Thursday, September 12, 2013

Active Zbot Phishing Campaign Under the Hood.

Zbot Under the Hood.

Metadata
ID: b71416469446a3aa16af294fdb733f54
OS: 2600.xpsp.080413-2111
Started: Wed Sep 11 07:31:46 EDT 2013
Ended: Wed Sep 11 07:31:46 EDT 2013
Duration: 378 Seconds
Sandbox: marburg(pilot-d)
File name: Proforma%20Invoice.exe
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Analyzed As: exe
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
SHA1: fe43dbd7232de304b84c538fb461f05537ba65ab
MD5: e8c10d6aeecd5c39b1bf04797138933b

Fast flux is a DNS technique used by botnets to maintain a resilient command and control infrastructure of compromised hosts acting as proxies. Fast flux is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A record list for a DNS name. Each record has a very short TTL (time to live) value of usually less than five minutes. This creates a constantly changing list of destination addresses for a single DNS name. Please view the 'DNS' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

Categories: persistence
Tags: network, ttl, dns, fast flux, command and control

Query Data | Answer Data | Query ID | Answer Type | TTL
www.google.com | 173.194.43.19 | 40407 | A | 300
www.google.com | 173.194.43.18 | 40407 | A | 300
www.google.com | 173.194.43.17 | 40407 | A | 300
www.google.com | 173.194.43.16 | 40407 | A | 300
www.google.com | 173.194.43.20 | 40407 | A | 300

Process Created a File in the Windows Startup Folder
Severity: 80 Confidence: 50
A new file was added to the Windows StartUp folder to ensure that this file runs on system startup. Please review the 'Disk Artifacts' section in order to view additional details about this file.
Categories: persistence
Tags: startup, file, folder, process, autorun

Process ID | Process Name | Path
1592 | Proforma%20Invoice.exe | \Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe

Outbound HTTP POST Communications
Severity: 25 Confidence: 25

Outbound HTTP POST to a remote server was detected. This is not inherently suspicious, but malware will often use POSTs to check in to its command and control servers upon infection, or to upload or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

GET  h00p://akeemtrade[.]biz:80/html/install/config[.]bin   (Warning!! Alive)
Stream: 3  Transaction: 0
Server IP: 199.79.62.19
Server Port: 80
Transport: TCP
Method: GET
URL: http://akeemtrade.biz:80/html/install/config.bin

Request  (Timestamp: Wed Sep 11 07:33:55 EDT 2013)
Actual Encoding:
Actual Content-type: application/x-empty
Headers:
cache-control: no-cache
connection: Close
host: akeemtrade.biz
accept: */*
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Response  (Timestamp: Wed Sep 11 07:33:55 EDT 2013)
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream
Headers:
content-type: application/octet-stream
connection: close
etag: "1cb074c-867c-4e448153dea00"
last-modified: Mon, 19 Aug 2013 07:42:32 GMT
content-length: 34428
server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
accept-ranges: bytes
date: Wed, 11 Sep 2013 11:34:12 GMT

Categories: exfiltration, fingerprinting
Tags: network, http, post

Network Stream | Method | URL
6 | POST | http://akeemtrade.biz:80/html/install/gate.php
5 | POST | http://akeemtrade.biz:80/html/install/gate.php

Command Exe File Execution Detected
Severity: 50 Confidence: 80
A process executed a file using cmd.exe. Malware authors will often launch batch or shell scripts that use Windows shell utilities. Additional uses include launching an interactive command shell.
Categories:
Tags: process, file, create, launch

Process ID | Process Name | Command Line | Path
1800 | cmd.exe | "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\tmpeaaff6e6.bat" | _0

Executable Imported the IsDebuggerPresent Symbol
Severity: 20 Confidence: 20
The IsDebuggerPresent function can be used by a process to check whether a debugger has been attached to it or is currently active on the system. Malware authors often check for the presence of a debugger, as this indicates that the malware is being analysed. The malware may not run, or may behave differently, if a debugger is present, to make its behaviour harder to reverse-engineer. On its own this is not an indicator of malicious activity, as legitimate programs often import this function.
Categories: obfuscation, anti-reversing
Tags: process, artifact, static, import, PE

Artifact ID | Path
6 | \Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe
2 | \Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe
3 | \temp\Proforma%20Invoice.exe
1 | Proforma%20Invoice.exe

Process Created an Executable in a User Directory
Severity: 60 Confidence: 95
Malware will often create a new executable file in a user directory such as 'Local Settings' or 'Application Data' in an attempt to hide its presence on the system. Often the name of the file is similar to the name of common system or user files. This is done to hide the executable, as the user may believe it's a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.
Categories: persistence, obfuscation
Tags: executable, file, process, PE

Process ID | Process Name | Path
1592 | Proforma%20Invoice.exe | C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe
916 | Proforma%20Invoice.exe | C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe

Process Modified File in a User Directory
Severity: 70 Confidence: 80
Malware will modify files in user directories to hide logs or other evidence. Also, by modifying various files it can disable functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to hide an executable, so that it appears to be a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.
Categories: persistence, obfuscation
Tags: executable, file, process

Process ID | Process Name | Path
1592 | Proforma%20Invoice.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp
1732 | somi.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm
1592 | Proforma%20Invoice.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\webhp[1].htm
916 | Proforma%20Invoice.exe | \Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe
1732 | somi.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\config[1].bin

Process Modified Autorun Registry Key Value
Severity: 80 Confidence: 60

Autorun registry keys can be used to load applications when Windows is started. Malware often uses these key locations to maintain persistence on the host. The values to examine are located in subkeys Run, RunOnce, RunServices, RunServicesOnce, RunOnceEx, or RunOnce\Setup. The key value will indicate where the program that will load on startup is located.

Categories: persistence
Tags: process, autorun, registry

Process ID | Process Name | RegKey Name | RegKey Value Name | RegKey Data Type | RegKey Data
1352 | Explorer.EXE | USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | {832A9606-32CE-FE22-A0DC-76831BAE1BEB} | SZ | "C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"s\\0

HTTP Traffic
GET  http://akeemtrade.biz:80/html/install/config.bin
Stream: 3   Transaction: 0
Server IP: 199.79.62.19
Server Port: 80
Transport: TCP
Method: GET
URL: http://akeemtrade.biz:80/html/install/config.bin

Request  (Timestamp: Wed Sep 11 07:33:55 EDT 2013)
Actual Encoding:
Actual Content-type: application/x-empty
Headers:
cache-control: no-cache
connection: Close
host: akeemtrade.biz
accept: */*
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Response  (Timestamp: Wed Sep 11 07:33:55 EDT 2013)
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream
Headers:
content-type: application/octet-stream
connection: close
etag: "1cb074c-867c-4e448153dea00"
last-modified: Mon, 19 Aug 2013 07:42:32 GMT
content-length: 34428
server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
accept-ranges: bytes
date: Wed, 11 Sep 2013 11:34:12 GMT

GET  http://www.google.com:80/webhp
Stream: 4  Transaction: 0
Server IP: 173.194.43.19
Server Port: 80
Transport: TCP
Method: GET
URL: http://www.google.com:80/webhp

Request  (Timestamp: Wed Sep 11 07:34:03 EDT 2013)
Actual Encoding:
Actual Content-type: application/x-empty
Headers:
cache-control: no-cache
connection: Close
host: www.google.com
accept: */*
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Response  (Timestamp: Wed Sep 11 07:34:03 EDT 2013)
Actual Encoding: ascii
Actual Content-type: text/html
Headers:
x-frame-options: SAMEORIGIN
content-type: text/html; charset=UTF-8
p3p: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
cache-control: private, max-age=0
connection: close
x-xss-protection: 1; mode=block
expires: -1
set-cookie: { "elements": [ "PREF\u003dID\u003d667c83caea844ac8:FF\u003d0:TM\u003d1378899263:LM\u003d1378899263:S\u003dQx8nb0MbLfVx3PwW; expires\u003dFri, 11-Sep-2015 11:34:23 GMT; path\u003d/; domain\u003d.google.com", "NID\u003d67\u003dTxUdsZzb7X8Yrg_xKcRxituvtxo9un2uzb70Erp6XVU1w-GRaIsGcxtAcywQOQbDs2I4UgYqJb7xGQ_SsvfwmPxmQJ-cJ9R7fdw1REDBWpMQ0EYnGuj0Bh_yWPzaQTJ8; expires\u003dThu, 13-Mar-2014 11:34:23 GMT; path\u003d/; domain\u003d.google.com; HttpOnly" ] }
server: gws
alternate-protocol: 80:quic
date: Wed, 11 Sep 2013 11:34:23 GMT

POST  http://akeemtrade.biz:80/html/install/gate.php
Stream: 5  Transaction: 0
Server IP: 199.79.62.19
Server Port: 80
Transport: TCP
Method: POST
URL: http://akeemtrade.biz:80/html/install/gate.php

Request  (Timestamp: Wed Sep 11 07:34:06 EDT 2013)
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream
Headers:
cache-control: no-cache
connection: Keep-Alive
host: akeemtrade.biz
accept: */*
content-length: 274
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Response  (Timestamp: Wed Sep 11 07:34:06 EDT 2013)
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream
Headers:
content-type: text/html
connection: Keep-Alive
x-powered-by: PHP/5.2.17
transfer-encoding: chunked
server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
keep-alive: timeout=3, max=30
date: Wed, 11 Sep 2013 11:34:28 GMT

POST  http://akeemtrade.biz:80/html/install/gate.php
Stream: 6  Transaction: 0
Server IP: 199.79.62.19
Server Port: 80
Transport: TCP
Method: POST
URL: http://akeemtrade.biz:80/html/install/gate.php

Request  (Timestamp: Wed Sep 11 07:35:01 EDT 2013)
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream
Headers:
cache-control: no-cache
connection: Keep-Alive
host: akeemtrade.biz
accept: */*
content-length: 12538
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Response  (Timestamp: Wed Sep 11 07:35:01 EDT 2013)
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream
Headers:
content-type: text/html
connection: Keep-Alive
x-powered-by: PHP/5.2.17
transfer-encoding: chunked
server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
keep-alive: timeout=3, max=30
date: Wed, 11 Sep 2013 11:35:31 GMT

DNS Traffic
Stream: 2  Query: 38241  Transport: UDP

Query ID | Timestamp | Type | Data
38241 | Wed Sep 11 07:33:54 EDT 2013 | A | akeemtrade.biz
Answers:
Query ID | Timestamp | Type | Data | TTL
38241 | Wed Sep 11 07:33:55 EDT 2013 | A | 199.79.62.19 | 14400

Stream: 2  Query: 40407  Transport: UDP

Query ID | Timestamp | Type | Data
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | www.google.com
Answers:
Query ID | Timestamp | Type | Data | TTL
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.19 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.18 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.20 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.17 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.16 | 300

Artifacts
Artifact 1: Proforma%20Invoice.exe
Source: submitted | Imports: 16 | Exports: 0 | AV Sigs: 0 | Size: 1186076
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifact 2: /Documents and Settings/Joe Maldive/Application Data/Viryq/somi.exe
Source: disk | Imports: 16 | Exports: 0 | AV Sigs: 0 | Size: 1186076
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: d7ac68c5a3010eff2d56378e8e822dec804f5b27c17f4a2163148a8fdb5fb34c
MD5: fa5f2d89313f05224389375873d1c206

Artifact 3: /temp/Proforma%20Invoice.exe
Source: disk | Imports: 16 | Exports: 0 | AV Sigs: 0 | Size: 1186076
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifact 4: /debug.txt
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 26053
Magic Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
SHA256: 78ca91c37ac358f9f7adb8345bb4a49e8381611321e555a0e25f3ebd2a992002
MD5: fdae3aa240078bf14a9ca01367e079df

Artifact 5: /Documents and Settings/Joe Maldive/Cookies/joe maldive@google[2].txt
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 330
Magic Type: ASCII text
SHA256: e99b492efe53844df5cbd0dee5836a42525c5d3f1a500162f8552f5b0d5219ce
MD5: 6f5c7e6633609997e9a13d4a1df825aa

Artifact 6: /Documents and Settings/Joe Maldive/Start Menu/Programs/Startup/config.exe
Source: disk | Imports: 16 | Exports: 0 | AV Sigs: 0 | Size: 1186076
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifact 7: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Folders.dbx
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 75204
Magic Type: MS Outlook Express DBX file, folder database
SHA256: 0272ff9b0dc70fdff37d03e9d397500b3a65db9b4fbd6c9568f47cd11ec39008
MD5: dd958f1389a18772a8809d9db903cb1a

Artifact 8: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Offline.dbx
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 9656
Magic Type: MS Outlook Express DBX file, offline database
SHA256: 14ff7ea3f7634352d7e787a69b997d6694ac1f8270db51ad077b24efeffbfa11
MD5: c78f0742eae95fcf92f7f1c6009d9341

Artifact 9: /Documents and Settings/Joe Maldive/Application Data/Microsoft/Address Book/Joe Maldive.wab
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 176594
Magic Type: data
SHA256: c8ded9535f8900ad231019421fcf711e06f252127ac904a14e1fd15c9d00970f
MD5: 991c6d55cb2cf996bdb5985fccd28506

Artifact 10: /WINDOWS/Prefetch/CMD.EXE-087B4001.pf
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 12150
Magic Type: data
SHA256: fa221ecf5fa9713570059ccfdedcd8e1e2ce9cd8644d395f70d386dd8e1ae182
MD5: 02458f83c3e3f0e92202a623bb52d2a9

Artifact 11: /Documents and Settings/Joe Maldive/Application Data/Microsoft/Address Book/Joe Maldive.wab~
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 176594
Magic Type: data
SHA256: c8ded9535f8900ad231019421fcf711e06f252127ac904a14e1fd15c9d00970f
MD5: 991c6d55cb2cf996bdb5985fccd28506

Artifact 12: /Documents and Settings/Joe Maldive/Cookies/index.dat
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 49152
Magic Type: Internet Explorer cache file version Ver 5.2
SHA256: 53352349195130a01bd0f4e023a9b5d19481efc8f14f1737d3a138c4f77575c2
MD5: cf3aa327a36e2487e3ef0a5ee4abf09c

Artifact 13: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Inbox.dbx
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 142036
Magic Type: MS Outlook Express DBX file, message database
SHA256: 2d4e7216ff1ba895c0dc2635edf9ca4a117ce54a0467ff2c816aa4f0b7bc8213
MD5: 47be83c580205c28a92921425c9d290a

Artifact 14: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Sent Items.dbx
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 76500
Magic Type: MS Outlook Express DBX file, message database
SHA256: 37b9f67bd4301ecf6f56cbdaf697131c20441c3514f67f09510a2e700872a0ff
MD5: 5c9871500ef4f120d08456c18e04bb8c

Artifact 15: /Documents and Settings/Joe Maldive/Local Settings/Temp/f.txt
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 351234
Magic Type: ASCII text, with very long lines, with no line terminators
SHA256: bedba9c52ab29f444c71a4e5d066db119ba723f01d09001ba491d644e5c89c66
MD5: 5e97f5478e0a8eeb584673adb92e2182

Artifact 16: /WINDOWS/Prefetch/LOGONUI.EXE-0AF22957.pf
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 24510
Magic Type: data
SHA256: 5e72d480d453773a6bf0859e730ea59eefb88e8ac5ece1adb32fef5f041cfee5
MD5: cd23d66b54fc3d6f02dbf0f738c506ec

Artifact 17: /WINDOWS/system32/config/SysEvent.Evt
Source: disk | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 65536
Magic Type: data
SHA256: 1a527a23b49b171fe86457078953e134a86ccbf52ed0b2b4f1e7f30f16c878ee
MD5: 816b8681b9e3cce365448c6ce4c3f4b4

Artifact 18: config.bin
Source: network | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 34428
Magic Type: data
SHA256: 737a5a94a316ae95ee9a155531c726335f5aafc4e067da67f41962af96186424
MD5: 354b641762111cb669c5131efbc64e44

Artifact 19: webhp
Source: network | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 31055
Magic Type: HTML document, ASCII text, with very long lines
SHA256: d99eb3558bade37801bc54bc446c453df57bb22b1ac8115d8a7c72fc86d6519c
MD5: b1330cfbd0d9dc8372297450cc66d226

Artifact 20: gate.php
Source: network | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 64
Magic Type: data
SHA256: cf18419178d5143a548f66be4524acefb44e44d2a334a42f12ced581294f111d
MD5: 67423769ccbe3dafb1660569aed2122b

Artifact 21: gate.php
Source: network | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 64
Magic Type: data
SHA256: 812b3bfdc16966abe821f0e6f46d4b08b4849527dfd4ca29a49a9ae46297c362
MD5: ae133b4fbddb539aabd0ebd0310ca5d5

Artifact 22: 480-services.exe
Related to: process 480
Source: memory | Imports: 10 | Exports: 0 | AV Sigs: 1 | Size: 108544
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 62592336a5a8ff004307642b6e1f3ab77423f98c67d063aca9c2b2fd3033b360
MD5: f8b5365b630d3839216dd731958c790c

Artifact 23: 428-winlogon.exe
Related to: process 428
Source: memory | Imports: 0 | Exports: 0 | AV Sigs: 0 | Size: 507904
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: c7f1c355970569f88ff7001185f2aac92b143a4e83c919eb1f667bcfdf1154f8
MD5: 752070c7aa016e5fc9fed6d84b02bb26

Artifact 24: 788-svchost.exe
Related to: process 788
Source: memory | Imports: 4 | Exports: 0 | AV Sigs: 0 | Size: 14336
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: d86db08af7ff040f51ad7305e392e2cf696e97cfb671a7c492551b19a09de5b2
MD5: 9d977171d7e2c89833b537808806f4df

Artifact 25: 1352-Explorer.EXE
Related to: process 1352
Source: memory | Imports: 13 | Exports: 0 | AV Sigs: 0 | Size: 1033728
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: c16eddac0250cf02e7228b194f042cc551fea6ea9c2a2bb679e6eef9f898c4aa
MD5: a1db10d544b4c063b165d2ee392c5fc0

Artifact 26: 748-svchost.exe
Related to: process 748
Source: memory | Imports: 4 | Exports: 0 | AV Sigs: 0 | Size: 14336
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 7d6b9a711fbf326e95f19e24b95f0d56ee5ad044f6f2fa5f02f5870c3b312acf
MD5: 9e12668de788d73e3dd0afdb9baca344

Artifact 27: 780-wmiprvse.exe
Related to: process 780
Source: memory | Imports: 10 | Exports: 0 | AV Sigs: 1 | Size: 218112
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: b0756163adcf10532efeba33abb298c89238d09d8929f7ba731d55648d321822
MD5: 9b3208698b43e53c05e86b472a5651d0

PE Sections
Address | Type | Virtual Size | Size | Entropy | Entropy Types
4096 | .text | 209184 | 209408 | 5.280843455233378 | [native, packed]
217088 | .data | 6936 | 6656 | 4.946809128148061 | [native]
225280 | .rsrc | 968 | 1024 | 3.2734914644890747 | [indeterminate]

Imported/Exported Symbols
DLL | Imported Symbol | Virt. Address
msvcrt.dll | _CxxThrowException | 16781828
msvcrt.dll | ?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z | 16781832
msvcrt.dll | wcstok | 16781836
msvcrt.dll | __CxxFrameHandler | 16781840
msvcrt.dll | setlocale | 16781844
msvcrt.dll | wcslen | 16781848
msvcrt.dll | _vsnwprintf | 16781852
msvcrt.dll | _except_handler3 | 16781856
msvcrt.dll | _purecall | 16781860
msvcrt.dll | _wcsicmp | 16781864
msvcrt.dll | _c_exit | 16781868
msvcrt.dll | _exit | 16781872
msvcrt.dll | _XcptFilter | 16781876
msvcrt.dll | _cexit | 16781880
msvcrt.dll | exit | 16781884
msvcrt.dll | _acmdln | 16781888
msvcrt.dll | __getmainargs | 16781892
msvcrt.dll | _initterm | 16781896
msvcrt.dll | __setusermatherr | 16781900
msvcrt.dll | _adjust_fdiv | 16781904
msvcrt.dll | __p__commode | 16781908
msvcrt.dll | __p__fmode | 16781912
msvcrt.dll | __set_app_type | 16781916
msvcrt.dll | ??1type_info@@UAE@XZ | 16781920
msvcrt.dll | __dllonexit | 16781924
msvcrt.dll | _onexit | 16781928
msvcrt.dll | ?terminate@@YAXXZ | 16781932
msvcrt.dll | _controlfp | 16781936
ADVAPI32.dll | OpenProcessToken | 16781340
ADVAPI32.dll | OpenThreadToken | 16781344
ADVAPI32.dll | GetAclInformation | 16781348
ADVAPI32.dll | ImpersonateLoggedOnUser | 16781352
ADVAPI32.dll | RegOpenKeyExW | 16781356
ADVAPI32.dll | RegDeleteKeyW | 16781360
ADVAPI32.dll | RegCreateKeyExW | 16781364
ADVAPI32.dll | RegCloseKey | 16781368
ADVAPI32.dll | SetSecurityDescriptorOwner | 16781372
ADVAPI32.dll | SetSecurityDescriptorGroup | 16781376
ADVAPI32.dll | GetSecurityDescriptorLength | 16781380
ADVAPI32.dll | MakeSelfRelativeSD | 16781384
ADVAPI32.dll | RegDisablePredefinedCache | 16781388
ADVAPI32.dll | RevertToSelf | 16781392
ADVAPI32.dll | SetThreadToken | 16781396
ADVAPI32.dll | FreeSid | 16781400
ADVAPI32.dll | SetSecurityDescriptorDacl | 16781404
ADVAPI32.dll | AddAce | 16781408
ADVAPI32.dll | InitializeAcl | 16781412
ADVAPI32.dll | GetLengthSid | 16781416
ADVAPI32.dll | CopySid | 16781420
ADVAPI32.dll | AllocateAndInitializeSid | 16781424
ADVAPI32.dll | InitializeSecurityDescriptor | 16781428
ADVAPI32.dll | ReportEventW | 16781432
ADVAPI32.dll | RegisterEventSourceW | 16781436
ADVAPI32.dll | DeregisterEventSource | 16781440
ADVAPI32.dll | RegSetValueExW | 16781444
KERNEL32.dll | DeleteCriticalSection | 16781472
KERNEL32.dll | InterlockedCompareExchange | 16781476
KERNEL32.dll | GetProcAddress | 16781480
KERNEL32.dll | GetModuleHandleW | 16781484
KERNEL32.dll | lstrcmpiW | 16781488
KERNEL32.dll | GetCurrentProcessId | 16781492
KERNEL32.dll | CloseHandle | 16781496
KERNEL32.dll | InterlockedIncrement | 16781500
KERNEL32.dll | InterlockedDecrement | 16781504
KERNEL32.dll | SetEvent | 16781508
KERNEL32.dll | InitializeCriticalSectionAndSpinCount | 16781512
KERNEL32.dll | TerminateProcess | 16781516
KERNEL32.dll | GetCurrentProcess | 16781520
KERNEL32.dll | GetLastError | 16781524
KERNEL32.dll | WaitForMultipleObjects | 16781528
KERNEL32.dll | GetCurrentThreadId | 16781532
KERNEL32.dll | WaitForSingleObject | 16781536
KERNEL32.dll | DuplicateHandle | 16781540
KERNEL32.dll | Sleep | 16781544
KERNEL32.dll | CreateThread | 16781548
KERNEL32.dll | UnmapViewOfFile | 16781552
KERNEL32.dll | GetVersionExW | 16781556
KERNEL32.dll | LocalFree | 16781564
KERNEL32.dll | MapViewOfFile | 16781568
KERNEL32.dll | CreateFileMappingW | 16781572
KERNEL32.dll | OpenFileMappingW | 16781576
KERNEL32.dll | OpenEventW | 16781580
KERNEL32.dll | lstrlenW | 16781584
KERNEL32.dll | GetModuleFileNameW | 16781588
KERNEL32.dll | DebugBreak | 16781592
KERNEL32.dll | EnterCriticalSection | 16781596
KERNEL32.dll | LeaveCriticalSection | 16781600
KERNEL32.dll | TlsAlloc | 16781604
KERNEL32.dll | TlsFree | 16781608
KERNEL32.dll | ChangeTimerQueueTimer | 16781612
KERNEL32.dll | InterlockedExchange | 16781616
KERNEL32.dll | SwitchToThread | 16781620
KERNEL32.dll | CreateEventW | 16781624
KERNEL32.dll | LCMapStringW | 16781628
KERNEL32.dll | GetTickCount | 16781632
KERNEL32.dll | GetCurrentThread | 16781636
KERNEL32.dll | QueryPerformanceCounter | 16781640
KERNEL32.dll | GetSystemTimeAsFileTime | 16781644
KERNEL32.dll | UnhandledExceptionFilter | 16781648
KERNEL32.dll | SetUnhandledExceptionFilter | 16781652
KERNEL32.dll | GetModuleHandleA | 16781656
KERNEL32.dll | GetStartupInfoA | 16781660
KERNEL32.dll | GetCommandLineW | 16781668
USER32.dll | PostMessageW | 16781752
USER32.dll | DefWindowProcW | 16781756
USER32.dll | DeleteMenu | 16781760
USER32.dll | GetSystemMenu | 16781764
USER32.dll | UpdateWindow | 16781768
USER32.dll | ShowWindow | 16781772
USER32.dll | CreateWindowExW | 16781776
USER32.dll | RegisterClassW | 16781780
USER32.dll | LoadCursorW | 16781784
USER32.dll | MsgWaitForMultipleObjectsEx | 16781788
USER32.dll | MsgWaitForMultipleObjects | 16781792
USER32.dll | PeekMessageW | 16781796
USER32.dll | GetMessageW | 16781800
USER32.dll | TranslateMessage | 16781804
USER32.dll | DispatchMessageW | 16781808
USER32.dll | DestroyWindow | 16781812
USER32.dll | UnregisterClassW | 16781816
USER32.dll | LoadIconW | 16781820
ntdll.dll | NtQuerySystemInformation | 16781944
ntdll.dll | wcstol | 16781948
ntdll.dll | wcsncpy | 16781952
wbemcomn.dll | ?DebugTrace@@YAHDPBDZZ | 16782032
wbemcomn.dll | ?ErrorTrace@@YAHDPBDZZ | 16782036
FastProx.dll | ?New@CWbemCallSecurity@@SGPAV1@XZ | 16781452
NCObjAPI.DLL | WmiCreateObjectWithFormat | 16781680
NCObjAPI.DLL | WmiEventSourceDisconnect | 16781684
NCObjAPI.DLL | WmiDestroyObject | 16781688
NCObjAPI.DLL | WmiSetAndCommitObject | 16781692
NCObjAPI.DLL | WmiEventSourceConnect | 16781696
OLEAUT32.dll | | 16781704
OLEAUT32.dll | | 16781708
OLEAUT32.dll | | 16781712
OLEAUT32.dll | | 16781716
OLEAUT32.dll | | 16781720
OLEAUT32.dll | | 16781724
OLEAUT32.dll | | 16781728
OLEAUT32.dll | | 16781732
OLEAUT32.dll | | 16781736
ole32.dll | CoImpersonateClient | 16781960
ole32.dll | CoGetInterfaceAndReleaseStream | 16781964
ole32.dll | CoMarshalInterThreadInterfaceInStream | 16781968
ole32.dll | CoCreateGuid | 16781972
ole32.dll | CoGetClassObject | 16781976
ole32.dll | CLSIDFromString | 16781980
ole32.dll | StringFromGUID2 | 16781984
ole32.dll | CoUninitialize | 16781988
ole32.dll | CoRevertToSelf | 16781992
ole32.dll | CoSwitchCallContext | 16781996
ole32.dll | CoGetCallContext | 16782000
ole32.dll | CoCreateInstance | 16782004
ole32.dll | CoRegisterClassObject | 16782008
ole32.dll | CoFreeUnusedLibrariesEx | 16782012
ole32.dll | CoInitializeEx | 16782016
ole32.dll | CoInitializeSecurity | 16782020
ole32.dll | CoRevokeClassObject | 16782024

Registry Activity
Created Keys
Created Key | PID | Access List | Option List
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | 1592(Proforma%20Invoice.exe) | CREATE_SUB_KEY,ENUMERATE_SUB_KEYS,QUERY_VALUE,READ_CONTROL,NOTIFY,SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\Siah | 916(Proforma%20Invoice.exe) | QUERY_VALUE,SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\Software\Microsoft\Windows\Currentversion\Run | 428(winlogon.exe) | SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\Software\Microsoft\Windows\Currentversion\Run | 492(lsass.exe) | SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\Software\Microsoft\Multimedia\Audio Compression Manager\ | 1352(Explorer.EXE) | READ_CONTROL,CREATE_SUB_KEY,SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\News | 1352(Explorer.EXE) | MAXIMUM_ALLOWED | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\Rules | 1352(Explorer.EXE) | MAXIMUM_ALLOWED | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\RULES\Mail | 1352(Explorer.EXE) | NO

Modified Keys
Modified Key | PID | Value Name | Data
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | CKJK8C1OVbgqIDnTw2uEtLX8YAcESUne11GUjxuPFirvMkcgVxxVpuG5C003kKXK8+Zui1M+9mwB768e4ozm9N9ARGiTbnDttjqFJp9M+gg=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | km/n2XArwzgXr3ee+ngp3/PDPnU5Gbr9LIP5wI4oXgncB98lqW3NIYNsKp06MXUpr5yQjx/F78e/hdEKU5pLqgwInt581VaqFUt3omtvNIY=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | 8wxI5YmO689WSb4TQl5pfN8/7qxCvBoSvQE7zDd6RXTB8KBd9MHQQkPPskDc+sM1NnNJnCc0e2mUlD4IYRuD6QfAfyf68uRjX4Y8usQmhsM=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | i7cQwh8YMveJ4BD0uDBZ6Q9KGOXiBpPxfjRLzPaaQFB2il+CuEOEvQfVOEBDwhwEahdACnUszDI3AgwF5lCW+qkbu2kVVNfrJQ+DbK1lbDk=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | VpM4tkgInewFkDflKOsW0fEQVdbEQIMGs8QDBkEIY6ZZrEW9TRos0kKYal70rftHs9hmOcc+3VUgxSBG3U/mGzyrZxWW37sc1EY6Xy5mzK0=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | Tl9YsOXJ5ametPR1dhhEIxOfpRYIc3NwJ+TQmJxDIg6lePDnqtXHOSHZ4KYrprk8jTOJqWBk6axMXiADNRd4qEtiL2t1FqIQjAArolqIZAI=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | 5RO+vlR6MdigNebJkuV2H1vL3NXcLwC9oJH5yAf9XJR8bdwn6YQJ/ccIYpcumLB0FBQuBM0yvq5E60qr967ZtOemHhAu/aooP6Nc18E19Hw=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | GGrIgRSnjemAaS9NurOsnMHD4Yd8S+rKYMJ48eqAVVEkOncx27CXRicLiHzZHVN0pjtod3yV1sOi/nwWF8wStlSQFwFEyYU8+6B7GbSU1aw=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{1209A444-8D68-11E1-9FE0-806D6172696F} | 1592(Proforma%20Invoice.exe) | BaseClass | Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{3F424040-87AB-11E2-9D93-806D6172696F} | 1592(Proforma%20Invoice.exe) | BaseClass | Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{75EF541F-D065-11E1-AC7A-525400123456} | 1592(Proforma%20Invoice.exe) | BaseClass | Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS | 1592(Proforma%20Invoice.exe) | Startup | C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 916(Proforma%20Invoice.exe) | Seed | s17TAaYIu1X47EUO4tQm9iefujFVKOJYIbGlHB4AvTcL9/7kKnkAjm76QrazZUstIV07KQ8ZbBqt3mI/efU5FOdT/i2E4+8E1iHDC3qv8KI=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS | 916(Proforma%20Invoice.exe) | AppData | C:\Documents and Settings\Joe Maldive\Application Data
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1800(cmd.exe) | Seed | pmczXs0lTmdNDkTAi6wR4sDe1VzGUDYWoHrwMJuHA+biYzO3sRPvYgB6bPZ32yAnfUXe2itG1AOMzrZ58DAQmyzLKKYkUpsG0m/E3O2RD4w=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MENUORDER\START MENU
1352(Explorer.EXE)
Order
CAAAAAIAAAAAAgAAAQAAAAMAAADSAAAAAAAAAMQAAABBdWdNAgAAAAEAAACyADIARwYAAHg+yoAgAFNFVFBST34xLkxOSwAAiAADAAQA7754PsqAk0IkvRQAXABTAGUAdAAgAFAAcgBvAGcAcgBhAG0AIABBAGMAYwBlAHMAcwAgAGEAbgBkACAARABlAGYAYQB1AGwAdABzAC4AbABuAGsAAABAQzpcV0lORE9XU1xzeXN0ZW0zMlx4cHNwMXJlcy5kbGwsLTEwMDc3AAAcAA4AAAAKAO++AQAAABwAAAAAAAAAAACcAAAAAQAAAI4AAABBdWdNAgAAAAEAAAB8ADIAjgEAAHg+yoAgAFdJTkRPV34yLkxOSwAAUgADAAQA7754PsqAk0IkvRQAPABXAGkAbgBkAG8AdwBzACAAQwBhAHQAYQBsAG8AZwAuAGwAbgBrAAAAQHNoZWxsMzIuZGxsLC0yMjA3NQAcAA4AAAAKAO++AQAAABwAAAAAAAAAAACGAAAAAgAAAHgAAABBdWdNAgAAAAEAAABmADIA4wUAAHg+7IQgAFdJTkRPV34xLkxOSwAAPAADAAQA7754PsqAk0IkvRQAAABXAGkAbgBkAG8AdwBzACAAVQBwAGQAYQB0AGUALgBsAG4AawAAABwADgAAAAoA774BAAAAHAAAAAAAAAAAAA==
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
1352(Explorer.EXE)
{832A9606-32CE-FE22-A0DC-76831BAE1BEB}
"C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS
1352(Explorer.EXE)
Directory
C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS
1352(Explorer.EXE)
Paths
4
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH1
1352(Explorer.EXE)
CachePath
C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache1
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH2
1352(Explorer.EXE)
CachePath
C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache2
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH3
1352(Explorer.EXE)
CachePath
C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache3
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH4
1352(Explorer.EXE)
CachePath
C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache4
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH1
1352(Explorer.EXE)
CacheLimit
81830
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH2
1352(Explorer.EXE)
CacheLimit
81830
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
1352(Explorer.EXE)
Common AppData
C:\Documents and Settings\All Users\Application Data
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
1352(Explorer.EXE)
AppData
C:\Documents and Settings\Joe Maldive\Application Data
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
1352(Explorer.EXE)
MigrateProxy
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
1352(Explorer.EXE)
ProxyEnable
0
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
1352(Explorer.EXE)
ProxyEnable
0
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
1352(Explorer.EXE)
SavedLegacySettings
PAAAADkAAAABAAAAAAAAAAAAAAAAAAAABAAAAAAAAADQA5TMQOrLAQEAAAAKAAIPAAAAAAAAAAA=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS
1352(Explorer.EXE)
ConnectionSettingsMigrated
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
VerStamp
3
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
SpellDontIgnoreDBCS
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL
1352(Explorer.EXE)
Welcome Message
AQAAAA==
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL
1352(Explorer.EXE)
Accounts Checked
AAAAAA==
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS
1352(Explorer.EXE)
AssociatedID
luzweuPxYUKccOYRWE4WuQ==
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER
1352(Explorer.EXE)
Server ID
4
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
StoreMigratedV5
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
ConvertedToDBX
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
Settings Upgraded
7
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL
1352(Explorer.EXE)
Safe Attachments
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL
1352(Explorer.EXE)
Secure Safe Attachments
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
Running
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
Store Root
%UserProfile%\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WAB\WAB4
1352(Explorer.EXE)
OlkContactRefresh
0
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WAB\WAB4
1352(Explorer.EXE)
OlkFolderRefresh
0
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL
1352(Explorer.EXE)
Welcome Message
0
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
SpoolerDlgPos
LAAAAAAAAAABAAAA/////////////////////5wAAABaAAAAhAIAAO0AAAA=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
SpoolerTack
0
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
1352(Explorer.EXE)
Compact Check Count
1
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\SIAH
1352(Explorer.EXE)
Wevohi
QM7LaebONjLfUzsKj/sQmzUrnYQPJufNSwJfiFr02fBKeG3an4Hq98FI204I7zzSfZkG7S1+kgOSZbr12hoTYBQLaGvDhNs7Smwl5IqPVaNsmFGMkFqIyOs5JNIPbeE2IZj8YoxARNnYBJTOHNqJkaeqVfo=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\SIAH
1352(Explorer.EXE)
Wevohi
QM7LaebONjLfUzsKj/sQmzUrnYQPJufNSwJfiFr02fBKeG3an4Hq98FI204I7zzSfZlDkC1+kgOSZbr12hoTYBQLaGvDhNs7Smwl5IqPVaNsmFGMkFqIyOs5JNIPbeE2IZj8YoxARNnYBJTOHNqJkaeqVfo=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
1352(Explorer.EXE)
SavedLegacySettings
PAAAADoAAAABAAAAAAAAAAAAAAAAAAAABAAAAAAAAADQA5TMQOrLAQEAAAAKAAIPAAAAAAAAAAA=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER
748(svchost.exe)
TracesProcessed
19
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER
748(svchost.exe)
TracesSuccessful
5
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER
748(svchost.exe)
LastTraceFailure
4
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER
748(svchost.exe)
TracesProcessed
20
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393}
748(svchost.exe)
DhcpRetryStatus
2
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
dnB1uWVYV8C/XiPZ/lM0uxjN3S9TijbBeLYa4lFHw0QgddwgA3/FAGMPm1RL4MmYW1EVKMXg7DNDu4covfQIHvZ5gxIyvDolH5fa5lJq8+Y=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
ESJ8JrtSEddOs2/iHYSrno3iAIxTx6n9SJns3GoTuHTEUt41K+m6Cz9w6LePJie6x4KrTiKvTmyixeMgY48LYVwKvjsqijMmvUDXbRH1kaU=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
Eq2oI4Ph5E0eg88JSAIboHnCV5GqmWgWchX7bxOPzDFxd/dROaHboFbowMegoOOQrMm7PSE0NiWwcRJSoD8aifeq9POV/0/Z445I+PY6ISI=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
mAlHRi1mqBnrRpcvXiCa9G58z70P9MJG0GQK/JL+I6Fl9Dox7mLlgsOT4XWU8XKvdRPzubDVHmCBQab80Cu56ozFLH+Q0XiUta9jC0B2g3s=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
NakXEttKDZZ6wNNN6BsBoBAZD28t9GWUqY34Jtahy+WPJv4Ws9yvXKaaWQ56Kvn2HUm2HGUbLJLcgbtuNqhpCOImN4kGmjshiK3JHrwOjao=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
25KNt4vjrJImgvojrb4XhfaYvplXB//IneFpmKwOznBsEUmp4Cxu+P8QefUpI5Yc9nwP2PAKGpIZzvjovbVPq/gobpmfbNgvg8FqZ0kneq8=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
4+l3KUUA1Yd4iBV4zgFo4lST4BLhLv7MnUcti64/fU5udMRcXdysRODyG+IdycjFbLtUyXPYYcgNhdBZQHsCU346vNoxhxEr4cJ6Bq1FEvI=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
1732(somi.exe)
Seed
TwrYotvpQtG/wybfLZcHI9EVPkEMDuLxCX38a33WEAo6Zw183gSRmmKV0A4OfHjVixQhH2U3ewN3/ABLJAr/AZf69IA0FXh9Xf+Z/5kcY24=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{1209A444-8D68-11E1-9FE0-806D6172696F}
1732(somi.exe)
BaseClass
Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{3F424040-87AB-11E2-9D93-806D6172696F}
1732(somi.exe)
BaseClass
Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{75EF541F-D065-11E1-AC7A-525400123456}
1732(somi.exe)
BaseClass
Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
1732(somi.exe)
Startup
C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup
Filesystem Activity

| Path | PID (Process) | Action |
| --- | --- | --- |
| `\??\C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp` | 1592(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe` | 1592(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Viryq` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Ryry` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\debug.txt` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Folders.dbx` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Cookies\joe maldive@google[1].txt` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Offline.dbx` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Inbox.dbx` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Ryry\etefu.toe` | 1352(Explorer.EXE) | Created |
| `\??\C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp` | 1732(somi.exe) | Created |
| `\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe` | 1592(Proforma%20Invoice.exe) | Deleted |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1592(Proforma%20Invoice.exe) | Deleted |
| `\lsarpc` | 1592(Proforma%20Invoice.exe) | Deleted |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp` | 1592(Proforma%20Invoice.exe) | Deleted |
| `\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 916(Proforma%20Invoice.exe) | Deleted |
| `\debug.txt` | 916(Proforma%20Invoice.exe) | Deleted |
| `\lsarpc` | 916(Proforma%20Invoice.exe) | Deleted |
| `\debug.txt` | 1704(somi.exe) | Deleted |
| `\lsarpc` | 1704(somi.exe) | Deleted |
| `\lsass` | 492(lsass.exe) | Deleted |
| `\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\webhp[1].htm` | 1352(Explorer.EXE) | Deleted |
| `\lsarpc` | 1352(Explorer.EXE) | Deleted |
| `\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm` | 1352(Explorer.EXE) | Deleted |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@google[2].txt` | 1352(Explorer.EXE) | Deleted |
| `\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\config[1].bin` | 1352(Explorer.EXE) | Deleted |
| `\debug.txt` | 1352(Explorer.EXE) | Deleted |
| `\Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab` | 1352(Explorer.EXE) | Deleted |
| `\ROUTER` | 748(svchost.exe) | Deleted |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1732(somi.exe) | Deleted |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp` | 1732(somi.exe) | Deleted |
| `\lsarpc` | 1732(somi.exe) | Deleted |
| `\temp\Proforma%20Invoice.exe` | 1592(Proforma%20Invoice.exe) | Read |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp` | 1592(Proforma%20Invoice.exe) | Read |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1592(Proforma%20Invoice.exe) | Read |
| `\lsarpc` | 1592(Proforma%20Invoice.exe) | Read |
| `\temp\Proforma%20Invoice.exe` | 916(Proforma%20Invoice.exe) | Read |
| `\lsarpc` | 916(Proforma%20Invoice.exe) | Read |
| `\lsarpc` | 1704(somi.exe) | Read |
| `\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 1704(somi.exe) | Read |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\tmpeaaff6e6.bat` | 1800(cmd.exe) | Read |
| `\WINDOWS\Prefetch\CMD.EXE-087B4001.pf` | 1800(cmd.exe) | Read |
| `\lsass` | 492(lsass.exe) | Read |
| `\WINDOWS\system32\rsaenh.dll` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\All Users\Start Menu\desktop.ini` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.microsoft[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Start Menu\Programs\desktop.ini` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@mathtag[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@dl.javafx[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@crowdscience[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@c.atdmt[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@forums.adobe[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.ugdturner[1].txt` | 1352(Explorer.EXE) | Read |
| `\lsarpc` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@mediaplex[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Application Data\Ryry\etefu.tmp` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@ad.wsod[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@c.msn[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@sun[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@live[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.cnn[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@dpm.demdex[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@c.bing[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.java[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\All Users\Start Menu\Programs\desktop.ini` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@brighthub[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@translate.googleapis[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@tweetmeme[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@exp.www.msn[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@exelator[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@twitter[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@voicefive[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@ziffdavis.demdex[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@contextweb[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@technet.microsoft[2].txt` | 1352(Explorer.EXE) | Read |
| `\AUTOEXEC.BAT` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@labnol[2].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@m.webtrends[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@download.mozilla[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@java[1].txt` | 1352(Explorer.EXE) | Read |
| `\Documents and Settings\Joe Maldive\Cookies\joe maldive@adbrite[2].txt` | 1352(Explorer.EXE) | Read |
| `\ROUTER` | 748(svchost.exe) | Read |
| `\Documents and Settings\Joe Maldive\Application Data\desktop.ini` | 1732(somi.exe) | Read |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp` | 1732(somi.exe) | Read |
| `\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1732(somi.exe) | Read |
| `\lsarpc` | 1732(somi.exe) | Read |
| `\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 1732(somi.exe) | Read |
| `\WINDOWS\system32\rsaenh.dll` | 788(svchost.exe) | Read |
| `\WINDOWS\system32\drivers\etc\hosts` | 788(svchost.exe) | Read |
