contagio

An Overview of Exploit Packs (Update 15) January 28, 2012

2012-01-28T02:42:00.001-05:00

Version 15. January 28, 2012

The full table in xls format - Version 15 can be downloaded from here.

xlsx format
in csv format Packs Sheet 1 References sheet 2

Additions - with many thanks to Kahu Security

Hierarchy Exploit Pack
=================
CVE-2006-0003
CVE-2009-0927
CVE-2010-0094
CVE-2010-0188
CVE-2010-0806
CVE-2010-0840
CVE-2010-1297
CVE-2010-1885
CVE-2011-0611
JavaSignedApplet

Siberia Private
==========
CVE-2005-0055
CVE-2006-0003
CVE-2007-5659
CVE-2008-2463
CVE-2008-2992
CVE-2009-0075
CVE-2009-0927
CVE-2009-3867
CVE-2009-4324
CVE-2010-0806

Techno XPack
===========
CVE-2008-2992
CVE-2010-0188
CVE-2010-0842
CVE-2010-1297
CVE-2010-2884
CVE-2010-3552
CVE-2010-3654
JavaSignedApplet

"Yang Pack"
=========
CVE-2010-0806
CVE-2011-2110
CVE-2011-2140
CVE-2011-354

Version 14. January 19, 2012

Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to XyliBox (Xylitol - Steven), Malware Intelligence blog, and xakepy.cc for the information:

Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
Blackhole 1.2.1 (Java Skyline added)
Sakura Exploit Pack 1.0 (new kid on the block, private pack)
Phoenix 2.8. mini (condensed version of 2.7)
Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)

If you find any errors or CVE information for packs not featured , please send it to my email (in my profile above, thank you very much) .

The full table in xls format - Version 14 can be downloaded from here.

The exploit pack table in XLSX format
The exploit pack table in csv format

The references sheet in csv format

P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.

Version 13. Aug 20, 2011

Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:

Bleeding Life 3.0
Merry Christmas Pack (many thanks to kahusecurity.com)+
Best Pack (many thanks to kahusecurity.com)
Sava Pack (many thanks to kahusecurity.com)
LinuQ
Eleonore 1.6.5
Zero Pack
Salo Pack (incomplete but it is also old)

List of packs in the table in alphabetical order

Best Pack
Blackhole Exploit 1.0
Blackhole Exploit 1.1
Bleeding Life 2.0
Bleeding Life 3.0
Bomba
CRIMEPACK 2.2.1
CRIMEPACK 2.2.8
CRIMEPACK 3.0
CRIMEPACK 3.1.3
Dloader
EL Fiiesta
Eleonore 1.3.2
Eleonore 1.4.1
Eleonore 1.4.4 Moded
Eleonore 1.6.3a
Eleonore 1.6.4
Eleonore 1.6.5
Fragus 1
Icepack
Impassioned Framework 1.0
Incognito
iPack
JustExploit
Katrin
Merry Christmas Pack
Liberty 1.0.7
Liberty 2.1.0*
LinuQ pack
Lupit
Mpack
Mushroom/unknown
Open Source Exploit (Metapack)
Papka
Phoenix 2.0
Phoenix 2.1
Phoenix 2.2
Phoenix 2.3
Phoenix 2.4
Phoenix 2.5
Phoenix 2.7
Robopak
Salo pack
Sava Pack
SEO Sploit pack
Siberia
T-Iframer
Unique Pack Sploit 2.1
Webattack
Yes Exploit 3.0RC
Zero Pack
Zombie Infection kit
Zopack

----------------------------------------------
Bleeding Life 3.0
New Version Ad is here

Merry Christmas Pack read analysis at kahusecurity.com	Best Pack read analysis at kahusecurity.com	Sava Pack read analysis at kahusecurity.com
Eleonore 1.6.5 [+] CVE-2011-0611 [+] CVE-2011-0559 [+] CVE-2010-4452 [-] CVE-2010-0886	Salo Pack Old (2009), added just for the collection	Zero Pack 62 exploits from various packs (mostly Open Source pack)
LinuQ pack Designed to compromise linux servers using vulnerable PHPMyAdmin. Comes with DDoS bot but any kind of code can be loaded for Linux botnet creation. LinuQ pack is PhpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. it is not considered to be original, unique, new, or anything special. All exploits are public and known well. It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned, vulnerable IPs and specific PMA vulnerabilities will be listed in vuln.txt, then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than exploit pack. It is using CVE-2009-1148 (unconfirmed) CVE-2009-1149 (unconfirmed) CVE-2009-1150 (unconfirmed) CVE-2009-1151 (confirmed)

====================================================================

Version 12. May 26, 2011

additional changes (many thanks to kahusecurity.com)

Bomba

Papka

See the list of packs covered in the list below

The full table in xls format - Version 12 can be downloaded from here.

I want to thank everyone who sent packs and information :)

Version 11 May 26, 2011 Changes:

Phoenix2.7
"Dloader" (well, dloader is a loader but the pack is some unnamed pack http://damagelab.org/lofiversion/index.php?t=20852)
nuclear pack
Katrin
Robopak
Blackhole exploit kit 1.1.0
Mushroom/unknown
Open Source Exploit kit

====================================================================

10. May 8, 2011 Version 10 Exploit Pack Table_V10May11
First, I want to thank everyone who sent and posted comments for updates and corrections.

*** The Wild Wild West picture is from a great post about evolution of exploit packs by Kahu Security Wild Wild West Update

As usual, send your corrections and update lists.

Changes:

Eleonore 1.6.4
Eleonore 1.6.3a
Incognito
Blackhole

Go1Pack (not included) as reported as being a fake pack, here is a gui. Here is a threatpost article referencing it as it was used for an attack
Also, here is another article claiming it is not a fake http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
Go1 Pack CVE are reportedly
CVE-2006-0003
CVE-2009-0927
CVE-2010-1423
CVE-2010-1885
Does anyone have this pack or see it offered for sale?

Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

Open Source Exploit Kit
SALO
K0de

Legend:

Black color entries by Francois Paget

Red color entries by Gunther

Blue color entries by Mila

Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

--------------------------------------------------------
9. April 5, 2011 Version 9 ExploitPackTable_V9Apr11

It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

Changes:
Phoenix 2.5
IFramer
Tornado
Bleeding life

Many thanks to Gunther for his contributions.
If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes

8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

Changes:

Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to
♫
etonshell for noticing)
SEO Sploit pack added (thanks to whsbehind.blogspot.com, evilcodecave.blogspot.com and blog.ahnlab.com)

7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released

thanks to SecNiche we have updates for Phoenix 2.4 :)

We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVE in the future. Please send us more information re packs, exploit names that can be added in the list. Thank you!

6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released

Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3

5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released

Added updates for Phoenix 2.1 and Crimepack 3.1.3

4 Update 4 July 23, 2010 Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com

Update 3 July 7, 2010. Please read more about this on the Brian Krebs' blog Pirate Bay Hack Exposes User Booty

Update 2 June 27, 2010 Sorry but Impassioned Framework is back where it belongs - blue

Update 1 June 24, 2010 Eleonore 1.4.1 columns was updated to include the correct list of the current exploits.

Francois Paget www.avertlabs.com kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks, please do no hesitate to email me if you know the answer or if you see any errors.

Please click on the image below to expand it (it is a partial screenshot) Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool not exploit pack. However, there was no sufficient information provided yet to validate such claims. The pack is temporarily/tentatively marked a different color. We'll keep you posted.

Blackhole Ramnit - samples and analysis

2012-01-12T02:57:00.004-05:00

Ramnit - a Zeus-like trojan/worm/file infector with rootkit capabilities has been in the wild for a long time but recently made news because Seculert reported about a financial variant of this malware aimed at stealing Facebook credentials.

While I did not see any Facebook related activity in my samples, I am posting them anyway for your research as their functionality is the same.

The samples I have are being spread not via Facebook but via Blackhole exploit kit, which is a very effective method. Blackhole exploit kit was associated with the spread of ZeuS, Spyeye, and it is not surprising that Ramnit is being spread in the same manner by the same groups. The group of command and control servers that I researched is associated with pharma spam and "Canadian" online pharmacies.

General File Information

File: 607B2219FBCFBFE8E6AC9D7F3FB8D50E
MD5: 607B2219FBCFBFE8E6AC9D7F3FB8D50E

File: c33e7ed929760020820e8808289c240e
MD5: C33E7ED929760020820E8808289C240E

File: 76991eefea6cb01e1d7435ae973858e6 - not analysed
MD5: 76991EEFEA6CB01E1D7435AE973858E6

File: 2ff2c8ada4fc6291846f0d66ae57ca37 -not analysed
MD5: 2FF2C8ADA4FC6291846F0D66AE57CA37

Download

Download all the binaries and dropped files as a password protected archive (email me if you need the password)

Distribution

The files analysed were / are being distributed via Blackhole exploit pack. It starts with the usual large letter message "Please wait page is loading" -then Java exploit launches and compromise takes place if the machine is vulnerable. . Here you can see the Blackhole domains spreading Ramnit in the Malwaredomainlist . Amberfreda.com domain belongs to a legitimate company and is registered in Arizona, while a subdomain best.amberfreda.com is registered by some Ukranian guy. Not sure how they managed that.

amberfreda.com
173.201.97.1
p3nlhg49c090.shr.prod.phx3.secureserver.net
Domains By Proxy, LLC
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

best.amberfreda.com
178.162.145.184
178-162-145-184.local
Host unreachable
178.162.145.128 - 178.162.145.255
VPS services
Ukraine
Vladimir Gubarenko
p/o box 8967
61106, Kharkov
Ukraine
phone: +7 4956637354
fax: +7 4956637354
admin@imhoster.net

http://www.malwaredomainlist.com/mdl.php?search=amberfreda.com&colsearch=All&quantity=50

Brief Analysis

607B2219FBCFBFE8E6AC9D7F3FB8D50E
Hendrik Adrian from Japan posted his analysis of the same sample ( 0day.JP - Ramnit) where he described the files created by the malware and the spam sending capabilities of the bot .

The bot deletes registry settings for the safe boot, which causes BSOD and prevents one from removing the malicious files in the safe mode.

----------------------------------Keys deleted:248----------------------------------HKLM\SYSTEM\ControlSet001\Control\SafeBoot\MinimalHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmtHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BaseHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus ExtenderHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file systemHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvcHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunchHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadminHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserverHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLogHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File systemHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FilterHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvcHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetlogonHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI ConfigurationHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlayHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP FilterHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary diskHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSsHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI ClassHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRServiceHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus ExtenderHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmtHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\NetworkHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFDHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmtHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\BaseHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus ExtenderHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file systemHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\BrowserHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvcHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunchHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\DhcpHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadminHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserverHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCacheHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLogHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\File systemHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\FilterHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvcHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServerHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstationHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHostsHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\MessengerHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDISHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS WrapperHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NdisuioHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroupHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBTHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroupHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetlogonHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetManHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProviderHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSspHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI ConfigurationHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlayHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP FilterHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDIHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary diskHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgrHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSsHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI ClassHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SharedAccessHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRServiceHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams DriversHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus ExtenderHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\TcpipHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDIHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdpipe.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdtcp.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\termserviceHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vga.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vgasave.sysHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinMgmtHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WZCSVCHKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\MinimalHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmtHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BaseHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus ExtenderHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file systemHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvcHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunchHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadminHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserverHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLogHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File systemHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FilterHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvcHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NetlogonHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI ConfigurationHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlayHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP FilterHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary diskHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSsHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI ClassHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRServiceHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus ExtenderHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmtHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\NetworkHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFDHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmtHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BaseHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus ExtenderHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file systemHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BrowserHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvcHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunchHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DhcpHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadminHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserverHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCacheHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLogHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File systemHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\FilterHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvcHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServerHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstationHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHostsHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MessengerHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDISHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS WrapperHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NdisuioHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroupHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBTHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroupHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetlogonHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetManHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProviderHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSspHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI ConfigurationHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlayHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP FilterHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDIHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary diskHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgrHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSsHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI ClassHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccessHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRServiceHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams DriversHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus ExtenderHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TcpipHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDIHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termserviceHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sysHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmtHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVCHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

2. Adds a Windows service
Micorsoft Windows Service - note the spelling

Keys added:18----------------------------------HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICEHKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE\0000HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE\0000\ControlHKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows ServiceHKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service\SecurityHKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service\EnumHKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICEHKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE\0000HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE\0000\ControlHKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows ServiceHKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service\SecurityHKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service\EnumHKU\S-1-5-21-789336058-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll1HKU\S-1-5-21-789336058-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe1HKU\S-1-5-21-789336058-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll1HKU\S-1-5-21-789336058-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll1\OpenWithListHKU\S-1-5-21-789336058-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe1HKU\S-1-5-21-789336058-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe1\OpenWithList

3. Adds the following files (names vary)

\Application Data\nvamibiv\vcryserj.exe - copy of the original http://www.virustotal.com/file-scan/report.html?id=f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c-1326310185

File: vcryserj.exe
Size: 135680
MD5: 607B2219FBCFBFE8E6AC9D7F3FB8D50E

\Application Data\wduqtdai.log - number of logs varies, contain encrypted data
\Application Data\xtyepaef.log number of logs varies, contain encrypted data
\Temp\nhptugtstukgwpyi.exe - copy of the original

File: nhptugtstukgwpyi.exe
Size: 135680
MD5: 607B2219FBCFBFE8E6AC9D7F3FB8D50E

\Start Menu\Programs\Startup\vcryserj.exe - copy of the original

File: vcryserj.exe
Size: 1356
MD5: 607B2219FBCFBFE8E6AC9D7F3FB8D50E

\Local Settings\Temp\dnsgvbny.sys the rootkit http://www.virustotal.com/file-scan/report.html?id=c1293f8dd8a243391d087742fc22c99b8263f70c6937f784c15e9e20252b38ae-1326346542

File: dnsgvbny.sys
Size: 15360
MD5: A6D351093F75D16C574DB31CDF736153

Ramnit injects itself into two svchost.exe processes and you can see them if you sort all processes by PID, the last two will those created by Ramnit.

It generates spam that it sends out on port 25, Hendrik already described this behavior in his post.

C33E7ED929760020820E8808289C240E

The second file has file infector features I did not observe in 607B2219FBCFBFE8E6AC9D7F3FB8D50E.

As you see in the log below, malicious svchost.exe modifies or tries to modify every binary and HTML file by appending malicious code to each file or a vbs script to HTML files - like described in this post by ESET Win32/Ramnit.A. and here in the post by Avira - Closer look at W32/Ramnit.C

This does not break the infected binaries, all files continue to work as designed, except they infect or reinfect the computer they are running on. Webmasters may upload infected html files and visitors of their sites may get infected as well. For an average user, it is impossible to clean a system compromised with Ramnit file injector and use it confidence. The only way is say good bye to all the HTM(L), DLL and EXE files and build a new system without trying to copy any hrml files, bookmark or applications.

"9/1/2012 22:26:4.43","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll""9/1/2012 22:26:4.43","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll""9/1/2012 22:26:4.43","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll""9/1/2012 22:26:4.43","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll""9/1/2012 22:26:4.103","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll""9/1/2012 22:26:4.103","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll""9/1/2012 22:26:4.293","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ahclient.dll""9/1/2012 22:26:4.293","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ahclient.dll""9/1/2012 22:26:4.293","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ahclient.dll""9/1/2012 22:26:4.293","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ahclient.dll""9/1/2012 22:26:4.293","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ahclient.dll""9/1/2012 22:26:4.293","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ahclient.dll""9/1/2012 22:26:4.764","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:4.994","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll""9/1/2012 22:26:4.994","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll""9/1/2012 22:26:4.994","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll""9/1/2012 22:26:4.994","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll""9/1/2012 22:26:4.994","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll""9/1/2012 22:26:5.84","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll""9/1/2012 22:26:5.84","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll""9/1/2012 22:26:5.84","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll""9/1/2012 22:26:5.84","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll""9/1/2012 22:26:5.84","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll""9/1/2012 22:26:5.84","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll""9/1/2012 22:26:5.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXSLE.dll""9/1/2012 22:26:5.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXSLE.dll""9/1/2012 22:26:5.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXSLE.dll""9/1/2012 22:26:5.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXSLE.dll""9/1/2012 22:26:5.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\AXSLE.dll""9/1/2012 22:26:5.485","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll""9/1/2012 22:26:5.485","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll""9/1/2012 22:26:5.485","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll""9/1/2012 22:26:5.485","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll""9/1/2012 22:26:5.495","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll""9/1/2012 22:26:5.575","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIBUtils.dll""9/1/2012 22:26:5.575","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIBUtils.dll""9/1/2012 22:26:5.575","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIBUtils.dll""9/1/2012 22:26:5.575","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIBUtils.dll""9/1/2012 22:26:5.575","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\BIBUtils.dll""9/1/2012 22:26:5.775","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll""9/1/2012 22:26:5.775","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll""9/1/2012 22:26:5.775","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll""9/1/2012 22:26:5.775","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll""9/1/2012 22:26:5.805","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll""9/1/2012 22:26:5.805","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll""9/1/2012 22:26:5.805","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll""9/1/2012 22:26:5.765","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:6.66","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll""9/1/2012 22:26:6.66","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll""9/1/2012 22:26:6.66","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll""9/1/2012 22:26:6.66","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll""9/1/2012 22:26:6.66","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll""9/1/2012 22:26:6.66","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll""9/1/2012 22:26:6.166","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll""9/1/2012 22:26:6.166","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll""9/1/2012 22:26:6.166","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll""9/1/2012 22:26:6.166","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll""9/1/2012 22:26:6.166","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll""9/1/2012 22:26:6.166","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll""9/1/2012 22:26:6.526","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll""9/1/2012 22:26:6.526","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll""9/1/2012 22:26:6.526","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll""9/1/2012 22:26:6.526","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll""9/1/2012 22:26:6.526","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll""9/1/2012 22:26:6.526","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll""9/1/2012 22:26:6.767","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:7.77","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\JP2KLib.dll""9/1/2012 22:26:7.77","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\JP2KLib.dll""9/1/2012 22:26:7.77","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\JP2KLib.dll""9/1/2012 22:26:7.77","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\JP2KLib.dll""9/1/2012 22:26:7.77","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\JP2KLib.dll""9/1/2012 22:26:7.77","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\JP2KLib.dll""9/1/2012 22:26:7.297","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\logsession.dll""9/1/2012 22:26:7.297","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\logsession.dll""9/1/2012 22:26:7.297","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\logsession.dll""9/1/2012 22:26:7.297","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\logsession.dll""9/1/2012 22:26:7.297","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\logsession.dll""9/1/2012 22:26:7.297","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\logsession.dll""9/1/2012 22:26:7.458","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.dll""9/1/2012 22:26:7.458","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.dll""9/1/2012 22:26:7.458","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.dll""9/1/2012 22:26:7.458","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.dll""9/1/2012 22:26:7.458","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.dll""9/1/2012 22:26:7.458","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.dll""9/1/2012 22:26:7.638","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:7.638","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:7.638","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:7.638","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:7.658","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:7.658","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:7.658","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:7.768","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:7.828","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\Onix32.dll""9/1/2012 22:26:7.828","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\Onix32.dll""9/1/2012 22:26:7.828","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\Onix32.dll""9/1/2012 22:26:7.828","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\Onix32.dll""9/1/2012 22:26:7.838","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\Onix32.dll""9/1/2012 22:26:7.838","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\Onix32.dll""9/1/2012 22:26:7.838","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\Onix32.dll""9/1/2012 22:26:8.389","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\pe.dll""9/1/2012 22:26:8.389","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\pe.dll""9/1/2012 22:26:8.389","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\pe.dll""9/1/2012 22:26:8.389","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\pe.dll""9/1/2012 22:26:8.389","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\pe.dll""9/1/2012 22:26:8.389","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\pe.dll""9/1/2012 22:26:8.770","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:9.771","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:10.772","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:11.774","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:12.315","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll""9/1/2012 22:26:12.315","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll""9/1/2012 22:26:12.315","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll""9/1/2012 22:26:12.315","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll""9/1/2012 22:26:12.315","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll""9/1/2012 22:26:12.315","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll""9/1/2012 22:26:12.315","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll""9/1/2012 22:26:12.775","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:13.777","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:13.787","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\mila\Local Settings\Application Data\wduqtdai.log""9/1/2012 22:26:14.217","file","Write","System","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:14.217","file","Write","System","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:14.237","file","Write","System","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:14.237","file","Write","System","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:14.778","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:15.219","file","Write","System","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:15.780","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:16.781","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:17.783","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:18.784","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:18.914","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:18.914","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:18.914","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:18.914","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:18.924","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:18.924","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:19.225","file","Write","System","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:19.225","file","Write","System","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:19.225","file","Write","System","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:19.785","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:20.226","file","Write","System","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:20.787","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:20.927","registry","DeleteValueKey","System","HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0""9/1/2012 22:26:20.927","registry","SetValueKey","System","HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count""9/1/2012 22:26:20.927","registry","SetValueKey","System","HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance""9/1/2012 22:26:21.518","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL""9/1/2012 22:26:21.518","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL""9/1/2012 22:26:21.518","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL""9/1/2012 22:26:21.518","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL""9/1/2012 22:26:21.518","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL""9/1/2012 22:26:21.518","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL""9/1/2012 22:26:21.788","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:22.329","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11F1.DLL""9/1/2012 22:26:22.329","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11F1.DLL""9/1/2012 22:26:22.329","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11F1.DLL""9/1/2012 22:26:22.329","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11F1.DLL""9/1/2012 22:26:22.329","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11F1.DLL""9/1/2012 22:26:22.329","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11F1.DLL""9/1/2012 22:26:22.499","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11M1.DLL""9/1/2012 22:26:22.499","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11M1.DLL""9/1/2012 22:26:22.499","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11M1.DLL""9/1/2012 22:26:22.499","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11M1.DLL""9/1/2012 22:26:22.499","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11M1.DLL""9/1/2012 22:26:22.499","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUT11M1.DLL""9/1/2012 22:26:22.650","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTEMPP.DLL""9/1/2012 22:26:22.650","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTEMPP.DLL""9/1/2012 22:26:22.650","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTEMPP.DLL""9/1/2012 22:26:22.650","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTEMPP.DLL""9/1/2012 22:26:22.650","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTEMPP.DLL""9/1/2012 22:26:22.650","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTEMPP.DLL""9/1/2012 22:26:22.790","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:22.800","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTG2P.DLL""9/1/2012 22:26:22.800","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTG2P.DLL""9/1/2012 22:26:22.800","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTG2P.DLL""9/1/2012 22:26:22.800","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTG2P.DLL""9/1/2012 22:26:22.800","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTG2P.DLL""9/1/2012 22:26:22.800","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTG2P.DLL""9/1/2012 22:26:22.900","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTSTPP.DLL""9/1/2012 22:26:22.900","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTSTPP.DLL""9/1/2012 22:26:22.900","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTSTPP.DLL""9/1/2012 22:26:22.900","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTSTPP.DLL""9/1/2012 22:26:22.900","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTSTPP.DLL""9/1/2012 22:26:22.900","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\1033\TTS\TTS3000\ENUTSTPP.DLL""9/1/2012 22:26:23.100","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\ENUT3S51.DLL""9/1/2012 22:26:23.100","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\ENUT3S51.DLL""9/1/2012 22:26:23.100","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\ENUT3S51.DLL""9/1/2012 22:26:23.100","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\ENUT3S51.DLL""9/1/2012 22:26:23.100","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\ENUT3S51.DLL""9/1/2012 22:26:23.100","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\ENUT3S51.DLL""9/1/2012 22:26:23.170","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\LHCOM01A.DLL""9/1/2012 22:26:23.170","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\LHCOM01A.DLL""9/1/2012 22:26:23.170","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\LHCOM01A.DLL""9/1/2012 22:26:23.170","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\LHCOM01A.DLL""9/1/2012 22:26:23.170","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\LHCOM01A.DLL""9/1/2012 22:26:23.170","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\LHCOM01A.DLL""9/1/2012 22:26:23.441","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\TTSCORE.DLL""9/1/2012 22:26:23.441","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\TTSCORE.DLL""9/1/2012 22:26:23.441","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\TTSCORE.DLL""9/1/2012 22:26:23.441","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\TTSCORE.DLL""9/1/2012 22:26:23.441","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\TTSCORE.DLL""9/1/2012 22:26:23.441","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\L&H\SpeechEngines\TTSCORE.DLL""9/1/2012 22:26:23.791","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:23.851","file","Delete","C:\WINDOWS\system32\svchost.exe","C:\WINDOWS\system32\CatRoot2\tmp.edb""9/1/2012 22:26:24.793","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:25.23","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:25.133","file","Write","System","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:25.133","file","Write","System","C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe""9/1/2012 22:26:25.133","file","Write","System","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:25.133","file","Write","System","C:\Program Files\Capture\7za.exe""9/1/2012 22:26:25.774","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:25.794","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:26.275","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:26.796","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:27.26","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:26.996","registry","SetValueKey","C:\WINDOWS\system32\winlogon.exe","HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec""9/1/2012 22:26:27.567","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:27.797","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:28.67","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:28.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\HWXUSA.DLL""9/1/2012 22:26:28.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\HWXUSA.DLL""9/1/2012 22:26:28.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\HWXUSA.DLL""9/1/2012 22:26:28.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\HWXUSA.DLL""9/1/2012 22:26:28.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\HWXUSA.DLL""9/1/2012 22:26:28.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\HWXUSA.DLL""9/1/2012 22:26:28.308","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\INKDIV.DLL""9/1/2012 22:26:28.308","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\INKDIV.DLL""9/1/2012 22:26:28.308","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\INKDIV.DLL""9/1/2012 22:26:28.308","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\INKDIV.DLL""9/1/2012 22:26:28.318","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\INKDIV.DLL""9/1/2012 22:26:28.318","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\INK\INKDIV.DLL""9/1/2012 22:26:28.568","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.798","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\dao360.dll.new""9/1/2012 22:26:28.808","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:29.69","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:29.459","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\BINDER.DLL""9/1/2012 22:26:29.459","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\BINDER.DLL""9/1/2012 22:26:29.459","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\BINDER.DLL""9/1/2012 22:26:29.459","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\BINDER.DLL""9/1/2012 22:26:29.459","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\BINDER.DLL""9/1/2012 22:26:29.459","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\BINDER.DLL""9/1/2012 22:26:29.820","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:29.810","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:30.461","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIINK.DLL""9/1/2012 22:26:30.461","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIINK.DLL""9/1/2012 22:26:30.461","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIINK.DLL""9/1/2012 22:26:30.461","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIINK.DLL""9/1/2012 22:26:30.461","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIINK.DLL""9/1/2012 22:26:30.461","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIINK.DLL""9/1/2012 22:26:30.551","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIVWCTL.DLL""9/1/2012 22:26:30.551","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIVWCTL.DLL""9/1/2012 22:26:30.551","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIVWCTL.DLL""9/1/2012 22:26:30.551","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIVWCTL.DLL""9/1/2012 22:26:30.551","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MDIVWCTL.DLL""9/1/2012 22:26:30.741","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPCORE.DLL""9/1/2012 22:26:30.741","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPCORE.DLL""9/1/2012 22:26:30.741","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPCORE.DLL""9/1/2012 22:26:30.741","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPCORE.DLL""9/1/2012 22:26:30.741","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPCORE.DLL""9/1/2012 22:26:30.741","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPCORE.DLL""9/1/2012 22:26:30.811","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:30.891","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPFILT.DLL""9/1/2012 22:26:30.891","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPFILT.DLL""9/1/2012 22:26:30.891","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPFILT.DLL""9/1/2012 22:26:30.891","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPFILT.DLL""9/1/2012 22:26:30.891","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPFILT.DLL""9/1/2012 22:26:30.951","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPGIMME.DLL""9/1/2012 22:26:30.951","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPGIMME.DLL""9/1/2012 22:26:30.951","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPGIMME.DLL""9/1/2012 22:26:30.951","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPGIMME.DLL""9/1/2012 22:26:30.951","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPGIMME.DLL""9/1/2012 22:26:31.502","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\OCRPS.DLL""9/1/2012 22:26:31.502","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\OCRPS.DLL""9/1/2012 22:26:31.502","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\OCRPS.DLL""9/1/2012 22:26:31.502","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\OCRPS.DLL""9/1/2012 22:26:31.502","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\OCRPS.DLL""9/1/2012 22:26:31.813","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:32.814","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:33.816","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:33.876","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL""9/1/2012 22:26:33.876","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL""9/1/2012 22:26:33.876","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL""9/1/2012 22:26:33.876","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL""9/1/2012 22:26:33.906","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL""9/1/2012 22:26:33.906","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL""9/1/2012 22:26:33.906","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL""9/1/2012 22:26:34.6","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCR71.DLL""9/1/2012 22:26:34.6","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCR71.DLL""9/1/2012 22:26:34.6","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCR71.DLL""9/1/2012 22:26:34.6","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCR71.DLL""9/1/2012 22:26:34.6","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCR71.DLL""9/1/2012 22:26:34.6","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\MSDesigners7\MSVCR71.DLL""9/1/2012 22:26:34.76","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:34.827","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:34.817","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:35.818","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:36.820","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:37.651","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSSOAP30.DLL""9/1/2012 22:26:37.651","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSSOAP30.DLL""9/1/2012 22:26:37.651","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSSOAP30.DLL""9/1/2012 22:26:37.651","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSSOAP30.DLL""9/1/2012 22:26:37.651","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSSOAP30.DLL""9/1/2012 22:26:37.651","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSSOAP30.DLL""9/1/2012 22:26:37.811","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSXML5.DLL""9/1/2012 22:26:37.811","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSXML5.DLL""9/1/2012 22:26:37.811","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSXML5.DLL""9/1/2012 22:26:37.811","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSXML5.DLL""9/1/2012 22:26:37.821","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSXML5.DLL""9/1/2012 22:26:37.821","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSXML5.DLL""9/1/2012 22:26:37.821","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:38.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\WISC30.DLL""9/1/2012 22:26:38.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\WISC30.DLL""9/1/2012 22:26:38.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\WISC30.DLL""9/1/2012 22:26:38.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\WISC30.DLL""9/1/2012 22:26:38.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\OFFICE11\WISC30.DLL""9/1/2012 22:26:38.723","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL""9/1/2012 22:26:38.723","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL""9/1/2012 22:26:38.723","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL""9/1/2012 22:26:38.723","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL""9/1/2012 22:26:38.723","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL""9/1/2012 22:26:38.723","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL""9/1/2012 22:26:38.823","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:39.153","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1036\MSGR3FR.DLL""9/1/2012 22:26:39.153","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1036\MSGR3FR.DLL""9/1/2012 22:26:39.153","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1036\MSGR3FR.DLL""9/1/2012 22:26:39.183","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1036\MSGR3FR.DLL""9/1/2012 22:26:39.153","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1036\MSGR3FR.DLL""9/1/2012 22:26:39.183","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1036\MSGR3FR.DLL""9/1/2012 22:26:39.183","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\1036\MSGR3FR.DLL""9/1/2012 22:26:39.394","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\3082\MSGR3ES.DLL""9/1/2012 22:26:39.394","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\3082\MSGR3ES.DLL""9/1/2012 22:26:39.394","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\3082\MSGR3ES.DLL""9/1/2012 22:26:39.394","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\3082\MSGR3ES.DLL""9/1/2012 22:26:39.394","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\3082\MSGR3ES.DLL""9/1/2012 22:26:39.394","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\3082\MSGR3ES.DLL""9/1/2012 22:26:39.704","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msinfo32.exe.new""9/1/2012 22:26:39.784","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\CHAPI3T1.DLL""9/1/2012 22:26:39.784","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\CHAPI3T1.DLL""9/1/2012 22:26:39.784","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\CHAPI3T1.DLL""9/1/2012 22:26:39.784","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\CHAPI3T1.DLL""9/1/2012 22:26:39.784","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\CHAPI3T1.DLL""9/1/2012 22:26:39.784","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\CHAPI3T1.DLL""9/1/2012 22:26:39.824","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:40.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSHY3ES.DLL""9/1/2012 22:26:40.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSHY3ES.DLL""9/1/2012 22:26:40.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSHY3ES.DLL""9/1/2012 22:26:40.285","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSHY3ES.DLL""9/1/2012 22:26:40.295","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSHY3ES.DLL""9/1/2012 22:26:40.295","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSHY3ES.DLL""9/1/2012 22:26:40.295","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSHY3ES.DLL""9/1/2012 22:26:40.756","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL""9/1/2012 22:26:40.756","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL""9/1/2012 22:26:40.756","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL""9/1/2012 22:26:40.756","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL""9/1/2012 22:26:40.756","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL""9/1/2012 22:26:40.756","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL""9/1/2012 22:26:40.826","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:41.26","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3ES.DLL""9/1/2012 22:26:41.26","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3ES.DLL""9/1/2012 22:26:41.26","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3ES.DLL""9/1/2012 22:26:41.26","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3ES.DLL""9/1/2012 22:26:41.26","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3ES.DLL""9/1/2012 22:26:41.26","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3ES.DLL""9/1/2012 22:26:41.176","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3FR.DLL""9/1/2012 22:26:41.176","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3FR.DLL""9/1/2012 22:26:41.176","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3FR.DLL""9/1/2012 22:26:41.176","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3FR.DLL""9/1/2012 22:26:41.176","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3FR.DLL""9/1/2012 22:26:41.617","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL""9/1/2012 22:26:41.617","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL""9/1/2012 22:26:41.617","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL""9/1/2012 22:26:41.617","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL""9/1/2012 22:26:41.617","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL""9/1/2012 22:26:41.617","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL""9/1/2012 22:26:41.827","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:41.937","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTH3ES.DLL""9/1/2012 22:26:41.937","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTH3ES.DLL""9/1/2012 22:26:41.937","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTH3ES.DLL""9/1/2012 22:26:41.937","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTH3ES.DLL""9/1/2012 22:26:41.937","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTH3ES.DLL""9/1/2012 22:26:41.937","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTH3ES.DLL""9/1/2012 22:26:42.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTHES3.DLL""9/1/2012 22:26:42.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTHES3.DLL""9/1/2012 22:26:42.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTHES3.DLL""9/1/2012 22:26:42.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTHES3.DLL""9/1/2012 22:26:42.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTHES3.DLL""9/1/2012 22:26:42.218","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTHES3.DLL""9/1/2012 22:26:42.829","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:43.830","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:44.831","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:45.833","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:46.834","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:47.836","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:48.837","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:49.668","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spcplui.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.728","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapi.dll.new""9/1/2012 22:26:49.789","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sapisvr.exe.new""9/1/2012 22:26:49.839","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:50.840","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:51.842","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:52.843","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:53.844","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:54.846","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:55.847","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:56.849","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:57.850","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:58.60","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL""9/1/2012 22:26:58.60","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL""9/1/2012 22:26:58.60","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL""9/1/2012 22:26:58.60","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL""9/1/2012 22:26:58.60","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL""9/1/2012 22:26:58.60","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL""9/1/2012 22:26:58.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL""9/1/2012 22:26:58.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL""9/1/2012 22:26:58.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL""9/1/2012 22:26:58.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL""9/1/2012 22:26:58.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL""9/1/2012 22:26:58.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL""9/1/2012 22:26:58.661","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL""9/1/2012 22:26:58.661","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL""9/1/2012 22:26:58.661","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL""9/1/2012 22:26:58.661","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL""9/1/2012 22:26:58.671","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL""9/1/2012 22:26:58.671","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL""9/1/2012 22:26:58.671","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL""9/1/2012 22:26:58.852","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:26:58.922","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:59.673","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:26:59.853","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:0.13","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL""9/1/2012 22:27:0.13","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL""9/1/2012 22:27:0.13","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL""9/1/2012 22:27:0.13","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL""9/1/2012 22:27:0.13","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL""9/1/2012 22:27:0.13","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL""9/1/2012 22:27:0.424","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:27:0.464","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCP71.DLL""9/1/2012 22:27:0.464","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCP71.DLL""9/1/2012 22:27:0.464","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCP71.DLL""9/1/2012 22:27:0.464","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCP71.DLL""9/1/2012 22:27:0.514","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCP71.DLL""9/1/2012 22:27:0.514","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCP71.DLL""9/1/2012 22:27:0.514","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCP71.DLL""9/1/2012 22:27:0.644","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCR71.DLL""9/1/2012 22:27:0.644","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCR71.DLL""9/1/2012 22:27:0.644","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCR71.DLL""9/1/2012 22:27:0.644","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCR71.DLL""9/1/2012 22:27:0.644","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCR71.DLL""9/1/2012 22:27:0.644","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\MSVCR71.DLL""9/1/2012 22:27:0.854","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:1.45","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\VDT70G.DLL""9/1/2012 22:27:1.45","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\VDT70G.DLL""9/1/2012 22:27:1.45","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\VDT70G.DLL""9/1/2012 22:27:1.45","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\VDT70G.DLL""9/1/2012 22:27:1.45","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\VDT70G.DLL""9/1/2012 22:27:1.45","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\VDT70G.DLL""9/1/2012 22:27:1.175","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:27:1.205","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\COLOADER.DLL""9/1/2012 22:27:1.205","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\COLOADER.DLL""9/1/2012 22:27:1.205","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\COLOADER.DLL""9/1/2012 22:27:1.205","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\COLOADER.DLL""9/1/2012 22:27:1.205","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\COLOADER.DLL""9/1/2012 22:27:1.205","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\COLOADER.DLL""9/1/2012 22:27:1.856","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:1.926","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:27:2.427","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:27:2.857","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:3.178","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:27:3.859","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:3.929","file","Write","C:\Program Files\Wireshark\dumpcap.exe","C:\Documents and Settings\mila\Local Settings\Temp\wiresharkXXXXa03444""9/1/2012 22:27:4.860","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:5.451","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\triedit.dll.new""9/1/2012 22:27:5.451","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\triedit.dll.new""9/1/2012 22:27:5.451","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\triedit.dll.new""9/1/2012 22:27:5.451","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\triedit.dll.new""9/1/2012 22:27:5.451","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\triedit.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.541","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\vgx.dll.new""9/1/2012 22:27:5.862","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:6.863","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:7.865","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:8.866","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\1033\ITNGRAM.DLL""9/1/2012 22:27:8.866","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\1033\ITNGRAM.DLL""9/1/2012 22:27:8.866","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\1033\ITNGRAM.DLL""9/1/2012 22:27:8.866","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\1033\ITNGRAM.DLL""9/1/2012 22:27:8.866","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\1033\ITNGRAM.DLL""9/1/2012 22:27:8.866","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\1033\ITNGRAM.DLL""9/1/2012 22:27:8.866","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:9.777","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRENG.DLL""9/1/2012 22:27:9.777","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRENG.DLL""9/1/2012 22:27:9.777","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRENG.DLL""9/1/2012 22:27:9.777","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRENG.DLL""9/1/2012 22:27:9.777","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRENG.DLL""9/1/2012 22:27:9.777","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRENG.DLL""9/1/2012 22:27:9.867","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:9.948","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRX.DLL""9/1/2012 22:27:9.948","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRX.DLL""9/1/2012 22:27:9.948","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRX.DLL""9/1/2012 22:27:9.948","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRX.DLL""9/1/2012 22:27:9.948","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRX.DLL""9/1/2012 22:27:9.948","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\SpeechEngines\Microsoft\SR61\SPSRX.DLL""9/1/2012 22:27:10.869","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.530","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\fp4autl.dll.new""9/1/2012 22:27:11.870","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:12.872","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:12.902","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\System\MSMAPI\1033\CDO.DLL""9/1/2012 22:27:12.902","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\System\MSMAPI\1033\CDO.DLL""9/1/2012 22:27:12.902","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\System\MSMAPI\1033\CDO.DLL""9/1/2012 22:27:12.902","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\System\MSMAPI\1033\CDO.DLL""9/1/2012 22:27:12.932","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\System\MSMAPI\1033\CDO.DLL""9/1/2012 22:27:12.932","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Common Files\System\MSMAPI\1033\CDO.DLL""9/1/2012 22:27:13.873","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:13.873","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\mila\Local Settings\Application Data\wduqtdai.log""9/1/2012 22:27:14.875","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:15.876","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:16.237","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoap1.dll.new""9/1/2012 22:27:16.237","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoap1.dll.new""9/1/2012 22:27:16.237","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoap1.dll.new""9/1/2012 22:27:16.237","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoap1.dll.new""9/1/2012 22:27:16.237","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoap1.dll.new""9/1/2012 22:27:16.237","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoap1.dll.new""9/1/2012 22:27:16.237","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoap1.dll.new""9/1/2012 22:27:16.287","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\mssoapr.dll.new""9/1/2012 22:27:16.357","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wisc10.dll.new""9/1/2012 22:27:16.407","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spcommon.dll.new""9/1/2012 22:27:16.407","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spcommon.dll.new""9/1/2012 22:27:16.407","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spcommon.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.497","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\spttseng.dll.new""9/1/2012 22:27:16.557","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msader15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.617","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msado15.dll.new""9/1/2012 22:27:16.657","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadomd.dll.new""9/1/2012 22:27:16.657","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadomd.dll.new""9/1/2012 22:27:16.657","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadomd.dll.new""9/1/2012 22:27:16.657","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadomd.dll.new""9/1/2012 22:27:16.657","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadomd.dll.new""9/1/2012 22:27:16.707","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msador15.dll.new""9/1/2012 22:27:16.767","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadox.dll.new""9/1/2012 22:27:16.767","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadox.dll.new""9/1/2012 22:27:16.767","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadox.dll.new""9/1/2012 22:27:16.767","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadox.dll.new""9/1/2012 22:27:16.767","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadox.dll.new""9/1/2012 22:27:16.767","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadox.dll.new""9/1/2012 22:27:16.767","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadox.dll.new""9/1/2012 22:27:16.827","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadrh15.dll.new""9/1/2012 22:27:16.847","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msjro.dll.new""9/1/2012 22:27:16.847","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msjro.dll.new""9/1/2012 22:27:16.847","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msjro.dll.new""9/1/2012 22:27:16.888","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\directdb.dll.new""9/1/2012 22:27:16.888","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\directdb.dll.new""9/1/2012 22:27:16.888","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\directdb.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.918","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadce.dll.new""9/1/2012 22:27:16.878","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:16.988","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadcer.dll.new""9/1/2012 22:27:17.18","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadcf.dll.new""9/1/2012 22:27:17.78","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadcfr.dll.new""9/1/2012 22:27:17.138","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadco.dll.new""9/1/2012 22:27:17.138","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadco.dll.new""9/1/2012 22:27:17.138","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadco.dll.new""9/1/2012 22:27:17.138","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadco.dll.new""9/1/2012 22:27:17.138","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadco.dll.new""9/1/2012 22:27:17.218","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadcor.dll.new""9/1/2012 22:27:17.248","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadcs.dll.new""9/1/2012 22:27:17.308","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadds.dll.new""9/1/2012 22:27:17.308","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadds.dll.new""9/1/2012 22:27:17.308","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadds.dll.new""9/1/2012 22:27:17.308","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadds.dll.new""9/1/2012 22:27:17.308","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msadds.dll.new""9/1/2012 22:27:17.679","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msaddsr.dll.new""9/1/2012 22:27:17.749","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprsr.dll.new""9/1/2012 22:27:17.799","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprst.dll.new""9/1/2012 22:27:17.799","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprst.dll.new""9/1/2012 22:27:17.799","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprst.dll.new""9/1/2012 22:27:17.799","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprst.dll.new""9/1/2012 22:27:17.799","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprst.dll.new""9/1/2012 22:27:17.799","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprst.dll.new""9/1/2012 22:27:17.799","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaprst.dll.new""9/1/2012 22:27:17.859","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdarem.dll.new""9/1/2012 22:27:17.859","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdarem.dll.new""9/1/2012 22:27:17.859","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdarem.dll.new""9/1/2012 22:27:17.879","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:17.919","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaremr.dll.new""9/1/2012 22:27:17.999","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdfmap.dll.new""9/1/2012 22:27:18.880","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:19.882","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:20.883","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:21.314","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdadc.dll.new""9/1/2012 22:27:21.594","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaenum.dll.new""9/1/2012 22:27:21.755","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaer.dll.new""9/1/2012 22:27:21.885","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:22.586","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaora.dll.new""9/1/2012 22:27:22.586","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaora.dll.new""9/1/2012 22:27:22.586","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaora.dll.new""9/1/2012 22:27:22.586","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaora.dll.new""9/1/2012 22:27:22.586","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaora.dll.new""9/1/2012 22:27:22.586","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaora.dll.new""9/1/2012 22:27:22.586","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaora.dll.new""9/1/2012 22:27:22.886","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:23.116","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaorar.dll.new""9/1/2012 22:27:23.137","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaosp.dll.new""9/1/2012 22:27:23.137","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaosp.dll.new""9/1/2012 22:27:23.137","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaosp.dll.new""9/1/2012 22:27:23.487","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\awt.dll""9/1/2012 22:27:23.487","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\awt.dll""9/1/2012 22:27:23.487","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\awt.dll""9/1/2012 22:27:23.487","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\awt.dll""9/1/2012 22:27:23.487","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\awt.dll""9/1/2012 22:27:23.487","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\awt.dll""9/1/2012 22:27:23.537","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\axbridge.dll""9/1/2012 22:27:23.537","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\axbridge.dll""9/1/2012 22:27:23.537","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\axbridge.dll""9/1/2012 22:27:23.537","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\axbridge.dll""9/1/2012 22:27:23.537","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\axbridge.dll""9/1/2012 22:27:23.537","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\axbridge.dll""9/1/2012 22:27:23.667","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\client\jvm.dll""9/1/2012 22:27:23.667","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\client\jvm.dll""9/1/2012 22:27:23.667","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\client\jvm.dll""9/1/2012 22:27:23.667","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\client\jvm.dll""9/1/2012 22:27:23.667","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\client\jvm.dll""9/1/2012 22:27:23.667","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\client\jvm.dll""9/1/2012 22:27:23.767","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.767","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.767","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.787","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.767","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.787","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.787","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.787","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\cmm.dll""9/1/2012 22:27:23.848","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dcpr.dll""9/1/2012 22:27:23.848","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dcpr.dll""9/1/2012 22:27:23.848","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dcpr.dll""9/1/2012 22:27:23.848","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dcpr.dll""9/1/2012 22:27:23.848","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dcpr.dll""9/1/2012 22:27:23.848","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dcpr.dll""9/1/2012 22:27:23.888","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:23.898","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\deploy.dll""9/1/2012 22:27:23.898","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\deploy.dll""9/1/2012 22:27:23.898","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\deploy.dll""9/1/2012 22:27:23.898","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\deploy.dll""9/1/2012 22:27:23.898","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\deploy.dll""9/1/2012 22:27:23.898","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\deploy.dll""9/1/2012 22:27:23.998","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_shmem.dll""9/1/2012 22:27:23.998","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_shmem.dll""9/1/2012 22:27:23.998","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_shmem.dll""9/1/2012 22:27:23.998","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_shmem.dll""9/1/2012 22:27:23.998","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_shmem.dll""9/1/2012 22:27:23.998","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_shmem.dll""9/1/2012 22:27:24.48","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_socket.dll""9/1/2012 22:27:24.48","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_socket.dll""9/1/2012 22:27:24.48","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_socket.dll""9/1/2012 22:27:24.48","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_socket.dll""9/1/2012 22:27:24.48","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\dt_socket.dll""9/1/2012 22:27:24.98","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\eula.dll""9/1/2012 22:27:24.98","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\eula.dll""9/1/2012 22:27:24.98","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\eula.dll""9/1/2012 22:27:24.98","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\eula.dll""9/1/2012 22:27:24.98","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\eula.dll""9/1/2012 22:27:24.98","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\eula.dll""9/1/2012 22:27:24.148","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\fontmanager.dll""9/1/2012 22:27:24.148","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\fontmanager.dll""9/1/2012 22:27:24.148","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\fontmanager.dll""9/1/2012 22:27:24.148","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\fontmanager.dll""9/1/2012 22:27:24.148","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\fontmanager.dll""9/1/2012 22:27:24.148","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\fontmanager.dll""9/1/2012 22:27:24.198","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hpi.dll""9/1/2012 22:27:24.198","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hpi.dll""9/1/2012 22:27:24.198","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hpi.dll""9/1/2012 22:27:24.198","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hpi.dll""9/1/2012 22:27:24.198","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hpi.dll""9/1/2012 22:27:24.248","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hprof.dll""9/1/2012 22:27:24.248","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hprof.dll""9/1/2012 22:27:24.248","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hprof.dll""9/1/2012 22:27:24.248","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hprof.dll""9/1/2012 22:27:24.248","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hprof.dll""9/1/2012 22:27:24.248","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\hprof.dll""9/1/2012 22:27:24.298","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\instrument.dll""9/1/2012 22:27:24.298","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\instrument.dll""9/1/2012 22:27:24.298","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\instrument.dll""9/1/2012 22:27:24.298","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\instrument.dll""9/1/2012 22:27:24.298","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\instrument.dll""9/1/2012 22:27:24.298","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\instrument.dll""9/1/2012 22:27:24.348","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\ioser12.dll""9/1/2012 22:27:24.348","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\ioser12.dll""9/1/2012 22:27:24.348","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\ioser12.dll""9/1/2012 22:27:24.348","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\ioser12.dll""9/1/2012 22:27:24.348","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\ioser12.dll""9/1/2012 22:27:24.348","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\ioser12.dll""9/1/2012 22:27:24.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pcsc.dll""9/1/2012 22:27:24.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pcsc.dll""9/1/2012 22:27:24.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pcsc.dll""9/1/2012 22:27:24.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pcsc.dll""9/1/2012 22:27:24.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pcsc.dll""9/1/2012 22:27:24.448","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pkcs11.dll""9/1/2012 22:27:24.448","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pkcs11.dll""9/1/2012 22:27:24.448","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pkcs11.dll""9/1/2012 22:27:24.448","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pkcs11.dll""9/1/2012 22:27:24.448","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\j2pkcs11.dll""9/1/2012 22:27:24.498","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jaas_nt.dll""9/1/2012 22:27:24.498","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jaas_nt.dll""9/1/2012 22:27:24.498","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jaas_nt.dll""9/1/2012 22:27:24.498","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jaas_nt.dll""9/1/2012 22:27:24.498","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jaas_nt.dll""9/1/2012 22:27:24.599","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java.dll""9/1/2012 22:27:24.599","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java.dll""9/1/2012 22:27:24.599","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java.dll""9/1/2012 22:27:24.599","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java.dll""9/1/2012 22:27:24.599","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java.dll""9/1/2012 22:27:24.599","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java.dll""9/1/2012 22:27:24.889","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:24.909","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java_crw_demo.dll""9/1/2012 22:27:24.909","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java_crw_demo.dll""9/1/2012 22:27:24.909","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java_crw_demo.dll""9/1/2012 22:27:24.909","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java_crw_demo.dll""9/1/2012 22:27:24.909","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\java_crw_demo.dll""9/1/2012 22:27:24.959","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jawt.dll""9/1/2012 22:27:24.959","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jawt.dll""9/1/2012 22:27:24.959","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jawt.dll""9/1/2012 22:27:24.959","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jawt.dll""9/1/2012 22:27:24.959","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jawt.dll""9/1/2012 22:27:25.59","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\JdbcOdbc.dll""9/1/2012 22:27:25.59","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\JdbcOdbc.dll""9/1/2012 22:27:25.59","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\JdbcOdbc.dll""9/1/2012 22:27:25.59","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\JdbcOdbc.dll""9/1/2012 22:27:25.59","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\JdbcOdbc.dll""9/1/2012 22:27:25.109","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jdwp.dll""9/1/2012 22:27:25.109","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jdwp.dll""9/1/2012 22:27:25.109","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jdwp.dll""9/1/2012 22:27:25.109","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jdwp.dll""9/1/2012 22:27:25.109","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jdwp.dll""9/1/2012 22:27:25.109","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jdwp.dll""9/1/2012 22:27:25.159","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jkernel.dll""9/1/2012 22:27:25.159","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jkernel.dll""9/1/2012 22:27:25.159","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jkernel.dll""9/1/2012 22:27:25.159","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jkernel.dll""9/1/2012 22:27:25.169","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jkernel.dll""9/1/2012 22:27:25.169","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jkernel.dll""9/1/2012 22:27:25.169","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jkernel.dll""9/1/2012 22:27:25.230","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jli.dll""9/1/2012 22:27:25.230","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jli.dll""9/1/2012 22:27:25.230","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jli.dll""9/1/2012 22:27:25.230","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jli.dll""9/1/2012 22:27:25.230","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jli.dll""9/1/2012 22:27:25.230","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jli.dll""9/1/2012 22:27:25.380","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jp2native.dll""9/1/2012 22:27:25.380","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jp2native.dll""9/1/2012 22:27:25.380","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jp2native.dll""9/1/2012 22:27:25.380","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jp2native.dll""9/1/2012 22:27:25.380","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jp2native.dll""9/1/2012 22:27:25.480","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpeg.dll""9/1/2012 22:27:25.480","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpeg.dll""9/1/2012 22:27:25.480","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpeg.dll""9/1/2012 22:27:25.480","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpeg.dll""9/1/2012 22:27:25.480","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpeg.dll""9/1/2012 22:27:25.480","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpeg.dll""9/1/2012 22:27:25.530","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpicom.dll""9/1/2012 22:27:25.530","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpicom.dll""9/1/2012 22:27:25.530","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpicom.dll""9/1/2012 22:27:25.530","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpicom.dll""9/1/2012 22:27:25.530","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpicom.dll""9/1/2012 22:27:25.530","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpicom.dll""9/1/2012 22:27:25.580","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpiexp.dll""9/1/2012 22:27:25.580","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpiexp.dll""9/1/2012 22:27:25.580","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpiexp.dll""9/1/2012 22:27:25.580","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpiexp.dll""9/1/2012 22:27:25.580","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpiexp.dll""9/1/2012 22:27:25.580","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpiexp.dll""9/1/2012 22:27:25.630","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpinscp.dll""9/1/2012 22:27:25.630","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpinscp.dll""9/1/2012 22:27:25.630","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpinscp.dll""9/1/2012 22:27:25.630","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpinscp.dll""9/1/2012 22:27:25.630","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpinscp.dll""9/1/2012 22:27:25.630","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpinscp.dll""9/1/2012 22:27:25.680","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpioji.dll""9/1/2012 22:27:25.680","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpioji.dll""9/1/2012 22:27:25.680","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpioji.dll""9/1/2012 22:27:25.680","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpioji.dll""9/1/2012 22:27:25.680","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpioji.dll""9/1/2012 22:27:25.680","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpioji.dll""9/1/2012 22:27:25.730","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpishare.dll""9/1/2012 22:27:25.730","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpishare.dll""9/1/2012 22:27:25.730","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpishare.dll""9/1/2012 22:27:25.730","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpishare.dll""9/1/2012 22:27:25.730","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpishare.dll""9/1/2012 22:27:25.730","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jpishare.dll""9/1/2012 22:27:25.880","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsound.dll""9/1/2012 22:27:25.880","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsound.dll""9/1/2012 22:27:25.880","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsound.dll""9/1/2012 22:27:25.880","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsound.dll""9/1/2012 22:27:25.880","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsound.dll""9/1/2012 22:27:25.880","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsound.dll""9/1/2012 22:27:25.890","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:25.941","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsoundds.dll""9/1/2012 22:27:25.941","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsoundds.dll""9/1/2012 22:27:25.941","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsoundds.dll""9/1/2012 22:27:25.941","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsoundds.dll""9/1/2012 22:27:25.941","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\jsoundds.dll""9/1/2012 22:27:26.211","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\management.dll""9/1/2012 22:27:26.211","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\management.dll""9/1/2012 22:27:26.211","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\management.dll""9/1/2012 22:27:26.211","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\management.dll""9/1/2012 22:27:26.211","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\management.dll""9/1/2012 22:27:26.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\mlib_image.dll""9/1/2012 22:27:26.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\mlib_image.dll""9/1/2012 22:27:26.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\mlib_image.dll""9/1/2012 22:27:26.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\mlib_image.dll""9/1/2012 22:27:26.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\mlib_image.dll""9/1/2012 22:27:26.261","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\mlib_image.dll""9/1/2012 22:27:26.411","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\net.dll""9/1/2012 22:27:26.411","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\net.dll""9/1/2012 22:27:26.411","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\net.dll""9/1/2012 22:27:26.411","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\net.dll""9/1/2012 22:27:26.411","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\net.dll""9/1/2012 22:27:26.411","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\net.dll""9/1/2012 22:27:26.491","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\msvcr71.dll""9/1/2012 22:27:26.491","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\msvcr71.dll""9/1/2012 22:27:26.491","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\msvcr71.dll""9/1/2012 22:27:26.491","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\msvcr71.dll""9/1/2012 22:27:26.491","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\msvcr71.dll""9/1/2012 22:27:26.491","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\msvcr71.dll""9/1/2012 22:27:26.591","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll""9/1/2012 22:27:26.591","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll""9/1/2012 22:27:26.591","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll""9/1/2012 22:27:26.591","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll""9/1/2012 22:27:26.591","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll""9/1/2012 22:27:26.591","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll""9/1/2012 22:27:26.642","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\nio.dll""9/1/2012 22:27:26.642","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\nio.dll""9/1/2012 22:27:26.642","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\nio.dll""9/1/2012 22:27:26.642","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\nio.dll""9/1/2012 22:27:26.642","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\nio.dll""9/1/2012 22:27:26.792","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npoji610.dll""9/1/2012 22:27:26.792","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npoji610.dll""9/1/2012 22:27:26.792","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npoji610.dll""9/1/2012 22:27:26.792","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npoji610.dll""9/1/2012 22:27:26.792","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npoji610.dll""9/1/2012 22:27:26.792","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npoji610.dll""9/1/2012 22:27:26.842","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npt.dll""9/1/2012 22:27:26.842","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npt.dll""9/1/2012 22:27:26.842","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npt.dll""9/1/2012 22:27:26.842","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npt.dll""9/1/2012 22:27:26.842","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npt.dll""9/1/2012 22:27:26.842","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\npt.dll""9/1/2012 22:27:26.892","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:27.42","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\regutils.dll""9/1/2012 22:27:27.42","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\regutils.dll""9/1/2012 22:27:27.42","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\regutils.dll""9/1/2012 22:27:27.42","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\regutils.dll""9/1/2012 22:27:27.42","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\regutils.dll""9/1/2012 22:27:27.42","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\regutils.dll""9/1/2012 22:27:27.92","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\rmi.dll""9/1/2012 22:27:27.92","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\rmi.dll""9/1/2012 22:27:27.92","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\rmi.dll""9/1/2012 22:27:27.92","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\rmi.dll""9/1/2012 22:27:27.92","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\rmi.dll""9/1/2012 22:27:27.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\splashscreen.dll""9/1/2012 22:27:27.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\splashscreen.dll""9/1/2012 22:27:27.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\splashscreen.dll""9/1/2012 22:27:27.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\splashscreen.dll""9/1/2012 22:27:27.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\splashscreen.dll""9/1/2012 22:27:27.292","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\splashscreen.dll""9/1/2012 22:27:27.443","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\sunmscapi.dll""9/1/2012 22:27:27.443","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\sunmscapi.dll""9/1/2012 22:27:27.443","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\sunmscapi.dll""9/1/2012 22:27:27.443","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\sunmscapi.dll""9/1/2012 22:27:27.443","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\sunmscapi.dll""9/1/2012 22:27:27.443","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\sunmscapi.dll""9/1/2012 22:27:27.593","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\unpack.dll""9/1/2012 22:27:27.593","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\unpack.dll""9/1/2012 22:27:27.593","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\unpack.dll""9/1/2012 22:27:27.593","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\unpack.dll""9/1/2012 22:27:27.593","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\unpack.dll""9/1/2012 22:27:27.593","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\unpack.dll""9/1/2012 22:27:27.693","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\verify.dll""9/1/2012 22:27:27.693","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\verify.dll""9/1/2012 22:27:27.693","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\verify.dll""9/1/2012 22:27:27.693","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\verify.dll""9/1/2012 22:27:27.693","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\verify.dll""9/1/2012 22:27:27.743","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\w2k_lsa_auth.dll""9/1/2012 22:27:27.743","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\w2k_lsa_auth.dll""9/1/2012 22:27:27.743","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\w2k_lsa_auth.dll""9/1/2012 22:27:27.743","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\w2k_lsa_auth.dll""9/1/2012 22:27:27.743","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\w2k_lsa_auth.dll""9/1/2012 22:27:27.843","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\zip.dll""9/1/2012 22:27:27.843","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\zip.dll""9/1/2012 22:27:27.843","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\zip.dll""9/1/2012 22:27:27.843","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\zip.dll""9/1/2012 22:27:27.843","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\bin\zip.dll""9/1/2012 22:27:27.893","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:28.304","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaps.dll.new""9/1/2012 22:27:28.304","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaps.dll.new""9/1/2012 22:27:28.304","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaps.dll.new""9/1/2012 22:27:28.304","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaps.dll.new""9/1/2012 22:27:28.304","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaps.dll.new""9/1/2012 22:27:28.304","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaps.dll.new""9/1/2012 22:27:28.304","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaps.dll.new""9/1/2012 22:27:28.524","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasc.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.554","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasql.dll.new""9/1/2012 22:27:28.584","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdasqlr.dll.new""9/1/2012 22:27:28.604","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdatl3.dll.new""9/1/2012 22:27:28.604","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdatl3.dll.new""9/1/2012 22:27:28.604","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdatl3.dll.new""9/1/2012 22:27:28.634","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdatt.dll.new""9/1/2012 22:27:28.664","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msdaurl.dll.new""9/1/2012 22:27:28.684","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\msxactps.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.705","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32.dll.new""9/1/2012 22:27:28.745","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32r.dll.new""9/1/2012 22:27:28.745","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32r.dll.new""9/1/2012 22:27:28.745","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\oledb32r.dll.new""9/1/2012 22:27:28.765","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sqlxmlx.dll.new""9/1/2012 22:27:28.765","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sqlxmlx.dll.new""9/1/2012 22:27:28.765","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sqlxmlx.dll.new""9/1/2012 22:27:28.765","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sqlxmlx.dll.new""9/1/2012 22:27:28.765","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sqlxmlx.dll.new""9/1/2012 22:27:28.765","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sqlxmlx.dll.new""9/1/2012 22:27:28.765","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\sqlxmlx.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.805","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.815","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.815","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.815","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.875","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\wab32res.dll.new""9/1/2012 22:27:28.895","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VcrYserj""9/1/2012 22:27:28.925","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn.dll.new""9/1/2012 22:27:28.955","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn1.exe.new""9/1/2012 22:27:28.955","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn1.exe.new""9/1/2012 22:27:28.955","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn1.exe.new""9/1/2012 22:27:28.955","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn1.exe.new""9/1/2012 22:27:28.955","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn1.exe.new""9/1/2012 22:27:28.955","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn1.exe.new""9/1/2012 22:27:28.955","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn1.exe.new""9/1/2012 22:27:28.995","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn2.exe.new""9/1/2012 22:27:28.995","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn2.exe.new""9/1/2012 22:27:28.995","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwconn2.exe.new""9/1/2012 22:27:29.15","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwdl.dll.new""9/1/2012 22:27:29.25","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwhelp.dll.new""9/1/2012 22:27:29.25","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwhelp.dll.new""9/1/2012 22:27:29.25","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwhelp.dll.new""9/1/2012 22:27:29.25","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwhelp.dll.new""9/1/2012 22:27:29.25","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwhelp.dll.new""9/1/2012 22:27:29.45","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwres.dll.new""9/1/2012 22:27:29.65","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwrmind.exe.new""9/1/2012 22:27:29.85","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwtutor.exe.new""9/1/2012 22:27:29.85","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwtutor.exe.new""9/1/2012 22:27:29.85","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwtutor.exe.new""9/1/2012 22:27:29.125","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\icwutil.dll.new""9/1/2012 22:27:29.135","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\inetwiz.exe.new""9/1/2012 22:27:29.145","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\isignup.exe.new""9/1/2012 22:27:29.175","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\trialoc.dll.new""9/1/2012 22:27:29.185","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\hmmapi.dll.new""9/1/2012 22:27:29.195","file","Write","C:\WINDOWS\system32\winlogon.exe","C:\WINDOWS\system32\dllcache\iedw.exe.new""9/1/2012 22:27:29.365","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\lib\deploy\lzma.dll""9/1/2012 22:27:29.365","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\lib\deploy\lzma.dll""9/1/2012 22:27:29.365","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\lib\deploy\lzma.dll""9/1/2012 22:27:29.365","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\lib\deploy\lzma.dll""9/1/2012 22:27:29.365","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Java\jre6\lib\deploy\lzma.dll"

Thsi is what happens with VirustotalUpload2.exe (and most other Programs including Adobe, MS Office and Windows files)

http://www.virustotal.com/file-scan/report.html?id=a40aacca731c142148733786cae64d45df2e740e3fb744ffc513d251ec121cf7-1326169765
VirusTotalUpload2.exe
Submission date:
2012-01-10 04:29:25 (UTC)
Result:37 /43 (86.0%)
Print results
Antivirus     Version     Last Update     Result
AhnLab-V3     2012.01.09.00     2012.01.09     Win32/Ramnit.O
AntiVir     7.11.20.218     2012.01.10     W32/Ramnit.E
Avast     6.0.1289.0     2012.01.09     Win32:Ramnit-H
AVG     10.0.0.1190     2012.01.10     Win32/Zbot.G
BitDefender     7.2     2012.01.10     Win32.Ramnit.N
ByteHero     1.0.0.1     2011.12.31     Trojan.Win32.Heur.Gen
CAT-QuickHeal     12.00     2012.01.09     W32.Ramnit.C
ClamAV     0.97.3.0     2012.01.10     Trojan.Patched-168
Commtouch     5.3.2.6     2012.01.10     W32/Ramnit.E
Comodo     11229     2012.01.10     TrojWare.Win32.Patched.SM
DrWeb     5.0.2.03300     2012.01.09     Win32.Rmnet.8
Emsisoft     5.1.0.11     2012.01.10     Virus.Win32.Zbot!IK
eTrust-Vet     37.0.9672     2012.01.09     Win32/Ramnit.AJ
F-Prot     4.6.5.141     2012.01.09     W32/Ramnit.E
F-Secure     9.0.16440.0     2012.01.09     Win32.Ramnit.N
Fortinet     4.3.388.0     2012.01.10     W32/Ramnit.B
GData     22     2012.01.09     Win32.Ramnit.N
Ikarus     T3.1.1.109.0     2012.01.10     Virus.Win32.Zbot
Jiangmin     13.0.900     2012.01.09     Win32/PatchFile.gg
K7AntiVirus     9.124.5897     2012.01.09     Trojan
Kaspersky     9.0.0.837     2012.01.10     Trojan.Win32.Patched.md
McAfee     5.400.0.1158     2012.01.10     W32/Ramnit.b
McAfee-GW-Edition     2010.1E     2012.01.09     W32/Ramnit.b
Microsoft     1.7903     2012.01.09     Virus:Win32/Ramnit.AF
NOD32     6780     2012.01.10     Win32/Ramnit.H
Norman     6.07.13     2012.01.09     W32/Ramnit.AB
nProtect     2012-01-09.01     2012.01.10     Win32.Ramnit.N
Panda     10.0.3.5     2012.01.09     W32/Cosmu.L
PCTools     8.0.0.5     2012.01.10     Malware.Ramnit
Rising     23.92.01.01     2012.01.10     Win32.Ramnit.c
Symantec     20111.2.0.82     2012.01.10     W32.Ramnit.B!inf
TrendMicro     9.500.0.1008     2012.01.10     PE_RAMNIT.KC
TrendMicro-HouseCall     9.500.0.1008     2012.01.10     PE_RAMNIT.KC
ViRobot     2012.1.10.4872     2012.01.10     Win32.Ramnit.A
VirusBuster     14.1.158.1     2012.01.09     Win32.Ramnit.Gen.3
Additional information
MD5   : 25f6ee42d37e3f2f7dbe795e836d52e2

Traffic

607B2219FBCFBFE8E6AC9D7F3FB8D50E - C&C is sinkholedC33E7ED929760020820E8808289C240E - C&C is active

Despite the fact that the C&C for 607B2219FBCFBFE8E6AC9D7F3FB8D50E is sinkholed, it is still interesting to see the malware behavior when it tries to establish a connection with the server.

Ramnit samples used by the same group of attackers have overlapping set of C&C servers - the list is not the same but I found that my samples that are supposedly later version that Ramnit.AK have approximately 80% overlap in C&C list used by this RamnitAK binary described by Sophos . I have combined the two lists and ran WHOIS queries to establish active C&C and their location and registration.

The communications with the sinkholed server below show that once the bot receives SYN command from the C&C, it sends 6 bytes of data. Exact same behavior is described in this analysis of the binaries from Summer 2011 - with the only difference that the second packet sent by the bot was not 75 bytes but 149 bytes Bot of the Day: Ramnit/NinmulMonday, July 18th, 2011. If connection with the server is established, the traffic continues on on port 443, it is encoded but it is not SSL, it is some sort of custom protocol.

The bot is going through the list of domains trying to find those that are active. Most of the domains are not registered yet but the two currently active domains were registered on January 5 and 6, 2011. It appears that the attackers register new domains as soon as the lose any due to sinkholing and domain cancellations. Since all the domains have the most random names, they are not likely to be registered by someone else before they are needed. Having each binary to check a long list of domains makes the bot very noisy (consider making IDS signatures based on UDP port 53 thresholds) but it prevents the death of the botnet in case of the C&C loss. I have complied a list of approximately 400 domains with only 21 of them registered. If you created DNS blocks or sinkhole domains, consider blocking or sinkholing all of them, not only active.

Domain name: rjordulltl.com
89.149.242.185 - Leaseweb Germany GmbH (previously netdirekt e. K.)
Germany
Registrar: Regtime Ltd.
Creation date: 2012-01-05
Expiration date: 2013-01-05

Domain Name: goopndlgvy.com
Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676
89.149.242.185 - Leaseweb Germany GmbH (previously netdirekt e. K.)
Germany
Creation Date: 06-Jan-2012
Expiration Date: 06-Jan-2013

Communications with a sinkholed C&C and search for a new active server:

Bot <-> C&C communications on port 443

List of domains used by Ramnit binaries - feel free to pre-emptively sinkhole them. Part of them are from this Sophos analysis and part is from running these two binaries

absqvhpldvsmclt.comadhcssvuayv.comagpdvawvr.comaguhlabfubbvek.comalgvgcawwdsmiksvol.comamobragjgge.comanqsjvhjjkypabm.comanxpepxpukbfmh.comarhpgoeeasi.comarqogipjsbcdmk.comatfkpyicxsrrwqbct.comatuealmjufcwwb.comawckeliqcherasntmin.combaxqqapjrxxetjelhtk.combbmfswfgmljwj.combklerdwiadlxxbjunwu.combllkuhftropiwymr.combpmlhpuogveluyobjb.combtfkjkqv.combunxomdqokknkkllvkr.combvkdfvxoqxsabk.combxnrxuyjcytf.combygfsdfmrwbhlghll.combyraiyodqfdx.comcaosuihgsvivlxh.comcarrerfullezz.comcascotqhij.comcatvfmsxowehqvfahu.comccquxmelkltnucyqv.comccsnpnqxii.comcjemaqojxac.comckgryagcibbcf.comcmuhommmdlmhy.comcncvxhadekwnybnv.comcpmsussgpibatpmswq.comcqlmxlukplhlfdo.comcqlnwqaioac.comcswtnpnuhixdwjgm.comcxmdhrpwuvyl.comdcyakhpr.comdegbxpos.comdfyxptqjxwtdkjjbiu.comdgrdrqkpmggukqo.comdjeuagtquwwhera.comdlsvfpmniphnmxnvoeo.comdnmjahdaigeydiiorky.comdpdadshi.comdpjbclufd.comdpyeoipbso.comdrpfrkvdttdkhgpqi.comdthcjcsdxywxlsng.comdvgeqsama.comdxovrcmyletmggxf.comdykxkasesippbsjb.comdypislng.comeaayjpeyabqf.comebddteinurkortapgs.comecmdkxukhtf.comedqmjbyjcxyjqnjjodh.comeeuprbpohspwje.comegcftpguclkoi.comegvqomxmea.comeijahjdmm.comejjogggfqcmc.comelieidkolpc.comeljmrnwualb.comeolgavefbsntlobsnpp.comerfhytwpgitkpgudo.comervffluceipmfb.comexpecvmanfaydv.comfdkasoupvgxigejgdfb.comfgvkxjvghdulfrx.comfiblolpp.comfidjlfphserhycexjhf.comfkcxdfiv.comfksudkswknxd.comfktpfwoqpgcagpal.comfokvmmygnngm.comfqaeucdaicvnisqbd.comfsksblipt.comfssuatmti.comfujosogkpsxthf.comfvfeiutlwaw.comfxkapveygtffbkv.comfybdqchsheqiul.comgccadwuf.comgeyameywwoaf.comggpmcodfppkjirg.comghxctletck.comginbkjuweobmwp.comgjehgcrav.comgjvhfiouvwiqvtewbu.comgkholyjchymn.comgkusimsgjcauehgdjn.comgmeuasnn.comgoopndlgvy.comgormlunjjt.comgqmrhecnntccmawclmq.comgsbwxfecgbmuysm.comgwbdgrlikclhthyivym.comhaqkwkokaigcdslnrlr.comhbwpvcnwwcdgfojuixm.comhetjymgiddyamqq.comhfegocufjkndwc.comhgubujdad.comhhowujyrcvdrwpdvsck.comhijkitpq.comhjwrnlvdbcmjrfkjx.comhjxrksvo.comhugnnpnymbwnhtuh.comhxpgffdwbevww.comidseneqmupdijjklvtm.comiedaagmofvk.comieugluxmlx.comigspslbpjencmfax.comihoxyanyker.comilasqwag.comiljmekbkcukps.comiokxcthosa.comirfldtfkhgyrpsarcje.comisuhxkbqqxuauhdwn.comitehtxcch.comiuhohaeqgpikwwgvkki.comixjtpaxclwhxmadp.comixnaxrqn.comixsoscorrrqvyd.comiyaxaucrvnhmkylya.comjabdfnuridle.comjbkjkngvaiwaxr.comjdrqnbtklqwqrv.comjexgpprgph.comjfvgelaqyfhxygq.comjfvxpfbgo.comjhfugjtncuvsuumnks.comjjfcilvuchkjvutlho.comjktlguslfhcwqkmai.comjmvkyepiiqyixw.comjnjgogpcehsdkbnl.comjnpquwdupgauq.comjpaaommxplsmmnnp.comjufxfkajvqmjljumvuq.comjxnbdfwh.comjyvfsnsqddbgxq.comkbadlfpgtec.comkcpxjxrmvurhfe.comkgrrxfmyixossjmk.comkiiwacbehxexixl.comkjhsrucajdjlbpwwj.comkjjeuhhqiwvfnuvvtkd.comkjuldacvvmdffxi.comkmyxdodog.comknugxvsimayety.comkojadineqlbbfvtwlff.comkpkyaxyytagbk.comkqrkegigdtjxxcrvl.comkqweenxsiyjtbe.comkrtvnyxc.comktdofbmltjyt.comkvoxyhnaggyqrcc.comlaiotlboxklvpcdfhu.comlanwiojchmenjhn.comlarpjpbblpnkdwyx.comlbcqwwxucahiulchx.comlbdlmcmfuinc.comlcloroifjeilomowq.comldanknmdiqtrot.comleqnxekmi.comlfnjosunfd.comlgeohbboqpngfap.comlgsjwixwocm.comlnjrtxcjbiaov.comlnlhuiitohdvbgmx.comlolkcovkfktwhaks.comlpggutwsvtvnmvpxrc.comlqkdmcplj.comlrqxvrqsihwtudox.comluxsnxlqhebftttflob.comlvmrpvkyo.comlwnfgmpncjubpseh.comlyghwyciguta.commavjlatqkpuban.commcchphgndpadclga.commcnegeytoyh.commefqtfwlxrfhguru.commfsxlnoqvslcyfbl.commggtqypybfts.commjuqovvuruldy.commkmngqxwk.commlfymmarbaswncxmn.commlhlurqylttjc.commmigsmpwmmwtxacq.commmmngmrhvvohfnv.commmwhewlrckie.commpefryhfpwhfvj.commryonirvcpm.commstwcsnvylmullkqh.commsxuafqnwjhljurmw.commwiadfsqcbjkudxd.commwsjitqbf.comnbqealvkhirjn.comnbvhroptghtmsydrfq.comnbykkrkevuri.comngwhgabaxkpievvmm.comnirxlosffmarpbp.comnjqvexdhwhutar.comnoslwqaagtoxunnv.comnqlocokxsjnsffxeu.comnrcmbkxssydac.comntnwcxtwgxwecrdxr.comntohnxgjijsgi.comntqbbnywghbjvsoivo.comnwetlnpjovgxmj.comnwoyejym.comnwrqebry.comnyxmwnkkacwamvj.comnyyhahsslkflyhulcgl.comoaifpapl.comobcjfjseku.comobmfvijftylgjpf.comocnsfoyrdplmewnyx.comogpshvhk.comohpmyviumie.comoiexgmycrtwirsgcmv.comojmitlcyjsuyb.comojvpkaohbddmbfac.comoluddrbaeb.comomsilsdcpdsgpxm.comopxxjqvyjllj.comoqayununxmqdxo.comoqenuuygfpvopu.comorgflqxdnoyecgwib.comoukicfldnvxhrtxvuqr.comouwwtmcnuiudw.comovgucbrrvxqufkwq.comoxjlrgepfnkvdprbr.compaoxlrmbg.compbfttfgw.compbwjbkgdo.compdcdcwjwrqsq.compfkilgedjhq.comppgessnvvn.compphxfntktjvhgti.comppwnhnvwnvtggifhbv.comprcgijpwvrl.compvbmlrybufe.comqadjgxayck.comqanmwnpvpcyqsa.comqbpcpmcijn.comqdfgqwiovjlfegdcepm.comqekgxfrk.comqewgaoursqgghhfwbqa.comqfitnlxp.comqjnhsbctfdfpoisvgp.comqlbycfgbpvjwa.comqnmqexiqrxhvdwgl.comqopdypfxhda.comqpvvabbaqcn.comqqsvttcnvsigkh.comqsrywodlwhorwibvy.comqukccxcwi.comqvddnchpjtskjmgdlx.comqwfxemkbuee.comqxdfhujechixcrgdb.comrapbmprhwwm.comrcnnhkcagerrquby.comrelmyplngdrdxpyv.comrfngjynkypsphqfmkh.comrgcdictp.comrglaabsktspwrw.comrhfdjaecmygcrdgep.comrhoaahddyhbg.comrjordulltl.comrjykgymugqlscttx.comrkevnmhekdgvnf.comrkxukunrgvpkgmc.comrlvwjjhntfooonvhlou.comrmuyrkxxtk.comrqybdbvyvjuruuxv.comrsmhdfgpgw.comrtcocsaitmadupgl.comrwjsxxvvkbspdjoedi.comrxckgnatt.comrxkhdpigbqoeco.comrykgnuncbedueeuevxg.comsecdfbpyopjhyhuw.comsexdsgnrojhpptqb.comsgimiytkanu.comsgjwptrfosjeico.comsjfrarsvyhlr.comskqbirmcomtjty.comskroackqs.comsliokrvnkjenhwgpjl.comslmomdmcjuoaxdip.comsnkbcptiqgqmlvw.comsnpltixygwcpifp.comsphmwjrwlfl.comsptihuxubpj.comstar-trakers.comstleikxkbjwo.comstrhnkjvfskxlwinku.comsuhfvuljuihmevldp.comsvyafurnyrjrrfxjreh.comswtuvuibfapnited.comtcpfmbhnlyw.comtekiyftuevgnor.comtfgixgmqhdowexm.comtfpohsjc.comthkqfhupjgknkqcxhou.comthxkchcnhyssj.comticfmjsce.comtlxfrilp.comtnueoqahys.comtrlnhbpanhmspru.comtsilfaftadrrs.comtthayebvhdmntiyeuxw.comttjerkrdrrowibsipjr.comtufictpfglnlfq.comtuisyirhweflhvqyxh.comtupexbvpmsc.comtvxwdutxo.comtxapbjdlsrtpea.comucwkkgbdxvjexa.comudvnniovrov.comufxsqnjtryrny.comugwytktvhslgjm.comuhjwxipj.comuhndpadrwbuuchcvn.comuigwsscasowqdiyp.comuilmabdaxqlaxuj.comuiwbtjfp.comujypninrop.comukbukpuj.comumiuqmrmvsuiscitx.comumjxwuaaso.comumyratdfvmdrlpm.comurcnkvuuju.comushfktptgmspn.comutpsygswnjjw.comutvjcdjcwgqm.comutvvpcpmqhbnedb.comuwsctpihlt.comuxlyihgvfnqcrfcf.comuxqbewwdunihwscfl.comvfcyyjwcdrjjunrrw.comvgfsnrewuxeaoxoh.comvjpufudekyotltdnog.comvjrjcapuwf.comvlupfbsuppipkrvbsdy.comvmdgwbenh.comvmhgbribbhm.comvmurixwrquhb.comvnskyqlkrdfnnp.comvpchdxywmxtxedwgfac.comvvhvidpeog.comvxpxgorqkihafv.comvyibjxjnshtry.comwatqjvqnf.comwbjatshumpre.comwdcjfyyfwpx.comwgkyyalemnvhdrai.comwiyqctbhe.comwldpcgpkdxhdhvlpjc.comwmbnkplxddiaktnkjk.comwnlgghgffr.comwnoykspnesqfwbkgi.comwpaxdlstrs.comwpwaislxxgiskgscy.comwqfmumga.comwqnefkerofcmrap.comwrfpmykunwbrscjann.comwsjapwfphnhriq.comwvogkbbapujp.comwwgxwnil.comwxurahlisqbmppqss.comxcmcupdfcevkgbrue.comxeucibnop.comxfcdavqouyevtvgjwu.comxiangglgqatolsgfxqi.comxioyjfiguiuluff.comxnttkdfunybxgn.comxnuqkdwek.comxoodachpaujnikmpp.comxqdrbrjiqwwpahhk.comxsredbpaef.comxumpkgnvdcmhykvdak.comxxkoixiiiqpyecxoaka.comyarymutdstxwp.comybbwxrcoujexdh.comybdwipovbicmpekyh.comybmhumhymqj.comyecjrsxe.comyicgycrtyoxaiu.comykesfabqxbvmns.comykkcsanct.comylvylxwjpkcdl.comymcwineqkj.comynergdikorjg.comyqvndqgijbpmx.comyscqbwwljsiwwr.comyssrqxyljwrioko.comyxhkddrdcpbccoabmuk.comyyeyutjgnsfrmswdygl.com

Registered domains. See the text version below. The yellow/red entries show active C&C. All others are sinkholed or NXD'd.

ihoxyanyker.com  87.255.51.229 n/a     tom jerry        (arrettom83@yahoo.com)     st l 12     new york     New York,10005     US     Tel. +520.5467689 anxpepxpukbfmh.com   PrivacyProtect.org     Domain Admin        (contact@privacyprotect.org)     ID#10760, PO Box 16     Note - All Postal Mails Rejected, visit Privacyprotect.org     Nobby Beach     null,QLD 4218     AU     Tel. +45.36946676 carrerfullezz.com   PrivacyProtect.org     Domain Admin        (contact@privacyprotect.org)     ID#10760, PO Box 16     Note - All Postal Mails Rejected, visit Privacyprotect.org     Nobby Beach     null,QLD 4218     AU     Tel. +45.36946676 goopndlgvy.com 89-149-242-185.local 89.149.242.185 PrivacyProtect.org     Domain Admin        (contact@privacyprotect.org)     ID#10760, PO Box 16     Note - All Postal Mails Rejected, visit Privacyprotect.org     Nobby Beach     null,QLD 4218     AU     Tel. +45.36946676 hetjymgiddyamqq.com  87.255.51.229 PrivacyProtect.org     Domain Admin        (contact@privacyprotect.org)     ID#10760, PO Box 16     Note - All Postal Mails Rejected, visit Privacyprotect.org     Nobby Beach     null,QLD 4218     AU     Tel. +45.36946676 mstwcsnvylmullkqh.com hosted-by.leaseweb.com 62.212.65.176 PrivacyProtect.org     Domain Admin        (contact@privacyprotect.org)     ID#10760, PO Box 16     Note - All Postal Mails Rejected, visit Privacyprotect.org     Nobby Beach     null,QLD 4218     AU     Tel. +45.36946676 qfitnlxp.com  87.255.51.229 PrivacyProtect.org     Domain Admin        (contact@privacyprotect.org)     ID#10760, PO Box 16     Note - All Postal Mails Rejected, visit Privacyprotect.org     Nobby Beach     null,QLD 4218     AU     Tel. +45.36946676 vxpxgorqkihafv.com   PrivacyProtect.org     Domain Admin        (contact@privacyprotect.org)     ID#10760, PO Box 16     Note - All Postal Mails Rejected, visit Privacyprotect.org     Nobby Beach     null,QLD 4218     AU     Tel. +45.36946676 fssuatmti.com  82.165.39.88 Spy Eye Ilyinka Street 23 103132 Moscow RU Phone: +49.56953776 the.malware.cabal@gmail.com gqmrhecnntccmawclmq.com  82.165.39.88 Spy Eye Ilyinka Street 23 103132 Moscow RU Phone: +49.56953776 the.malware.cabal@gmail.com ouwwtmcnuiudw.com  82.165.39.88 Spy Eye Ilyinka Street 23 103132 Moscow RU Phone: +49.56953776 the.malware.cabal@gmail.com qdfgqwiovjlfegdcepm.com  82.165.39.88 Spy Eye Ilyinka Street 23 103132 Moscow RU Phone: +49.56953776 the.malware.cabal@gmail.com vlupfbsuppipkrvbsdy.com  82.165.39.88 Spy Eye Ilyinka Street 23 103132 Moscow RU Phone: +49.56953776 the.malware.cabal@gmail.com rjordulltl.com 89-149-242-185.local 89.149.242.185 Aleksandr Bragilevskij snkbcptiqgqmlvw.com   Aleksandr Bragilevskij star-trakers.com   Aleksandr Bragilevskij cpmsussgpibatpmswq.com 176-31-62-76.this.domain.has.been.sinkholed.by.zinkhole.org 176.31.62.76 Contact Privacy Inc. Customer 0129677017  96 Mowat Ave  Toronto, ON M6K 3M1  CA eeuprbpohspwje.com 176-31-62-76.this.domain.has.been.sinkholed.by.zinkhole.org 176.31.62.76 Contact Privacy Inc. Customer 0129769280  96 Mowat Ave  Toronto, ON M6K 3M1  CA itehtxcch.com 176-31-62-76.this.domain.has.been.sinkholed.by.zinkhole.org 176.31.62.76 Contact Privacy Inc. Customer 0129769281  96 Mowat Ave  Toronto, ON M6K 3M1  CA oaifpapl.com ip-50-62-3-35.ip.secureserver.net 50.62.3.35 Domains By Proxy, LLC DomainsByProxy.com 15111 N. Hayden Rd., Ste 160, PMB 353 Scottsdale, Arizona 85260 United States

As you notice, many domains are registered by "Aleksandr Bragilevskij"
Registrar: Regtime Ltd.
Creation date: 2011-12-03
Expiration date: 2012-12-03

Registrant:
    Aleksandr Bragilevskij
    Email: pfizer.corp@yahoo.com
    Organization: Aleksandr Bragilevskij
    Address: 333 E 79th St # 1T,
    City: New York City
    State: NY
    ZIP: 10001
    Country: UM
    Phone: +1.2127332323
    Fax: +1.2127332323

Google Search for pfizer.corp@yahoo.com reveals that the same address was used to register fake Canadian pharmacy sites, which makes sense, considering the Viagra spam.

trustpharmacy.us

188.72.200.84
Markus Faizer
Pfizer International
333 E 79th St # 1T,
New York City
NY
10001
United States
Phone: +1.2127332323
Fax: +1.2127332323
E-mail: pfizer.corp@yahoo.com

Adobe Zero Day CVE-2011-2462 - with samples

2011-12-07T15:28:00.019-05:00

Update: Adobe Released the patch yesterday and I posted a few samples below. There were several campaigns with two variants -
1) unencrypted (some are not working - see explanation below)
2) AESV3 encrypted (try to use Origami to decrypt these). Each of the posted samples are marked by their 'type"

CVE-2011-2462 the new Adobe Zero files come with the same payload we saw in CVE-2010-3654 Adobe Flash player zero day vulnerability, trojan Sykipot - using the same technique with injecting a DLL file into
iexplore, or firefox.exe, or outlook.exe and communicating with hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys over HTTPS. Brandon Dixon from 9bplus.com posted a great initial analysis of Java script and payload from a file with this exploit, I am just adding a few additional details.

(CVE)number

CVE-2011-2462 Unspecified vulnerability in the U3D component in Adobe Reader andAcrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader9.x through 9.4.6 on UNIX, allows remote attackers to executearbitrary code or cause a denial of service (memory corruption) viaunknown vectors, as exploited in the wild in December 2011.

File information

Unencrypted

File: FD778C023020A23311B68127BF7E7692_merray christmas.pdf
Size: 293808
MD5: FD778C023020A23311B68127BF7E7692

File: 2172079c9c4aa385624de6b4987dbc15 FY12 Per Diem Rates.pdf.pdf
Size: 118089
MD5: 2172079C9C4AA385624DE6B4987DBC15

File: 721fda5df552f4130218ad9bd2a4ab78.pdf ManTech Employee Satisfaction Survey.pdf
Size: 275683
MD5: 721FDA5DF552F4130218AD9BD2A4AB78

File: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9.pdf 2012 Federal Employee Pay Calendar.pdf
Size: 80577
MD5: 517FE6BA9417E6C8B4D0A0B3B9C4C9A9

---------------------------------------------------------------------------------------------

Encrypted

File: 601F8F52CEDF043EE4D3D3C83706329F_invoice.pdf
Size: 258092
MD5: 601F8F52CEDF043EE4D3D3C83706329F

1E46C60E65AE9F9C9C8850372D8DA491_電子郵件資訊安全防護措施.pdf - Email security protection measures.pdf

Size: 1201039
MD5: 1E46C60E65AE9F9C9C8850372D8DA491

File: 92e9b24f7d041c4e6e952309e352e3753a21.pdf

Size: 711584
MD5: 7EAB072B76ABC4C3E8CBA8173C79890C

File: c095e10041da52f6434c1eb072cc570a03a8.pdf
Size: 405659
MD5: B9872F4B6D2290DE75A7FF2874A28850

Download

You can download all samples from here (email me if you need the password - email address is in my profile)

You can download dropped files described below from here

You can download pcap from here

Automatic scans

merray christmas.pdf - Virustotal
Submission date:
2011-12-10 12:02:37 (UTC)
16 /43 (37.2%)
AntiVir     7.11.19.57     2011.12.09     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.09     PDF:CVE_2011_2462 [Expl]
BitDefender     7.2     2011.12.10     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.10     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.10     CVE-2011-2462!Camelot
F-Secure     9.0.16440.0     2011.12.10     Exploit.PDF-U3D.Gen
GData     22     2011.12.10     Exploit.PDF-U3D.Gen
Kaspersky     9.0.0.837     2011.12.10     Exploit.Win32.Pidief.def
McAfee-GW-Edition     2010.1E     2011.12.10     Heuristic.BehavesLike.JS.Exploit.G
Panda     10.0.3.5     2011.12.10     Exploit/PDF.Gen.B
Sophos     4.72.0     2011.12.10     Exp/20112462-A
Symantec     20111.2.0.82     2011.12.10     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.10     HEUR_PDFEXP.B
TrendMicro-HouseCall     9.500.0.1008     2011.12.10     HEUR_PDFEXP.B
VIPRE     11229     2011.12.10     Exploit.PDF-JS.Gen (v)
MD5   : fd778c023020a23311b68127bf7e7692

Virustotal
FY12 Per Diem Rates.pdf
2011-12-12 04:58:10 (UTC)
Result:23 /41 (56.1%)
AntiVir     7.11.19.61     2011.12.12     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.11     PDF:CVE_2011_2462 [Expl]
AVG     10.0.0.1190     2011.12.11     BackDoor.Outbreak.L
BitDefender     7.2     2011.12.12     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.12     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.11     CVE-2011-2462!Camelot
Comodo     10927     2011.12.12     UnclassifiedMalware
Emsisoft     5.1.0.11     2011.12.12     Exploit.Win32.Pidief!IK
F-Secure     9.0.16440.0     2011.12.12     Exploit.PDF-U3D.Gen
GData     22     2011.12.12     Exploit.PDF-U3D.Gen
Ikarus     T3.1.1.109.0     2011.12.12     Exploit.Win32.Pidief
K7AntiVirus     9.119.5640     2011.12.09     Trojan
Kaspersky     9.0.0.837     2011.12.12     Exploit.Win32.Pidief.def
McAfee     5.400.0.1158     2011.12.12     Exploit-CVE2011-2462
McAfee-GW-Edition     2010.1E     2011.12.11     Exploit-CVE2011-2462
Norman     6.07.13     2011.12.11     CVE/2011-2462.A
Sophos     4.72.0     2011.12.12     Exp/20112462-A
Symantec     20111.2.0.82     2011.12.11     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
TrendMicro-HouseCall     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
VIPRE     11239     2011.12.12     Exploit.PDF-JS.Gen (v)
ViRobot     2011.12.12.4820     2011.12.12     PDF.S.CVE-2011-2462.118089
VirusBuster     14.1.110.0     2011.12.11     Exploit.Pdfjsc.Gen
MD5   : 2172079c9c4aa385624de6b4987dbc15

ManTech Employee Satisfaction Survey.pdf - Virustotal
Submission date:
2011-12-12 04:59:44 (UTC)
Result: 26 /43 (60.5%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2011.12.10.02     2011.12.11     PDF/Cve-2011-2462
AntiVir     7.11.19.61     2011.12.12     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.11     PDF:CVE_2011_2462 [Expl]
AVG     10.0.0.1190     2011.12.11     BackDoor.Outbreak.L
BitDefender     7.2     2011.12.12     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.12     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.11     CVE-2011-2462!Camelot
Comodo     10927     2011.12.12     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.12.12     Exploit.PDF.2642
Emsisoft     5.1.0.11     2011.12.12     Exploit.PDF-U3D!IK
F-Secure     9.0.16440.0     2011.12.12     Exploit.PDF-U3D.Gen
Fortinet     4.3.388.0     2011.12.12     PDF/Pidief.DEF!exploit
GData     22.304/22.569     2011.12.12     Exploit.PDF-U3D.Gen
Ikarus     T3.1.1.109.0     2011.12.12     Exploit.PDF-U3D
K7AntiVirus     9.119.5640     2011.12.09     Trojan
Kaspersky     9.0.0.837     2011.12.12     Exploit.Win32.Pidief.def
McAfee     5.400.0.1158     2011.12.12     Exploit-CVE2011-2462
McAfee-GW-Edition     2010.1E     2011.12.11     Exploit-CVE2011-2462
Norman     6.07.13     2011.12.11     CVE/2011-2462.A
Sophos     4.72.0     2011.12.12     Exp/20112462-A
Symantec     20111.2.0.82     2011.12.11     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
TrendMicro-HouseCall     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
VIPRE     11239     2011.12.12     Exploit.PDF-JS.Gen (v)
ViRobot     2011.12.12.4820     2011.12.12     PDF.S.CVE-2011-2462.275683
VirusBuster     14.1.110.0     2011.12.11     Exploit.Pdfjsc.Gen
MD5   : 721fda5df552f4130218ad9bd2a4ab78

2012 Federal Employee Pay Calendar.pdf Virustotal
Submission date:2011-12-13 04:40:34 (UTC)
Result:30 /43 (69.8%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2011.12.12.00     2011.12.12     PDF/Cve-2011-2462
AntiVir     7.11.19.74     2011.12.13     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.12     PDF:CVE_2011_2462 [Expl]
AVG     10.0.0.1190     2011.12.12     BackDoor.Outbreak.L
BitDefender     7.2     2011.12.13     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.13     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.13     CVE-2011-2462!Camelot
Comodo     10935     2011.12.13     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.12.13     Exploit.PDF.2642
Emsisoft     5.1.0.11     2011.12.13     Exploit.PDF-U3D!IK
eTrust-Vet     37.0.9620     2011.12.13     PDF/Pidief.AJL
F-Secure     9.0.16440.0     2011.12.13     Exploit:JS/CVE-2011-2462.A
Fortinet     4.3.388.0     2011.12.13     PDF/Pidief.DEF!exploit
GData     22     2011.12.13     Exploit.PDF-U3D.Gen
Ikarus     T3.1.1.109.0     2011.12.13     Exploit.PDF-U3D
K7AntiVirus     9.119.5661     2011.12.12     Trojan
Kaspersky     9.0.0.837     2011.12.13     Exploit.Win32.Pidief.def
McAfee     5.400.0.1158     2011.12.13     Exploit-CVE2011-2462
McAfee-GW-Edition     2010.1E     2011.12.12     Exploit-CVE2011-2462
NOD32     6705     2011.12.12     PDF/Exploit.CVE-2011-2462.A
Norman     6.07.13     2011.12.12     CVE/2011-2462.A
nProtect     2011-12-12.01     2011.12.12     Trojan-Exploit/W32.Pidief.80577.JUM
Rising     23.88.00.02     2011.12.12     Hack.Exploit.CVE-2011-2462.a
Sophos     4.72.0     2011.12.13     Exp/20112462-A

Symantec     20111.2.0.82     2011.12.13     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.13     TROJ_PIDIEF.EGG
TrendMicro-HouseCall     9.500.0.1008     2011.12.13     TROJ_PIDIEF.EGG
VIPRE     11245     2011.12.13     Exploit.PDF.CVE-2011-2462 (v)
ViRobot     2011.12.13.4822     2011.12.13     PDF.S.CVE-2011-2462.80577
VirusBuster     14.1.112.0     2011.12.12     Exploit.Pdfjsc.Gen
Additional information
MD5   : 517fe6ba9417e6c8b4d0a0b3b9c4c9a9

Additional info regarding files with non-working exploit (from SkyRecon R&D)

File: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9.pdf 2012 Federal Employee Pay Calendar.pdf
Size: 80577
MD5: 517FE6BA9417E6C8B4D0A0B3B9C4C9A9

"It will not 'work' because the PDF has been altered by someone before sending. The real size of this PDF is : 80568 bytes, but someone added at the end of this PDF a string of 9 bytes ('grew').The problem is that the shellcode embeded in this PDF check its size before trying to drop anything,as the size is no longer 80568 but 80577, the shellcode never drops the exe or decoy PDF.So in order to get this PDF to 'work' one needs to remove the last 9 bytes of the file before opening it."

601F8F52CEDF043EE4D3D3C83706329F_invoice.pdf
Submission date:
2011-12-17 06:44:52 (UTC)
0/ 43 (0.0%)
MD5   : 601f8f52cedf043ee4d3d3c83706329f

1E46C60E65AE9F9C9C8850372D8DA491_____________.pdf
Submission date:
2011-12-17 06:45:36 (UTC)
MD5   : 1e46c60e65ae9f9c9c8850372d8da491

92e9b24f7d041c4e6e952309e352e3753a21.pdf
Submission date:
2011-12-17 06:59:28 (UTC)
2/ 43 (4.7%)
TrendMicro    9.500.0.1008    2011.12.17    TROJ_PIDIEF.RC1
TrendMicro-HouseCall    9.500.0.1008    2011.12.17    TROJ_PIDIEF.RC1
MD5   : 7eab072b76abc4c3e8cba8173c79890c

employee_AUS.pdf
Submission date:
2011-12-13 21:59:58 (UTC)
0 /43 (0.0%)
MD5   : b9872f4b6d2290de75a7ff2874a28850

Payload and traffic

The clean decoy file is
ManTech Employee Satisfaction Survey.pdf as it was mentioned by Brandon Dixon.

The trojan has been described before and you can see analysis at
Contagio. CVE-2010-3654 Adobe Flash player zero day vulnerability
Kaspersky Lab 2010 Sykipot exploits an Adobe Flash Zero-Day

Local Settings\pretty.exe
Size: 39936
MD5: E769A920B12D019679C43A9A4C0D7E2C

Headers Info

Time Date Stamp  4ECB430Eh 22/11/2011 06:37:02

pretty.exe
Submission date: 2011-12-07 16:33:35 (UTC)
Result: 18 /43 (41.9%)
Antivirus Version Last Update Result
AhnLab-V3 2011.12.07.00 2011.12.07 Trojan/Win32.Scar
AntiVir 7.11.19.14 2011.12.07 TR/Spy.Gen
AVG 10.0.0.1190 2011.12.07 unknown virus Win32/DH.FF83001C{40080009-00400000-
00000000}
BitDefender 7.2 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
Commtouch 5.3.2.6 2011.12.07 W32/Heuristic-KPP!Eldorado
DrWeb 5.0.2.03300 2011.12.07 BACKDOOR.Trojan
Emsisoft 5.1.0.11 2011.12.07 Backdoor.Win32.Wkysol!IK
F-Prot 4.6.5.141 2011.11.29 W32/Heuristic-KPP!Eldorado
F-Secure 9.0.16440.0 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
GData 22 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
Ikarus T3.1.1.109.0 2011.12.07 Backdoor.Win32.Wkysol
Kaspersky 9.0.0.837 2011.12.07 HEUR:Trojan.Win32.Invader
McAfee 5.400.0.1158 2011.12.07 Generic BackDoor.u
McAfee-GW-Edition 2010.1E 2011.12.07 Artemis!E769A920B12D
PCTools 8.0.0.5 2011.12.07 Backdoor.Sykipot
Sophos 4.71.0 2011.12.07 Mal/Dropr-C
Symantec 20111.2.0.82 2011.12.07 Backdoor.Sykipot
VBA32 3.12.16.4 2011.12.07 Trojan.Win32.Inject.2
MD5 : e769a920b12d019679c43a9a4c0d7e2c

Local Settings\WSE4EF1.TMP
Size: 31232
MD5: BA7793845FE2A02187263A96E8DAAEC6
http://www.virustotal.com/file-scan/report.html?id=21d58245c495b9ed4234577fa3fb43cd4c703f38a9b5ce83aa490613168a735f-1323275543
original name: wship4.dll

WSE4EF1.TMP
Submission date: 2011-12-07 16:32:23 (UTC)
Result: 14 /43 (32.6%)
AhnLab-V3 2011.12.07.00 2011.12.07 Backdoor/Win32.CSon
AntiVir 7.11.19.14 2011.12.07 TR/Spy.Gen
BitDefender 7.2 2011.12.07 Gen:Variant.Graftor.3624
Emsisoft 5.1.0.11 2011.12.07 Backdoor.Win32.Wkysol!IK
F-Secure 9.0.16440.0 2011.12.07 Gen:Variant.Graftor.3624
GData 22 2011.12.07 Gen:Variant.Graftor.3624
Ikarus T3.1.1.109.0 2011.12.07 Backdoor.Win32.Wkysol
McAfee 5.400.0.1158 2011.12.07 Artemis!BA7793845FE2
McAfee-GW-Edition 2010.1E 2011.12.07 Artemis!BA7793845FE2
nProtect 2011-12-07.01 2011.12.07 Gen:Variant.Graftor.3624
Panda 10.0.3.5 2011.12.06 Suspicious file
PCTools 8.0.0.5 2011.12.07 Backdoor.Sykipot
Symantec 20111.2.0.82 2011.12.07 Backdoor.Sykipot
TrendMicro-HouseCall 9.500.0.1008 2011.12.07 -
VIPRE 11215 2011.12.07 Trojan.Win32.Wisp.gen.a (v)
MD5 : ba7793845fe2a02187263a96e8daaec6

WSE4EF1.TMP can be found and extractted from the Resource section of the main file PRETTY.EXE, the resource language is LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED

Indeed, the temp file WSE4EF1.TMP , which is in our case it injected itself in our case in iexplore process but it can aslo use firefox.exe and outlook.exe.

deleted_files
\Local Settings\ctfmon.exe - same file as pretty.exe

Strings from pretty.exe

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
www.prettylikeher.com
https://www.prettylikeher.com/asp/kys_allow_get.asp?name=
explorer.exe
pdtpretty.tmp
gdtpretty.tmp
ptpretty.tmp
gtpretty.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-pretty20111122
&hostname=
https://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/ASP/KYS_ALLOW_PUT.ASP?TYPE=
%s,get:%s,%d
get:%s,%d
unsuccessfully!
successfully!
%s%s%s%s%s
cmd /c "
process
kill

The trojan communicates with the C&C domain on port 443
hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys
You can download pcap from here

the C&C server is running a car design front end, which seems like it was stolen from somewhere else

prettylikeher.com
Registrant Contact:
   deng haimei
   haimei deng
   +86.07733944048 fax: +86.07733944048
   yulingshi
   guangxi guangxi 537000
   CN
71.36.88.82 RData

ccnslc.com.
desktop.newcarstyle.com.
info.kimfishions.com.
www.ccnslc.com.
www.prettylikeher.com.

Other domain hosted on the same IP

Domain name: imagespornfree.comRegistrant Contact:
   helan naiye
   naiye helan
   +86.02366029085 fax: +86.02366029085
   chongqingshishanpingbei111hao
   chonqing chongqing 210000
   CN
Hosting history
Event Date     Action     Pre-Action IP     Post-Action IP
2011-11-06     New     -none-     68.167.27.215
Name Server History
Event Date     Action     Pre-Action Server     Post-Action Server
2011-10-10     New     -none-     Cdncenter.com
RData for
68.167.27.215
ftp.younts.com.
mail.agentsafe.com.

30 PDF files processed by Cuckoo Sandbox - results and samples

2011-11-29T02:58:00.004-05:00

Update - posted a list of the dropped files for each file and the C&C info from pcaps in the end of the post - for review and easy Googling.

Shutterstock image

In addition to the post about the Cuckoo sandbox, please see below sandbox results and samples for 30 recent PDF files (APT type). I excluded the payload/dropped files because of the large number of benign files in the same folder as the payload. Perhaps seeing the output will help you decide whether you want to deploy the sandbox or not.
If you need to see the payload 'files' folders, please see the previous post for example or contact me.According to the author, the file dumps filtering will be added soon.
What you will see in the package:
Original analysis folder (excluding "Files" - dropped files)

Analysis.config - you will see the name of the analysed file there.
Analysis.log + report.txt- all API calls and created files log
Dump.pcap file
logs folder - in csv fomat
shots folder - screenshots taken
Original file itself

Additonal files

List of all hashes of all files
All pcap files converted to text
Filtered logs showing dropped files.

List of included files and corresponding Cuckoo sandbox analysis results

86730A9BC3AB99503322EDA6115C1096    1104statment.pdf
35458535961F767E267487E39641766C    1106.pdf
92D142E08DBEF9FC6BC61A575224C3EC    111109.pdf
B4CB1B1182EA0B616ED6702A2B25FAC2    20111106_.pdf
88B884E8CE014D6B8D30B8198E048708    20111111_SexyDay.pdf
C0D5B1CC0C77FCF32FF02AAC98FAC536    2012().pdf
31DD6F29F19626F8CE03D73B3F635296    2012()2.pdf
C89D0C1DF6B4EF20E8447B11BEB77723    2012()3.pdf
08CDC6213D63EA85FBCCD335579CAEC4    2015.pdf
57F8BC2995CA99E20B356B623FA12F29    AEO.pdf
61481CBCBD35034C7CF4D1930B5E63E3    ATT03306.pdf
CBEA315F41205B731379521C5464C134    ATT03865.pdf
452703B9292A7A5D45EB224C622D32CF    ATT11990.pdf
704D40896BF6C9EA174F4CF3B57AC562    ATT25948.pdf
2A0DCB1915C0465949E7AECFB06F47EA    ATT41702.pdf
979C64214F11F72EDDDD04FFC4887BB5    ATT63950.pdf
E30D11EB28BB88681D1FB31DA88D84C6    ATT78434.pdf
DD7A03F4932CB86A77BD57B1C21FC18F    ATT85096.pdf
1188EA8F0D086A8860A3AAFB54A3FA76    ATT88422.pdf
B4CB1B1182EA0B616ED6702A2B25FAC2    ATT93159.pdf
91759CA240EECCC4C742CFF341C9A9A7    ATT93487.pdf
3173D2A0A607ECCF21707A3DC5DE30DA    Bainbridge Skills.pdf
F567FFD4F7A19A469D836E5A0A9552AB    Conference information for next week.pdf
670E22EC5EE2F8D08795BA7FF5A5D52E    DOB Aug 2011.pdf
01A1CAA4BA9EC050BA8CEAFE26998577    g20 summit.pdf
670E22EC5EE2F8D08795BA7FF5A5D52E    ID194.pdf
CDB6DCF66B7D3C5BC678378F46BA94E7    military procurement.pdf
C898ABCEA6EAAA3E1795322D02E95D7E    NorthKorea.pdf
0A630BBAA1691ED10540048BD5B4CF04    Nuclear Security and Summit Diplomacy.pdf
DE095F05913928CF58A27F27C5BF8605    statement.pdf

DROPPED FILES AND C&Cs

52/[2011-11-29 00:13:25] "C:\APT_1104statment.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d8caps.dat"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d9caps.dat"
52/[2011-11-29 00:13:28] "iso88591"
78 71.361654    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 83.379329    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

53/[2011-11-29 00:15:55] "C:\APT_1106.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d8caps.dat"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d9caps.dat"
53/[2011-11-29 00:15:56] "iso88591"
103 131.960627    10.0.2.15 -> 61.203.196.118 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

54/[2011-11-29 00:18:22] "C:\APT_111109.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d8caps.dat"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d9caps.dat"
54/[2011-11-29 00:18:23] "iso88591"

92 100.874401    10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
93 106.882960    10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
97 118.901642    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
99 119.300035 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
100 119.300466    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
101 119.300509    10.0.2.15 -> 62.233.245.91 SSL Continuation Data
102 119.300538 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [ACK] Seq=1 Ack=193 Win=65535 Len=0
104 119.671542 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [FIN, ACK] Seq=1 Ack=193 Win=65535 Len=0
105 119.672034    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=193 Ack=2 Win=64240 Len=0
106 119.672056    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [FIN, ACK] Seq=193 Ack=2 Win=64240 Len=0
107 119.672107 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [ACK] Seq=2 Ack=194 Win=65535 Len=0
108 119.672640    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
110 122.606271    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
111 123.110597 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
112 123.110991    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
113 123.111028    10.0.2.15 -> 62.233.245.91 HTTP GET /khdpi.php?id=0080131911386GB524 HTTP/1.1
114 123.111058 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=1 Ack=189 Win=65535 Len=0
115 123.564824 62.233.245.91 -> 10.0.2.15    HTTP HTTP/1.1 404 Nie znaleziono obiektu (text/html)
116 123.565799    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [FIN, ACK] Seq=189 Ack=312 Win=63929 Len=0
117 123.565880 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=312 Ack=190 Win=65535 Len=0
118 123.581081 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [FIN, ACK] Seq=312 Ack=190 Win=65535 Len=0
119 123.581393    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=190 Ack=313 Win=63929 Len=0
121 125.560394    10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
123 128.514543    10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
126 134.523033    10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

55/[2011-11-29 00:20:50] "C:\APT_20111106_.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d8caps.dat"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d9caps.dat"
55/[2011-11-29 00:20:51] "iso88591"
60 34.365192    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61 34.682612 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
62 34.686987    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
63 34.687007    10.0.2.15 -> 203.116.203.67 SSL Continuation Data
64 34.687042 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0
68 37.286460 203.116.203.67 -> 10.0.2.15    SSL Continuation Data

56/[2011-11-29 00:23:18] "C:\APT_20111111_SexyDay.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d8caps.dat"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d9caps.dat"
56/[2011-11-29 00:23:19] "iso88591"
60 34.580116    10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61 35.001033 62.233.245.91 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
62 35.001274    10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
63 35.001683    10.0.2.15 -> 62.233.245.91 SSL Continuation Data

57/[2011-11-29 00:25:45] "C:\APT_2012().pdf"
--

58/[2011-11-29 00:28:15] "C:\APT_2012()2.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
--

59/[2011-11-29 00:30:42] "C:\APT_2012()3.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d8caps.dat"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d9caps.dat"
59/[2011-11-29 00:30:43] "iso88591"

1   0.000000              ->              Ethernet [Packet size limited during capture]
59 34.274013    10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.193422    10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
73 43.201705    10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
76 55.221290    10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 58.222827    10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
82 64.232492    10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
86 76.250579    10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
88 79.253888    10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
91 85.262904    10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
95 97.180318    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
97 97.376698 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
98 97.376875    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
99 97.377127    10.0.2.15 -> 2.116.180.66 HTTP GET /rqban.php?id=0026041911386GB524 HTTP/1.1
100 97.377168 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [ACK] Seq=1 Ack=188 Win=65535 Len=0
110 127.883970    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
111 127.884082 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [ACK] Seq=1 Ack=189 Win=65535 Len=0
112 127.884442    10.0.2.15 -> 2.229.10.5   TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
113 128.055148 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
114 128.055442    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
116 130.827421    10.0.2.15 -> 2.229.10.5   TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
121 136.835963    10.0.2.15 -> 2.229.10.5   TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

60/[2011-11-29 00:33:09] "C:\APT_2015.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d8caps.dat"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d9caps.dat"
60/[2011-11-29 00:33:10] "iso88591"
90 85.128211    10.0.2.15 -> 71.246.244.139 TCP 1047 > 1010 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
94 97.055009    10.0.2.15 -> 206.253.41.47 TCP 1048 > 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

61/[2011-11-29 00:35:36] "C:\APT_AEO.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d8caps.dat"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d9caps.dat"
61/[2011-11-29 00:35:37] "iso88591"
98 105.995079    10.0.2.15 -> 61.203.196.118 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
103 120.016061    10.0.2.15 -> 220.135.104.7 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

62/[2011-11-29 00:38:03] "C:\APT_ATT03306.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d8caps.dat"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d9caps.dat"
62/[2011-11-29 00:38:03] "iso88591"
62 34.663176 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 34.664159    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 34.664179    10.0.2.15 -> 203.116.203.67 SSL Continuation Data

63/[2011-11-29 00:40:29] "C:\APT_ATT03865.pdf"

64/[2011-11-29 00:42:59] "C:\APT_ATT11990.pdf"
64/[2011-11-29 00:43:00] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\cmd.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d8caps.dat"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d9caps.dat"
64/[2011-11-29 00:43:00] "iso88591"
1   0.000000              ->              Ethernet [Packet size limited during capture]
66 40.373167    10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
67 40.819758 60.249.85.109 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 40.820024    10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 40.820061    10.0.2.15 -> 60.249.85.109 SSL Continuation Data
70 40.820088 60.249.85.109 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=23 Win=65535 Len=0
74 40.881943    10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
75 41.032372 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
76 41.033219    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 41.269469 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
78 41.270321    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
79 41.270384    10.0.2.15 -> 216.146.39.70 HTTP GET / HTTP/1.1 Continuation or non-HTTP traffic
80 41.270423 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=65 Win=65535 Len=0
81 41.552327 216.146.39.70 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
82 41.552557 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [FIN, ACK] Seq=261 Ack=65 Win=65535 Len=0
83 41.552712    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=65 Ack=262 Win=63980 Len=0
84 41.552744    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [FIN, ACK] Seq=65 Ack=262 Win=63980 Len=0
85 41.552773 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=262 Ack=66 Win=65535 Len=0
86 41.553781    10.0.2.15 -> 60.249.85.109 SSL Continuation Data

65/[2011-11-29 00:45:26] "C:\APT_ATT25948.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d8caps.dat"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d9caps.dat"
65/[2011-11-29 00:45:27] "iso88591"
60 35.138773    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.703752 203.116.203.67 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.703752    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 35.703752    10.0.2.15 -> 203.116.203.67 SSL Continuation Data
65 35.703752 203.116.203.67 -> 10.0.2.15    TCP 443 > 1044 [ACK] Seq=1 Ack=194 Win=65535 Len=0
68 37.287146 203.116.203.67 -> 10.0.2.15    SSL Continuation Data

66/[2011-11-29 00:47:53] "C:\APT_ATT41702.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d8caps.dat"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d9caps.dat"
66/[2011-11-29 00:47:54] "iso88591"
62 35.220147    10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
63 35.729797 203.92.33.98 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
64 35.730349    10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
65 35.730367    10.0.2.15 -> 203.92.33.98 SSL Continuation Data
66 35.730401 203.92.33.98 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=192 Win=65535 Len=0
68 36.008025 203.92.33.98 -> 10.0.2.15    TCP 443 > 1043 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0

67/[2011-11-29 00:50:20] "C:\APT_ATT63950.pdf"

68/[2011-11-29 00:52:48] "C:\APT_ATT78434.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d8caps.dat"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d9caps.dat"
68/[2011-11-29 00:52:49] "iso88591"
106 118.728793    10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
107 119.104435 62.233.245.91 -> 10.0.2.15    TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
108 119.104435    10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
109 119.104435    10.0.2.15 -> 62.233.245.91 HTTP GET /vikqz.php?id=0007871911386GB524 HTTP/1.1
110 119.104435 62.233.245.91 -> 10.0.2.15    TCP 80 > 1050 [ACK] Seq=1 Ack=189 Win=65535 Len=0
111 119.290731 62.233.245.91 -> 10.0.2.15    HTTP HTTP/1.1 404 Nie znaleziono obiektu (text/html)
112 119.291465 62.233.245.91 -> 10.0.2.15    TCP 80 > 1050 [FIN, ACK] Seq=312 Ack=189 Win=65535 Len=0

69/[2011-11-29 00:55:16] "C:\APT_ATT85096.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"

70/[2011-11-29 00:57:43] "C:\APT_ATT88422.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\ccapp.exe"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d8caps.dat"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d9caps.dat"
70/[2011-11-29 00:57:43] "iso88591"
1   0.000000              ->              Ethernet [Packet size limited during capture]
61 34.446095    10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
66 37.377861    10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
74 43.386561    10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 55.405520    10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
79 58.407708    10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 64.416957    10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
87 76.434892    10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
89 79.438217    10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
92 85.447996    10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
96 97.365250    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
98 97.766921 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
99 97.767318    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
100 97.767349    10.0.2.15 -> 2.116.180.66 HTTP GET /hrqxk.php?id=0100641911386GB524 HTTP/1.1
101 97.767394 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [ACK] Seq=1 Ack=188 Win=65535 Len=0
111 128.279223    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
112 128.279304 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [ACK] Seq=1 Ack=189 Win=65535 Len=0
113 128.279790    10.0.2.15 -> 2.229.10.5   TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
114 128.455002 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
115 128.455337    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
117 131.213059    10.0.2.15 -> 2.229.10.5   TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
122 137.221641    10.0.2.15 -> 2.229.10.5   TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

71/[2011-11-29 01:00:10] "C:\APT_ATT93159.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d8caps.dat"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d9caps.dat"
71/[2011-11-29 01:00:11] "iso88591"
61 35.267636    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.755264 203.116.203.67 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.755767    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0

72/[2011-11-29 01:00:52] "C:\APT_ATT93487.pdf"
72/[2011-11-29 01:00:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11111.exe"
72/[2011-11-29 01:00:53] "C:\WINDOWS\system32\cmd.exe"
49 28.589394    10.0.2.15 -> 68.87.73.246 DNS Standard query A family.mobwork.net
52 28.815334 68.87.73.246 -> 10.0.2.15    DNS Standard query response, No such name
53 28.824172    10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
55 29.391808 60.249.219.82 -> 10.0.2.15    TCP 443 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
56 29.393046    10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
57 29.393089    10.0.2.15 -> 60.249.219.82 SSL Continuation Data

73/[2011-11-29 01:03:20] "C:\APT_Bainbridge Skills.pdf"
73/[2011-11-29 01:03:20] "C:\WINDOWS\\googlesetup.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\AdobeARM.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\cmd.exe"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d8caps.dat"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d9caps.dat"
1   0.000000              ->              Ethernet [Packet size limited during capture]
60 34.385805    10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org
61 34.386808    10.0.2.15 -> 68.87.73.246 DNS Standard query A www.microsoft.com
63 34.651537 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME toggle.www.ms.akadns.net CNAME g.www.ms.akadns.net CNAME lb1.www.ms.akadns.net A 207.46.19.254
64 34.653667    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 34.660488 68.87.73.246 -> 10.0.2.15    DNS Standard query response, No such name
66 34.661636    10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org.hsd1.va.comcast.net
67 34.929382 207.46.19.254 -> 10.0.2.15    TCP 80 > 1047 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 34.929845    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 34.948980 68.87.73.246 -> 10.0.2.15    DNS Standard query response, No such name
71 35.171205    10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
72 35.171292 207.46.19.254 -> 10.0.2.15    TCP 80 > 1047 [ACK] Seq=1 Ack=1130 Win=65535 Len=0
73 35.457443 207.46.19.254 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
74 35.457494 207.46.19.254 -> 10.0.2.15    HTTP HTTP/1.0 200 OK (text/html)
75 35.457916    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1130 Ack=557 Win=63685 Len=0
76 35.470823    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [FIN, ACK] Seq=1130 Ack=557 Win=63685 Len=0
77 35.470895 207.46.19.254 -> 10.0.2.15    TCP 80 > 1047 [ACK] Seq=557 Ack=1131 Win=65535 Len=0
79 36.074407    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80 36.294800 207.46.19.254 -> 10.0.2.15    TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
81 36.295728    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
82 36.297643    10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
83 36.297718 207.46.19.254 -> 10.0.2.15    TCP 80 > 1049 [ACK] Seq=1 Ack=1291 Win=65535 Len=0
84 36.534015 207.46.19.254 -> 10.0.2.15    HTTP HTTP/1.1 302 Found (text/html)
85 36.536261    10.0.2.15 -> 68.87.73.246 DNS Standard query A home.microsoft.com
86 36.648320    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1291 Ack=547 Win=63694 Len=0
88 36.699394 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME redir.blu.cb3.glbdns.microsoft.com A 65.55.206.209
89 36.700413    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
90 36.873588 65.55.206.209 -> 10.0.2.15    TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
91 36.874437    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
92 36.874467    10.0.2.15 -> 65.55.206.209 HTTP GET / HTTP/1.1
93 36.874531 65.55.206.209 -> 10.0.2.15    TCP 80 > 1050 [ACK] Seq=1 Ack=1129 Win=65535 Len=0
94 37.055783 65.55.206.209 -> 10.0.2.15    HTTP HTTP/1.1 301 Moved Permanently
95 37.057985    10.0.2.15 -> 68.87.73.246 DNS Standard query A www.msn.com
96 37.236864 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME us.co1.cb3.glbdns.microsoft.com A 207.46.140.34
97 37.238158    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
98 37.249543    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1129 Ack=298 Win=63943 Len=0
100 37.491542 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
101 37.492462    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
102 37.492498    10.0.2.15 -> 207.46.140.34 HTTP GET / HTTP/1.1
103 37.492538 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=1 Ack=817 Win=65535 Len=0
104 37.814454 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
105 37.814506 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
106 37.814816    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=1449 Win=62792 Len=0
107 37.814902 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
108 37.814937 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
109 37.815251    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=2897 Win=64240 Len=0
110 37.836372    10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stc.s-msn.com
111 37.909124 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
112 37.909177 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
113 37.909422 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
114 37.909451 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
115 37.909473    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=4345 Win=62792 Len=0
116 37.909731    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=5793 Win=64240 Len=0
117 37.909824 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
118 37.909849 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
119 37.909985    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=7241 Win=62792 Len=0
120 37.910259 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
121 37.910488 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
122 37.910618    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=8689 Win=64240 Len=0
123 38.002706 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
124 38.002774 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
125 38.003245 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
126 38.003373 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
127 38.003895 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
128 38.003940    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=10137 Win=62792 Len=0
129 38.003985    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=11585 Win=64240 Len=0
130 38.004040 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
131 38.004123    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=13033 Win=62792 Len=0
132 38.005081 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
133 38.005125 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
134 38.005268    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=14481 Win=61344 Len=0
135 38.005378 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
136 38.005419 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
137 38.005525    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=15929 Win=59896 Len=0
138 38.005995 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
139 38.006038 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
140 38.006180    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=17377 Win=58448 Len=0
141 38.010812 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
142 38.010857 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
143 38.011153    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=18825 Win=57000 Len=0
144 38.011266 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
145 38.011312 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
146 38.011471    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=20273 Win=55552 Len=0
147 38.031499 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME colstc.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.209 A 65.54.81.185
148 38.032809    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
149 38.032977    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
150 38.035078    10.0.2.15 -> 207.46.140.34 TCP [TCP Window Update] 1051 > 80 [ACK] Seq=817 Ack=20273 Win=64240 Len=0
151 38.091287 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
152 38.091328 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
153 38.091541    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=21721 Win=62792 Len=0
154 38.091594 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
155 38.091634 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
156 38.091800    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=23169 Win=64240 Len=0
157 38.091879 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
158 38.091903 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
159 38.092222    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=24617 Win=62792 Len=0
160 38.092252 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
161 38.092276 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
162 38.092752    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=26065 Win=64240 Len=0
163 38.092832 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
164 38.092860 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
165 38.093222    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=27513 Win=62792 Len=0
166 38.093252 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
167 38.093275 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
168 38.093711    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=28961 Win=64240 Len=0
169 38.093740 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
170 38.093769 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
171 38.094127    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=30409 Win=62792 Len=0
172 38.094157 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
173 38.094180 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
174 38.095541    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=31857 Win=61344 Len=0
175 38.095575 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
176 38.095605 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
177 38.096013    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=33305 Win=59896 Len=0
178 38.096093 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
179 38.096119 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
180 38.097120    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=34753 Win=58448 Len=0
181 38.097151    10.0.2.15 -> 207.46.140.34 TCP [TCP Window Update] 1051 > 80 [ACK] Seq=817 Ack=34753 Win=64240 Len=0
182 38.097195 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
183 38.097248 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
184 38.097469    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=36201 Win=62792 Len=0
185 38.097493 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
186 38.097528 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
187 38.097842    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=37649 Win=64240 Len=0
188 38.097871 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
189 38.097901 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
190 38.097952 207.46.140.34 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
191 38.098031    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=39097 Win=62792 Len=0
193 38.237992 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
194 38.238320 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
195 38.238404    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
196 38.238788    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
197 38.238804    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/css/3c/e52849405b21b1b7b78858e8f94f2f.css HTTP/1.1
198 38.238890 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=1 Ack=377 Win=65535 Len=0
199 38.240511    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/css/f5/c58b60aba0638d30b1ba54ac21ef03.css HTTP/1.1
200 38.240573 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=1 Ack=377 Win=65535 Len=0
201 38.250677    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=39854 Win=64240 Len=0
202 38.449344 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
203 38.464082 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
204 38.512984    10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stj.s-msn.com
205 38.551278    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=377 Ack=168 Win=64073 Len=0
206 38.652280    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=377 Ack=169 Win=64072 Len=0
207 38.728227 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME colstj.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.24 A 65.54.81.18
208 38.729729    10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
209 38.733541    10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
210 38.735147    10.0.2.15 -> 68.87.73.246 DNS Standard query A amer.rel.msn.com
211 38.739101    10.0.2.15 -> 68.87.73.246 DNS Standard query A exp.www.msn.com
212 38.824585    10.0.2.15 -> 68.87.73.246 DNS Standard query A udc.msn.com
216 38.955997 65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
217 38.956179    10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
218 38.956342 65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
219 38.958079    10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
220 38.961515 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME amer.hops.glbdns.microsoft.com A 207.46.140.46
221 38.962824    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
222 38.965918    10.0.2.15 -> 68.87.73.246 DNS Standard query A view.atdmt.com
223 38.967318 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME ro-msn.exp.glbdns.microsoft.com A 65.55.18.18
224 38.973159    10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
225 38.974222    10.0.2.15 -> 68.87.73.246 DNS Standard query A b.scorecardresearch.com
226 39.051152 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME udc.udc0.glbdns.microsoft.com A 70.37.130.35
227 39.053649    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
228 39.053691    10.0.2.15 -> 68.87.73.246 DNS Standard query A c.msn.com
229 39.200684 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 65.55.33.48
230 39.201639    10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
231 39.204105    10.0.2.15 -> 68.87.73.246 DNS Standard query A www.bing.com
232 39.204532 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME b.scorecardresearch.com.edgesuite.net CNAME a1294.w20.akamai.net A 96.17.168.80 A 96.17.168.152 A 96.17.168.98
233 39.206253    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
234 39.206283    10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stb.s-msn.com
235 39.265296 207.46.140.46 -> 10.0.2.15    TCP 80 > 1057 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
236 39.265754    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
237 39.278876 65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
238 39.279083    10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
239 39.281502 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME c.msn.com.nsatc.net A 64.4.21.39
240 39.283203    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
241 39.283360    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/icons/BING_websearch_2.jpg HTTP/1.1
242 39.283416 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=168 Ack=740 Win=65535 Len=0
243 39.304309 70.37.130.35 -> 10.0.2.15    TCP 80 > 1059 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
244 39.304617    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
245 39.442570 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME colstb.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.24 A 65.54.81.47
246 39.443333 96.17.168.80 -> 10.0.2.15    TCP 80 > 1061 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
247 39.443994    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
248 39.444021    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
249 39.444045 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME search.ms.com.edgesuite.net CNAME a134.b.akamai.net A 96.17.171.161 A 96.17.171.99
250 39.445180    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
251 39.447047    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
252 39.447064    10.0.2.15 -> 68.87.73.246 DNS Standard query A blst.msn.com
253 39.447074    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/ff/adchoices_gif2.gif HTTP/1.1
254 39.447147 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=169 Ack=733 Win=65535 Len=0
255 39.449020    10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/01/dapmsn_exp_min.js HTTP/1.1
256 39.449080    10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/jquery/jquery-1.4.2.min.js HTTP/1.1
257 39.449102    10.0.2.15 -> 207.46.140.46 HTTP GET /default.aspx?parsergroup=hops&fk=W&gp=P&optkey=default&rf=&di=340&pi=7317&ps=95101&pageid=6875603&mk=en-us&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&tfk=C%3Adefault&utk=&cts=1322546503640&tv=infopane_hops%3Ana%2Clocaltg%3Alocal%2Cstgsearch%3Apopsrchnew%2Csocialtg%3Afacebook HTTP/1.1
258 39.449124 65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [ACK] Seq=1 Ack=360 Win=65535 Len=0
259 39.449151 65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [ACK] Seq=1 Ack=364 Win=65535 Len=0
260 39.449168 207.46.140.46 -> 10.0.2.15    TCP 80 > 1057 [ACK] Seq=1 Ack=932 Win=65535 Len=0
261 39.449798    10.0.2.15 -> 65.55.18.18 HTTP GET /ro.aspx?evt=impr&obs=msnhp_us_pv&di=340&pi=7317&ps=95101&pn=US+HPMSFT3WANBOV2T2&ch=MSFT&rid=&cts=1322546503640&rf=&slv=0&tp=http%3A%2F%2Fwww.msn.com%2F HTTP/1.1
262 39.449817    10.0.2.15 -> 70.37.130.35 HTTP GET /c.gif?evt=impr&js=1&rid=&exa=msnhp_us_master_v2%3AWP10_5%2Cmsnhp_us_anbov2%3AT2&pp=False&bd=&gnd=&cts=1322546503670&aop=&expac=673II6B39_0912%3AT2~40II3a39_0803%3AWP10_5%7C&dv.SNLogin=fb%3Af%2Ctw%3Af&dv.GrpFrMod=infopane_hops%3Ana%2Clocaltg%3Alocal%2Cstgsearch%3Apopsrchnew%2Csocialtg%3Afacebook&hp=N&fk=W&gp=P&optkey=default&clid=3CE72C262627635C3C662E93222763E1&rf=&cu=http%3A%2F%2Fwww.msn.com%2F&sl=0&slv=0&bh=294&bw=609&scr=800x600&sd=32&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT3WANBOV2T2&pid=6875603&su=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&pageid=6875603&br=MSFT&mv=V14 HTTP/1.1
263 39.449827    10.0.2.15 -> 96.17.168.80 HTTP GET /b?c1=2&c2=3000001&c7=http%3A%2F%2Fwww.msn.com%2F&c9=&rn=1322546503680 HTTP/1.1
264 39.449861 65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [ACK] Seq=1 Ack=915 Win=65535 Len=0
265 39.449887 70.37.130.35 -> 10.0.2.15    TCP 80 > 1059 [ACK] Seq=1 Ack=1234 Win=65535 Len=0
266 39.449932 96.17.168.80 -> 10.0.2.15    TCP 80 > 1061 [ACK] Seq=1 Ack=383 Win=65535 Len=0
267 39.509919 65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
268 39.510410    10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
269 39.510434    10.0.2.15 -> 65.55.33.48 HTTP GET /action/MSN_Homepage_Remessaging_111808/nc?a=1 HTTP/1.1
270 39.510488 65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [ACK] Seq=1 Ack=488 Win=65535 Len=0
271 39.519224 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
272 39.520668    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/07/617475cf39bf6f5c0bd6ecb985335c.gif HTTP/1.1
273 39.520762 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=339 Ack=1112 Win=65535 Len=0
274 39.594079   64.4.21.39 -> 10.0.2.15    TCP 80 > 1062 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
275 39.594624    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
276 39.594651    10.0.2.15 -> 64.4.21.39   HTTP GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&rnd=1322546503680&rf=&scr=800x600 HTTP/1.1
277 39.594707   64.4.21.39 -> 10.0.2.15    TCP 80 > 1062 [ACK] Seq=1 Ack=791 Win=65535 Len=0
278 39.686830 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME blst.blu.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.47 A 65.54.81.24
279 39.688064    10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
280 39.688328 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
281 39.688516    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
282 39.688690 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
283 39.689023 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
284 39.690695    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
285 39.690716    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
286 39.690727    10.0.2.15 -> 96.17.171.161 HTTP GET /partner/primedns.gif HTTP/1.1
287 39.690749    10.0.2.15 -> 65.54.81.24 HTTP GET /i/B7/EB75D45B8948F72EE451223E95A96.gif HTTP/1.1
288 39.690758    10.0.2.15 -> 65.54.81.24 HTTP GET /i/65/CDAB2F44A1591D2B308C20C6C15375.jpg HTTP/1.1
289 39.690786 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [ACK] Seq=1 Ack=492 Win=65535 Len=0
290 39.690805 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=1 Ack=372 Win=65535 Len=0
291 39.690816 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=1 Ack=372 Win=65535 Len=0
292 39.691986 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
293 39.693701    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/7d/7fda667169fb45760dd7152ddafd78.gif HTTP/1.1
294 39.693744 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
295 39.693804 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=339 Ack=1107 Win=65535 Len=0
296 39.694158    10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/cf/ece838bdac41f565b1c59d87c4c9cf63.js HTTP/1.1
297 39.694198 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
298 39.694217 65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [ACK] Seq=184 Ack=736 Win=65535 Len=0
299 39.708116 96.17.168.80 -> 10.0.2.15    HTTP HTTP/1.1 204 No Content
300 39.731730 70.37.130.35 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
301 39.769324 207.46.140.46 -> 10.0.2.15    HTTP HTTP/1.1 204 No Content
302 39.776036    10.0.2.15 -> 68.87.73.246 DNS Standard query A rad.msn.com
303 39.776145 65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
304 39.782075 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
305 39.786147    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/f8/614595fba50d96389708a4135776e4.gif HTTP/1.1
306 39.786252 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=509 Ack=1487 Win=65535 Len=0
307 39.852770    10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=364 Ack=185 Win=64056 Len=0
308 39.852800    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [ACK] Seq=383 Ack=249 Win=63992 Len=0
309 39.852816    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=1234 Ack=368 Win=63873 Len=0
310 39.928698 65.55.33.48 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
311 39.928761 65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [FIN, ACK] Seq=257 Ack=488 Win=65535 Len=0
312 39.929609    10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [ACK] Seq=488 Ack=258 Win=63984 Len=0
313 39.929655    10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [FIN, ACK] Seq=488 Ack=258 Win=63984 Len=0
314 39.929731 65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [ACK] Seq=258 Ack=489 Win=65535 Len=0
315 39.948119   64.4.21.39 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
316 39.952979    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=932 Ack=293 Win=63948 Len=0
317 39.953047    10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=915 Ack=371 Win=63870 Len=0
318 39.966706 65.54.81.47 -> 10.0.2.15    TCP 80 > 1066 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
319 39.967116    10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
320 39.967167    10.0.2.15 -> 65.54.81.47 HTTP GET /as/wea3/i/en-us/law/11.gif HTTP/1.1
321 39.967213 65.54.81.47 -> 10.0.2.15    TCP 80 > 1066 [ACK] Seq=1 Ack=666 Win=65535 Len=0
322 39.973864 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
323 39.974378 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
324 39.974529 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
325 39.975523    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/0c/c57bc2a7d38843d7c4aa8028fc9f82.gif HTTP/1.1
326 39.975607 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=508 Ack=1481 Win=65535 Len=0
327 39.998798    10.0.2.15 -> 65.54.81.24 HTTP GET /i/93/FBAB2A6CE18375B5A6A8AB82A7DF1A.jpg HTTP/1.1
328 39.998894 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=171 Ack=744 Win=65535 Len=0
329 39.999124    10.0.2.15 -> 65.54.81.24 HTTP GET /i/C3/D7F23B32F2CD62EC115C23378FFE1.jpg HTTP/1.1
330 39.999176 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=170 Ack=743 Win=65535 Len=0
331 40.011676 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
332 40.042310 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME rad.msn.com.nsatc.net A 65.55.121.231 A 65.55.192.10
333 40.043911    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
334 40.053005 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
335 40.053287    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [ACK] Seq=791 Ack=423 Win=63818 Len=0
336 40.054856    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/c1/cc36ca69630adc1a2052edc7351a47.gif HTTP/1.1
337 40.054915 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=679 Ack=1861 Win=65535 Len=0
338 40.153403    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=492 Ack=277 Win=63964 Len=0
339 40.231698 65.54.81.47 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
340 40.240187 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
341 40.255247 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
342 40.259013    10.0.2.15 -> 65.54.81.24 HTTP GET /i/A2/CB94E521DF334C97CB2DC5056A52E.jpg HTTP/1.1
343 40.259091 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=339 Ack=1114 Win=65535 Len=0
344 40.261390 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
345 40.262416    10.0.2.15 -> 65.54.81.24 HTTP GET /i/E2/7244F875BC3B1936217FC28AC541.jpg HTTP/1.1
346 40.262477 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=338 Ack=1023 Win=65535 Len=0
347 40.295186 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
348 40.295368    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
349 40.296893    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNPFS&AP=1089 HTTP/1.1
350 40.296959 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [ACK] Seq=1 Ack=771 Win=65535 Len=0
351 40.322531 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
352 40.353817    10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [ACK] Seq=666 Ack=1208 Win=63033 Len=0
353 40.353850    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1481 Ack=678 Win=63563 Len=0
354 40.453894    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1861 Ack=849 Win=63392 Len=0
355 40.524032 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
356 40.528151    10.0.2.15 -> 65.54.81.24 HTTP GET /i/14/37366221F516EE388EAC8C26DC4FE9.jpg HTTP/1.1
357 40.528255 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=507 Ack=1396 Win=65535 Len=0
358 40.531938 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
359 40.531989 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
360 40.532222 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
361 40.532260    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=1786 Win=64240 Len=0
362 40.532302 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
363 40.532631    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=3234 Win=62792 Len=0
364 40.533444 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
365 40.533500 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
366 40.533600    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=4682 Win=64240 Len=0
367 40.535446 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
368 40.535491 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
369 40.535892    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=6130 Win=62792 Len=0
370 40.536668 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (JPEG JFIF image)
371 40.538144    10.0.2.15 -> 65.54.81.24 HTTP GET /i/25/4075B47E5BDF545B1FB27F1C75CDEC.jpg HTTP/1.1
372 40.538206 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=6514 Ack=1395 Win=65535 Len=0
373 40.571685 65.55.121.231 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
374 40.571749 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
375 40.572327    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=771 Ack=1870 Win=64240 Len=0
376 40.647941 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
377 40.648000    10.0.2.15 -> 68.87.73.246 DNS Standard query A ads.pointroll.com
378 40.723783    10.0.2.15 -> 65.55.18.18 HTTP GET /msn/msnhp_us_ttg?ty=TBCB&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
379 40.723783 65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [ACK] Seq=371 Ack=1813 Win=65535 Len=0
380 40.803441 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
381 40.803523 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
382 40.803534 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
383 40.803827 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
384 40.803865    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=1955 Win=64240 Len=0
385 40.803911 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
386 40.804073    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=3403 Win=62792 Len=0
387 40.804503 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
388 40.804542 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
389 40.804853    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=4851 Win=64240 Len=0
390 40.806526 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
391 40.806560 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
392 40.807193    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=6299 Win=62792 Len=0
393 40.807992 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (JPEG JFIF image)
394 40.856905    10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=736 Ack=367 Win=63874 Len=0
395 40.861585    10.0.2.15 -> 65.54.81.24 HTTP GET /i/E2/37BA92E210D341BFDBF4126422A3D2.gif HTTP/1.1
396 40.861609    10.0.2.15 -> 65.54.81.24 HTTP GET /i/C4/9F97E4662E66D88ACDC52D97FC6C1.jpg HTTP/1.1
397 40.861689 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=6932 Ack=1767 Win=65535 Len=0
398 40.861708 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=6682 Ack=1765 Win=65535 Len=0
399 40.880472 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 72.32.153.176
400 40.882015    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
401 40.969332    10.0.2.15 -> 96.17.171.161 HTTP GET /sck?cn=_SS&r=http://www.msn.com/sck.aspx&form=MSN005&h=b8642205-0de1-dc10-ed9b-66c5af494dd5 HTTP/1.1
402 40.969549 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [ACK] Seq=277 Ack=1165 Win=65535 Len=0
403 40.972923    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
404 40.975068    10.0.2.15 -> 68.87.73.246 DNS Standard query A api.bing.com
405 40.999068    10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/51/anatm.js HTTP/1.1
406 40.999068 65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [ACK] Seq=185 Ack=714 Win=65535 Len=0
407 40.999068    10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
408 41.064842 65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
409 41.143402 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
410 41.143476 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
411 41.151195    10.0.2.15 -> 65.54.81.24 HTTP GET /i/AD/A7F1B2A19D642097AC7567BCFCC2.jpg HTTP/1.1
412 41.151220    10.0.2.15 -> 65.54.81.24 HTTP GET /i/96/FFFA8C9EF55535D7A289CE662951.jpg HTTP/1.1
413 41.151299 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7101 Ack=2136 Win=65535 Len=0
414 41.151320 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=6850 Ack=2135 Win=65535 Len=0
415 41.189538 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
416 41.190057    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
417 41.190073    10.0.2.15 -> 72.32.153.176 HTTP GET /PortalServe/?pid=1501166P77620111115192417&flash=6&time=2|1:1|-5&pos=s&ajx=1&redir=$CTURL$&r=0.970374845534282 HTTP/1.1
418 41.190128 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [ACK] Seq=1 Ack=354 Win=65535 Len=0
419 41.250078 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME search.ms.com.edgesuite.net CNAME a134.b.akamai.net A 96.17.171.99 A 96.17.171.161
420 41.251219 96.17.171.161 -> 10.0.2.15    TCP 80 > 1069 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
421 41.251269    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
422 41.251658    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
423 41.251679    10.0.2.15 -> 96.17.171.161 HTTP GET /s/as/899538/en.js HTTP/1.1
424 41.251728 96.17.171.161 -> 10.0.2.15    TCP 80 > 1069 [ACK] Seq=1 Ack=489 Win=65535 Len=0
425 41.256685    10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=1813 Ack=741 Win=63500 Len=0
426 41.273484 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
427 41.297670 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
428 41.345989 65.55.18.18 -> 10.0.2.15    TCP 80 > 1070 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
429 41.346529    10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
430 41.346547    10.0.2.15 -> 65.55.18.18 HTTP GET /msn/msnhp_us_ttg?ty=TACB&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
431 41.346610 65.55.18.18 -> 10.0.2.15    TCP 80 > 1070 [ACK] Seq=1 Ack=899 Win=65535 Len=0
432 41.385740    10.0.2.15 -> 207.46.140.34 HTTP GET /sck.aspx?cv=_SS%3dSID%3d7415D61A534D4976A4769A771B40DC4E%3b&h=b8642205-0de1-dc10-ed9b-66c5af494dd5 HTTP/1.1
433 41.385855 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=39854 Ack=1853 Win=65535 Len=0
434 41.431317 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
435 41.434812    10.0.2.15 -> 65.54.81.24 HTTP GET /i/EE/4DA23F4C5870A75228FEAFD14EFBF.gif HTTP/1.1
436 41.434897 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7269 Ack=2506 Win=65535 Len=0
437 41.436012 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
438 41.439276    10.0.2.15 -> 65.54.81.24 HTTP GET /i/5D/EE55A9EE91D76B923A4CD03D9B9A.jpg HTTP/1.1
439 41.439343 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7018 Ack=2504 Win=65535 Len=0
440 41.456934    10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=714 Ack=369 Win=63872 Len=0
441 41.456959    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1165 Ack=778 Win=63463 Len=0
442 41.510225 72.32.153.176 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
443 41.510686 72.32.153.176 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
444 41.511128    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=2723 Win=64240 Len=0
445 41.511186 72.32.153.176 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
446 41.544137 96.17.171.99 -> 10.0.2.15    TCP 80 > 1071 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
447 41.544642    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
448 41.544660    10.0.2.15 -> 96.17.171.99 HTTP GET /qsonhs.aspx?form=MSN005&q= HTTP/1.1
449 41.544730 96.17.171.99 -> 10.0.2.15    TCP 80 > 1071 [ACK] Seq=1 Ack=397 Win=65535 Len=0
450 41.545295 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
451 41.563559 72.32.153.176 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
452 41.563617 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [FIN, ACK] Seq=3937 Ack=354 Win=65535 Len=0
453 41.565949    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=3937 Win=63026 Len=0
454 41.565969    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=3938 Win=63026 Len=0
455 41.565979    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [FIN, ACK] Seq=354 Ack=3938 Win=63026 Len=0
456 41.566038 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [ACK] Seq=3938 Ack=355 Win=65535 Len=0
457 41.659015    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [ACK] Seq=489 Ack=241 Win=64000 Len=0
458 41.716634 65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
459 41.736305 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
460 41.736769 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
461 41.736838    10.0.2.15 -> 65.54.81.24 HTTP GET /i/A0/C9428460AFED1C89A9476537C01E6C.jpg HTTP/1.1
462 41.736918 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7436 Ack=2877 Win=65535 Len=0
463 41.737847    10.0.2.15 -> 65.54.81.24 HTTP GET /i/4F/B454FA8321E9C9FB98FC0ED6C9B31.jpg HTTP/1.1
464 41.737898 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7186 Ack=2874 Win=65535 Len=0
465 41.763584 207.46.140.34 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
466 41.815036    10.0.2.15 -> 68.87.73.246 DNS Standard query A ad.doubleclick.net
467 41.815036    10.0.2.15 -> 68.87.73.246 DNS Standard query A speed.pointroll.com
468 41.863684    10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [ACK] Seq=899 Ack=371 Win=63870 Len=0
469 41.875036 96.17.171.99 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (application/json)
470 41.959015    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=1853 Ack=41235 Win=62859 Len=0
471 41.981056    10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/1c/4a0253de6eac448d8f2c39c53f8926.js HTTP/1.1
472 41.981188 65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [ACK] Seq=367 Ack=1208 Win=65535 Len=0
473 42.029614 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
474 42.029763 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
475 42.059567    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [ACK] Seq=397 Ack=183 Win=64058 Len=0
476 42.103334 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME dart.l.doubleclick.net A 74.125.226.219
477 42.109345 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME speed.pointroll.com.edgesuite.net CNAME a1343.g.akamai.net A 96.17.168.113 A 96.17.168.91
478 42.115036    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
479 42.119160    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
480 42.124497    10.0.2.15 -> 65.54.81.24 HTTP GET /i/A9/7AA2D84B8DBC1D16190B37053EA70.jpg HTTP/1.1
481 42.124517    10.0.2.15 -> 65.54.81.24 HTTP GET /i/74/59D9EBE09028E93076FEB538BDF8AD.jpg HTTP/1.1
482 42.124582 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7604 Ack=3248 Win=65535 Len=0
483 42.124608 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7354 Ack=3246 Win=65535 Len=0
484 42.136035    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/5f/5280118e68aedbc5821d17132a5340.gif HTTP/1.1
485 42.136184 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=678 Ack=1855 Win=65535 Len=0
486 42.271036 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
487 42.411033 96.17.168.113 -> 10.0.2.15    TCP 80 > 1073 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
488 42.415015    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
489 42.415015    10.0.2.15 -> 96.17.168.113 HTTP GET /PointRoll/Media/Banners/Ford/915428/2011_YECMSN3for40_ML_EXP_300x250_Default.jpg?PRAd=1544247&PRCID=1544247&PRplcmt=1501166&PRPID=1501166 HTTP/1.1
490 42.415015 96.17.168.113 -> 10.0.2.15    TCP 80 > 1073 [ACK] Seq=1 Ack=423 Win=65535 Len=0
491 42.415536 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
492 42.415679    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
493 42.419616    10.0.2.15 -> 74.125.226.219 HTTP GET /imp;v1;f;248163114;0-0;0;73804323;1%7C1;39709740%7C39727527%7C1;;cs=f;%3fhttp://ad.doubleclick.net/dot.gif?0.970374845534282 HTTP/1.1
494 42.419679 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [ACK] Seq=1 Ack=464 Win=65535 Len=0
495 42.422923 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
496 42.427066 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
497 42.427692 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
498 42.459605    10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=1208 Ack=551 Win=63690 Len=0
499 42.505684    10.0.2.15 -> 96.17.171.161 HTTP GET /msnhomepagehistory.aspx?sid=7415D61A534D4976A4769A771B40DC4E&_=1322546507615 HTTP/1.1
500 42.505829 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [ACK] Seq=778 Ack=1704 Win=65535 Len=0
502 42.526183    10.0.2.15 -> 65.55.18.18 HTTP GET /msn/msnhp_us_ttg?ty=tl&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
503 42.526291 65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [ACK] Seq=741 Ack=2751 Win=65535 Len=0
504 42.535068    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNHQ2&AP=1402 HTTP/1.1
505 42.535068 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [ACK] Seq=1870 Ack=1541 Win=65535 Len=0
506 42.541397    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
507 42.559068    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1855 Ack=1207 Win=63034 Len=0
508 42.559068    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=3246 Ack=7522 Win=63232 Len=0
509 42.559068    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=3248 Ack=7772 Win=63400 Len=0
510 42.673409 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
511 42.673487 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
512 42.673916 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
513 42.673970    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=1449 Win=62792 Len=0
514 42.674015 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
515 42.674261 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
516 42.674334    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=2897 Win=64240 Len=0
517 42.674404 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
518 42.674767 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
519 42.674803 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
520 42.674809    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=4345 Win=62792 Len=0
521 42.675405    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=5793 Win=64240 Len=0
522 42.686493 65.55.121.231 -> 10.0.2.15    TCP 80 > 1074 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
523 42.686981    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
524 42.686998    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNIF1&AP=1455 HTTP/1.1
525 42.687061 65.55.121.231 -> 10.0.2.15    TCP 80 > 1074 [ACK] Seq=1 Ack=771 Win=65535 Len=0
526 42.687542 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
527 42.687594 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
528 42.687926 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
529 42.687986    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=7241 Win=62792 Len=0
530 42.688059 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
531 42.688083 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
532 42.688104 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
533 42.688436 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
534 42.688468    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=8689 Win=64240 Len=0
535 42.688482    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=10137 Win=62792 Len=0
536 42.688526 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
537 42.688990    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=11585 Win=64240 Len=0
538 42.692714 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
539 42.692765 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
540 42.693000 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
541 42.693064    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=13033 Win=62792 Len=0
542 42.693112 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
543 42.693961    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=14481 Win=64240 Len=0
544 42.696698 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
545 42.696740 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
546 42.697002 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
547 42.697043    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=15929 Win=62792 Len=0
548 42.697091 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
549 42.697385 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
550 42.697420    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=17377 Win=64240 Len=0
551 42.697493 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
552 42.697742 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
553 42.697796    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=18825 Win=62792 Len=0
554 42.697845 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
555 42.697858 96.17.168.113 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (JPEG JFIF image)
556 42.698340    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=20273 Win=64240 Len=0
557 42.698569 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
558 42.707512 74.125.226.219 -> 10.0.2.15    HTTP HTTP/1.1 302 Moved Temporarily
559 42.712399 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
560 42.739017    10.0.2.15 -> 74.125.226.219 HTTP GET /dot.gif?0.970374845534282 HTTP/1.1
561 42.739017 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [ACK] Seq=196 Ack=828 Win=65535 Len=0
562 42.739017    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNSUR&AP=1089 HTTP/1.1
563 42.739017 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [ACK] Seq=2918 Ack=2311 Win=65535 Len=0
564 42.750353 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/javascript)
565 42.751066    10.0.2.15 -> 68.87.73.246 DNS Standard query A ad.wsod.com
566 42.755297 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
567 42.756436 65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
568 42.769281 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 209.234.225.242
569 42.774998    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
570 42.779251 74.125.226.219 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
571 42.819327    10.0.2.15 -> 68.87.73.246 DNS Standard query A ads2.msads.net
572 42.823411    10.0.2.15 -> 74.125.226.219 HTTP GET /ad/N4492.MSN/B5014254.187;sz=1x1;ord=1124616328? HTTP/1.1
573 42.823584 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [ACK] Seq=408 Ack=1215 Win=65535 Len=0
574 42.831942 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME msnads.vo.msecnd.net A 65.54.81.161 A 65.54.81.152
575 42.835114    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
576 42.841377 209.234.225.242 -> 10.0.2.15    TCP 80 > 1075 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
577 42.841639    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
578 42.842983    10.0.2.15 -> 209.234.225.242 HTTP GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/2398.1579.tk.177x20/725237877 HTTP/1.1
579 42.843061 209.234.225.242 -> 10.0.2.15    TCP 80 > 1075 [ACK] Seq=1 Ack=447 Win=65535 Len=0
580 42.849859 65.54.81.161 -> 10.0.2.15    TCP 80 > 1076 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
581 42.851660    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
582 42.851682    10.0.2.15 -> 65.54.81.161 HTTP GET /CIS/95/000/000/000/019/637.jpg HTTP/1.1
583 42.851746 65.54.81.161 -> 10.0.2.15    TCP 80 > 1076 [ACK] Seq=1 Ack=271 Win=65535 Len=0
584 42.859036    10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=2751 Ack=1111 Win=63130 Len=0
585 42.859036    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=2311 Ack=3661 Win=64240 Len=0
586 42.859177    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1704 Ack=1561 Win=64240 Len=0
587 42.859192    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=20816 Win=63697 Len=0
588 42.859201    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [ACK] Seq=771 Ack=1042 Win=63199 Len=0
589 42.866584 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
590 42.866630 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
591 42.866817    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=1449 Win=62792 Len=0
592 42.866872 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
593 42.866906 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
594 42.867362    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=2897 Win=64240 Len=0
595 42.869225 74.125.226.219 -> 10.0.2.15    HTTP HTTP/1.1 302 Moved Temporarily
596 42.870642    10.0.2.15 -> 68.87.73.246 DNS Standard query A m.doubleclick.net
597 42.879138 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
598 42.879176 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
599 42.879606 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
600 42.879650    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=4345 Win=62792 Len=0
601 42.879712 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
602 42.879752 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
603 42.879770 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
604 42.879960    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=5793 Win=64240 Len=0
605 42.879984    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=7241 Win=62792 Len=0
606 42.880034 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
607 42.880063 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
608 42.880599    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=8689 Win=64240 Len=0
609 42.880669 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
610 42.880708 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
611 42.880851    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=10137 Win=62792 Len=0
612 42.881147 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
613 42.881180 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
614 42.881718    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=11585 Win=64240 Len=0
615 42.881931 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME s0-2mdn-net.l.google.com A 74.125.226.251
616 42.883451    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
617 42.883774 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
618 42.883814 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
619 42.884081 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
620 42.884132    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=13033 Win=62792 Len=0
621 42.884182 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
622 42.884760    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=14481 Win=64240 Len=0
623 42.891069 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
624 42.891106 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
625 42.891258    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=15929 Win=62792 Len=0
626 42.891421 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
627 42.891474 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
628 42.891698    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=17377 Win=64240 Len=0
629 42.891736 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
630 42.891756 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
631 42.892333    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=18825 Win=62792 Len=0
632 42.895527 65.54.81.161 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (JPEG JFIF image)
633 42.910686 209.234.225.242 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
634 42.912344 74.125.226.251 -> 10.0.2.15    TCP 80 > 1077 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
635 42.912673    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
636 42.914697    10.0.2.15 -> 74.125.226.251 HTTP GET /dot.gif HTTP/1.1
637 42.914776 74.125.226.251 -> 10.0.2.15    TCP 80 > 1077 [ACK] Seq=1 Ack=346 Win=65535 Len=0
638 42.936684 74.125.226.251 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
639 43.059351    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=19542 Win=64240 Len=0
640 43.059392    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=447 Ack=585 Win=63656 Len=0
641 43.059403    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [ACK] Seq=346 Ack=361 Win=63880 Len=0
642 43.059411    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [ACK] Seq=1215 Ack=627 Win=63614 Len=0
643 44.111447 65.54.81.47 -> 10.0.2.15    TCP 80 > 1066 [FIN, ACK] Seq=1208 Ack=666 Win=65535 Len=0
644 44.111703    10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [ACK] Seq=666 Ack=1209 Win=63033 Len=0
645 44.125425 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [FIN, ACK] Seq=849 Ack=1861 Win=65535 Len=0
646 44.125599    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1861 Ack=850 Win=63392 Len=0
647 45.110536 65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [FIN, ACK] Seq=369 Ack=714 Win=65535 Len=0
648 45.110771    10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=714 Ack=370 Win=63872 Len=0
649 45.913572 209.234.225.242 -> 10.0.2.15    TCP 80 > 1075 [FIN, ACK] Seq=585 Ack=447 Win=65535 Len=0
650 45.914044    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=447 Ack=586 Win=63656 Len=0
651 46.015286    10.0.2.15 -> 65.54.81.24 HTTP GET /i/D0/4278717F7C190E446356444E97F5A.jpg HTTP/1.1
652 46.015286 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7772 Ack=3529 Win=65535 Len=0
653 46.021859    10.0.2.15 -> 65.55.18.18 HTTP GET /ro.aspx?evt=br&di=340&pi=7317&ps=95101&rid=&cts=1322546511130&ce=1&hl=SWP22&cm=head%3Ecb1 HTTP/1.1
654 46.021940 65.55.18.18 -> 10.0.2.15    TCP 80 > 1070 [ACK] Seq=371 Ack=1837 Win=65535 Len=0
655 46.023977    10.0.2.15 -> 70.37.130.35 HTTP GET /c.gif?evt=br&rid=&exa=msnhp_us_master_v2%3AWP10_5%2Cmsnhp_us_anbov2%3AT2&cts=1322546511130&aop=&expac=673II6B39_0912%3AT2~40II3a39_0803%3AWP10_5%7C&fk=W&gp=P&optkey=default&clid=3CE72C262627635C3C662E93222763E1&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT3WANBOV2T2&pid=6875603&su=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&pageid=6875603&ce=1&hl=SWP22&cm=head%3Ecb1 HTTP/1.1
656 46.024062 70.37.130.35 -> 10.0.2.15    TCP 80 > 1059 [ACK] Seq=368 Ack=2249 Win=65535 Len=0
657 46.110765 65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [FIN, ACK] Seq=551 Ack=1208 Win=65535 Len=0
658 46.110950    10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=1208 Ack=552 Win=63690 Len=0
659 46.111199 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [FIN, ACK] Seq=7522 Ack=3246 Win=65535 Len=0
660 46.111313    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=3246 Ack=7523 Win=63232 Len=0
661 46.111460 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [FIN, ACK] Seq=7772 Ack=3529 Win=65535 Len=0
662 46.112343    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=3529 Ack=7773 Win=63400 Len=0
663 46.112364    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [RST, ACK] Seq=447 Ack=586 Win=0 Len=0
664 46.112380    10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [RST, ACK] Seq=666 Ack=1209 Win=0 Len=0
665 46.112389    10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [RST, ACK] Seq=714 Ack=370 Win=0 Len=0
666 46.112397    10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [RST, ACK] Seq=1208 Ack=552 Win=0 Len=0
667 46.112406    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [RST, ACK] Seq=1861 Ack=850 Win=0 Len=0
668 46.112691    10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [FIN, ACK] Seq=3529 Ack=7773 Win=63400 Len=0
669 46.112749 65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7773 Ack=3530 Win=65535 Len=0
670 46.114825    10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [FIN, ACK] Seq=3246 Ack=7523 Win=63232 Len=0
671 46.114847    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
672 46.114914 65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7523 Ack=3247 Win=65535 Len=0
673 46.114979 65.54.81.161 -> 10.0.2.15    TCP 80 > 1076 [FIN, ACK] Seq=19542 Ack=271 Win=65535 Len=0
674 46.115148    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=19543 Win=64240 Len=0
675 46.117442 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [FIN, ACK] Seq=1207 Ack=1855 Win=65535 Len=0
676 46.117592    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1855 Ack=1208 Win=63034 Len=0
677 46.152358 70.37.130.35 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
678 46.187614 65.54.81.24 -> 10.0.2.15    TCP 80 > 1078 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
679 46.188088    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
680 46.188111    10.0.2.15 -> 65.54.81.24 HTTP GET /i/D0/4278717F7C190E446356444E97F5A.jpg HTTP/1.1
681 46.188166 65.54.81.24 -> 10.0.2.15    TCP 80 > 1078 [ACK] Seq=1 Ack=282 Win=65535 Len=0
682 46.202724 65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (GIF89a)
683 46.264115    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=2249 Ack=735 Win=63506 Len=0
684 46.285768 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
685 46.285830 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
686 46.286098 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
687 46.286134    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=1449 Win=62792 Len=0
688 46.286175 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
689 46.286853    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=2897 Win=64240 Len=0
690 46.348872 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
691 46.348930 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
692 46.349148    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=4345 Win=62792 Len=0
693 46.349189 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
694 46.349214 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
695 46.349435    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=5793 Win=64240 Len=0
696 46.349475 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
697 46.349502 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
698 46.349924 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
699 46.350051 65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
700 46.350277 65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (JPEG JFIF image)
701 46.357721    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=7241 Win=62792 Len=0
702 46.357745    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=8689 Win=64240 Len=0
703 46.367174    10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [ACK] Seq=1837 Ack=741 Win=63500 Len=0
704 46.467160    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=9620 Win=63309 Len=0
705 47.921611    10.0.2.15 -> 207.46.140.34 HTTP GET /?euid=3CE72C262627635C3C662E93222763E1&userGroup=W:default&PM=z:1&zipCode=22310&newsProviderId=WRC&weaDegreeType=F&weaLocations=wc%3A10067507 HTTP/1.1
706 47.921794 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=41235 Ack=2799 Win=65535 Len=0
707 48.289718 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
708 48.289792 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
709 48.290040 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
710 48.290067 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
711 48.290076    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=42683 Win=64240 Len=0
712 48.290336 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
713 48.290369 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
714 48.290376    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=44131 Win=62792 Len=0
715 48.290871    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=45579 Win=64240 Len=0
716 48.291047 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
717 48.291073 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
718 48.291559 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
719 48.291583 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
720 48.291591    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=47027 Win=62792 Len=0
721 48.291921 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
722 48.292038    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=48475 Win=64240 Len=0
723 48.292068 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
724 48.292299 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
725 48.292383    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=49923 Win=62792 Len=0
726 48.292425 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
727 48.292808 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
728 48.292897    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=51371 Win=64240 Len=0
729 48.292939 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
730 48.293314 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
731 48.293343 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
732 48.293352    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=52819 Win=62792 Len=0
733 48.293786 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
734 48.293871    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=54267 Win=64240 Len=0
735 48.293913 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
736 48.294222 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
737 48.294250    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=55715 Win=62792 Len=0
738 48.294274 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
739 48.294679 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
740 48.294706 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
741 48.294712    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=57163 Win=64240 Len=0
742 48.294834    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=58611 Win=62792 Len=0
743 48.295187 207.46.140.34 -> 10.0.2.15    HTTP HTTP/1.1 200 OK (text/html)
744 48.467164    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=59959 Win=64240 Len=0
745 50.112739 65.54.81.24 -> 10.0.2.15    TCP 80 > 1078 [FIN, ACK] Seq=9620 Ack=282 Win=65535 Len=0
746 50.112974    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=9621 Win=63309 Len=0
747 53.294480    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [RST, ACK] Seq=271 Ack=19543 Win=0 Len=0
748 53.294505    10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [RST, ACK] Seq=282 Ack=9621 Win=0 Len=0
749 53.294515    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [RST, ACK] Seq=1855 Ack=1208 Win=0 Len=0
750 98.359689    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [RST, ACK] Seq=1129 Ack=298 Win=0 Len=0
751 98.360086    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [RST, ACK] Seq=1291 Ack=547 Win=0 Len=0
753 99.281366 207.46.140.46 -> 10.0.2.15    TCP 80 > 1057 [FIN, ACK] Seq=293 Ack=932 Win=65535 Len=0
754 99.281589    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=932 Ack=294 Win=63948 Len=0
755 103.368611    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [RST, ACK] Seq=346 Ack=361 Win=0 Len=0
756 103.368642    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [RST, ACK] Seq=423 Ack=20816 Win=0 Len=0
757 103.368652    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [RST, ACK] Seq=1215 Ack=627 Win=0 Len=0
758 103.368661    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [RST, ACK] Seq=397 Ack=183 Win=0 Len=0
759 103.368669    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [RST, ACK] Seq=771 Ack=1042 Win=0 Len=0
760 103.368677    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [RST, ACK] Seq=2311 Ack=3661 Win=0 Len=0
761 103.369276    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [RST, ACK] Seq=489 Ack=241 Win=0 Len=0
762 103.369290    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [RST, ACK] Seq=1704 Ack=1561 Win=0 Len=0
763 103.369298    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [RST, ACK] Seq=791 Ack=423 Win=0 Len=0
764 103.369901    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [RST, ACK] Seq=383 Ack=249 Win=0 Len=0
765 103.369913    10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [RST, ACK] Seq=2751 Ack=1111 Win=0 Len=0
766 103.369922    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [RST, ACK] Seq=932 Ack=294 Win=0 Len=0
767 104.617462 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [FIN, ACK] Seq=59959 Ack=2799 Win=65535 Len=0
768 104.617775    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=59960 Win=64240 Len=0
769 108.373475    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [RST, ACK] Seq=2249 Ack=735 Win=0 Len=0
770 108.374044    10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [RST, ACK] Seq=1837 Ack=741 Win=0 Len=0
771 108.374060    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [RST, ACK] Seq=2799 Ack=59960 Win=0 Len=0

74/[2011-11-29 01:05:43] "C:\APT_Conference information for next week.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d8caps.dat"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d9caps.dat"
74/[2011-11-29 01:05:44] "iso88591"
74 44.123769    10.0.2.15 -> 110.142.12.95 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 56.143195    10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 59.145745    10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80 65.154873    10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 77.173225    10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
84 80.176440    10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

75/[2011-11-29 01:06:22] "C:\APT_DOB Aug 2011.pdf"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\cmd.exe"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\crypt32.dll"
75/[2011-11-29 01:06:22] "iso88591"
43 24.071248    10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
47 24.758951 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 58.68.224.24
48 25.287274    10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
50 25.746641 58.68.224.24 -> 10.0.2.15    TCP 80 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
51 25.746656    10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
52 25.747357    10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
53 25.747373    10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
54 25.747430 58.68.224.24 -> 10.0.2.15    TCP 80 > 1046 [ACK] Seq=1 Ack=236 Win=65535 Len=0
55 25.747449 58.68.224.24 -> 10.0.2.15    TCP 80 > 1046 [ACK] Seq=1 Ack=1516 Win=65535 Len=0

76/[2011-11-29 01:08:49] "C:\APT_g20 summit.pdf"
76/[2011-11-29 01:08:49] "C:\WINDOWS\system32\d3d9caps.dat"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
76/[2011-11-29 01:08:50] "C:\WINDOWS\system32\d3d8caps.dat"
76/[2011-11-29 01:08:50] "iso88591"
1   0.000000              ->              Ethernet [Packet size limited during capture]
60 34.827483    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.375156 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.375595    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 35.375614    10.0.2.15 -> 203.92.33.98 SSL Continuation Data
65 35.375670 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [ACK] Seq=1 Ack=192 Win=65535 Len=0
66 35.643683 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0
67 35.644358    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=192 Ack=2 Win=64240 Len=0
68 35.644382    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [FIN, ACK] Seq=192 Ack=2 Win=64240 Len=0
69 35.644435 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [ACK] Seq=2 Ack=193 Win=65535 Len=0
70 35.646130    10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
72 36.192141 211.233.62.146 -> 10.0.2.15    TCP 443 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
73 36.192503    10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
74 36.192520    10.0.2.15 -> 211.233.62.146 SSL Continuation Data

77/[2011-11-29 01:09:27] "C:\APT_ID194.pdf"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\cmd.exe"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\crypt32.dll"
77/[2011-11-29 01:09:27] "iso88591"
1   0.000000              ->              Ethernet [Packet size limited during capture]
42 23.708044    10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
43 24.209549 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 58.68.224.24
44 24.213107    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
48 24.732612 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
49 24.733912    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
50 24.735034    10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
51 24.735034 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=236 Win=65535 Len=0
52 24.736365    10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
53 24.736428 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=1516 Win=65535 Len=0

78/[2011-11-29 01:11:54] "C:\APT_military procurement.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d8caps.dat"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d9caps.dat"
78/[2011-11-29 01:11:55] "iso88591"
60 34.295971    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.284641    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
67 37.841869 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 37.842133    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 37.843287    10.0.2.15 -> 203.116.203.67 SSL Continuation Data
70 37.843342 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0

79/[2011-11-29 01:14:22] "C:\APT_NorthKorea.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d8caps.dat"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d9caps.dat"
79/[2011-11-29 01:14:22] "iso88591"
60 34.992584    10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.908912    10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
73 43.943196    10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75 60.967116    10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 63.970209    10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

80/[2011-11-29 01:16:51] "C:\APT_Nuclear Security and Summit Diplomacy.pdf"
80/[2011-11-29 01:16:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\A9R83C7.tmp"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d8caps.dat"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d9caps.dat"
80/[2011-11-29 01:16:54] "C:\WINDOWS\AutoUpdate.exe"
80/[2011-11-29 01:16:54] "C:\WINDOWS\ºÓ°]«O96-97³q°T¿ý.pdf"
----

81/[2011-11-29 01:19:57] "C:\APT_statement.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d8caps.dat"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d9caps.dat"
81/[2011-11-29 01:19:58] "iso88591"

72 54.979463    10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75 57.981829    10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 63.990170    10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 76.008794    10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 79.012034    10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

Download

Download 30 analysis packages as a password protected archive (contact me if you need the password)

Nov 3 CVE-2011-0611 1104statment.pdf analyzed via Cuckoo sandbox

2011-11-29T02:14:00.004-05:00

I have been away and busy with all kinds of stuff (some malware related and some not :) but I am back.

I played a little recently with Cuckoo sandbox - an awesome free sandbox developed by Claudio Guarnieri (Linkedin). The sandbox has been out for several months, constantly being improved and got a lot of fans. You can read the Cuckoo guide here and also follow active discussions on the Malwr forum. I think the sandbox works very well and very flexible - it can be developed and extended to analyze any (many) kinds of exploits. You can find descriptions of the sandbox online but I want to post results of the sandbox analysis - something I didn't have chance to see until I installed it. I will post unfiltered results and with some minimal processing (conversion of pcaps to text, filtering out search results, etc.). This tool is still in development and you will not get polished reports like you see on Threatexpert but they are exportable into a database of your choice, searchable, and "tweakable". If you already tried it a while ago, try it again, I heard the later versions are much better than the earlier ones.

Common Vulnerability & Exposures CVE#

CVE-2011-0611

General File Information

CVE-2011-0611

File: 1104statment.pdf
Size: 91010
MD5: 86730A9BC3AB99503322EDA6115C1096

Download

Download as a password protected archive (email me if you need the password)

Download unfiltered analysis results - analysis folder (email me if you need the password)

Original Message and Headers

Received: (qmail 3627 invoked from network); 3 Nov 2011 02:53:35 -0000
Received: from msr8.hinet.net (HELO msr8.hinet.net) (168.95.4.108)
xxxxxxxxxxxxxx
Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])
by msr8.hinet.net (8.14.2/8.14.2) with SMTP id pA32pCaW016745
xxxxxxxxxxxxx
Date: Thu, 3 Nov 2011 10:51:17 +0800
From: "cy.hsiao" <cy.hsiao@msa.hinet.net>
xxxxx
Reply-To: "jun.lun" <jun.lun@msa.hinet.net>
Subject: 1104statment
X-Priority: 1
X-GUID: 2AE71A5A-DDDA-497A-B8B7-1850D647AC9D
X-Mailer: Foxmail 7.0.1.84[cn]
MIME-Version: 1.0
Message-ID: <201111031040202773896@msa.hinet.net>
Content-Type: multipart/mixed;
boundary="----=_001_NextPart150125300633_=----"

60.249.181.163
60.249.0.0 - 60.249.255.255
Taiwan
CHTD, Chunghwa Telecom Co.,Ltd.
Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
Taipei Taiwan 100

Automated Scans

86730a9bc3ab99503322eda6115c1096

http://www.virustotal.com/file-scan/report.html?id=8a2b54f64d1866ac8c46c99651cadba1597bc5671cf9b4a966c1d23898b19ce6-1320344807
Submission date:2011-11-03 18:26:47 (UTC)
Result: 10 /42 (23.8%)
Avast     6.0.1289.0     2011.11.03     SWF:Dropper [Heur]
BitDefender     7.2     2011.11.03     Script.SWF.C08
F-Secure     9.0.16440.0     2011.11.03     Script.SWF.C08
GData     22     2011.11.03     Script.SWF.C08
Microsoft     1.7801     2011.11.03     Exploit:Win32/Pdfjsc.XD
Norman     6.07.13     2011.11.03     Exploit/2011-0611.A
nProtect     2011-11-03.01     2011.11.03     Script.SWF.C08
Sophos     4.71.0     2011.11.03     Troj/SWFExp-AK
Symantec     20111.2.0.82     2011.11.03     Trojan.Pidief
VirusBuster     14.1.44.0     2011.11.03     SWF.CVE-2011-0609.C
MD5   : 86730a9bc3ab99503322eda6115c1096

Created files

Trojan Taidoor

Cuckoo sandbox does a great job on binaries (and can capture deleted files too) but the document analysis results require a bit more filtering due to many legitimate Adobe and Office files that get generated during the analysis. It also does not calculate hash.

Dropped files (Results of a filtering script) -

[2011-11-29 00:13:25] [INFO] Dropped file "C:\APT_1104statment.pdf"

[2011-11-29 00:13:28] [INFO] Dropped file "C:\Documents and Settings\Angie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d9caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d8caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "iso88591"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\OLEACCRC.DLL"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\oleacc.dll"

Here is a unfiltered log (you would get all these files in the "Files" analysis folder as well)

This is a zipped folder with the entire unfiltered analysis (use the password scheme or email me if you need it)

www.virustotal.com/file-scan/report.html?id=e4875a7fe94b53f0088b0aedd88a2601b4bee99ed8d8196b547adfdb5cafe638-1322293498
2011112
Submission date:2011-11-26 07:44:58 (UTC)
Result:33 /43 (76.7%)

Antivirus    Version    Last Update    Result
AhnLab-V3    2011.11.25.00    2011.11.25    Backdoor/Win32.CSon
AntiVir    7.11.18.78    2011.11.25    TR/Hijacker.Gen
Antiy-AVL    2.0.3.7    2011.11.26    Backdoor/Win32.Agent.gen
Avast    6.0.1289.0    2011.11.25    Win32:Malware-gen
AVG    10.0.0.1190    2011.11.25    BackDoor.Generic14.AJZQ
BitDefender    7.2    2011.11.26    Gen:Trojan.Heur.TP.bq1@byoLvWnb
CAT-QuickHeal    12.00    2011.11.25    Backdoor.Agent.bwtk
Comodo    10789    2011.11.26    UnclassifiedMalware
DrWeb    5.0.2.03300    2011.11.26    Trojan.Taidoor
Emsisoft    5.1.0.11    2011.11.26    Backdoor.Win32.Simbot!IK
eSafe    7.0.17.0    2011.11.24    Win32.TRHijacker
F-Secure    9.0.16440.0    2011.11.26    Gen:Trojan.Heur.TP.bq1@byoLvWnb
Fortinet    4.3.370.0    2011.11.26    W32/Injector.JQA!tr
GData    22    2011.11.26    Gen:Trojan.Heur.TP.bq1@byoLvWnb
Ikarus    T3.1.1.109.0    2011.11.26    Backdoor.Win32.Simbot
Jiangmin    13.0.900    2011.11.25    Backdoor/Agent.diki
K7AntiVirus    9.119.5542    2011.11.25    Backdoor
Kaspersky    9.0.0.837    2011.11.26    Backdoor.Win32.Agent.bwtk
McAfee    5.400.0.1158    2011.11.26    Generic BackDoor!dtm
McAfee-GW-Edition    2010.1D    2011.11.25    Generic BackDoor!dtm
Microsoft    1.7801    2011.11.26    Backdoor:Win32/Simbot.gen
NOD32    6660    2011.11.26    a variant of Win32/Injector.JQA
Norman    6.07.13    2011.11.25    W32/Suspicious_Gen2.RUNSA
Panda    10.0.3.5    2011.11.25    Generic Backdoor
PCTools    8.0.0.5    2011.11.26    Backdoor.Trojan
Sophos    4.71.0    2011.11.26    Mal/Simbot-A
Symantec    20111.2.0.82    2011.11.26    Backdoor.Trojan
TheHacker    6.7.0.1.347    2011.11.24    Trojan/Injector.jqa
TrendMicro    9.500.0.1008    2011.11.26    TROJ_GEN.R47C7K4
TrendMicro-HouseCall    9.500.0.1008    2011.11.26    TROJ_GEN.R47C7K4
VBA32    3.12.16.4    2011.11.25    TrojanDownloader.Rubinurd.f
VIPRE    11151    2011.11.26    Trojan.Win32.Generic!BT
VirusBuster    14.1.85.0    2011.11.25    Backdoor.Agent!kZFb0jr2OQ4
Additional information
MD5   : a3a71678576164e93e882392e609a917

It also generates many screenshots to capture the malware behavior (you can turn off this feature) - see one screenshot below

Traffic

Cuckoo creates a dump pcap file you can download from there. You can of course run conversion to text as part of your post-processing routine like you see below.

 74  50.331130    10.0.2.15 -> 110.142.12.95 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 76  62.360903    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  65.352406    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 78  71.361654    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 81  83.379329    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 83  86.382691    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 85  92.391543    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 89 104.309538    10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 91 107.313022    10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 94 113.321174    10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
100 127.342043    10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
102 130.345727    10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
108 136.354881    10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 

110.142.12.95
hirudo.lnk.telstra.net
Host reachable, 259 ms. average
110.142.0.0 - 110.143.255.255
Telstra
Level 12, 242 Exhibition St
Melbourne
VIC 3000
Australia

108.77.146.124
108-77-146-124.lightspeed.tulsok.sbcglobal.net
Host unreachable
108.64.0.0 - 108.95.255.255
AT&T Internet Services
2701 N. Central Expwy # 2205.15
Richardson
TX
75080
United States

Examples of other captures (I will post these files separately)

42 23.708044    10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
43 24.209549 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 58.68.224.24
44 24.213107    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
48 24.732612 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
49 24.733912    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
50 24.735034    10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
51 24.735034 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=236 Win=65535 Len=0
52 24.736365    10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
53 24.736428 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=1516 Win=65535 Len=0

74 40.881943    10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
75 41.032372 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
76 41.033219    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 41.269469 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
78 41.270321    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0

Hi

2011-11-17T00:41:00.003-05:00

Believe it or not, I am still alive and will post something soon.

Step by step binary analysis with Frankie Li ( dg003.exe dropper from "XinTang Event.chm" )

2011-11-03T07:57:00.003-04:00

With the express written permission from the author, here is a an excellent paper "A Detailed Analysis of an Advanced Persistent Threat Malware" and the corresponding malware sample, which you can reverse engineer following step by step explanation by the author Frankie Li (http://espionageware.blogspot.com/)- from vxrl.org (Valkyrie-X Security Research Group)

Another great analysis from the same group of another CHM file can be found here: Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage (paper for IEEE 6th International Conference on Malicious and Unwanted Software (Malware 2011)).

Do you wonder if your sample APT or just crimeware? Use their Xecure Deezer - APT identification engine

General File Information

File: dg003.exe
Size: 196608
MD5: 4EC0027BEF4D7E1786A04D021FA8A67F

Download
Download as a password protected archive (contact me if you need the password)

contagio

An Overview of Exploit Packs (Update 15) January 28, 2012

Blackhole Ramnit - samples and analysis

General File Information

Download

Distribution

Brief Analysis

Traffic

Adobe Zero Day CVE-2011-2462 - with samples

(CVE)number

File information

Download

Automatic scans

Payload and traffic

30 PDF files processed by Cuckoo Sandbox - results and samples

Download

Nov 3 CVE-2011-0611 1104statment.pdf analyzed via Cuckoo sandbox

Common Vulnerability & Exposures CVE#

General File Information

Download

Original Message and Headers

Automated Scans

Created files

Traffic

Hi

Step by step binary analysis with Frankie Li ( dg003.exe dropper from "XinTang Event.chm" )

General File Information

File: dg003.exeSize: 196608MD5: 4EC0027BEF4D7E1786A04D021FA8A67F

Download

File: dg003.exe
Size: 196608
MD5: 4EC0027BEF4D7E1786A04D021FA8A67F