gaming
joker
coin haber - koin haber - kripto para haberleri - coin haber - instagram video indir - instagram takipçi satın al - instagram takipçi satın al - tiktok takipçi satın al - instagram takipçi satın al - instagram takipçi satın al - instagram takipçi satın al - instagram takipçi satın al - instagram takipçi satın al - binance güvenilir mi - binance güvenilir mi - binance güvenilir mi - binance güvenilir mi - instagram beğeni satın al - instagram beğeni satın al - google haritalara yer ekleme - btcturk güvenilir mi - binance hesap açma - kuşadası kiralık villa - tiktok izlenme satın al - instagram takipçi satın al - sms onay - paribu sahibi - binance sahibi - btcturk sahibi - paribu ne zaman kuruldu - binance ne zaman kuruldu - btcturk ne zaman kuruldu - youtube izlenme satın al - torrent oyun - google haritalara yer ekleme - altyapısız internet - bedava internet - no deposit bonus forex - erkek spor ayakkabı - tiktok jeton hilesi - tiktok beğeni satın al - microsoft word indir - misli indir - instagram takipçi satın al
ReplyDeleteEgyptian Mystery Book Slot Game This is a 6-reel, 5-row video slot (with an extra reel on top of reel 2 to reel 5). It features Wilds-on-the-Way and a Free Spins feature with an increased multiplier of winning When 4 or more Scatter symbols appear on the board, you enter the Free Spins feature and get free spins. caishen wins ทดลองเล่น
ReplyDeleteturn slots is that you apply for a new member in order to receive a bonus Make 100% free slots and be able to claim bonuses to use secret slots formulas, the number one online gambling game. ทดลองเล่นสล็อต pg
ReplyDeleteNumber one online gambling game and follow the conditions of the website that you are playing for example, deposit 100 baht, you will receive a 100% bonus on what is turnover, combined with the deposit amount is 200 baht. ทดลองเล่นสล็อตฟรีทุกค่าย
ReplyDeleteBut will not be able to withdraw the bonus amount can be used. The turn balance is to have to turn 5 times, that is, 200 x 5 = 1,000 baht. Just follow the simple conditions, just this, you will be able to play slots. online Or online casinos now with the Ambbet wallet website here in one place, complete in one website. ต้องที่นี่
ReplyDelete
ReplyDeletep1
p2
p3
p4
p5
p6
p7
p8
p9
p10
p11
p12
p13
p14
p15
p16
p17
p18
p19
p20
p21
p37
p22
p23
p24
p25
p26
p27
p28
p29
p30
p31
p32
p33
p34
p35
p36
ReplyDeletep1
p2
p3
p4
p5
p6
p7
p8
p9
p10
p11
p12
p13
p14
p15
p16
p17
p18
p19
p20
p21
p37
p22
p23
p24
p25
p26
p27
p28
p29
Jungle Delight เกมสล็อตผลไม้ทำเงินง่ายจาก pgslot
ReplyDeleteJungle Delight อีกหนึ่งเกมสล็อตที่น่าเฝ้าดูมากมายในเวลานี้จากค่าย pgslot เกมพนันด้ามจับเอาเกมเรียงผลไม้ที่คนจำนวนไม่น้อยเคยเล่นกันมาในตอนหนึ่งมาเป็นลักษณะของเกม แม้กระนั้นเพิ่มเรื่องราวเข้าไปในเกมให้อย่างกับว่าผู้เล่นอยู่ข้างในป่าใหญ่และก็มีสัตว์ที่ประพฤติเสมอเทวดารอควบคุมเกมพนัน เกมพนันที่มีภาพผลไม้หลายสีมาทำให้การเข้าเล่นพนันแต่ละครั้งมองผ่องใสแล้วก็ยังคงเป็นเกมที่เคยชินสำหรับหลายท่านอีกด้วย ถึงแม้ว่าเมื่อก่อนเกมเรียงผลไม้บางครั้งอาจจะเป็นเกมที่เล่นเพียงแต่สะสมแต้มเพื่อชิงชั้นเพียงแค่นั้น แต่ว่าเมื่อมันเปลี่ยนมาเป็นเกม สล็อต ซึ่งสามารถทำเงินได้จริงก็เลยไม่แปลกที่มันจะเป็นที่นิยมแล้วก็มีคนไม่ใช่น้อยเข้าเล่นทำเงินในทุกๆวัน ทั้งยังข้างในเกมยังมีส่วนที่ทำให้เป็นที่นิยมอยู่อีกมากมายดังต่อไปนี้
• เครื่องหมายเกม
เครื่องหมายเกม pgslot นี้เป็นการนำเอาสัตว์ป่าที่มีความคิดว่าตัวเองนั้นเป็นเจ้าป่าเจ้าเขา มาเป็นตัวเด่นของเกมที่จะรอมอบความพิเศษให้แก่เกมในแต่ละตอน ข้างในเกมก็จะเต็มไปด้วยผลไม้นานาประการสีที่หมุนเปลี่ยนกันออกมาในทุกรอบสำนักงานหมุนเกม และก็ยังมีเครื่องหมายพิเศษอย่าง Wild ที่จะเข้ามาช่วยทำให้เงินรางวัลออกง่ายมากยิ่งกว่าเดิมหากว่าผลไม้จะเรียงกันเพียงแค่ 2 ภาพแต่ว่าแม้มีเครื่องหมาย Wild เรียงออกมาด้วยก็เปลี่ยนเป็นเงินรางวัลในทันทีเลยนะ รวมทั้งพิเศษเสริมเติมขึ้นมาอีกเป็นเครื่องหมายเลข 7 ที่จะมากับเงินรางวัลมากถึง 1000 บาทอย่างยิ่งจริงๆ
• การชำระเงินรางวัลของเกม
สำหรับในการหมุนแต่ละรอบนั้นผู้เล่นได้โอกาสที่กำลังจะได้เงินรางวัลมากยิ่งกว่า 1 รางวัล ซึ่งผลไม้แล้วก็เครื่องหมายต่างๆก็จะมีเงินรางวัลที่ไม่เหมือนกันออกไป แต่ว่าไม่ว่าจะเป็นเงินรางวัลแบบไหนแม้ออกมาพร้อมผู้เล่นก็จะได้ทั้งสิ้นจากเกมซึ่งจัดว่าเป็นผลดีต่อผู้เล่นได้ไม่น้อย เงินรางวัลของเกมนั้นถ้าผู้เล่นปรับเงินสูงขึ้นพนันต่อรอบ เงินรางวัลก็จะมากขึ้นอีกเมื่อออกมาก็เลยสร้างความคุ้มราคาให้เพิ่มขึ้นเรื่อยๆสำหรับในการเล่นแต่ละครั้ง
• เครื่องหมายพิเศษ Scatter รวมทั้ง Wild
เครื่องหมาย Scatter เรียง 3 ภาพจะเข้าสู่รอบหมุนฟรี สร้างความคุ้มราคาสำหรับเพื่อการเข้าเล่นเยอะขึ้นเรื่อยๆอีกหลายเท่าตัวในส่วนของเครื่องหมาย Wild ผู้แทนของเครื่องหมายอื่นๆที่จะทำให้ทุกรอบการหมุนที่มีภาพนี้ออกมาแปลงเป็นเงินรางวัลได้ดูเหมือนจะทุกรอบ
เกม slotpg เกมนี้มากับ 20 ไลน์พนัน ที่ผู้เล่นสามารถปรับเพิ่มหรือลดไลน์พนันได้ และก็เมื่อปรับเพิ่มหรือลดไลน์พนันเงินที่ใช้ในการเดิมพันต่อรอบก็จะถูกปรับอัตโนมัติตามไลน์ด้วย เกมพนันที่ไลน์ไม่เยอะแยะแม้กระนั้นได้โอกาสทำเงินได้มากเป็นเกมที่พวกเราต้องการให้คุณได้ทดลองเข้าเล่น แล้วคุณจะบอกเป็นเสียงเดียวกันเลยว่ามันชำระเงินเยอะแยะจริงๆในเกมนี้
pgslot
จุดมุ่งหมายเป็นหัวใจสำคัญ pg slot
ReplyDeleteไม่ว่าคุณจะเข้าเล่นเกมพนันใดก็ตามต้องห้ามลืมจุดหมายสำหรับเพื่อการเข้าเล่นเด็ดขาด เนื่องจากว่าวัตถุประสงค์จะเป็นตัวยึดเหนี่ยวให้ท่านทราบว่าที่คุณเข้าเล่นพนันนั้นเพื่ออะไร ทั้งมันยังเป็นตัวช่วยสำหรับในการหยุดเล่นเกมให้กับตัวคุณได้เช่นกันเมื่อคุณทำเงินตามจุดหมายได้แล้ว
Muay Thai Champion เกมสล็อตสำหรับคนถูกใจมวยไทยจาก Pgslot
ReplyDeleteMuay Thai Champion เกมสล็อตจากทาง Pgslot ที่นำเอาเรื่องราวของมวยไทยมาเป็นลักษณะของเกม การถ่ายทอดความสวยสดงดงามของอาการรวมทั้งการต่อสู้ที่เป็นเอกลักษณ์ของคนประเทศไทยได้อย่างสมบูรณ์แบบ เกมที่เล่นแล้วทำให้เกิดความรู้สึกถึงความบันเทิงแล้วก็ได้รับดูความงดงามของมวยไทยไปในตัว เกมนี้เป็นเกมที่เปิดตัวนานพอเหมาะพอควรสุดแท้แต่ในตอนนี้ก็ยังคงเป็นที่นิยมอยู่ด้วยเงินรางวัลเกมรวมทั้งความพิเศษด้านในเกมที่ยังคงทำให้ผู้เล่นผู้คนจำนวนไม่ใช้น้อยพึงใจและก็ยังคงเข้าเล่นเพื่อทำเงินจากเกมนี้กันอยู่นั้นเอง
ความพิเศษรวมทั้งวิธีการทำเงินด้านในเกม
ข้างในเกม สล็อตออนไลน์ เกมนี้เต็มไปด้วยความน่าดึงดูดใจดูเหมือนจะทุกส่วนด้านใน ซึ่งทุกส่วนนี้เองที่ทำให้ความชื่นชอบของเกมไม่เคยตกลงไปเลย ทั้งด้วยลักษณะของเกมที่เพียงแค่มองดูเพียงแค่ข้างนอกก็น่าดึงดูดแล้วเมื่อเปิดเข้ามาในเกมก็ยิ่งน่าดึงดูดเข้าไปอีก นักการพนันส่วนมากก็เลยเข้าเล่นแล้วเข้าเล่นอีกในเกมนี้อยู่ตลอด แต่ว่าสำหรับคนใดกันแน่ที่ยังไม่เคยเล่นเกมนี้มาก่อน วันนี้พวกเราจะพาทุกคนมามองไปพร้อมว่าจะมีความน่าดึงดูดใจอะไรกันบ้างข้างในเกมนี้ ดังต่อไปนี้
• เครื่องหมายของเกม
เกม สล็อตออนไลน์ มากับเครื่องหมายเกมที่เกี่ยวกับมวยไทยทั้งผอง โดยภาพเครื่องหมายจะเป็นการออกลวดลายการต่อสู้แต่ละอิริยาบถ และก็มีนักมวยมุมแดงแล้วก็มุมสีน้ำเงินด้านในเกมนี้ เครื่องหมายของเกมแต่ละภาพจะมาพร้อมเงินรางวัลมากไม่น้อยเลยทีเดียว เพียงภาพเรียงกัน 3 ภาพขึ้นไปแค่นั้น เกมนี้ก็เลยทำเงินง่ายเพราะเหตุว่าเต็มไปด้วยเครื่องหมายที่พร้อมจะเรียงรายออก
• อัตราการชำระเงินรางวัลเกม pgslot
สำหรับเกมนี้นั้นจะต้องบอกเลยว่าอัตราการชำระเงินรางวัลก็ไม่ธรรมดาแบบเดียวกัน ยิ่งเพิ่มเงินที่ใช้ในการเดิมพันต่อรอบสูงมากแค่ไหนจังหวะได้รับเงินจำนวนไม่ใช่น้อยขึ้นก็สูงเพียงแค่นั้น เป็นเกมที่ได้ลุ้นตลอดทุกรอบการหมุนจริงๆและก็ยังมีฟีพบร์พิเศษของเกมที่เข้ามาช่วยปรับให้เงินรางวัลคุ้มเยอะขึ้นเรื่อยๆอยู่เรื่อยอีกด้วย เป็นเกมที่ถึงแม้เล่นไม่เป็นแม้กระนั้นก็สามารถทำเงินได้อย่างง่ายๆจริงๆ
• ภาพแล้วก็เสียงของเกม
กราฟิกเกมนี้มาแบบจัดเต็มทุกส่วนตั้งแต่ภาพปกของเกมตลอดจนข้างในเกม ทุกส่วนถูกดีไซน์มาได้อย่างน่าดึงดูดทั้งเสียงของเกมยังมีผลให้รู้สึกตื่นเต้นเสมือนได้นั่งเชียร์มวยอยู่ขอบเวทีกันอย่างยิ่งจริงๆ มันก็เลยเป็นเกมที่นับว่าดีรวมทั้งเพอร์เฟ็คมากมายๆที่พวกเรากระหยิ่มใจต้องการพรีเซนเทชั่นให้ทุกคนได้ทดลองเข้าเล่นกันมอง
แล้วก็เกมจากทาง Pgslot ยังมีเกมน่าดึงดูดอีกเพียบเลยที่คอยให้ทุกคนได้ทดลองเข้าไปสัมผัสถึงความสนุกสนาน รวมทั้งช่วงที่กระบวนการทำเงินกันอยู่ ถ้าคุณพอใจเกมสล็อตพีจีเป็นคำตอบที่ยอดเยี่ยมในตอนนี้
Thank you for posting such a great article! It contains wonderful and helpful posts. Keep up the good work
ReplyDeleteTN ESEVAI, TN ESEVAI Application Status Check, Apply Online for Income and OBC Certificate, Login@ tnesevai.tn.gov.in
لیست غذاهای ایرانی
ReplyDeleteتبلیغات کلیکی گوگل
آموزش آرایشگری زنانه
تبلیغات در گوگل ادوردز
تبلیغات در صفحه اول گوگل
Our Assignment Help presents a viable opportunity for the students struggling with their assignment writing help them achieve excellence in their work. We render one-shot satisfaction.
ReplyDeleteIt is interesting, nice to see this blog thanks for sharing this. Buy Instagram Followers In India
ReplyDeleteucuz takipçi
ReplyDeleteucuz takipçi
tiktok izlenme satın al
binance güvenilir mi
okex güvenilir mi
paribu güvenilir mi
bitexen güvenilir mi
coinbase güvenilir mi
بازرگانی مهر بهترین و معتبرترین نمایندگی لپ تاپ ایسوس
ReplyDeletehttps://bit.ly/3zp0RzH
webdesign
ReplyDeletehttps://bit.ly/2XYZGcp
Loving the info on this website, you have done great job on the ทางเข้า betflix posts.
ReplyDeleteAll in all vstcrack is a handy application for editing your videos like a pro.
ReplyDeletehttps://games-sky.net/
ReplyDeleteWill not be able to play online slots if you are not a user. But you don't have to worry about that, we've got you covered. Just you register a member with us today via automatic system. PGทางเข้า https://www.pgslotgames.net/login-pg-slot/
ReplyDeleteI really love your work it's very beneficial to many people's. Your blog approach helps many people like myself. Its content is very easy to understand and helps a lot,
ReplyDeleteDo visit my site for new and Updated software : Tipard DVD Ripper
카지노사이트 Your blog is great. I read a lot of interesting things from it. Thank you very much for sharing. Hope you will update more news in the future.
ReplyDeleteHe has also developed a free trial game. come for hand Want to learn to play without investment, pay money,สล็อตทดลองเล่นฟรีถอนได้ play for free, like in a real game can buy free spins or free games as well try pg slots buy free spins
ReplyDeleteJust apply for membership, receive immediately, 100รับ200ถอนไม่อั้นpg promotion 100, unlimited withdrawal, pg, many special promotions. Deposit 100, get 200, unlimited withdrawals, including PG camps within one website. You don't have to go to multiple websites. one time subscription
ReplyDeleteBuy Slots Free Spins Has been developed in the first year of 2012 in the camp PG SLOT DEMO and which has received a very good response. make these slot players popularize the game ทดลองเล่นpg PG Slots Online is very with spectacular effects. Beautifully designed illustrations High resolution, 3D images can be played anywhere, anytime.
ReplyDelete22SLOT.COM is an online gambling website service provider. The strongest at the moment You can apply for PGSLOT (PG Slot) through the TrueMoney Wallet Auto deposit and withdrawal system with various promotions. There are bonuses to choose from at all times, unlimited payments, no need to turn. pg slot โปรโมชั่น100% If you don't get the bonus!
ReplyDeletenice.
ReplyDeleteopen file
download apk
download file
This post is good enough to make somebody understand this amazing thing, and I’m sure everyone will appreciate this interesting things. Visit our website too. Feel free to visit my website; 카지노사이트링크
ReplyDeleteIt is truly a great and helpful piece of info. I¦m glad that you simply shared this helpful info with us. Please keep us up to date like this. Thank you for sharing. Feel free to visit my website; 온라인카지노사이트넷
ReplyDeleteUmano Logic Edmonton Web Design Company based software development company founded in 2010 with over 10 years of experience. We had a team of creatives, analysts, and engineers that help you to bring your ideas to life. We are in the process to empower technology for the future. Get your FREE quote today. Lets Innovate Together!
ReplyDeleteLogic Pro Crack for Mac and Windows is a professional audio production software. In addition, the app can be used to edit audio for all new and ...
ReplyDeleteCall Of Duty Black Ops 4 PC is called as the top trending Battle Royale and first-person shooter video game which can be played individually
ReplyDeleteSLOT ONLINE DEPOSIT PULSA 5000
ReplyDeleteSLOT ONLINE TERPERCAYA | SLOT GACOR
Hi, happy that i saw on this in google. Thanks!
ReplyDelete카지노사이트
바카라사이트
바카라게임사이트
PG SLOT three-dimensional game graphics. Slot games feature allows for real money making. The rules of playing are not difficult to understand. Because there are 4 languages translated, namely Thai, English, Chinese, Burmese, PG slots are supported on all devices
ReplyDeleteอำนวนความสะดวก แก่ผู้เล่นกับการเล่น และ ดาวน์โหลด PG เวอร์ชั่นล่าสุด ได้ทันที เป็นเกมที่เน้นเพื่อพัฒนาเกมออกมาให้เหมาะสมกับทุกเพศทุกวัย และเล่นได้มีประสิทธิภาพเยอะที่สุด กับเกมสล็อตของค่าย PGSLOT
ReplyDeleteMore security
ReplyDeletehttps://www.sabalanmusic.ir/آهنگ-فرزاد-فرزین-رد-پا.html
https://www.sabalanmusic.ir/آهنگ-مسعود-صادقلو-اسمت-چیه.html
Pure Tuber Mod Apk
ReplyDeleteAnimal Restaurant Mod Apk
Foxit Mod Apk
Rummy Circle App Download
DIY Valentine Gifts
Snapchat Earnings
Yalla Live TV Direct
Know Everything About thr Past, Present, and Future of Bitcoin
ทดลองเล่นฟรี megagame-game เกมสล็อตมือถือ เกมทำเงิน2022 รวมเกมสล็อตแตกง่าย มากกว่า 1,000 เกม เล่นที่นี่ !
ReplyDeleteCoolby ZealBox Intel J4125 Mini PC: The Coolby ZealBox is a standard entry-level mini-PC; however, the port configuration may be fascinating. Mini-PCs have all the time been in demand for the area of interest functions on account of their nature
ReplyDeleteTRIGKEY Speed S1
BlitzHome BH-CMM5
BlitzWolf BW-VP15
RICH BIT H100
Beelink SER4
NVISEN MU05
Atomstack Air Assist system
LAOTIE FX150
Lottery Sambad 2022 year may be one of the most lucky one year for you. Buy your ticket and try your luck to won the lottery. As you know there are many prizes and lucky draw held on daily basis. Stay tuned to check and download Lottery Sambad 2022 results over here.
ReplyDelete·https://lotterysambadresult.in/
https://apkmodule.com/speedcn-vpn-vip-mod-apk/
ReplyDeleteSpeedcn vpn VIP Mod Apk
https://apkmodule.com/summertime-saga-apk/
ReplyDeleteSummertime Saga Apk
BIIT is one of the well known Computer classes in east delhi. You can choose any computer course which are provided by us. We offer all the course within your budget. You can call on 9311441524 or can visit to A-115 , First Floor , Near Panna Sweet, Shakarpur, Vikas Marg, Laxmi Nagar, Computer Institute, Opposite Metro Piller No. 33, Delhi, 110092. It is one of the best coaching which fulfills all your demand.
ReplyDeleteSaat ini togel deposit pulsa 10rb tanpa potongan besar sudah bisa dimainkan di agen Majalah4D bersama agen togel online anda bisa melakukan togel deposit pulsa 10rb hanya di Agen Togel Toto 4D hanya dengan menggunakan 1 user id saja.
ReplyDeleteTogel Toto 4D
Togel Toto 4D
Togel Toto 4D
Sabung Ayam Online
Link Sv388
Sabung ayam online
Aplikasi sv388
Slot Online Gacor
Slot Gacor
Great post, you have pointed out some excellent points, I as well believe this is a very superb website.สล็อตวอเลท
ReplyDelete