Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'exploer' = '<SYSTEM32>\exploer.exe'
- '<SYSTEM32>\exploer.exe'
- '%TEMP%\RarSFX0\rinst.exe'
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\zom.jpg
- Handler for all processes: <SYSTEM32>\exploerhk.dll
- ClassName: '' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass' WindowName: ''
- ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'FilemonClass' WindowName: ''
- ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
- <SYSTEM32>\dt\2013-04-16_22-40-55-274843
- <SYSTEM32>\dt\2013-04-16_22-40-54-273812
- <SYSTEM32>\dt\2013-04-16_22-40-56-275828
- <SYSTEM32>\dt\2013-04-16_22-40-58-277875
- <SYSTEM32>\dt\2013-04-16_22-40-57-276781
- <SYSTEM32>\dt\2013-04-16_22-40-53-272859
- <SYSTEM32>\dt\2013-04-16_22-40-46-265921
- <SYSTEM32>\dt\2013-04-16_22-40-44-264046
- <SYSTEM32>\dt\2013-04-16_22-40-47-266937
- <SYSTEM32>\dt\2013-04-16_22-40-51-270890
- <SYSTEM32>\dt\2013-04-16_22-40-49-268953
- <SYSTEM32>\dt\2013-04-16_22-41-11-290875
- <SYSTEM32>\dt\2013-04-16_22-41-10-289812
- <SYSTEM32>\dt\2013-04-16_22-41-13-292890
- <SYSTEM32>\dt\2013-04-16_22-41-17-296906
- <SYSTEM32>\dt\2013-04-16_22-41-15-294921
- <SYSTEM32>\dt\2013-04-16_22-41-09-288859
- <SYSTEM32>\dt\2013-04-16_22-41-02-281921
- <SYSTEM32>\dt\2013-04-16_22-41-00-279859
- <SYSTEM32>\dt\2013-04-16_22-41-04-283890
- <SYSTEM32>\dt\2013-04-16_22-41-08-287890
- <SYSTEM32>\dt\2013-04-16_22-41-06-286468
- <SYSTEM32>\dt\2013-04-16_22-40-27-246812
- <SYSTEM32>\dt\2013-04-16_22-40-26-245765
- <SYSTEM32>\dt\2013-04-16_22-40-28-247734
- <SYSTEM32>\dt\2013-04-16_22-40-30-249875
- <SYSTEM32>\dt\2013-04-16_22-40-29-248718
- <SYSTEM32>\dt\2013-04-16_22-40-25-244765
- <SYSTEM32>\dt\2013-04-16_22-40-21-240828
- <SYSTEM32>\dt\2013-04-16_22-40-20-239843
- <SYSTEM32>\dt\2013-04-16_22-40-22-241750
- <SYSTEM32>\dt\2013-04-16_22-40-24-243765
- <SYSTEM32>\dt\2013-04-16_22-40-23-242750
- <SYSTEM32>\dt\2013-04-16_22-40-39-258812
- <SYSTEM32>\dt\2013-04-16_22-40-38-257796
- <SYSTEM32>\dt\2013-04-16_22-40-40-259828
- <SYSTEM32>\dt\2013-04-16_22-40-43-262937
- <SYSTEM32>\dt\2013-04-16_22-40-41-260968
- <SYSTEM32>\dt\2013-04-16_22-40-37-256843
- <SYSTEM32>\dt\2013-04-16_22-40-33-252843
- <SYSTEM32>\dt\2013-04-16_22-40-32-251750
- <SYSTEM32>\dt\2013-04-16_22-40-34-253859
- <SYSTEM32>\dt\2013-04-16_22-40-36-255781
- <SYSTEM32>\dt\2013-04-16_22-40-35-254781
- <SYSTEM32>\dt\2013-04-16_22-41-19-298921
- <SYSTEM32>\dt\2013-04-16_22-42-13-353000
- <SYSTEM32>\dt\2013-04-16_22-42-11-350921
- <SYSTEM32>\dt\2013-04-16_22-42-15-354968
- <SYSTEM32>\dt\2013-04-16_22-42-19-358968
- <SYSTEM32>\dt\2013-04-16_22-42-17-356984
- <SYSTEM32>\dt\2013-04-16_22-42-09-348906
- <SYSTEM32>\dt\2013-04-16_22-42-02-341968
- <SYSTEM32>\dt\2013-04-16_22-42-00-339921
- <SYSTEM32>\dt\2013-04-16_22-42-04-343859
- <SYSTEM32>\dt\2013-04-16_22-42-07-347093
- <SYSTEM32>\dt\2013-04-16_22-42-05-344968
- <SYSTEM32>\dt\2013-04-16_22-42-35-374984
- <SYSTEM32>\dt\2013-04-16_22-42-33-372968
- <SYSTEM32>\dt\2013-04-16_22-42-37-376984
- <SYSTEM32>\dt\2013-04-16_22-42-41-380984
- <SYSTEM32>\dt\2013-04-16_22-42-39-378984
- <SYSTEM32>\dt\2013-04-16_22-42-31-370968
- <SYSTEM32>\dt\2013-04-16_22-42-23-362937
- <SYSTEM32>\dt\2013-04-16_22-42-21-361046
- <SYSTEM32>\dt\2013-04-16_22-42-25-364953
- <SYSTEM32>\dt\2013-04-16_22-42-29-368968
- <SYSTEM32>\dt\2013-04-16_22-42-27-366984
- <SYSTEM32>\dt\2013-04-16_22-41-35-315171
- <SYSTEM32>\dt\2013-04-16_22-41-33-312937
- <SYSTEM32>\dt\2013-04-16_22-41-37-316968
- <SYSTEM32>\dt\2013-04-16_22-41-41-320921
- <SYSTEM32>\dt\2013-04-16_22-41-39-318937
- <SYSTEM32>\dt\2013-04-16_22-41-31-310906
- <SYSTEM32>\dt\2013-04-16_22-41-23-302906
- <SYSTEM32>\dt\2013-04-16_22-41-21-300906
- <SYSTEM32>\dt\2013-04-16_22-41-25-304921
- <SYSTEM32>\dt\2013-04-16_22-41-29-308906
- <SYSTEM32>\dt\2013-04-16_22-41-27-306921
- <SYSTEM32>\dt\2013-04-16_22-41-53-332859
- <SYSTEM32>\dt\2013-04-16_22-41-52-331843
- <SYSTEM32>\dt\2013-04-16_22-41-54-333937
- <SYSTEM32>\dt\2013-04-16_22-41-58-337968
- <SYSTEM32>\dt\2013-04-16_22-41-56-335921
- <SYSTEM32>\dt\2013-04-16_22-41-51-330859
- <SYSTEM32>\dt\2013-04-16_22-41-45-324953
- <SYSTEM32>\dt\2013-04-16_22-41-43-322921
- <SYSTEM32>\dt\2013-04-16_22-41-47-326953
- <SYSTEM32>\dt\2013-04-16_22-41-50-329843
- <SYSTEM32>\dt\2013-04-16_22-41-49-328828
- <SYSTEM32>\dt\2013-04-16_22-39-18-177656
- <SYSTEM32>\dt\2013-04-16_22-39-17-176656
- <SYSTEM32>\dt\2013-04-16_22-39-19-178750
- <SYSTEM32>\dt\2013-04-16_22-39-21-180734
- <SYSTEM32>\dt\2013-04-16_22-39-20-179718
- <SYSTEM32>\dt\2013-04-16_22-39-16-175656
- <SYSTEM32>\dt\2013-04-16_22-39-12-171671
- <SYSTEM32>\dt\2013-04-16_22-39-11-170687
- <SYSTEM32>\dt\2013-04-16_22-39-13-172671
- <SYSTEM32>\dt\2013-04-16_22-39-15-174687
- <SYSTEM32>\dt\2013-04-16_22-39-14-173703
- <SYSTEM32>\dt\2013-04-16_22-39-29-188734
- <SYSTEM32>\dt\2013-04-16_22-39-28-187750
- <SYSTEM32>\dt\2013-04-16_22-39-30-189765
- <SYSTEM32>\dt\2013-04-16_22-39-32-191750
- <SYSTEM32>\dt\2013-04-16_22-39-31-190765
- <SYSTEM32>\dt\2013-04-16_22-39-27-186718
- <SYSTEM32>\dt\2013-04-16_22-39-23-182718
- <SYSTEM32>\dt\2013-04-16_22-39-22-181734
- <SYSTEM32>\dt\2013-04-16_22-39-24-183734
- <SYSTEM32>\dt\2013-04-16_22-39-26-185734
- <SYSTEM32>\dt\2013-04-16_22-39-25-184718
- %TEMP%\zom.jpg
- %TEMP%\RarSFX0\zom.jpg
- <SYSTEM32>\pk.bin
- <SYSTEM32>\exploerhk.dll
- <SYSTEM32>\exploer.exe
- %TEMP%\RarSFX0\rinst.exe
- %TEMP%\RarSFX0\inst.dat
- %TEMP%\RarSFX0\pk.bin
- %TEMP%\RarSFX0\opt.dat
- %TEMP%\RarSFX0\exploer.exe
- %TEMP%\RarSFX0\exploerhk.dll
- <SYSTEM32>\dt\2013-04-16_22-39-07-166687
- <SYSTEM32>\dt\2013-04-16_22-39-06-165796
- <SYSTEM32>\dt\2013-04-16_22-39-08-167671
- <SYSTEM32>\dt\2013-04-16_22-39-10-169828
- <SYSTEM32>\dt\2013-04-16_22-39-09-168671
- <SYSTEM32>\temporary.bmp
- <SYSTEM32>\inst.dat
- <SYSTEM32>\opt.dat
- <SYSTEM32>\rinst.exe
- <SYSTEM32>\pk.bin_back
- <SYSTEM32>\dt\2013-04-16_22-39-33-192781
- <SYSTEM32>\dt\2013-04-16_22-40-03-222812
- <SYSTEM32>\dt\2013-04-16_22-40-02-221796
- <SYSTEM32>\dt\2013-04-16_22-40-04-223781
- <SYSTEM32>\dt\2013-04-16_22-40-07-227250
- <SYSTEM32>\dt\2013-04-16_22-40-05-224984
- <SYSTEM32>\dt\2013-04-16_22-40-01-220812
- <SYSTEM32>\dt\2013-04-16_22-39-57-216750
- <SYSTEM32>\dt\2013-04-16_22-39-56-215796
- <SYSTEM32>\dt\2013-04-16_22-39-58-217765
- <SYSTEM32>\dt\2013-04-16_22-40-00-219828
- <SYSTEM32>\dt\2013-04-16_22-39-59-218812
- <SYSTEM32>\dt\2013-04-16_22-40-16-235812
- <SYSTEM32>\dt\2013-04-16_22-40-15-234843
- <SYSTEM32>\dt\2013-04-16_22-40-17-236796
- <SYSTEM32>\dt\2013-04-16_22-40-19-238828
- <SYSTEM32>\dt\2013-04-16_22-40-18-237812
- <SYSTEM32>\dt\2013-04-16_22-40-14-233796
- <SYSTEM32>\dt\2013-04-16_22-40-10-229796
- <SYSTEM32>\dt\2013-04-16_22-40-09-228796
- <SYSTEM32>\dt\2013-04-16_22-40-11-230812
- <SYSTEM32>\dt\2013-04-16_22-40-13-232750
- <SYSTEM32>\dt\2013-04-16_22-40-12-231796
- <SYSTEM32>\dt\2013-04-16_22-39-41-200765
- <SYSTEM32>\dt\2013-04-16_22-39-40-199687
- <SYSTEM32>\dt\2013-04-16_22-39-42-201734
- <SYSTEM32>\dt\2013-04-16_22-39-44-203734
- <SYSTEM32>\dt\2013-04-16_22-39-43-202718
- <SYSTEM32>\dt\2013-04-16_22-39-39-198796
- <SYSTEM32>\dt\2013-04-16_22-39-35-194750
- <SYSTEM32>\dt\2013-04-16_22-39-34-193734
- <SYSTEM32>\dt\2013-04-16_22-39-36-195750
- <SYSTEM32>\dt\2013-04-16_22-39-38-197765
- <SYSTEM32>\dt\2013-04-16_22-39-37-196750
- <SYSTEM32>\dt\2013-04-16_22-39-52-211765
- <SYSTEM32>\dt\2013-04-16_22-39-51-210765
- <SYSTEM32>\dt\2013-04-16_22-39-53-212703
- <SYSTEM32>\dt\2013-04-16_22-39-55-214703
- <SYSTEM32>\dt\2013-04-16_22-39-54-213750
- <SYSTEM32>\dt\2013-04-16_22-39-50-209781
- <SYSTEM32>\dt\2013-04-16_22-39-46-205734
- <SYSTEM32>\dt\2013-04-16_22-39-45-204781
- <SYSTEM32>\dt\2013-04-16_22-39-47-206734
- <SYSTEM32>\dt\2013-04-16_22-39-49-208750
- <SYSTEM32>\dt\2013-04-16_22-39-48-207703
- %TEMP%\RarSFX0\zom.jpg
- %TEMP%\RarSFX0\rinst.exe
- <SYSTEM32>\temporary.bmp
- <SYSTEM32>\pk.bin_back
- %TEMP%\RarSFX0\inst.dat
- %TEMP%\RarSFX0\exploer.exe
- %TEMP%\RarSFX0\pk.bin
- %TEMP%\RarSFX0\opt.dat
- %TEMP%\RarSFX0\exploerhk.dll
- from <SYSTEM32>\rinst.exe to <SYSTEM32>\exploerr.exe
- 'sm##.aol.com':25
- DNS ASK sm##.aol.com
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: '' WindowName: 'PKL Window'