qiu1984.2288.org: type A, class IN, addr 60.173.8.181
Outgoing connection to remote server: qiu1984.2288.org TCP port 7089
Outgoing connection to remote server: qiu1984.2288.org TCP port 7089
Outgoing connection to remote server: qiu1984.2288.org TCP port 7089
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Install “Debug” = C:\Programme\NVIDIA\YRntEx.OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32 “” = C:\Programme\NVIDIA\YRntEx.Dll
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SOFTWARE\Install “Debug”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SYSTEM\Setup “Host”
“~MHz”
Enums
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
File Changes by all processes
New Files
C:\Programme\NVIDIA\YRntEx.Dll
C:\Programme\NVIDIA\YRntEx.OLE
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\HM32.LOG
\Device\RasAcd
Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
C:\Programme\NVIDIA\YRntEx.OLE
\\.\PHYSICALDRIVE0
Deleted Files
Chronological Order
Set File Attributes: C:\Programme\NVIDIA Flags: (FILE_ATTRIBUTE_HIDDEN SECURITY_ANONYMOUS)
Get File Attributes: C:\Programme\NVIDIA\YRntEx.Dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\Programme\NVIDIA\YRntEx.Dll
Get File Attributes: C:\Programme\NVIDIA\YRntEx.OLE Flags: (SECURITY_ANONYMOUS)
Create File: C:\Programme\NVIDIA\YRntEx.OLE
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\RUNDLL32.EXE
Move File: c:\amun\80fdffc1ae91fdd1f4d631e37e372018.exe to C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\HM32.LOG
Move File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\HM32.LOG to
Get File Attributes: C:\Programme\NVIDIA\YRntEx.Dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Programme\NVIDIA\YRntEx.Dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:\Programme\NVIDIA\YRntEx.OLE (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PHYSICALDRIVE0 (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\log.key Flags: (SECURITY_ANONYMOUS)