DNS Lookup
Host Name IP Address
0 127.0.0.1
institutoterra.org.br
institutoterra.org.br 200.234.200.152
UDP Connections
Remote IP Address: 127.0.0.1 Port: 1060
Send Datagram: 1495 packet(s) of size 1
Recv Datagram: 1495 packet(s) of size 1
Download URLs
http://200.234.200.152/js/gtec.jpg (institutoterra.org.br)
http://200.234.200.152/js/mtec.jpg (institutoterra.org.br)
Outgoing connection to remote server: institutoterra.org.br TCP port 80
DNS Lookup
Host Name IP Address
jetrotrullinter.net 187.45.195.134
elearning2.huc.edu 216.154.214.21
Download URLs
http://187.45.195.134/localtxt/smart.txt (jetrotrullinter.net)
Data posted to URLs
http://216.154.214.21/continuinged/libs.php (elearning2.huc.edu)
Outgoing connection to remote server: jetrotrullinter.net TCP port 80
Outgoing connection to remote server: elearning2.huc.edu TCP port 8
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme “Type” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme “ErrorControl” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme “Start” = [REG_DWORD, value: 00000003]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme “ImagePath” = [REG_EXPAND_SZ, value: \??\C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\catchme.sys]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme “Group” = [REG_EXPAND_SZ, value: Base]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “FirstRunn” = C:\Winnet\WinSockx.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “10”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes “MS Shell Dlg 2”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “EnableExtensions”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DelayedExpansion”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DefaultColor”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “CompletionChar”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “PathCompletionChar”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “AutoRun”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DisableUNCCheck”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “EnableExtensions”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DelayedExpansion”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DefaultColor”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “CompletionChar”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “PathCompletionChar”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “AutoRun”
File Changes by all processes
New Files
\Device\RasAcd
\Device\Tcp
\Device\Ip
C:\APPCANNON\catchme.exe
C:\APPCANNON\SEXO.bat
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\catchme.sys
C:\Dokumente und Einstellungen\Administrator\Desktop\catchme.log
C:\ZQ561401.rar
Opened Files
\\.\PIPE\lsarpc
c:\autoexec.bat
\\.\PIPE\ROUTER
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\Winnet
C:\WINDOWS\system32
C:\APPCANNON\SEXO.bat
C:\APPCANNON
\\.\C:
\\.\PhysicalDrive0
\\?\Volume{068250df-fe63-11d5-978d-806d6172696f}
\\.\catchme
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\catchme.sys
Deleted Files
C:\Dokumente und Einstellungen\Administrator\Desktop\catchme.log
C:\APPCANNON\catchme.exe
C:\APPCANNON\SEXO.bat
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\catchme.sys
Chronological Order
Get File Attributes: C:\Winnet Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\Winnet ()
Find File: C:\Winnet\WinSocky.exe
Find File: C:\Winnet\WinSockx.exe
Find File: C:\Winnet\WinSocky.de-DE
Find File: C:\Winnet\WinSocky.de
Find File: C:\Winnet\WinSocky.DEU
Find File: C:\Winnet\WinSocky.DE
Create File: C:\APPCANNON\catchme.exe
Create File: C:\APPCANNON\SEXO.bat
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\cmd.exe
Delete File: C:\Dokumente und Einstellungen\Administrator\Desktop\catchme.log
Delete File: C:\APPCANNON\catchme.exe
Delete File: C:\APPCANNON\SEXO.bat
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:\APPCANNON\SEXO.bat
Open File: C:\APPCANNON\SEXO.bat (OPEN_EXISTING)
Find File: C:\APPCANNON\catchme.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\APPCANNON ()
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\C: (OPEN_EXISTING)
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Open File: \\?\Volume{068250df-fe63-11d5-978d-806d6172696f} (OPEN_EXISTING)
Open File: \\.\catchme (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\catchme.sys (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\catchme.sys
Delete File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\catchme.sys
Create/Open File: C:\Dokumente und Einstellungen\Administrator\Desktop\catchme.log (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\C: (OPEN_EXISTING)
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Open File: \\?\Volume{068250df-fe63-11d5-978d-806d6172696f} (OPEN_EXISTING)
Open File: \\.\catchme (OPEN_EXISTING)
Create/Open File: C:\Dokumente und Einstellungen\Administrator\Desktop\catchme.log (OPEN_ALWAYS)
Find File: C:\Winnet\WinSockx.de-DE
Find File: C:\Winnet\WinSockx.de
Find File: C:\Winnet\WinSockx.DEU
Find File: C:\Winnet\WinSockx.DE
Get File Attributes: C:\ZQ561401.rar Flags: (SECURITY_ANONYMOUS)
Create File: C:\ZQ561401.rar
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)