DNS Lookup
Host Name IP Address
direct.ips.co.jp 202.218.13.230
loja.tray.com.br 201.20.35.20
www.imusica.com.br 201.49.212.100
www.digimer.com.br 187.17.83.154
www.kajima.co.jp 203.180.140.61
www.ristex.jp 222.146.58.38
m-repo.lib.meiji.ac.jp 133.26.200.10
www.science-forum.co.jp 202.191.113.9
bunker.org.ua 195.214.214.53
opens
www.iknow.co.jp 184.72.216.126
secure.fox
shop.poziti
rastu.com.ua
Outgoing connection to remote server: 208.110.80.34 TCP port 443
Outgoing connection to remote server: direct.ips.co.jp TCP port 443
Outgoing connection to remote server: loja.tray.com.br TCP port 443
Outgoing connection to remote server: loja.tray.com.br TCP port 443
Outgoing connection to remote server: direct.ips.co.jp TCP port 443
Outgoing connection to remote server: www.imusica.com.br TCP port 443
Outgoing connection to remote server: www.digimer.com.br TCP port 443
Outgoing connection to remote server: www.kajima.co.jp TCP port 443
Outgoing connection to remote server: www.ristex.jp TCP port 443
Outgoing connection to remote server: m-repo.lib.meiji.ac.jp TCP port 443
Outgoing connection to remote server: www.science-forum.co.jp TCP port 443
Outgoing connection to remote server: bunker.org.ua TCP port 443
Outgoing connection to remote server: bunker.org.ua TCP port 443
Outgoing connection to remote server: bunker.org.ua TCP port 443
Outgoing connection to remote server: www.iknow.co.jp TCP port 443
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wuaucldt" = c:\windows\system32\wuaucldt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wuaucldt" = c:\dokumente und einstellungen\administrator\wuaucldt.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxUserPort" = [REG_DWORD, value: 0000FFFE]
Reads HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_CURRENT_USER\Software\Microsoft "OSVersion"
File Changes by all processes
New Files \\.\pipe\firstnormalpipe1
\\.\pipe\secondnormalpipe2
c:\windows\system32\wuaucldt.exe
c:\dokumente und einstellungen\administrator\wuaucldt.exe
\\.\pipe\firstnormalpipe1
\\.\pipe\secondnormalpipe2
\Device\RasAcd
C:\WINDOWS\system32\drivers\cdrom.sys
C:\WINDOWS\system32\dllcache\cdrom.sys
\Device\RasAcd
\Device\Tcp
\Device\Ip
\Device\Ip
Opened Files \\.\pipe\firstnormalpipe1
\\.\pipe\secondnormalpipe2
c:\atmo.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\windows\system32
C:\WINDOWS\system32
\\.\pipe\firstnormalpipe1
\\.\pipe\secondnormalpipe2
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
\\.\PhysicalDrive0
\\.\PhysicalDrive0
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\System32
C:\WINDOWS\system32\drivers\cdrom.sys
\\.\PIPE\SfcApi
C:\WINDOWS\system32\regedit.exe
\\.\Ip
Deleted Files c:\atmo.exe
Chronological Order Create NamedPipe: \\.\pipe\firstnormalpipe1
Create NamedPipe: \\.\pipe\secondnormalpipe2
Open File: \\.\pipe\firstnormalpipe1 (OPEN_EXISTING)
Open File: \\.\pipe\secondnormalpipe2 (OPEN_EXISTING)
Open File: c:\atmo.exe (OPEN_EXISTING)
Create File: c:\windows\system32\wuaucldt.exe
Create File: c:\dokumente und einstellungen\administrator\wuaucldt.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\windows\system32 ()
Find File: C:\WINDOWS\system32\wuaucldt.exe
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\cmd.exe
Create NamedPipe: \\.\pipe\firstnormalpipe1
Create NamedPipe: \\.\pipe\secondnormalpipe2
Open File: \\.\pipe\firstnormalpipe1 (OPEN_EXISTING)
Open File: \\.\pipe\secondnormalpipe2 (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\svchost.exe
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Get File Attributes: c:\atmo.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Find File: c:\atmo.exe
Delete File: c:\atmo.exe
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\System32 ()
Find File: C:\WINDOWS\system32\svchost.exe
Open File: C:\WINDOWS\system32\drivers\cdrom.sys (OPEN_EXISTING)
Open File: \\.\PIPE\SfcApi (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\drivers\cdrom.sys
Create File: C:\WINDOWS\system32\dllcache\cdrom.sys
Open File: C:\WINDOWS\system32\regedit.exe (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)