Zbot Under the Hood.
Metadata
ID: b71416469446a3aa16af294fdb733f54
OS: 2600.xpsp.080413-2111
Started: Wed Sep 11 07:31:46 EDT 2013
Ended: Wed Sep 11 07:31:46 EDT 2013
Duration: 378 Seconds
Sandbox: marburg(pilot-d)
File name: Proforma%20Invoice.exe
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Analyzed As: exe
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
SHA1: fe43dbd7232de304b84c538fb461f05537ba65ab
MD5: e8c10d6aeecd5c39b1bf04797138933b
Fast flux is a DNS technique used by botnets to maintain a resilient command and control infrastructure of compromised hosts acting as proxies. It is characterized by many individual nodes registering and de-registering their addresses in the A record list for a single DNS name, each record carrying a very short TTL (time to live), usually under five minutes, so that the set of destination addresses behind that one name changes constantly. See the 'DNS' section under 'Network Analysis' for the associated traffic; the network PCAP provides the full stream.

Read this hit with care. The records that triggered it are the five A records for www.google.com, all inside 173.194.43.16-20 with a 300-second TTL: ordinary round-robin load balancing within one contiguous address block, not a flux network of scattered compromised hosts. The domain the sample actually contacts, akeemtrade.biz, resolved to a single A record (199.79.62.19) with a 14400-second TTL.
Categories: persistence
Tags: network, ttl, dns, fast flux, command and control
Query Data | Answer Data | Query ID | Answer Type | TTL
www.google.com | 173.194.43.19 | 40407 | A | 300
www.google.com | 173.194.43.18 | 40407 | A | 300
www.google.com | 173.194.43.17 | 40407 | A | 300
www.google.com | 173.194.43.16 | 40407 | A | 300
www.google.com | 173.194.43.20 | 40407 | A | 300
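As an added example (not part of the original report), the report's fast flux heuristic and a refinement applied to this run's own DNS answers. The records are transcribed from the DNS section; the thresholds, the /24 spread check and the flux.example record set are assumptions constructed to show the contrast between round-robin and flux:

```python
"""Fast-flux triage over DNS answers, applied to this report's records.

Added example, not part of the sandbox report.  DNS_ANSWERS is transcribed
from the report's DNS section; thresholds and SYNTHETIC_FLUX are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Transcribed from the report: (query name, query id, answer IP, TTL seconds).
DNS_ANSWERS = [
    ("www.google.com", 40407, "173.194.43.19", 300),
    ("www.google.com", 40407, "173.194.43.18", 300),
    ("www.google.com", 40407, "173.194.43.20", 300),
    ("www.google.com", 40407, "173.194.43.17", 300),
    ("www.google.com", 40407, "173.194.43.16", 300),
    ("akeemtrade.biz", 38241, "199.79.62.19", 14400),
]

# Assumed thresholds mirroring the report's description: several A records
# and a TTL of at most five minutes (300 s taken as the inclusive boundary).
MIN_RECORDS = 5
MAX_TTL = 300


def group_answers(answers):
    """Collect, per name, the set of answer IPs and the smallest TTL seen."""
    per_name = defaultdict(lambda: {"ips": set(), "min_ttl": None})
    for name, _qid, ip, ttl in answers:
        entry = per_name[name]
        entry["ips"].add(ip_address(ip))
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return per_name


def naive_fast_flux(answers):
    """The report's rule: >= MIN_RECORDS A records with TTL <= MAX_TTL."""
    hits = []
    for name, entry in group_answers(answers).items():
        if len(entry["ips"]) >= MIN_RECORDS and entry["min_ttl"] <= MAX_TTL:
            hits.append(name)
    return sorted(hits)


def prefix_count(ips, prefixlen=24):
    """Number of distinct /prefixlen networks the answer IPs fall into."""
    return len({ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips})


def refined_fast_flux(answers, min_prefixes=3):
    """Same rule, plus a spread requirement (assumption): flux nodes are
    scattered compromised hosts, so their IPs should span several /24s,
    whereas a CDN or round-robin pool usually sits in one block."""
    hits = []
    for name, entry in group_answers(answers).items():
        if (len(entry["ips"]) >= MIN_RECORDS
                and entry["min_ttl"] <= MAX_TTL
                and prefix_count(entry["ips"]) >= min_prefixes):
            hits.append(name)
    return sorted(hits)


# Constructed (not observed) answer set showing what a flux-like set looks like:
# five addresses across three unrelated /24s with a two-minute TTL.
SYNTHETIC_FLUX = [
    ("flux.example", 1, "203.0.113.7", 120),
    ("flux.example", 1, "198.51.100.44", 120),
    ("flux.example", 1, "192.0.2.91", 120),
    ("flux.example", 1, "203.0.113.210", 120),
    ("flux.example", 1, "198.51.100.9", 120),
]

if __name__ == "__main__":
    print("naive:", naive_fast_flux(DNS_ANSWERS))           # ['www.google.com']
    print("refined:", refined_fast_flux(DNS_ANSWERS))       # []
    print("refined, synthetic:", refined_fast_flux(SYNTHETIC_FLUX))  # ['flux.example']
```

The naive rule reproduces the report's false positive on www.google.com; the spread check discards it because all five answers share 173.194.43.0/24, while the constructed flux set, spread over three blocks, still fires. A spread threshold is a coarse proxy for what you really want (ASN or geography diversity), so treat it as a triage filter, not a verdict.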
Process Created a File in the Windows Startup Folder
Severity: 80  Confidence: 50
A new file was added to this user's Startup folder so that it runs at every logon of that user. Review the 'Disk Artifacts' section for details of the file.
Categories: persistence
Tags: startup, file, folder, process, autorun
Process ID | Process Name | Path
1592 | Proforma%20Invoice.exe | \Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe
Outbound HTTP POST Communications
Severity: 25  Confidence: 25
Outbound HTTP POST to a remote server was detected. This is not inherently suspicious, but malware often uses POSTs to check in to its command and control servers after infection or to upload or exfiltrate data. See the 'HTTP' section under 'Network Analysis' for the associated traffic; the network PCAP provides the full stream.
Categories: exfiltration, fingerprinting
Tags: network, http, post
Network Stream | Method | URL
6 | POST | http://akeemtrade.biz:80/html/install/gate.php
5 | POST | http://akeemtrade.biz:80/html/install/gate.php

Both POSTs follow the download below, which is the request to watch: a 34428-byte application/octet-stream body fetched from the same host in the same second the DNS answer for it arrived (07:33:55). The URL is written defanged because it was still live at the time of writing.
GET h00p://akeemtrade[.]biz:80/html/install/config[.]bin (Warning!! Alive)
Stream: 3  Transaction: 0
Server IP | Server Port | Transport | Method | URL
199.79.62.19 | 80 | TCP | GET | http://akeemtrade.biz:80/html/install/config.bin
Request, Wed Sep 11 07:33:55 EDT 2013. Actual encoding: (none recorded). Actual content-type: application/x-empty
Header | Value
cache-control | no-cache
connection | Close
host | akeemtrade.biz
accept | */*
user-agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Response, Wed Sep 11 07:33:55 EDT 2013. Actual encoding: windows-1252. Actual content-type: application/octet-stream
Header | Value
content-type | application/octet-stream
connection | close
etag | "1cb074c-867c-4e448153dea00"
last-modified | Mon, 19 Aug 2013 07:42:32 GMT
content-length | 34428
server | Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
accept-ranges | bytes
date | Wed, 11 Sep 2013 11:34:12 GMT
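An added example, not from the report: pairing the binary configuration download with the binary POSTs to gate.php on the same host, using the four transactions transcribed from the report's HTTP section. The pairing rule, the ten-minute window and the HttpTx record shape are assumptions; the sandbox's "Actual Content-type" fields are used as the body-type signal.

```python
"""Pair a binary download with later binary POSTs to the same host.

Added example, not part of the sandbox report.  TRANSACTIONS is transcribed
from the report's HTTP section; the pairing rule itself is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class HttpTx:
    ts: datetime
    method: str
    host: str
    path: str
    req_ctype: str   # sandbox "Actual Content-type" of the request body
    resp_ctype: str  # sandbox "Actual Content-type" of the response body
    req_len: int     # request Content-Length, 0 when absent


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Transcribed from the report (EDT timestamps, 11 Sep 2013).
TRANSACTIONS = [
    HttpTx(parse_ts("2013-09-11 07:33:55"), "GET", "akeemtrade.biz", "/html/install/config.bin",
           "application/x-empty", "application/octet-stream", 0),
    HttpTx(parse_ts("2013-09-11 07:34:03"), "GET", "www.google.com", "/webhp",
           "application/x-empty", "text/html", 0),
    HttpTx(parse_ts("2013-09-11 07:34:06"), "POST", "akeemtrade.biz", "/html/install/gate.php",
           "application/octet-stream", "application/octet-stream", 274),
    HttpTx(parse_ts("2013-09-11 07:35:01"), "POST", "akeemtrade.biz", "/html/install/gate.php",
           "application/octet-stream", "application/octet-stream", 12538),
]

BINARY = "application/octet-stream"


def binary_posts(txs):
    """POSTs whose request body the sandbox typed as raw binary."""
    return [tx for tx in txs if tx.method == "POST" and tx.req_ctype == BINARY]


def config_then_gate(txs, window_s=600):
    """Assumed rule: a GET that returned a binary body, followed within
    window_s seconds by POSTs with binary bodies to the same host.
    Returns [(host, config path, [gate paths...])] in first-seen order."""
    last_binary_get = {}   # host -> most recent binary GET
    hits = {}
    for tx in sorted(txs, key=lambda x: x.ts):
        if tx.method == "GET" and tx.resp_ctype == BINARY:
            last_binary_get[tx.host] = tx
        elif tx.method == "POST" and tx.req_ctype == BINARY:
            cfg = last_binary_get.get(tx.host)
            if cfg is not None and (tx.ts - cfg.ts).total_seconds() <= window_s:
                hits.setdefault((tx.host, cfg.path), []).append(tx.path)
    return [(host, path, paths) for (host, path), paths in hits.items()]


def largest_upload(txs):
    """The biggest binary POST body: the first thing to carve from the PCAP
    when the report tags the traffic as exfiltration."""
    posts = binary_posts(txs)
    return max(posts, key=lambda tx: tx.req_len) if posts else None


if __name__ == "__main__":
    for host, cfg, gates in config_then_gate(TRANSACTIONS):
        print(f"{host}: {cfg} then {len(gates)} binary POST(s) to {sorted(set(gates))}")
    up = largest_upload(TRANSACTIONS)
    print(f"largest upload: {up.req_len} bytes to {up.host}{up.path}")
```

Here the google.com GET is ignored (HTML response, no POST), and the two gate.php POSTs are tied back to config.bin; the 12538-byte second POST is the body worth extracting from the capture. The rule keys on body type rather than on the .php/.bin names, so it does not depend on this particular panel layout.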
Command Exe File Execution Detected
Severity: 50  Confidence: 80
A process executed a file using cmd.exe. Malware authors often launch batch or shell scripts that use the Windows shell utilities; other uses include launching an interactive command shell. Here the batch file sits in the user's Temp directory under a generated-looking name (tmpeaaff6e6.bat), so its contents are the next thing to look for among the disk artifacts.
Categories: (none)
Tags: process, file, create, launch
Process ID | Process Name | Command Line | Path
1800 | cmd.exe | "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\tmpeaaff6e6.bat" | _0
Executable Imported the IsDebuggerPresent Symbol
Severity: 20  Confidence: 20
The IsDebuggerPresent function lets a process check whether a debugger is attached to it. Malware authors often check for a debugger because its presence indicates that the sample is being analysed; the malware may refuse to run, or behave differently, when one is present, to make its behaviour harder to reverse-engineer. On its own this is not an indicator of malicious activity, since many legitimate programs import the function.
Categories: obfuscation, anti-reversing
Tags: process, artifact, static, import, PE
Artifact ID | Path
6 | \Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe
2 | \Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe
3 | \temp\Proforma%20Invoice.exe
1 | Proforma%20Invoice.exe
Process Created an Executable in a User Directory
Severity: 60  Confidence: 95
Malware often creates a new executable in a user directory such as 'Local Settings' or 'Application Data' to hide its presence on the system, frequently under a name resembling a common system or user file so that the user takes it for a legitimate one. Review the 'Disk Artifacts' section for details of the file.
Categories: persistence, obfuscation
Tags: executable, file, process, PE
Process ID | Process Name | Path
1592 | Proforma%20Invoice.exe | C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe
916 | Proforma%20Invoice.exe | C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe
Process Modified File in a User Directory
Severity: 70  Confidence: 80
Malware modifies files in user directories to hide logs or other evidence, to disable functionality that might detect or hamper it, or to disguise an executable as a legitimate file. Review the 'Disk Artifacts' section for details of these files.
Note which process writes what: the Internet Explorer cache entries config[1].bin, gate[1].htm and webhp[1].htm are written by Explorer.EXE (PID 1352), which ties the HTTP traffic in the network section to Explorer rather than to the dropper, and the same Explorer process rewrites the user's Address Book (Joe Maldive.wab).
Categories: persistence, obfuscation
Tags: executable, file, process
Process ID | Process Name | Path
1592 | Proforma%20Invoice.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp
1732 | somi.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm
1592 | Proforma%20Invoice.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\webhp[1].htm
916 | Proforma%20Invoice.exe | \Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe
1732 | somi.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab
1352 | Explorer.EXE | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\config[1].bin
Process Modified Autorun Registry Key Value
Severity: 80  Confidence: 60
Autorun registry keys load applications when Windows starts or a user logs on, and malware often uses them to maintain persistence on the host. The values to examine live under the Run, RunOnce, RunServices, RunServicesOnce, RunOnceEx and RunOnce\Setup subkeys; the value data gives the location of the program that will be loaded.
Note which process wrote the value: Explorer.EXE (PID 1352), not the dropper. The Registry Activity section shows the same per-user Run key also being opened for SET_VALUE by winlogon.exe (PID 428) and lsass.exe (PID 492), neither of which has any business writing a user's Run key. Memory artifacts for PIDs 428 and 1352 are listed under Artifacts and are the place to look next.
Categories: persistence
Tags: process, autorun, registry
Process ID | RegKey Value Name | RegKey Data Type | RegKey Name | Process Name | RegKey Data
1352 | {832A9606-32CE-FE22-A0DC-76831BAE1BEB} | SZ | USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Explorer.EXE | "C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"s\\0
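The four host-side indicators above (a file in the Startup folder, cmd.exe launching a batch file from Temp, an executable dropped in a user directory, and a Run value pointing at it) as one triage pass over sandbox-style events. This is an added example, not the sandbox's own logic; the events are transcribed from the report's tables, while the event record shape, the path patterns and the rule names are assumptions.

```python
"""Host persistence triage over sandbox events from this report.

Added example, not part of the sandbox report.  EVENTS is transcribed from
the report's process, file and registry tables; the Event shape, the regular
expressions and the rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    kind: str       # "file_write", "reg_set" or "proc_create"
    target: str     # file path, registry value path, or command line
    data: str = ""  # registry value data when kind == "reg_set"


# Transcribed from the report (Windows XP paths, user profile "Joe Maldive").
EVENTS = [
    Event(1592, "Proforma%20Invoice.exe", "file_write",
          r"C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe"),
    Event(916, "Proforma%20Invoice.exe", "file_write",
          r"C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"),
    Event(1592, "Proforma%20Invoice.exe", "file_write",
          r"C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp"),
    Event(1352, "Explorer.EXE", "reg_set",
          r"HKU\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\{832A9606-32CE-FE22-A0DC-76831BAE1BEB}",
          r'"C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"'),
    Event(1800, "cmd.exe", "proc_create",
          r'"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\tmpeaaff6e6.bat"'),
]

# Assumed patterns: the per-user Startup folder, the XP profile directories the
# report names, the autorun subkeys it lists, and cmd.exe /c on a Temp batch file.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
USER_DIR = re.compile(r"\\(application data|local settings)\\", re.I)
AUTORUN_KEY = re.compile(
    r"\\currentversion\\(run|runonce|runservices|runservicesonce|runoncex|runonce\\setup)\\",
    re.I)
TEMP_BATCH = re.compile(r'cmd\.exe"?\s+/c\s+"?[^"]*\\temp\\[^"]*\.bat', re.I)
EXE = re.compile(r"\.exe$", re.I)


def triage(events):
    """Return (rule, pid, process, target) findings in event order."""
    findings = []
    for ev in events:
        if ev.kind == "file_write" and STARTUP_DIR.search(ev.target):
            findings.append(("startup_folder_file", ev.pid, ev.process, ev.target))
        elif ev.kind == "file_write" and USER_DIR.search(ev.target) and EXE.search(ev.target):
            findings.append(("exe_in_user_dir", ev.pid, ev.process, ev.target))
        elif ev.kind == "reg_set" and AUTORUN_KEY.search(ev.target):
            # Strip the quotes so the data compares directly with file paths.
            findings.append(("autorun_value", ev.pid, ev.process, ev.data.strip('"')))
        elif ev.kind == "proc_create" and TEMP_BATCH.search(ev.target):
            findings.append(("cmd_temp_batch", ev.pid, ev.process, ev.target))
    return findings


def autorun_targets_in_user_dirs(findings):
    """Autorun entries whose target itself sits in a user directory: the
    pairing this report shows (Run value -> Application Data\\Viryq\\somi.exe)."""
    return [f[3] for f in findings if f[0] == "autorun_value" and USER_DIR.search(f[3])]


def writers_other_than(findings, dropper):
    """Processes other than the dropper that produced a finding; here that is
    Explorer.EXE writing the Run value, and cmd.exe running the batch file."""
    return sorted({(f[1], f[2]) for f in findings if f[2] != dropper})


if __name__ == "__main__":
    found = triage(EVENTS)
    for rule, pid, proc, target in found:
        print(f"{rule:20} {pid:5} {proc:24} {target}")
    print("autorun -> user dir:", autorun_targets_in_user_dirs(found))
    print("non-dropper writers:", writers_other_than(found, "Proforma%20Invoice.exe"))
```

The aut1.tmp write produces no finding (a .tmp in Temp is not an executable in a profile directory), while the other four events each map to exactly one of the report's indicators. The last helper is the check worth keeping: a Run value written by a process other than the file that was submitted is the thing that turns "persistence" into "look at that process's memory".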
GET http://www.google.com:80/webhp
Server IP | Server Port | Transport | Method | URL
173.194.43.19 | 80 | TCP | GET | http://www.google.com:80/webhp
Request, Wed Sep 11 07:34:03 EDT 2013. Actual encoding: (none recorded). Actual content-type: application/x-empty
Header | Value
cache-control | no-cache
connection | Close
host | www.google.com
accept | */*
user-agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Response, Wed Sep 11 07:34:03 EDT 2013. Actual encoding: ascii. Actual content-type: text/html
Header | Value
x-frame-options | SAMEORIGIN
content-type | text/html; charset=UTF-8
p3p | CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
cache-control | private, max-age=0
connection | close
x-xss-protection | 1; mode=block
expires | -1
set-cookie | PREF=ID=667c83caea844ac8:FF=0:TM=1378899263:LM=1378899263:S=Qx8nb0MbLfVx3PwW; expires=Fri, 11-Sep-2015 11:34:23 GMT; path=/; domain=.google.com
set-cookie | NID=67=TxUdsZzb7X8Yrg_xKcRxituvtxo9un2uzb70Erp6XVU1w-GRaIsGcxtAcywQOQbDs2I4UgYqJb7xGQ_SsvfwmPxmQJ-cJ9R7fdw1REDBWpMQ0EYnGuj0Bh_yWPzaQTJ8; expires=Thu, 13-Mar-2014 11:34:23 GMT; path=/; domain=.google.com; HttpOnly
server | gws
alternate-protocol | 80:quic
date | Wed, 11 Sep 2013 11:34:23 GMT
POST http://akeemtrade.biz:80/html/install/gate.php
Server IP | Server Port | Transport | Method | URL
199.79.62.19 | 80 | TCP | POST | http://akeemtrade.biz:80/html/install/gate.php
Request, Wed Sep 11 07:34:06 EDT 2013. Actual encoding: windows-1252. Actual content-type: application/octet-stream
Header | Value
cache-control | no-cache
connection | Keep-Alive
host | akeemtrade.biz
accept | */*
content-length | 274
user-agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Response, Wed Sep 11 07:34:06 EDT 2013. Actual encoding: windows-1252. Actual content-type: application/octet-stream
Header | Value
content-type | text/html
connection | Keep-Alive
x-powered-by | PHP/5.2.17
transfer-encoding | chunked
server | Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
keep-alive | timeout=3, max=30
date | Wed, 11 Sep 2013 11:34:28 GMT
POST http://akeemtrade.biz:80/html/install/gate.php
Server IP | Server Port | Transport | Method | URL
199.79.62.19 | 80 | TCP | POST | http://akeemtrade.biz:80/html/install/gate.php
Request, Wed Sep 11 07:35:01 EDT 2013. Actual encoding: windows-1252. Actual content-type: application/octet-stream
Header | Value
cache-control | no-cache
connection | Keep-Alive
host | akeemtrade.biz
accept | */*
content-length | 12538
user-agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Response, Wed Sep 11 07:35:01 EDT 2013. Actual encoding: windows-1252. Actual content-type: application/octet-stream
Header | Value
content-type | text/html
connection | Keep-Alive
x-powered-by | PHP/5.2.17
transfer-encoding | chunked
server | Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
keep-alive | timeout=3, max=30
date | Wed, 11 Sep 2013 11:35:31 GMT
DNS Traffic
Stream: 2  Query: 38241  Transport: UDP
Query ID | Timestamp | Type | Data
38241 | Wed Sep 11 07:33:54 EDT 2013 | A | akeemtrade.biz
Answers
Query ID | Timestamp | Type | Data | TTL
38241 | Wed Sep 11 07:33:55 EDT 2013 | A | 199.79.62.19 | 14400
Stream: 2  Query: 40407  Transport: UDP
Query ID | Timestamp | Type | Data
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | www.google.com
Answers
Query ID | Timestamp | Type | Data | TTL
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.19 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.18 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.20 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.17 | 300
40407 | Wed Sep 11 07:34:03 EDT 2013 | A | 173.194.43.16 | 300
Artifacts
The report numbers artifacts in the order listed and labels only some of them; the Artifact IDs cited by the IsDebuggerPresent indicator (1, 2, 3, 6) fit that order, and their paths are taken from it.

Artifacts 1: Proforma%20Invoice.exe (the submitted sample)
Source: submitted  Imports: 16  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 1186076
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifacts 2: \Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe (same size as the submitted file, different hash)
Source: disk  Imports: 16  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 1186076
SHA256: d7ac68c5a3010eff2d56378e8e822dec804f5b27c17f4a2163148a8fdb5fb34c
MD5: fa5f2d89313f05224389375873d1c206

Artifacts 3: \temp\Proforma%20Invoice.exe (identical to the submitted file)
Source: disk  Imports: 16  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 1186076
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifacts 4
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size: 26053
SHA256: 78ca91c37ac358f9f7adb8345bb4a49e8381611321e555a0e25f3ebd2a992002
MD5: fdae3aa240078bf14a9ca01367e079df

Artifacts 5
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: ASCII text
Size: 330
SHA256: e99b492efe53844df5cbd0dee5836a42525c5d3f1a500162f8552f5b0d5219ce
MD5: 6f5c7e6633609997e9a13d4a1df825aa

Artifacts 6: \Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe (identical to the submitted file)
Source: disk  Imports: 16  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 1186076
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifacts 7: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Folders.dbx
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: MS Outlook Express DBX file, folder database
Size: 75204
SHA256: 0272ff9b0dc70fdff37d03e9d397500b3a65db9b4fbd6c9568f47cd11ec39008
MD5: dd958f1389a18772a8809d9db903cb1a

Artifacts 8: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Offline.dbx
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: MS Outlook Express DBX file, offline database
Size: 9656
SHA256: 14ff7ea3f7634352d7e787a69b997d6694ac1f8270db51ad077b24efeffbfa11
MD5: c78f0742eae95fcf92f7f1c6009d9341

Artifacts 9: /Documents and Settings/Joe Maldive/Application Data/Microsoft/Address Book/Joe Maldive.wab
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 176594
SHA256: c8ded9535f8900ad231019421fcf711e06f252127ac904a14e1fd15c9d00970f
MD5: 991c6d55cb2cf996bdb5985fccd28506

Artifacts 10
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 12150
SHA256: fa221ecf5fa9713570059ccfdedcd8e1e2ce9cd8644d395f70d386dd8e1ae182
MD5: 02458f83c3e3f0e92202a623bb52d2a9

Artifacts 11: /Documents and Settings/Joe Maldive/Application Data/Microsoft/Address Book/Joe Maldive.wab~ (same hash as artifact 9)
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 176594
SHA256: c8ded9535f8900ad231019421fcf711e06f252127ac904a14e1fd15c9d00970f
MD5: 991c6d55cb2cf996bdb5985fccd28506

Artifacts 12
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: Internet Explorer cache file version Ver 5.2
Size: 49152
SHA256: 53352349195130a01bd0f4e023a9b5d19481efc8f14f1737d3a138c4f77575c2
MD5: cf3aa327a36e2487e3ef0a5ee4abf09c

Artifacts 13: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Inbox.dbx
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: MS Outlook Express DBX file, message database
Size: 142036
SHA256: 2d4e7216ff1ba895c0dc2635edf9ca4a117ce54a0467ff2c816aa4f0b7bc8213
MD5: 47be83c580205c28a92921425c9d290a

Artifacts 14: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Sent Items.dbx
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: MS Outlook Express DBX file, message database
Size: 76500
SHA256: 37b9f67bd4301ecf6f56cbdaf697131c20441c3514f67f09510a2e700872a0ff
MD5: 5c9871500ef4f120d08456c18e04bb8c

Artifacts 15
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: ASCII text, with very long lines, with no line terminators
Size: 351234
SHA256: bedba9c52ab29f444c71a4e5d066db119ba723f01d09001ba491d644e5c89c66
MD5: 5e97f5478e0a8eeb584673adb92e2182

Artifacts 16
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 24510
SHA256: 5e72d480d453773a6bf0859e730ea59eefb88e8ac5ece1adb32fef5f041cfee5
MD5: cd23d66b54fc3d6f02dbf0f738c506ec

Artifacts 17
Source: disk  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 65536
SHA256: 1a527a23b49b171fe86457078953e134a86ccbf52ed0b2b4f1e7f30f16c878ee
MD5: 816b8681b9e3cce365448c6ce4c3f4b4

Artifacts 18 (34428 bytes, the size of the config.bin response body)
Source: network  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 34428
SHA256: 737a5a94a316ae95ee9a155531c726335f5aafc4e067da67f41962af96186424
MD5: 354b641762111cb669c5131efbc64e44

Artifacts 19
Source: network  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: HTML document, ASCII text, with very long lines
Size: 31055
SHA256: d99eb3558bade37801bc54bc446c453df57bb22b1ac8115d8a7c72fc86d6519c
MD5: b1330cfbd0d9dc8372297450cc66d226

Artifacts 20
Source: network  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 64
SHA256: cf18419178d5143a548f66be4524acefb44e44d2a334a42f12ced581294f111d
MD5: 67423769ccbe3dafb1660569aed2122b

Artifacts 21
Source: network  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: data
Size: 64
SHA256: 812b3bfdc16966abe821f0e6f46d4b08b4849527dfd4ca29a49a9ae46297c362
MD5: ae133b4fbddb539aabd0ebd0310ca5d5

Artifacts 22: related to process 480
Source: memory  Imports: 10  Exports: 0  AV Sigs: 1
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 108544
SHA256: 62592336a5a8ff004307642b6e1f3ab77423f98c67d063aca9c2b2fd3033b360
MD5: f8b5365b630d3839216dd731958c790c

Artifacts 23: related to process 428
Source: memory  Imports: 0  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 507904
SHA256: c7f1c355970569f88ff7001185f2aac92b143a4e83c919eb1f667bcfdf1154f8
MD5: 752070c7aa016e5fc9fed6d84b02bb26

Artifacts 24: related to process 788
Source: memory  Imports: 4  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 14336
SHA256: d86db08af7ff040f51ad7305e392e2cf696e97cfb671a7c492551b19a09de5b2
MD5: 9d977171d7e2c89833b537808806f4df

Artifacts 25: related to process 1352
Source: memory  Imports: 13  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 1033728
SHA256: c16eddac0250cf02e7228b194f042cc551fea6ea9c2a2bb679e6eef9f898c4aa
MD5: a1db10d544b4c063b165d2ee392c5fc0

Artifacts 26: related to process 748
Source: memory  Imports: 4  Exports: 0  AV Sigs: 0
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 14336
SHA256: 7d6b9a711fbf326e95f19e24b95f0d56ee5ad044f6f2fa5f02f5870c3b312acf
MD5: 9e12668de788d73e3dd0afdb9baca344

Artifacts 27: related to process 780
Source: memory  Imports: 10  Exports: 0  AV Sigs: 1
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 218112
SHA256: b0756163adcf10532efeba33abb298c89238d09d8929f7ba731d55648d321822
MD5: 9b3208698b43e53c05e86b472a5651d0
PE Sections
Address | Type | Virtual Size | Size | Entropy | Entropy Types
4096 | .text | 209184 | 209408 | 5.280843455233378 | [native, packed]
217088 | .data | 6936 | 6656 | 4.946809128148061 | [native]
225280 | .rsrc | 968 | 1024 | 3.2734914644890747 | [indeterminate]
Imported/Exported Symbols
This import table does not contain IsDebuggerPresent and pulls in WMI-specific libraries (wbemcomn.dll, FastProx.dll, NCObjAPI.DLL), so it cannot be the import table of the submitted dropper, which the IsDebuggerPresent indicator lists as artifact 1; read it as belonging to one of the memory artifacts above, not as the sample's import profile.
DLL | Imported Symbols | Virt. Address
msvcrt.dll | _CxxThrowException | 16781828
msvcrt.dll | ?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z | 16781832
msvcrt.dll | wcstok | 16781836
msvcrt.dll | __CxxFrameHandler | 16781840
msvcrt.dll | setlocale | 16781844
msvcrt.dll | wcslen | 16781848
msvcrt.dll | _vsnwprintf | 16781852
msvcrt.dll | _except_handler3 | 16781856
msvcrt.dll | _purecall | 16781860
msvcrt.dll | _wcsicmp | 16781864
msvcrt.dll | _c_exit | 16781868
msvcrt.dll | _exit | 16781872
msvcrt.dll | _XcptFilter | 16781876
msvcrt.dll | _cexit | 16781880
msvcrt.dll | exit | 16781884
msvcrt.dll | _acmdln | 16781888
msvcrt.dll | __getmainargs | 16781892
msvcrt.dll | _initterm | 16781896
msvcrt.dll | __setusermatherr | 16781900
msvcrt.dll | _adjust_fdiv | 16781904
msvcrt.dll | __p__commode | 16781908
msvcrt.dll | __p__fmode | 16781912
msvcrt.dll | __set_app_type | 16781916
msvcrt.dll | ??1type_info@@UAE@XZ | 16781920
msvcrt.dll | __dllonexit | 16781924
msvcrt.dll | _onexit | 16781928
msvcrt.dll | ?terminate@@YAXXZ | 16781932
msvcrt.dll | _controlfp | 16781936
ADVAPI32.dll | OpenProcessToken | 16781340
ADVAPI32.dll | OpenThreadToken | 16781344
ADVAPI32.dll | GetAclInformation | 16781348
ADVAPI32.dll | ImpersonateLoggedOnUser | 16781352
ADVAPI32.dll | RegOpenKeyExW | 16781356
ADVAPI32.dll | RegDeleteKeyW | 16781360
ADVAPI32.dll | RegCreateKeyExW | 16781364
ADVAPI32.dll | RegCloseKey | 16781368
ADVAPI32.dll | SetSecurityDescriptorOwner | 16781372
ADVAPI32.dll | SetSecurityDescriptorGroup | 16781376
ADVAPI32.dll | GetSecurityDescriptorLength | 16781380
ADVAPI32.dll | MakeSelfRelativeSD | 16781384
ADVAPI32.dll | RegDisablePredefinedCache | 16781388
ADVAPI32.dll | RevertToSelf | 16781392
ADVAPI32.dll | SetThreadToken | 16781396
ADVAPI32.dll | FreeSid | 16781400
ADVAPI32.dll | SetSecurityDescriptorDacl | 16781404
ADVAPI32.dll | AddAce | 16781408
ADVAPI32.dll | InitializeAcl | 16781412
ADVAPI32.dll | GetLengthSid | 16781416
ADVAPI32.dll | CopySid | 16781420
ADVAPI32.dll | AllocateAndInitializeSid | 16781424
ADVAPI32.dll | InitializeSecurityDescriptor | 16781428
ADVAPI32.dll | ReportEventW | 16781432
ADVAPI32.dll | RegisterEventSourceW | 16781436
ADVAPI32.dll | DeregisterEventSource | 16781440
ADVAPI32.dll | RegSetValueExW | 16781444
KERNEL32.dll | DeleteCriticalSection | 16781472
KERNEL32.dll | InterlockedCompareExchange | 16781476
KERNEL32.dll | GetProcAddress | 16781480
KERNEL32.dll | GetModuleHandleW | 16781484
KERNEL32.dll | lstrcmpiW | 16781488
KERNEL32.dll | GetCurrentProcessId | 16781492
KERNEL32.dll | CloseHandle | 16781496
KERNEL32.dll | InterlockedIncrement | 16781500
KERNEL32.dll | InterlockedDecrement | 16781504
KERNEL32.dll | SetEvent | 16781508
KERNEL32.dll | InitializeCriticalSectionAndSpinCount | 16781512
KERNEL32.dll | TerminateProcess | 16781516
KERNEL32.dll | GetCurrentProcess | 16781520
KERNEL32.dll | GetLastError | 16781524
KERNEL32.dll | WaitForMultipleObjects | 16781528
KERNEL32.dll | GetCurrentThreadId | 16781532
KERNEL32.dll | WaitForSingleObject | 16781536
KERNEL32.dll | DuplicateHandle | 16781540
KERNEL32.dll | Sleep | 16781544
KERNEL32.dll | CreateThread | 16781548
KERNEL32.dll | UnmapViewOfFile | 16781552
KERNEL32.dll | GetVersionExW | 16781556
KERNEL32.dll | LocalFree | 16781564
KERNEL32.dll | MapViewOfFile | 16781568
KERNEL32.dll | CreateFileMappingW | 16781572
KERNEL32.dll | OpenFileMappingW | 16781576
KERNEL32.dll | OpenEventW | 16781580
KERNEL32.dll | lstrlenW | 16781584
KERNEL32.dll | GetModuleFileNameW | 16781588
KERNEL32.dll | DebugBreak | 16781592
KERNEL32.dll | EnterCriticalSection | 16781596
KERNEL32.dll | LeaveCriticalSection | 16781600
KERNEL32.dll | TlsAlloc | 16781604
KERNEL32.dll | TlsFree | 16781608
KERNEL32.dll | ChangeTimerQueueTimer | 16781612
KERNEL32.dll | InterlockedExchange | 16781616
KERNEL32.dll | SwitchToThread | 16781620
KERNEL32.dll | CreateEventW | 16781624
KERNEL32.dll | LCMapStringW | 16781628
KERNEL32.dll | GetTickCount | 16781632
KERNEL32.dll | GetCurrentThread | 16781636
KERNEL32.dll | QueryPerformanceCounter | 16781640
KERNEL32.dll | GetSystemTimeAsFileTime | 16781644
KERNEL32.dll | UnhandledExceptionFilter | 16781648
KERNEL32.dll | SetUnhandledExceptionFilter | 16781652
KERNEL32.dll | GetModuleHandleA | 16781656
KERNEL32.dll | GetStartupInfoA | 16781660
KERNEL32.dll | GetCommandLineW | 16781668
USER32.dll | PostMessageW | 16781752
USER32.dll | DefWindowProcW | 16781756
USER32.dll | DeleteMenu | 16781760
USER32.dll | GetSystemMenu | 16781764
USER32.dll | UpdateWindow | 16781768
USER32.dll | ShowWindow | 16781772
USER32.dll | CreateWindowExW | 16781776
USER32.dll | RegisterClassW | 16781780
USER32.dll | LoadCursorW | 16781784
USER32.dll | MsgWaitForMultipleObjectsEx | 16781788
USER32.dll | MsgWaitForMultipleObjects | 16781792
USER32.dll | PeekMessageW | 16781796
USER32.dll | GetMessageW | 16781800
USER32.dll | TranslateMessage | 16781804
USER32.dll | DispatchMessageW | 16781808
USER32.dll | DestroyWindow | 16781812
USER32.dll | UnregisterClassW | 16781816
USER32.dll | LoadIconW | 16781820
ntdll.dll | NtQuerySystemInformation | 16781944
ntdll.dll | wcstol | 16781948
ntdll.dll | wcsncpy | 16781952
wbemcomn.dll | ?DebugTrace@@YAHDPBDZZ | 16782032
wbemcomn.dll | ?ErrorTrace@@YAHDPBDZZ | 16782036
FastProx.dll | ?New@CWbemCallSecurity@@SGPAV1@XZ | 16781452
NCObjAPI.DLL | WmiCreateObjectWithFormat | 16781680
NCObjAPI.DLL | WmiEventSourceDisconnect | 16781684
NCObjAPI.DLL | WmiDestroyObject | 16781688
NCObjAPI.DLL | WmiSetAndCommitObject | 16781692
NCObjAPI.DLL | WmiEventSourceConnect | 16781696
OLEAUT32.dll | (no symbol name recorded) | 16781704
OLEAUT32.dll | (no symbol name recorded) | 16781708
OLEAUT32.dll | (no symbol name recorded) | 16781712
OLEAUT32.dll | (no symbol name recorded) | 16781716
OLEAUT32.dll | (no symbol name recorded) | 16781720
OLEAUT32.dll | (no symbol name recorded) | 16781724
OLEAUT32.dll | (no symbol name recorded) | 16781728
OLEAUT32.dll | (no symbol name recorded) | 16781732
OLEAUT32.dll | (no symbol name recorded) | 16781736
ole32.dll | CoImpersonateClient | 16781960
ole32.dll | CoGetInterfaceAndReleaseStream | 16781964
ole32.dll | CoMarshalInterThreadInterfaceInStream | 16781968
ole32.dll | CoCreateGuid | 16781972
ole32.dll | CoGetClassObject | 16781976
ole32.dll | CLSIDFromString | 16781980
ole32.dll | StringFromGUID2 | 16781984
ole32.dll | CoUninitialize | 16781988
ole32.dll | CoRevertToSelf | 16781992
ole32.dll | CoSwitchCallContext | 16781996
ole32.dll | CoGetCallContext | 16782000
ole32.dll | CoCreateInstance | 16782004
ole32.dll | CoRegisterClassObject | 16782008
ole32.dll | CoFreeUnusedLibrariesEx | 16782012
ole32.dll | CoInitializeEx | 16782016
ole32.dll | CoInitializeSecurity | 16782020
ole32.dll | CoRevokeClassObject | 16782024
Registry Activity
Created Keys
Created Key | PID | Access List | Option List
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | 1592(Proforma%20Invoice.exe) | CREATE_SUB_KEY,ENUMERATE_SUB_KEYS,QUERY_VALUE,READ_CONTROL,NOTIFY,SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\Siah | 916(Proforma%20Invoice.exe) | QUERY_VALUE,SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\Software\Microsoft\Windows\Currentversion\Run | 428(winlogon.exe) | SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\Software\Microsoft\Windows\Currentversion\Run | 492(lsass.exe) | SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\Software\Microsoft\Multimedia\Audio Compression Manager\ | 1352(Explorer.EXE) | READ_CONTROL,CREATE_SUB_KEY,SET_VALUE | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\News | 1352(Explorer.EXE) | MAXIMUM_ALLOWED | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\Rules | 1352(Explorer.EXE) | MAXIMUM_ALLOWED | REG_OPTION_NON_VOLATILE
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\RULES\Mail | 1352(Explorer.EXE) | NO | (not recorded)

Three things stand out here. The per-user Run key is opened for SET_VALUE by winlogon.exe (428) and lsass.exe (492), system processes that never write a user's Run key on their own. The sample creates its own key, SOFTWARE\MICROSOFT\Siah, under the user hive. And Explorer.EXE (1352), the process that writes the Run value below, also creates Outlook Express 5.0 keys (News, Rules, Rules\Mail) for the user's identity; the Modified File indicator shows the same process rewriting the Address Book, and the Outlook Express .dbx stores appear as disk artifacts 7, 8, 13 and 14.

Modified Keys
The repeated writes to HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG\Seed are made by the CryptoAPI random number generator whenever a process draws random bytes; they are background noise, not sample-specific behaviour. The Shell Folders entries record the sample resolving the Startup and Application Data paths, which match its two drop locations.
Modified Key | PID | Value Name | Data
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | CKJK8C1OVbgqIDnTw2uEtLX8YAcESUne11GUjxuPFirvMkcgVxxVpuG5C003kKXK8+Zui1M+9mwB768e4ozm9N9ARGiTbnDttjqFJp9M+gg=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | km/n2XArwzgXr3ee+ngp3/PDPnU5Gbr9LIP5wI4oXgncB98lqW3NIYNsKp06MXUpr5yQjx/F78e/hdEKU5pLqgwInt581VaqFUt3omtvNIY=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | 8wxI5YmO689WSb4TQl5pfN8/7qxCvBoSvQE7zDd6RXTB8KBd9MHQQkPPskDc+sM1NnNJnCc0e2mUlD4IYRuD6QfAfyf68uRjX4Y8usQmhsM=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | i7cQwh8YMveJ4BD0uDBZ6Q9KGOXiBpPxfjRLzPaaQFB2il+CuEOEvQfVOEBDwhwEahdACnUszDI3AgwF5lCW+qkbu2kVVNfrJQ+DbK1lbDk=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | VpM4tkgInewFkDflKOsW0fEQVdbEQIMGs8QDBkEIY6ZZrEW9TRos0kKYal70rftHs9hmOcc+3VUgxSBG3U/mGzyrZxWW37sc1EY6Xy5mzK0=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | Tl9YsOXJ5ametPR1dhhEIxOfpRYIc3NwJ+TQmJxDIg6lePDnqtXHOSHZ4KYrprk8jTOJqWBk6axMXiADNRd4qEtiL2t1FqIQjAArolqIZAI=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | 5RO+vlR6MdigNebJkuV2H1vL3NXcLwC9oJH5yAf9XJR8bdwn6YQJ/ccIYpcumLB0FBQuBM0yvq5E60qr967ZtOemHhAu/aooP6Nc18E19Hw=
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1592(Proforma%20Invoice.exe) | Seed | GGrIgRSnjemAaS9NurOsnMHD4Yd8S+rKYMJ48eqAVVEkOncx27CXRicLiHzZHVN0pjtod3yV1sOi/nwWF8wStlSQFwFEyYU8+6B7GbSU1aw=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{1209A444-8D68-11E1-9FE0-806D6172696F} | 1592(Proforma%20Invoice.exe) | BaseClass | Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{3F424040-87AB-11E2-9D93-806D6172696F} | 1592(Proforma%20Invoice.exe) | BaseClass | Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{75EF541F-D065-11E1-AC7A-525400123456} | 1592(Proforma%20Invoice.exe) | BaseClass | Drive
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS | 1592(Proforma%20Invoice.exe) | Startup | C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 916(Proforma%20Invoice.exe) | Seed | s17TAaYIu1X47EUO4tQm9iefujFVKOJYIbGlHB4AvTcL9/7kKnkAjm76QrazZUstIV07KQ8ZbBqt3mI/efU5FOdT/i2E4+8E1iHDC3qv8KI=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS | 916(Proforma%20Invoice.exe) | AppData | C:\Documents and Settings\Joe Maldive\Application Data
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG | 1800(cmd.exe) | Seed | pmczXs0lTmdNDkTAi6wR4sDe1VzGUDYWoHrwMJuHA+biYzO3sRPvYgB6bPZ32yAnfUXe2itG1AOMzrZ58DAQmyzLKKYkUpsG0m/E3O2RD4w=
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MENUORDER\START MENU | 1352(Explorer.EXE) | Order | (binary data not reproduced)
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 1352(Explorer.EXE) | {832A9606-32CE-FE22-A0DC-76831BAE1BEB} | "C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS | 1352(Explorer.EXE) | Directory | C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS | 1352(Explorer.EXE) | Paths | 4
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CACHE\PATHS\PATH1
|
1352(Explorer.EXE)
|
CachePath
|
C:\Documents and
Settings\Joe Maldive\Local Settings\Temporary Internet
Files\Content.IE5\Cache1
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CACHE\PATHS\PATH2
|
1352(Explorer.EXE)
|
CachePath
|
C:\Documents and
Settings\Joe Maldive\Local Settings\Temporary Internet
Files\Content.IE5\Cache2
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CACHE\PATHS\PATH3
|
1352(Explorer.EXE)
|
CachePath
|
C:\Documents and
Settings\Joe Maldive\Local Settings\Temporary Internet
Files\Content.IE5\Cache3
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CACHE\PATHS\PATH4
|
1352(Explorer.EXE)
|
CachePath
|
C:\Documents and Settings\Joe
Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache4
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CACHE\PATHS\PATH1
|
1352(Explorer.EXE)
|
CacheLimit
|
81830
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CACHE\PATHS\PATH2
|
1352(Explorer.EXE)
|
CacheLimit
|
81830
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL
FOLDERS
|
1352(Explorer.EXE)
|
Common AppData
|
C:\Documents and
Settings\All Users\Application Data
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL
FOLDERS
|
1352(Explorer.EXE)
|
AppData
|
C:\Documents and
Settings\Joe Maldive\Application Data
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS
|
1352(Explorer.EXE)
|
MigrateProxy
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS
|
1352(Explorer.EXE)
|
ProxyEnable
|
0
|
|||
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\HARDWARE
PROFILES\0001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
|
1352(Explorer.EXE)
|
ProxyEnable
|
0
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CONNECTIONS
|
1352(Explorer.EXE)
|
SavedLegacySettings
|
PAAAADkAAAABAAAAAAAAAAAAAAAAAAAABAAAAAAAAADQA5TMQOrLAQEAAAAKAAIPAAAAAAAAAAA=
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET
ACCOUNT MANAGER\ACCOUNTS
|
1352(Explorer.EXE)
|
ConnectionSettingsMigrated
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
VerStamp
|
3
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
SpellDontIgnoreDBCS
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0\MAIL
|
1352(Explorer.EXE)
|
Welcome Message
|
AQAAAA==
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0\MAIL
|
1352(Explorer.EXE)
|
Accounts Checked
|
AAAAAA==
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET
ACCOUNT MANAGER\ACCOUNTS
|
1352(Explorer.EXE)
|
AssociatedID
|
luzweuPxYUKccOYRWE4WuQ==
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET
ACCOUNT MANAGER
|
1352(Explorer.EXE)
|
Server ID
|
4
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
StoreMigratedV5
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
ConvertedToDBX
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
Settings Upgraded
|
7
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0\MAIL
|
1352(Explorer.EXE)
|
Safe Attachments
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0\MAIL
|
1352(Explorer.EXE)
|
Secure Safe Attachments
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
Running
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
Store Root
|
%UserProfile%\Local
Settings\Application
Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook
Express\
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WAB\WAB4
|
1352(Explorer.EXE)
|
OlkContactRefresh
|
0
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WAB\WAB4
|
1352(Explorer.EXE)
|
OlkFolderRefresh
|
0
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0\MAIL
|
1352(Explorer.EXE)
|
Welcome Message
|
0
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
SpoolerDlgPos
|
LAAAAAAAAAABAAAA/////////////////////5wAAABaAAAAhAIAAO0AAAA=
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
SpoolerTack
|
0
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK
EXPRESS\5.0
|
1352(Explorer.EXE)
|
Compact Check Count
|
1
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\SIAH
|
1352(Explorer.EXE)
|
Wevohi
|
QM7LaebONjLfUzsKj/sQmzUrnYQPJufNSwJfiFr02fBKeG3an4Hq98FI204I7zzSfZkG7S1+kgOSZbr12hoTYBQLaGvDhNs7Smwl5IqPVaNsmFGMkFqIyOs5JNIPbeE2IZj8YoxARNnYBJTOHNqJkaeqVfo=
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\SIAH
|
1352(Explorer.EXE)
|
Wevohi
|
QM7LaebONjLfUzsKj/sQmzUrnYQPJufNSwJfiFr02fBKeG3an4Hq98FI204I7zzSfZlDkC1+kgOSZbr12hoTYBQLaGvDhNs7Smwl5IqPVaNsmFGMkFqIyOs5JNIPbeE2IZj8YoxARNnYBJTOHNqJkaeqVfo=
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET
SETTINGS\CONNECTIONS
|
1352(Explorer.EXE)
|
SavedLegacySettings
|
PAAAADoAAAABAAAAAAAAAAAAAAAAAAAABAAAAAAAAADQA5TMQOrLAQEAAAAKAAIPAAAAAAAAAAA=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\PREFETCHER
|
748(svchost.exe)
|
TracesProcessed
|
19
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\PREFETCHER
|
748(svchost.exe)
|
TracesSuccessful
|
5
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\PREFETCHER
|
748(svchost.exe)
|
LastTraceFailure
|
4
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\PREFETCHER
|
748(svchost.exe)
|
TracesProcessed
|
20
|
|||
REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393}
|
748(svchost.exe)
|
DhcpRetryStatus
|
2
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
dnB1uWVYV8C/XiPZ/lM0uxjN3S9TijbBeLYa4lFHw0QgddwgA3/FAGMPm1RL4MmYW1EVKMXg7DNDu4covfQIHvZ5gxIyvDolH5fa5lJq8+Y=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
ESJ8JrtSEddOs2/iHYSrno3iAIxTx6n9SJns3GoTuHTEUt41K+m6Cz9w6LePJie6x4KrTiKvTmyixeMgY48LYVwKvjsqijMmvUDXbRH1kaU=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
Eq2oI4Ph5E0eg88JSAIboHnCV5GqmWgWchX7bxOPzDFxd/dROaHboFbowMegoOOQrMm7PSE0NiWwcRJSoD8aifeq9POV/0/Z445I+PY6ISI=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
mAlHRi1mqBnrRpcvXiCa9G58z70P9MJG0GQK/JL+I6Fl9Dox7mLlgsOT4XWU8XKvdRPzubDVHmCBQab80Cu56ozFLH+Q0XiUta9jC0B2g3s=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
NakXEttKDZZ6wNNN6BsBoBAZD28t9GWUqY34Jtahy+WPJv4Ws9yvXKaaWQ56Kvn2HUm2HGUbLJLcgbtuNqhpCOImN4kGmjshiK3JHrwOjao=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
25KNt4vjrJImgvojrb4XhfaYvplXB//IneFpmKwOznBsEUmp4Cxu+P8QefUpI5Yc9nwP2PAKGpIZzvjovbVPq/gobpmfbNgvg8FqZ0kneq8=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
4+l3KUUA1Yd4iBV4zgFo4lST4BLhLv7MnUcti64/fU5udMRcXdysRODyG+IdycjFbLtUyXPYYcgNhdBZQHsCU346vNoxhxEr4cJ6Bq1FEvI=
|
|||
REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
|
1732(somi.exe)
|
Seed
|
TwrYotvpQtG/wybfLZcHI9EVPkEMDuLxCX38a33WEAo6Zw183gSRmmKV0A4OfHjVixQhH2U3ewN3/ABLJAr/AZf69IA0FXh9Xf+Z/5kcY24=
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{1209A444-8D68-11E1-9FE0-806D6172696F}
|
1732(somi.exe)
|
BaseClass
|
Drive
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{3F424040-87AB-11E2-9D93-806D6172696F}
|
1732(somi.exe)
|
BaseClass
|
Drive
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{75EF541F-D065-11E1-AC7A-525400123456}
|
1732(somi.exe)
|
BaseClass
|
Drive
|
|||
REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL
FOLDERS
|
1732(somi.exe)
|
Startup
|
C:\Documents and
Settings\Joe Maldive\Start Menu\Programs\Startup
|
|||
Filesystem Activity

Path | PID | Action
\??\C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp | 1592(Proforma%20Invoice.exe) | Created
\??\C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe | 1592(Proforma%20Invoice.exe) | Created
\??\C:\Documents and Settings\Joe Maldive\Application Data\Viryq | 916(Proforma%20Invoice.exe) | Created
\??\C:\Documents and Settings\Joe Maldive\Application Data\Ryry | 916(Proforma%20Invoice.exe) | Created
\??\C:\debug.txt | 916(Proforma%20Invoice.exe) | Created
\??\C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe | 916(Proforma%20Invoice.exe) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9} | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Folders.dbx | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Cookies\joe maldive@google[1].txt | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Offline.dbx | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Inbox.dbx | 1352(Explorer.EXE) | Created
\??\C:\Documents and Settings\Joe Maldive\Application Data\Ryry\etefu.toe | 1352(Explorer.EXE) | Created
\??\C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp | 1732(somi.exe) | Created
\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe | 1592(Proforma%20Invoice.exe) | Deleted
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt | 1592(Proforma%20Invoice.exe) | Deleted
\lsarpc | 1592(Proforma%20Invoice.exe) | Deleted
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp | 1592(Proforma%20Invoice.exe) | Deleted
\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe | 916(Proforma%20Invoice.exe) | Deleted
\debug.txt | 916(Proforma%20Invoice.exe) | Deleted
\lsarpc | 916(Proforma%20Invoice.exe) | Deleted
\debug.txt | 1704(somi.exe) | Deleted
\lsarpc | 1704(somi.exe) | Deleted
\lsass | 492(lsass.exe) | Deleted
\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\webhp[1].htm | 1352(Explorer.EXE) | Deleted
\lsarpc | 1352(Explorer.EXE) | Deleted
\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm | 1352(Explorer.EXE) | Deleted
\Documents and Settings\Joe Maldive\Cookies\joe maldive@google[2].txt | 1352(Explorer.EXE) | Deleted
\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\config[1].bin | 1352(Explorer.EXE) | Deleted
\debug.txt | 1352(Explorer.EXE) | Deleted
\Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab | 1352(Explorer.EXE) | Deleted
\ROUTER | 748(svchost.exe) | Deleted
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt | 1732(somi.exe) | Deleted
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp | 1732(somi.exe) | Deleted
\lsarpc | 1732(somi.exe) | Deleted
\temp\Proforma%20Invoice.exe | 1592(Proforma%20Invoice.exe) | Read
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp | 1592(Proforma%20Invoice.exe) | Read
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt | 1592(Proforma%20Invoice.exe) | Read
\lsarpc | 1592(Proforma%20Invoice.exe) | Read
\temp\Proforma%20Invoice.exe | 916(Proforma%20Invoice.exe) | Read
\lsarpc | 916(Proforma%20Invoice.exe) | Read
\lsarpc | 1704(somi.exe) | Read
\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe | 1704(somi.exe) | Read
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\tmpeaaff6e6.bat | 1800(cmd.exe) | Read
\WINDOWS\Prefetch\CMD.EXE-087B4001.pf | 1800(cmd.exe) | Read
\lsass | 492(lsass.exe) | Read
\WINDOWS\system32\rsaenh.dll | 1352(Explorer.EXE) | Read
\Documents and Settings\All Users\Start Menu\desktop.ini | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.microsoft[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Start Menu\Programs\desktop.ini | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@mathtag[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@dl.javafx[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@crowdscience[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@c.atdmt[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@forums.adobe[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.ugdturner[1].txt | 1352(Explorer.EXE) | Read
\lsarpc | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@mediaplex[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Application Data\Ryry\etefu.tmp | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@ad.wsod[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@c.msn[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@sun[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@live[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.cnn[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@dpm.demdex[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@c.bing[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@www.java[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\All Users\Start Menu\Programs\desktop.ini | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@brighthub[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@translate.googleapis[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@tweetmeme[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@exp.www.msn[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@exelator[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@twitter[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@voicefive[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@ziffdavis.demdex[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@contextweb[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@technet.microsoft[2].txt | 1352(Explorer.EXE) | Read
\AUTOEXEC.BAT | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@labnol[2].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@m.webtrends[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@download.mozilla[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@java[1].txt | 1352(Explorer.EXE) | Read
\Documents and Settings\Joe Maldive\Cookies\joe maldive@adbrite[2].txt | 1352(Explorer.EXE) | Read
\ROUTER | 748(svchost.exe) | Read
\Documents and Settings\Joe Maldive\Application Data\desktop.ini | 1732(somi.exe) | Read
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp | 1732(somi.exe) | Read
\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt | 1732(somi.exe) | Read
\lsarpc | 1732(somi.exe) | Read
\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe | 1732(somi.exe) | Read
\WINDOWS\system32\rsaenh.dll | 788(svchost.exe) | Read
\WINDOWS\system32\drivers\etc\hosts | 788(svchost.exe) | Read