Zbot Under the Hood.

Metadata

ID: b71416469446a3aa16af294fdb733f54
OS: 2600.xpsp.080413-2111
Started: Wed Sep 11 07:31:46 EDT 2013
Ended: Wed Sep 11 07:31:46 EDT 2013
Duration: 378 Seconds
Sandbox: marburg(pilot-d)
File name: Proforma%20Invoice.exe
Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows
Analyzed As: exe
SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d
SHA1: fe43dbd7232de304b84c538fb461f05537ba65ab
MD5: e8c10d6aeecd5c39b1bf04797138933b

Fast flux is a DNS technique used by botnets to maintain a resilient command and control infrastructure of compromised hosts acting as proxies. Fast flux is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A record list for a DNS name. Each record has a very short TTL (time to live) value of usually less than five minutes. This creates a constantly changing list of destination addresses for a single DNS name. Please view the ‘DNS’ section under ‘Network Analysis’ for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

Categories: persistence

Tags: network, ttl, dns, fast flux, command and control

Query Data     | Answer Data   | Query ID | Answer Type | TTL
www.google.com | 173.194.43.19 | 40407    | A           | 300
www.google.com | 173.194.43.18 | 40407    | A           | 300
www.google.com | 173.194.43.17 | 40407    | A           | 300
www.google.com | 173.194.43.16 | 40407    | A           | 300
www.google.com | 173.194.43.20 | 40407    | A           | 300

Process Created a File in the Windows Startup Folder

Severity: 80 Confidence: 50

A new file was added to the Windows StartUp folder to ensure that this file runs on system startup. Please review the ‘Disk Artifacts’ section in order to view additional details about this file.

Categories: persistence

Tags: startup, file, folder, process, autorun

Process ID | Process Name           | Path
1592       | Proforma%20Invoice.exe | \Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe

Outbound HTTP POST Communications

Severity: 25 Confidence: 25

Outbound HTTP POST to a remote server was detected. This is not inherently suspicious, but malware will often use POSTs to check in to the Command and Control servers upon infection or to upload or exfiltrate data. Please view the ‘HTTP’ section under ‘Network Analysis’ for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.


GET  h00p://akeemtrade[.]biz:80/html/install/config[.]bin   (Warning!! Alive)

Stream: 3  Transaction: 0

Server IP    | Server Port | Transport | Method | URL
199.79.62.19 | 80          | TCP       | GET    | http://akeemtrade.biz:80/html/install/config.bin

Type: request
Timestamp: Wed Sep 11 07:33:55 EDT 2013
Actual Encoding:
Actual Content-type: application/x-empty

Header        | Value
cache-control | no-cache
connection    | Close
host          | akeemtrade.biz
accept        | */*
user-agent    | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Type: response
Timestamp: Wed Sep 11 07:33:55 EDT 2013
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream

Header         | Value
content-type   | application/octet-stream
connection     | close
etag           | "1cb074c-867c-4e448153dea00"
last-modified  | Mon, 19 Aug 2013 07:42:32 GMT
content-length | 34428
server         | Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
accept-ranges  | bytes
date           | Wed, 11 Sep 2013 11:34:12 GMT

Categories: exfiltration, fingerprinting

Tags: network, http, post

Network Stream | Method | URL
6              | POST   | http://akeemtrade.biz:80/html/install/gate.php
5              | POST   | http://akeemtrade.biz:80/html/install/gate.php

Command Exe File Execution Detected

Severity: 50 Confidence: 80

A process executed a file using cmd.exe. Malware authors will often launch batch or shell scripts that use Windows shell utilities. Additional uses include launching an interactive command shell.

Categories:

Tags: process, file, create, launch

Process ID | Process Name | Command Line                                                                              | Path
1800       | cmd.exe      | "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\tmpeaaff6e6.bat" | _0

Executable Imported the IsDebuggerPresent Symbol

Severity: 20 Confidence: 20

The IsDebuggerPresent function can be used by a process to check whether a debugger has been attached to it or is currently active on the system. Malware authors often check for the presence of a debugger, as this is an indication that the malware is being analysed. The malware may not run, or it may behave differently, if a debugger is present, to make it more difficult to reverse-engineer its behavior. On its own this is not an indicator of malicious activity, as legitimate programs often import this function.

Categories: obfuscation, anti-reversing

Tags: process, artifact, static, import, PE

Artifact ID | Path
6           | \Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe
2           | \Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe
3           | \temp\Proforma%20Invoice.exe
1           | Proforma%20Invoice.exe

Process Created an Executable in a User Directory

Severity: 60 Confidence: 95

Malware will often create a new executable file in a user directory such as ‘Local Settings’ or ‘Application Data’ in an attempt to hide its presence on the system. Often the name of the file is similar to the name of common system or user files. This is done to hide the executable, as the user may believe it’s a legitimate file. Please review the ‘Disk Artifacts’ section in order to view additional details about this file.

Categories: persistence, obfuscation

Tags: executable, file, process, PE

Process ID | Process Name           | Path
1592       | Proforma%20Invoice.exe | C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe
916        | Proforma%20Invoice.exe | C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe

Process Modified File in a User Directory

Severity: 70 Confidence: 80

Malware will modify files in user directories to hide logs or other evidence. Also, by modifying various files it can disable functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to hide an executable, so that it appears to be a legitimate file. Please review the ‘Disk Artifacts’ section in order to view additional details about this file.

Categories: persistence, obfuscation

Tags: executable, file, process

Process ID | Process Name           | Path
1592       | Proforma%20Invoice.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp
1732       | somi.exe               | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt
1352       | Explorer.EXE           | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm
1592       | Proforma%20Invoice.exe | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt
1352       | Explorer.EXE           | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\webhp[1].htm
916        | Proforma%20Invoice.exe | \Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe
1732       | somi.exe               | \DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp
1352       | Explorer.EXE           | \Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab
1352       | Explorer.EXE           | \Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\config[1].bin

Process Modified Autorun Registry Key Value

Severity: 80 Confidence: 60

Autorun registry keys can be used to load applications when Windows is started. Malware often uses these key locations to maintain persistence on the host. The values to examine are located in the subkeys Run, RunOnce, RunServices, RunServicesOnce, RunOnceEx, or RunOnceSetup. The key value indicates where the program that will load on startup is located.

Categories: persistence

Tags: process, autorun, registry

Process ID | RegKey Value Name                      | RegKey Data Type | RegKey Name                                                                                          | Process Name | RegKey Data
1352       | {832A9606-32CE-FE22-A0DC-76831BAE1BEB} | SZ               | USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Explorer.EXE | "C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"s\0

HTTP Traffic

GET  http://akeemtrade.biz:80/html/install/config.bin

Stream: 3   Transaction: 0

Server IP    | Server Port | Transport | Method | URL
199.79.62.19 | 80          | TCP       | GET    | http://akeemtrade.biz:80/html/install/config.bin

Type: request
Timestamp: Wed Sep 11 07:33:55 EDT 2013
Actual Encoding:
Actual Content-type: application/x-empty

Header        | Value
cache-control | no-cache
connection    | Close
host          | akeemtrade.biz
accept        | */*
user-agent    | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Type: response
Timestamp: Wed Sep 11 07:33:55 EDT 2013
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream

Header         | Value
content-type   | application/octet-stream
connection     | close
etag           | "1cb074c-867c-4e448153dea00"
last-modified  | Mon, 19 Aug 2013 07:42:32 GMT
content-length | 34428
server         | Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
accept-ranges  | bytes
date           | Wed, 11 Sep 2013 11:34:12 GMT

GET  http://www.google.com:80/webhp

Stream: 4  Transaction: 0

Server IP     | Server Port | Transport | Method | URL
173.194.43.19 | 80          | TCP       | GET    | http://www.google.com:80/webhp

Type: request
Timestamp: Wed Sep 11 07:34:03 EDT 2013
Actual Encoding:
Actual Content-type: application/x-empty

Header        | Value
cache-control | no-cache
connection    | Close
host          | www.google.com
accept        | */*
user-agent    | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Type: response
Timestamp: Wed Sep 11 07:34:03 EDT 2013
Actual Encoding: ascii
Actual Content-type: text/html

Header             | Value
x-frame-options    | SAMEORIGIN
content-type       | text/html; charset=UTF-8
p3p                | CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
cache-control      | private, max-age=0
connection         | close
x-xss-protection   | 1; mode=block
expires            | -1
set-cookie         | PREF=ID=667c83caea844ac8:FF=0:TM=1378899263:LM=1378899263:S=Qx8nb0MbLfVx3PwW; expires=Fri, 11-Sep-2015 11:34:23 GMT; path=/; domain=.google.com
set-cookie         | NID=67=TxUdsZzb7X8Yrg_xKcRxituvtxo9un2uzb70Erp6XVU1w-GRaIsGcxtAcywQOQbDs2I4UgYqJb7xGQ_SsvfwmPxmQJ-cJ9R7fdw1REDBWpMQ0EYnGuj0Bh_yWPzaQTJ8; expires=Thu, 13-Mar-2014 11:34:23 GMT; path=/; domain=.google.com; HttpOnly
server             | gws
alternate-protocol | 80:quic
date               | Wed, 11 Sep 2013 11:34:23 GMT

POST  http://akeemtrade.biz:80/html/install/gate.php

Stream: 5  Transaction: 0

Server IP    | Server Port | Transport | Method | URL
199.79.62.19 | 80          | TCP       | POST   | http://akeemtrade.biz:80/html/install/gate.php

Type: request
Timestamp: Wed Sep 11 07:34:06 EDT 2013
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream

Header         | Value
cache-control  | no-cache
connection     | Keep-Alive
host           | akeemtrade.biz
accept         | */*
content-length | 274
user-agent     | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Type: response
Timestamp: Wed Sep 11 07:34:06 EDT 2013
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream

Header            | Value
content-type      | text/html
connection        | Keep-Alive
x-powered-by      | PHP/5.2.17
transfer-encoding | chunked
server            | Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
keep-alive        | timeout=3, max=30
date              | Wed, 11 Sep 2013 11:34:28 GMT

POST  http://akeemtrade.biz:80/html/install/gate.php

Stream: 6  Transaction: 0

Server IP    | Server Port | Transport | Method | URL
199.79.62.19 | 80          | TCP       | POST   | http://akeemtrade.biz:80/html/install/gate.php

Type: request
Timestamp: Wed Sep 11 07:35:01 EDT 2013
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream

Header         | Value
cache-control  | no-cache
connection     | Keep-Alive
host           | akeemtrade.biz
accept         | */*
content-length | 12538
user-agent     | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Type: response
Timestamp: Wed Sep 11 07:35:01 EDT 2013
Actual Encoding: windows-1252
Actual Content-type: application/octet-stream

Header            | Value
content-type      | text/html
connection        | Keep-Alive
x-powered-by      | PHP/5.2.17
transfer-encoding | chunked
server            | Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.6
keep-alive        | timeout=3, max=30
date              | Wed, 11 Sep 2013 11:35:31 GMT

DNS Traffic

Stream: 2 Query: 38241
Transport: UDP

Query ID | Timestamp                    | Type | Data
38241    | Wed Sep 11 07:33:54 EDT 2013 | A    | akeemtrade.biz

Answers

Query ID | Timestamp                    | Type | Data         | TTL
38241    | Wed Sep 11 07:33:55 EDT 2013 | A    | 199.79.62.19 | 14400

Stream: 2 Query: 40407
Transport: UDP

Query ID | Timestamp                    | Type | Data
40407    | Wed Sep 11 07:34:03 EDT 2013 | A    | www.google.com

Answers

Query ID | Timestamp                    | Type | Data          | TTL
40407    | Wed Sep 11 07:34:03 EDT 2013 | A    | 173.194.43.19 | 300
40407    | Wed Sep 11 07:34:03 EDT 2013 | A    | 173.194.43.18 | 300
40407    | Wed Sep 11 07:34:03 EDT 2013 | A    | 173.194.43.20 | 300
40407    | Wed Sep 11 07:34:03 EDT 2013 | A    | 173.194.43.17 | 300
40407    | Wed Sep 11 07:34:03 EDT 2013 | A    | 173.194.43.16 | 300

Artifacts

Artifacts 1: Proforma%20Invoice.exe

Source: submitted

Imports: 16

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d

Size: 1186076

Exports: 0

AV Sigs: 0

MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifacts 2: /Documents and Settings/Joe Maldive/Application Data/Viryq/somi.exe

Source: disk

Imports: 16

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: d7ac68c5a3010eff2d56378e8e822dec804f5b27c17f4a2163148a8fdb5fb34c

Size: 1186076

Exports: 0

AV Sigs: 0

MD5: fa5f2d89313f05224389375873d1c206

Artifacts 3: /temp/Proforma%20Invoice.exe

Source: disk

Imports: 16

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d

Size: 1186076

Exports: 0

AV Sigs: 0

MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifacts 4: /debug.txt

Source: disk

Imports: 0

Magic Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators

SHA256: 78ca91c37ac358f9f7adb8345bb4a49e8381611321e555a0e25f3ebd2a992002

Size: 26053

Exports: 0

AV Sigs: 0

MD5: fdae3aa240078bf14a9ca01367e079df

Artifacts 5: /Documents and Settings/Joe Maldive/Cookies/joe maldive@google[2].txt

Source: disk

Imports: 0

Magic Type: ASCII text

SHA256: e99b492efe53844df5cbd0dee5836a42525c5d3f1a500162f8552f5b0d5219ce

Size: 330

Exports: 0

AV Sigs: 0

MD5: 6f5c7e6633609997e9a13d4a1df825aa

Artifacts 6: /Documents and Settings/Joe Maldive/Start Menu/Programs/Startup/config.exe

Source: disk

Imports: 16

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: 31af7e3ab6c689aa59217012cf7a7b824fc2cfb6a261f3e6a480c0b1d131453d

Size: 1186076

Exports: 0

AV Sigs: 0

MD5: e8c10d6aeecd5c39b1bf04797138933b

Artifacts 7: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Folders.dbx

Source: disk

Imports: 0

Magic Type: MS Outlook Express DBX file, folder database

SHA256: 0272ff9b0dc70fdff37d03e9d397500b3a65db9b4fbd6c9568f47cd11ec39008

Size: 75204

Exports: 0

AV Sigs: 0

MD5: dd958f1389a18772a8809d9db903cb1a

Artifacts 8: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Offline.dbx

Source: disk

Imports: 0

Magic Type: MS Outlook Express DBX file, offline database

SHA256: 14ff7ea3f7634352d7e787a69b997d6694ac1f8270db51ad077b24efeffbfa11

Size: 9656

Exports: 0

AV Sigs: 0

MD5: c78f0742eae95fcf92f7f1c6009d9341

Artifacts 9: /Documents and Settings/Joe Maldive/Application Data/Microsoft/Address Book/Joe Maldive.wab

Source: disk

Imports: 0

Magic Type: data

SHA256: c8ded9535f8900ad231019421fcf711e06f252127ac904a14e1fd15c9d00970f

Size: 176594

Exports: 0

AV Sigs: 0

MD5: 991c6d55cb2cf996bdb5985fccd28506

Artifacts 10: /WINDOWS/Prefetch/CMD.EXE-087B4001.pf

Source: disk

Imports: 0

Magic Type: data

SHA256: fa221ecf5fa9713570059ccfdedcd8e1e2ce9cd8644d395f70d386dd8e1ae182

Size: 12150

Exports: 0

AV Sigs: 0

MD5: 02458f83c3e3f0e92202a623bb52d2a9

Artifacts 11: /Documents and Settings/Joe Maldive/Application Data/Microsoft/Address Book/Joe Maldive.wab~

Source: disk

Imports: 0

Magic Type: data

SHA256: c8ded9535f8900ad231019421fcf711e06f252127ac904a14e1fd15c9d00970f

Size: 176594

Exports: 0

AV Sigs: 0

MD5: 991c6d55cb2cf996bdb5985fccd28506

Artifacts 12: /Documents and Settings/Joe Maldive/Cookies/index.dat

Source: disk

Imports: 0

Magic Type: Internet Explorer cache file version Ver 5.2

SHA256: 53352349195130a01bd0f4e023a9b5d19481efc8f14f1737d3a138c4f77575c2

Size: 49152

Exports: 0

AV Sigs: 0

MD5: cf3aa327a36e2487e3ef0a5ee4abf09c

Artifacts 13: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Inbox.dbx

Source: disk

Imports: 0

Magic Type: MS Outlook Express DBX file, message database

SHA256: 2d4e7216ff1ba895c0dc2635edf9ca4a117ce54a0467ff2c816aa4f0b7bc8213

Size: 142036

Exports: 0

AV Sigs: 0

MD5: 47be83c580205c28a92921425c9d290a

Artifacts 14: /Documents and Settings/Joe Maldive/Local Settings/Application Data/Identities/{7AF0EC96-F1E3-4261-9C70-E611584E16B9}/Microsoft/Outlook Express/Sent Items.dbx

Source: disk

Imports: 0

Magic Type: MS Outlook Express DBX file, message database

SHA256: 37b9f67bd4301ecf6f56cbdaf697131c20441c3514f67f09510a2e700872a0ff

Size: 76500

Exports: 0

AV Sigs: 0

MD5: 5c9871500ef4f120d08456c18e04bb8c

Artifacts 15: /Documents and Settings/Joe Maldive/Local Settings/Temp/f.txt

Source: disk

Imports: 0

Magic Type: ASCII text, with very long lines, with no line terminators

SHA256: bedba9c52ab29f444c71a4e5d066db119ba723f01d09001ba491d644e5c89c66

Size: 351234

Exports: 0

AV Sigs: 0

MD5: 5e97f5478e0a8eeb584673adb92e2182

Artifacts 16: /WINDOWS/Prefetch/LOGONUI.EXE-0AF22957.pf

Source: disk

Imports: 0

Magic Type: data

SHA256: 5e72d480d453773a6bf0859e730ea59eefb88e8ac5ece1adb32fef5f041cfee5

Size: 24510

Exports: 0

AV Sigs: 0

MD5: cd23d66b54fc3d6f02dbf0f738c506ec

Artifacts 17: /WINDOWS/system32/config/SysEvent.Evt

Source: disk

Imports: 0

Magic Type: data

SHA256: 1a527a23b49b171fe86457078953e134a86ccbf52ed0b2b4f1e7f30f16c878ee

Size: 65536

Exports: 0

AV Sigs: 0

MD5: 816b8681b9e3cce365448c6ce4c3f4b4

Artifacts 18: config.bin

Source: network

Imports: 0

Magic Type: data

SHA256: 737a5a94a316ae95ee9a155531c726335f5aafc4e067da67f41962af96186424

Size: 34428

Exports: 0

AV Sigs: 0

MD5: 354b641762111cb669c5131efbc64e44

Artifacts 19: webhp

Source: network

Imports: 0

Magic Type: HTML document, ASCII text, with very long lines

SHA256: d99eb3558bade37801bc54bc446c453df57bb22b1ac8115d8a7c72fc86d6519c

Size: 31055

Exports: 0

AV Sigs: 0

MD5: b1330cfbd0d9dc8372297450cc66d226

Artifacts 20: gate.php

Source: network

Imports: 0

Magic Type: data

SHA256: cf18419178d5143a548f66be4524acefb44e44d2a334a42f12ced581294f111d

Size: 64

Exports: 0

AV Sigs: 0

MD5: 67423769ccbe3dafb1660569aed2122b

Artifacts 21: gate.php

Source: network

Imports: 0

Magic Type: data

SHA256: 812b3bfdc16966abe821f0e6f46d4b08b4849527dfd4ca29a49a9ae46297c362

Size: 64

Exports: 0

AV Sigs: 0

MD5: ae133b4fbddb539aabd0ebd0310ca5d5

Artifacts 22: 480-services.exe

Related to: process 480

Source: memory

Imports: 10

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: 62592336a5a8ff004307642b6e1f3ab77423f98c67d063aca9c2b2fd3033b360

Size: 108544

Exports: 0

AV Sigs: 1

MD5: f8b5365b630d3839216dd731958c790c

Artifacts 23: 428-winlogon.exe

Related to: process 428

Source: memory

Imports: 0

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: c7f1c355970569f88ff7001185f2aac92b143a4e83c919eb1f667bcfdf1154f8

Size: 507904

Exports: 0

AV Sigs: 0

MD5: 752070c7aa016e5fc9fed6d84b02bb26

Artifacts 24: 788-svchost.exe

Related to: process 788

Source: memory

Imports: 4

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: d86db08af7ff040f51ad7305e392e2cf696e97cfb671a7c492551b19a09de5b2

Size: 14336

Exports: 0

AV Sigs: 0

MD5: 9d977171d7e2c89833b537808806f4df

Artifacts 25: 1352-Explorer.EXE

Related to: process 1352

Source: memory

Imports: 13

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: c16eddac0250cf02e7228b194f042cc551fea6ea9c2a2bb679e6eef9f898c4aa

Size: 1033728

Exports: 0

AV Sigs: 0

MD5: a1db10d544b4c063b165d2ee392c5fc0

Artifacts 26: 748-svchost.exe

Related to: process 748

Source: memory

Imports: 4

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: 7d6b9a711fbf326e95f19e24b95f0d56ee5ad044f6f2fa5f02f5870c3b312acf

Size: 14336

Exports: 0

AV Sigs: 0

MD5: 9e12668de788d73e3dd0afdb9baca344

Artifacts 27: 780-wmiprvse.exe

Related to: process 780

Source: memory

Imports: 10

Magic Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA256: b0756163adcf10532efeba33abb298c89238d09d8929f7ba731d55648d321822

Size: 218112

Exports: 0

AV Sigs: 1

MD5: 9b3208698b43e53c05e86b472a5651d0

PE Sections

Address | Type  | Virtual Size | Size   | Entropy            | Entropy Types
4096    | .text | 209184       | 209408 | 5.280843455233378  | [native, packed]
217088  | .data | 6936         | 6656   | 4.946809128148061  | [native]
225280  | .rsrc | 968          | 1024   | 3.2734914644890747 | [indeterminate]

Imported/Exported Symbols

DLL          | Imported Symbols                                                 | Virt. Address
msvcrt.dll   | _CxxThrowException                                               | 16781828
msvcrt.dll   | ?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z | 16781832
msvcrt.dll   | wcstok                                                           | 16781836
msvcrt.dll   | __CxxFrameHandler                                                | 16781840
msvcrt.dll   | setlocale                                                        | 16781844
msvcrt.dll   | wcslen                                                           | 16781848
msvcrt.dll   | _vsnwprintf                                                      | 16781852
msvcrt.dll   | _except_handler3                                                 | 16781856
msvcrt.dll   | _purecall                                                        | 16781860
msvcrt.dll   | _wcsicmp                                                         | 16781864
msvcrt.dll   | _c_exit                                                          | 16781868
msvcrt.dll   | _exit                                                            | 16781872
msvcrt.dll   | _XcptFilter                                                      | 16781876
msvcrt.dll   | _cexit                                                           | 16781880
msvcrt.dll   | exit                                                             | 16781884
msvcrt.dll   | _acmdln                                                          | 16781888
msvcrt.dll   | __getmainargs                                                    | 16781892
msvcrt.dll   | _initterm                                                        | 16781896
msvcrt.dll   | __setusermatherr                                                 | 16781900
msvcrt.dll   | _adjust_fdiv                                                     | 16781904
msvcrt.dll   | __p__commode                                                     | 16781908
msvcrt.dll   | __p__fmode                                                       | 16781912
msvcrt.dll   | __set_app_type                                                   | 16781916
msvcrt.dll   | ??1type_info@@UAE@XZ                                             | 16781920
msvcrt.dll   | __dllonexit                                                      | 16781924
msvcrt.dll   | _onexit                                                          | 16781928
msvcrt.dll   | ?terminate@@YAXXZ                                                | 16781932
msvcrt.dll   | _controlfp                                                       | 16781936
ADVAPI32.dll | OpenProcessToken                                                 | 16781340
ADVAPI32.dll | OpenThreadToken                                                  | 16781344
ADVAPI32.dll | GetAclInformation                                                | 16781348
ADVAPI32.dll | ImpersonateLoggedOnUser                                          | 16781352
ADVAPI32.dll | RegOpenKeyExW                                                    | 16781356
ADVAPI32.dll | RegDeleteKeyW                                                    | 16781360
ADVAPI32.dll | RegCreateKeyExW                                                  | 16781364
ADVAPI32.dll | RegCloseKey                                                      | 16781368
ADVAPI32.dll | SetSecurityDescriptorOwner                                       | 16781372
ADVAPI32.dll | SetSecurityDescriptorGroup                                       | 16781376
ADVAPI32.dll | GetSecurityDescriptorLength                                      | 16781380
ADVAPI32.dll | MakeSelfRelativeSD                                               | 16781384
ADVAPI32.dll | RegDisablePredefinedCache                                        | 16781388
ADVAPI32.dll | RevertToSelf                                                     | 16781392
ADVAPI32.dll | SetThreadToken                                                   | 16781396
ADVAPI32.dll | FreeSid                                                          | 16781400
ADVAPI32.dll | SetSecurityDescriptorDacl                                        | 16781404
ADVAPI32.dll | AddAce                                                           | 16781408
ADVAPI32.dll | InitializeAcl                                                    | 16781412
ADVAPI32.dll | GetLengthSid                                                     | 16781416
ADVAPI32.dll | CopySid                                                          | 16781420
ADVAPI32.dll | AllocateAndInitializeSid                                         | 16781424
ADVAPI32.dll | InitializeSecurityDescriptor                                     | 16781428
ADVAPI32.dll | ReportEventW                                                     | 16781432
ADVAPI32.dll | RegisterEventSourceW                                             | 16781436
ADVAPI32.dll | DeregisterEventSource                                            | 16781440
ADVAPI32.dll | RegSetValueExW                                                   | 16781444
KERNEL32.dll | DeleteCriticalSection                                            | 16781472
KERNEL32.dll | InterlockedCompareExchange                                       | 16781476
KERNEL32.dll | GetProcAddress                                                   | 16781480
KERNEL32.dll | GetModuleHandleW                                                 | 16781484
KERNEL32.dll | lstrcmpiW                                                        | 16781488
KERNEL32.dll | GetCurrentProcessId                                              | 16781492
KERNEL32.dll | CloseHandle                                                      | 16781496
KERNEL32.dll | InterlockedIncrement                                             | 16781500
KERNEL32.dll | InterlockedDecrement                                             | 16781504
KERNEL32.dll | SetEvent                                                         | 16781508
KERNEL32.dll | InitializeCriticalSectionAndSpinCount                            | 16781512
KERNEL32.dll | TerminateProcess                                                 | 16781516
KERNEL32.dll | GetCurrentProcess                                                | 16781520
KERNEL32.dll | GetLastError                                                     | 16781524
KERNEL32.dll | WaitForMultipleObjects                                           | 16781528
KERNEL32.dll | GetCurrentThreadId                                               | 16781532
KERNEL32.dll | WaitForSingleObject                                              | 16781536
KERNEL32.dll | DuplicateHandle                                                  | 16781540
KERNEL32.dll | Sleep                                                            | 16781544
KERNEL32.dll | CreateThread                                                     | 16781548
KERNEL32.dll | UnmapViewOfFile                                                  | 16781552
KERNEL32.dll | GetVersionExW                                                    | 16781556
KERNEL32.dll | LocalFree                                                        | 16781564
KERNEL32.dll | MapViewOfFile                                                    | 16781568
KERNEL32.dll | CreateFileMappingW                                               | 16781572
KERNEL32.dll | OpenFileMappingW                                                 | 16781576
KERNEL32.dll | OpenEventW                                                       | 16781580
KERNEL32.dll | lstrlenW                                                         | 16781584
KERNEL32.dll | GetModuleFileNameW                                               | 16781588
KERNEL32.dll | DebugBreak                                                       | 16781592
KERNEL32.dll | EnterCriticalSection                                             | 16781596
KERNEL32.dll | LeaveCriticalSection                                             | 16781600
KERNEL32.dll | TlsAlloc                                                         | 16781604
KERNEL32.dll | TlsFree                                                          | 16781608
KERNEL32.dll | ChangeTimerQueueTimer                                            | 16781612
KERNEL32.dll | InterlockedExchange                                              | 16781616
KERNEL32.dll | SwitchToThread                                                   | 16781620
KERNEL32.dll | CreateEventW                                                     | 16781624
KERNEL32.dll | LCMapStringW                                                     | 16781628
KERNEL32.dll | GetTickCount                                                     | 16781632
KERNEL32.dll | GetCurrentThread                                                 | 16781636
KERNEL32.dll | QueryPerformanceCounter                                          | 16781640
KERNEL32.dll | GetSystemTimeAsFileTime                                          | 16781644
KERNEL32.dll | UnhandledExceptionFilter                                         | 16781648
KERNEL32.dll | SetUnhandledExceptionFilter                                      | 16781652
KERNEL32.dll | GetModuleHandleA                                                 | 16781656
KERNEL32.dll | GetStartupInfoA                                                  | 16781660
KERNEL32.dll | GetCommandLineW                                                  | 16781668
USER32.dll   | PostMessageW                                                     | 16781752
USER32.dll   | DefWindowProcW                                                   | 16781756
USER32.dll   | DeleteMenu                                                       | 16781760
USER32.dll   | GetSystemMenu                                                    | 16781764
USER32.dll   | UpdateWindow                                                     | 16781768
USER32.dll   | ShowWindow                                                       | 16781772
USER32.dll   | CreateWindowExW                                                  | 16781776
USER32.dll   | RegisterClassW                                                   | 16781780
USER32.dll   | LoadCursorW                                                      | 16781784
USER32.dll   | MsgWaitForMultipleObjectsEx                                      | 16781788
USER32.dll   | MsgWaitForMultipleObjects                                        | 16781792
USER32.dll   | PeekMessageW                                                     | 16781796
USER32.dll   | GetMessageW                                                      | 16781800
USER32.dll   | TranslateMessage                                                 | 16781804
USER32.dll   | DispatchMessageW                                                 | 16781808
USER32.dll   | DestroyWindow                                                    | 16781812
USER32.dll   | UnregisterClassW                                                 | 16781816
USER32.dll   | LoadIconW                                                        | 16781820
ntdll.dll    | NtQuerySystemInformation                                         | 16781944
ntdll.dll    | wcstol                                                           | 16781948
ntdll.dll    | wcsncpy                                                          | 16781952
wbemcomn.dll | ?DebugTrace@@YAHDPBDZZ                                           | 16782032
wbemcomn.dll | ?ErrorTrace@@YAHDPBDZZ                                           | 16782036
FastProx.dll | ?New@CWbemCallSecurity@@SGPAV1@XZ                                | 16781452
NCObjAPI.DLL | WmiCreateObjectWithFormat                                        | 16781680
NCObjAPI.DLL | WmiEventSourceDisconnect                                         | 16781684
NCObjAPI.DLL | WmiDestroyObject                                                 | 16781688
NCObjAPI.DLL | WmiSetAndCommitObject                                            | 16781692
NCObjAPI.DLL | WmiEventSourceConnect                                            | 16781696
OLEAUT32.dll |                                                                  | 16781704
OLEAUT32.dll |                                                                  | 16781708
OLEAUT32.dll |                                                                  | 16781712
OLEAUT32.dll |                                                                  | 16781716
OLEAUT32.dll |                                                                  | 16781720
OLEAUT32.dll |                                                                  | 16781724
OLEAUT32.dll |                                                                  | 16781728
OLEAUT32.dll |                                                                  | 16781732
OLEAUT32.dll |                                                                  | 16781736
ole32.dll    | CoImpersonateClient                                              | 16781960
ole32.dll    | CoGetInterfaceAndReleaseStream                                   | 16781964
ole32.dll    | CoMarshalInterThreadInterfaceInStream                            | 16781968
ole32.dll    | CoCreateGuid                                                     | 16781972
ole32.dll    | CoGetClassObject                                                 | 16781976
ole32.dll    | CLSIDFromString                                                  | 16781980
ole32.dll    | StringFromGUID2                                                  | 16781984
ole32.dll    | CoUninitialize                                                   | 16781988
ole32.dll    | CoRevertToSelf                                                   | 16781992
ole32.dll    | CoSwitchCallContext                                              | 16781996
ole32.dll    | CoGetCallContext                                                 | 16782000
ole32.dll    | CoCreateInstance                                                 | 16782004
ole32.dll    | CoRegisterClassObject                                            | 16782008
ole32.dll    | CoFreeUnusedLibrariesEx                                          | 16782012
ole32.dll    | CoInitializeEx                                                   | 16782016
ole32.dll    | CoInitializeSecurity                                             | 16782020
ole32.dll    | CoRevokeClassObject                                              | 16782024

Registry Activity

Created Keys

Created Key

 PID

Access List

Option List

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003SOFTWAREMicrosoftWindowsCurrentVersionInternet Settings

1592(Proforma%20Invoice.exe)

CREATE_SUB_KEY,ENUMERATE_SUB_KEYS,QUERY_VALUE,READ_CONTROL,NOTIFY,SET_VALUE

REG_OPTION_NON_VOLATILE

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003SOFTWAREMICROSOFTSiah

916(Proforma%20Invoice.exe)

QUERY_VALUE,SET_VALUE

REG_OPTION_NON_VOLATILE

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003SoftwareMicrosoftWindowsCurrentversionRun

428(winlogon.exe)

SET_VALUE

REG_OPTION_NON_VOLATILE

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003SoftwareMicrosoftWindowsCurrentversionRun

492(lsass.exe)

SET_VALUE

REG_OPTION_NON_VOLATILE

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003SoftwareMicrosoftMultimediaAudio Compression Manager

1352(Explorer.EXE)

READ_CONTROL,CREATE_SUB_KEY,SET_VALUE

REG_OPTION_NON_VOLATILE

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003IDENTITIES{7AF0EC96-F1E3-4261-9C70-E611584E16B9}SOFTWAREMICROSOFTOUTLOOK EXPRESS5.0News

1352(Explorer.EXE)

MAXIMUM_ALLOWED

REG_OPTION_NON_VOLATILE

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003IDENTITIES{7AF0EC96-F1E3-4261-9C70-E611584E16B9}SOFTWAREMICROSOFTOUTLOOK EXPRESS5.0Rules

1352(Explorer.EXE)

MAXIMUM_ALLOWED

REG_OPTION_NON_VOLATILE

REGISTRYUSERS-1-5-21-1202660629-583907252-1801674531-1003IDENTITIES{7AF0EC96-F1E3-4261-9C70-E611584E16B9}SOFTWAREMICROSOFTOUTLOOK EXPRESS5.0RULESMail

1352(Explorer.EXE)

NO

| Modified Key | PID | Value Name | Data |
| --- | --- | --- | --- |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `CKJK8C1OVbgqIDnTw2uEtLX8YAcESUne11GUjxuPFirvMkcgVxxVpuG5C003kKXK8+Zui1M+9mwB768e4ozm9N9ARGiTbnDttjqFJp9M+gg=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `km/n2XArwzgXr3ee+ngp3/PDPnU5Gbr9LIP5wI4oXgncB98lqW3NIYNsKp06MXUpr5yQjx/F78e/hdEKU5pLqgwInt581VaqFUt3omtvNIY=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `8wxI5YmO689WSb4TQl5pfN8/7qxCvBoSvQE7zDd6RXTB8KBd9MHQQkPPskDc+sM1NnNJnCc0e2mUlD4IYRuD6QfAfyf68uRjX4Y8usQmhsM=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `i7cQwh8YMveJ4BD0uDBZ6Q9KGOXiBpPxfjRLzPaaQFB2il+CuEOEvQfVOEBDwhwEahdACnUszDI3AgwF5lCW+qkbu2kVVNfrJQ+DbK1lbDk=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `VpM4tkgInewFkDflKOsW0fEQVdbEQIMGs8QDBkEIY6ZZrEW9TRos0kKYal70rftHs9hmOcc+3VUgxSBG3U/mGzyrZxWW37sc1EY6Xy5mzK0=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `Tl9YsOXJ5ametPR1dhhEIxOfpRYIc3NwJ+TQmJxDIg6lePDnqtXHOSHZ4KYrprk8jTOJqWBk6axMXiADNRd4qEtiL2t1FqIQjAArolqIZAI=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `5RO+vlR6MdigNebJkuV2H1vL3NXcLwC9oJH5yAf9XJR8bdwn6YQJ/ccIYpcumLB0FBQuBM0yvq5E60qr967ZtOemHhAu/aooP6Nc18E19Hw=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1592(Proforma%20Invoice.exe) | Seed | `GGrIgRSnjemAaS9NurOsnMHD4Yd8S+rKYMJ48eqAVVEkOncx27CXRicLiHzZHVN0pjtod3yV1sOi/nwWF8wStlSQFwFEyYU8+6B7GbSU1aw=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{1209A444-8D68-11E1-9FE0-806D6172696F}` | 1592(Proforma%20Invoice.exe) | BaseClass | Drive |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{3F424040-87AB-11E2-9D93-806D6172696F}` | 1592(Proforma%20Invoice.exe) | BaseClass | Drive |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{75EF541F-D065-11E1-AC7A-525400123456}` | 1592(Proforma%20Invoice.exe) | BaseClass | Drive |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS` | 1592(Proforma%20Invoice.exe) | Startup | `C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 916(Proforma%20Invoice.exe) | Seed | `s17TAaYIu1X47EUO4tQm9iefujFVKOJYIbGlHB4AvTcL9/7kKnkAjm76QrazZUstIV07KQ8ZbBqt3mI/efU5FOdT/i2E4+8E1iHDC3qv8KI=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS` | 916(Proforma%20Invoice.exe) | AppData | `C:\Documents and Settings\Joe Maldive\Application Data` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1800(cmd.exe) | Seed | `pmczXs0lTmdNDkTAi6wR4sDe1VzGUDYWoHrwMJuHA+biYzO3sRPvYgB6bPZ32yAnfUXe2itG1AOMzrZ58DAQmyzLKKYkUpsG0m/E3O2RD4w=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MENUORDER\START MENU` | 1352(Explorer.EXE) | Order | |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` | 1352(Explorer.EXE) | {832A9606-32CE-FE22-A0DC-76831BAE1BEB} | `"C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe"` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS` | 1352(Explorer.EXE) | Directory | `C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS` | 1352(Explorer.EXE) | Paths | 4 |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH1` | 1352(Explorer.EXE) | CachePath | `C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache1` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH2` | 1352(Explorer.EXE) | CachePath | `C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache2` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH3` | 1352(Explorer.EXE) | CachePath | `C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache3` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH4` | 1352(Explorer.EXE) | CachePath | `C:\Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\Cache4` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH1` | 1352(Explorer.EXE) | CacheLimit | 81830 |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS\PATH2` | 1352(Explorer.EXE) | CacheLimit | 81830 |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS` | 1352(Explorer.EXE) | Common AppData | `C:\Documents and Settings\All Users\Application Data` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS` | 1352(Explorer.EXE) | AppData | `C:\Documents and Settings\Joe Maldive\Application Data` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` | 1352(Explorer.EXE) | MigrateProxy | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` | 1352(Explorer.EXE) | ProxyEnable | 0 |
| `\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` | 1352(Explorer.EXE) | ProxyEnable | 0 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS` | 1352(Explorer.EXE) | SavedLegacySettings | `PAAAADkAAAABAAAAAAAAAAAAAAAAAAAABAAAAAAAAADQA5TMQOrLAQEAAAAKAAIPAAAAAAAAAAA=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS` | 1352(Explorer.EXE) | ConnectionSettingsMigrated | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | VerStamp | 3 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | SpellDontIgnoreDBCS | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL` | 1352(Explorer.EXE) | Welcome Message | `AQAAAA==` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL` | 1352(Explorer.EXE) | Accounts Checked | `AAAAAA==` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS` | 1352(Explorer.EXE) | AssociatedID | `luzweuPxYUKccOYRWE4WuQ==` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER` | 1352(Explorer.EXE) | Server ID | 4 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | StoreMigratedV5 | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | ConvertedToDBX | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | Settings Upgraded | 7 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL` | 1352(Explorer.EXE) | Safe Attachments | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL` | 1352(Explorer.EXE) | Secure Safe Attachments | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | Running | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | Store Root | `%UserProfile%\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WAB\WAB4` | 1352(Explorer.EXE) | OlkContactRefresh | 0 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WAB\WAB4` | 1352(Explorer.EXE) | OlkFolderRefresh | 0 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL` | 1352(Explorer.EXE) | Welcome Message | 0 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | SpoolerDlgPos | `LAAAAAAAAAABAAAA/////////////////////5wAAABaAAAAhAIAAO0AAAA=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | SpoolerTack | 0 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\IDENTITIES\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0` | 1352(Explorer.EXE) | Compact Check Count | 1 |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\SIAH` | 1352(Explorer.EXE) | Wevohi | `QM7LaebONjLfUzsKj/sQmzUrnYQPJufNSwJfiFr02fBKeG3an4Hq98FI204I7zzSfZkG7S1+kgOSZbr12hoTYBQLaGvDhNs7Smwl5IqPVaNsmFGMkFqIyOs5JNIPbeE2IZj8YoxARNnYBJTOHNqJkaeqVfo=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\SIAH` | 1352(Explorer.EXE) | Wevohi | `QM7LaebONjLfUzsKj/sQmzUrnYQPJufNSwJfiFr02fBKeG3an4Hq98FI204I7zzSfZlDkC1+kgOSZbr12hoTYBQLaGvDhNs7Smwl5IqPVaNsmFGMkFqIyOs5JNIPbeE2IZj8YoxARNnYBJTOHNqJkaeqVfo=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS` | 1352(Explorer.EXE) | SavedLegacySettings | `PAAAADoAAAABAAAAAAAAAAAAAAAAAAAABAAAAAAAAADQA5TMQOrLAQEAAAAKAAIPAAAAAAAAAAA=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER` | 748(svchost.exe) | TracesProcessed | 19 |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER` | 748(svchost.exe) | TracesSuccessful | 5 |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER` | 748(svchost.exe) | LastTraceFailure | 4 |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER` | 748(svchost.exe) | TracesProcessed | 20 |
| `\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393}` | 748(svchost.exe) | DhcpRetryStatus | 2 |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `dnB1uWVYV8C/XiPZ/lM0uxjN3S9TijbBeLYa4lFHw0QgddwgA3/FAGMPm1RL4MmYW1EVKMXg7DNDu4covfQIHvZ5gxIyvDolH5fa5lJq8+Y=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `ESJ8JrtSEddOs2/iHYSrno3iAIxTx6n9SJns3GoTuHTEUt41K+m6Cz9w6LePJie6x4KrTiKvTmyixeMgY48LYVwKvjsqijMmvUDXbRH1kaU=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `Eq2oI4Ph5E0eg88JSAIboHnCV5GqmWgWchX7bxOPzDFxd/dROaHboFbowMegoOOQrMm7PSE0NiWwcRJSoD8aifeq9POV/0/Z445I+PY6ISI=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `mAlHRi1mqBnrRpcvXiCa9G58z70P9MJG0GQK/JL+I6Fl9Dox7mLlgsOT4XWU8XKvdRPzubDVHmCBQab80Cu56ozFLH+Q0XiUta9jC0B2g3s=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `NakXEttKDZZ6wNNN6BsBoBAZD28t9GWUqY34Jtahy+WPJv4Ws9yvXKaaWQ56Kvn2HUm2HGUbLJLcgbtuNqhpCOImN4kGmjshiK3JHrwOjao=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `25KNt4vjrJImgvojrb4XhfaYvplXB//IneFpmKwOznBsEUmp4Cxu+P8QefUpI5Yc9nwP2PAKGpIZzvjovbVPq/gobpmfbNgvg8FqZ0kneq8=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `4+l3KUUA1Yd4iBV4zgFo4lST4BLhLv7MnUcti64/fU5udMRcXdysRODyG+IdycjFbLtUyXPYYcgNhdBZQHsCU346vNoxhxEr4cJ6Bq1FEvI=` |
| `\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG` | 1732(somi.exe) | Seed | `TwrYotvpQtG/wybfLZcHI9EVPkEMDuLxCX38a33WEAo6Zw183gSRmmKV0A4OfHjVixQhH2U3ewN3/ABLJAr/AZf69IA0FXh9Xf+Z/5kcY24=` |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{1209A444-8D68-11E1-9FE0-806D6172696F}` | 1732(somi.exe) | BaseClass | Drive |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{3F424040-87AB-11E2-9D93-806D6172696F}` | 1732(somi.exe) | BaseClass | Drive |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\{75EF541F-D065-11E1-AC7A-525400123456}` | 1732(somi.exe) | BaseClass | Drive |
| `\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS` | 1732(somi.exe) | Startup | `C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup` |

Filesystem Activity

| Path | PID | Action |
| --- | --- | --- |
| `\??\C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp` | 1592(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe` | 1592(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Viryq` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Ryry` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\debug.txt` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 916(Proforma%20Invoice.exe) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Folders.dbx` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Cookies\joe maldive@google[1].txt` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Offline.dbx` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\Identities\{7AF0EC96-F1E3-4261-9C70-E611584E16B9}\Microsoft\Outlook Express\Inbox.dbx` | 1352(Explorer.EXE) | Created |
| `\??\C:\Documents and Settings\Joe Maldive\Application Data\Ryry\etefu.toe` | 1352(Explorer.EXE) | Created |
| `\??\C:\DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp` | 1732(somi.exe) | Created |
| `Documents and Settings\Joe Maldive\Start Menu\Programs\Startup\config.exe` | 1592(Proforma%20Invoice.exe) | Deleted |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1592(Proforma%20Invoice.exe) | Deleted |
| `lsarpc` | 1592(Proforma%20Invoice.exe) | Deleted |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp` | 1592(Proforma%20Invoice.exe) | Deleted |
| `Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 916(Proforma%20Invoice.exe) | Deleted |
| `debug.txt` | 916(Proforma%20Invoice.exe) | Deleted |
| `lsarpc` | 916(Proforma%20Invoice.exe) | Deleted |
| `debug.txt` | 1704(somi.exe) | Deleted |
| `lsarpc` | 1704(somi.exe) | Deleted |
| `lsass` | 492(lsass.exe) | Deleted |
| `Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\webhp[1].htm` | 1352(Explorer.EXE) | Deleted |
| `lsarpc` | 1352(Explorer.EXE) | Deleted |
| `Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm` | 1352(Explorer.EXE) | Deleted |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@google[2].txt` | 1352(Explorer.EXE) | Deleted |
| `Documents and Settings\Joe Maldive\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\config[1].bin` | 1352(Explorer.EXE) | Deleted |
| `debug.txt` | 1352(Explorer.EXE) | Deleted |
| `Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab` | 1352(Explorer.EXE) | Deleted |
| `ROUTER` | 748(svchost.exe) | Deleted |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1732(somi.exe) | Deleted |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp` | 1732(somi.exe) | Deleted |
| `lsarpc` | 1732(somi.exe) | Deleted |
| `temp\Proforma%20Invoice.exe` | 1592(Proforma%20Invoice.exe) | Read |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut1.tmp` | 1592(Proforma%20Invoice.exe) | Read |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1592(Proforma%20Invoice.exe) | Read |
| `lsarpc` | 1592(Proforma%20Invoice.exe) | Read |
| `temp\Proforma%20Invoice.exe` | 916(Proforma%20Invoice.exe) | Read |
| `lsarpc` | 916(Proforma%20Invoice.exe) | Read |
| `lsarpc` | 1704(somi.exe) | Read |
| `Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 1704(somi.exe) | Read |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\tmpeaaff6e6.bat` | 1800(cmd.exe) | Read |
| `WINDOWS\Prefetch\CMD.EXE-087B4001.pf` | 1800(cmd.exe) | Read |
| `lsass` | 492(lsass.exe) | Read |
| `WINDOWS\system32\rsaenh.dll` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\All Users\Start Menu\desktop.ini` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@www.microsoft[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Start Menu\Programs\desktop.ini` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@mathtag[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@dl.javafx[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@crowdscience[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@c.atdmt[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@forums.adobe[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@www.ugdturner[1].txt` | 1352(Explorer.EXE) | Read |
| `lsarpc` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@mediaplex[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Application Data\Ryry\etefu.tmp` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@ad.wsod[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@c.msn[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@sun[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@live[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@www.cnn[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@dpm.demdex[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@c.bing[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@www.java[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\All Users\Start Menu\Programs\desktop.ini` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@brighthub[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@translate.googleapis[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@tweetmeme[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@exp.www.msn[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Application Data\Microsoft\Address Book\Joe Maldive.wab` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@exelator[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@twitter[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@voicefive[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@ziffdavis.demdex[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@contextweb[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@technet.microsoft[2].txt` | 1352(Explorer.EXE) | Read |
| `AUTOEXEC.BAT` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@labnol[2].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@m.webtrends[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@download.mozilla[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@java[1].txt` | 1352(Explorer.EXE) | Read |
| `Documents and Settings\Joe Maldive\Cookies\joe maldive@adbrite[2].txt` | 1352(Explorer.EXE) | Read |
| `ROUTER` | 748(svchost.exe) | Read |
| `Documents and Settings\Joe Maldive\Application Data\desktop.ini` | 1732(somi.exe) | Read |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\aut2.tmp` | 1732(somi.exe) | Read |
| `DOCUME~1\JOEMAL~1\LOCALS~1\Temp\f.txt` | 1732(somi.exe) | Read |
| `lsarpc` | 1732(somi.exe) | Read |
| `Documents and Settings\Joe Maldive\Application Data\Viryq\somi.exe` | 1732(somi.exe) | Read |
| `WINDOWS\system32\rsaenh.dll` | 788(svchost.exe) | Read |
| `WINDOWS\system32\drivers\etc\hosts` | 788(svchost.exe) | Read |

By admin