gutyeaz.com

DNS Lookup
Host Name                  IP Address
dell-d3e62f7e26            10.1.6.2
gutyeaz.com                184.106.247.215
kadds.ru                   91.211.117.127
rapidshare.com             195.122.131.4
rs286l34.rapidshare.com    62.67.1.87
UDP Connections
Remote IP Address: 184.106.247.215 Port: 2727
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: 184.106.247.215 Port: 2727
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: 91.211.117.127 Port: 2727
Send Datagram: packet(s) of size 21
Send Datagram: 3 packet(s) of size 10
Send Datagram: packet(s) of size 20
Send Datagram: 3 packet(s) of size 2
Send Datagram: packet(s) of size 1
Recv Datagram: 6457 packet(s) of size 0
Recv Datagram: packet(s) of size 21
Recv Datagram: packet(s) of size 10
Recv Datagram: packet(s) of size 514
Recv Datagram: packet(s) of size 94
Download URLs
http://195.122.131.4/files/433082601/3.exe (rapidshare.com)
http://62.67.1.87/files/433082601/3.exe (rs286l34.rapidshare.com)

Outgoing connection to remote server: rapidshare.com TCP port 80
Outgoing connection to remote server: rs286l34.rapidshare.com TCP port 80
SMTP: 67.195.168.31:25
SMTP: 67.195.168.230:25
SMTP: 74.6.136.65:25

Registry Changes by all processes
Create or Open
Changes
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sudalaf" = C:\WINDOWS\system32\doofen.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sudalaf" = C:\WINDOWS\system32\doofen.exe
Reads
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
  HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
  HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"
  HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
  HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
  HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sudalaf"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sudalaf"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
  HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor "~MHz"
  HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor "ProcessorNameString"

File Changes by all processes
New Files
  \Device\RasAcd
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
  C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4579.exe
  \Device\Tcp
  \Device\Ip
  \Device\Ip
  \Device\Tcp6
  \Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
  C:\WINDOWS\system32\copoosyk.exe
  \Device\Tcp
  \Device\Ip
  \Device\Ip
  \Device\Tcp6
  \Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
  C:\WINDOWS\system32\doofen.exe
  C:\WINDOWS\system32\doofen.exe
Opened Files
  C:\WINDOWS\Registration\R000000000007.clb
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
  \\.\PIPE\lsarpc
  C:\WINDOWS\AppPatch\sysmain.sdb
  C:\WINDOWS\AppPatch\systest.sdb
  \Device\NamedPipe\ShimViewer
  C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
  \\.\Ip
  \\.\PIPE\samr
  C:\WINDOWS\AppPatch\sysmain.sdb
  C:\WINDOWS\AppPatch\systest.sdb
  \Device\NamedPipe\ShimViewer
  C:\WINDOWS\system32
  \\.\Ip
  \\.\PIPE\samr
Deleted Files
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
Chronological Order
  Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
  Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
  Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
  Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
  Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
  Copy File: c:\back.exe to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
  Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe (OPEN_EXISTING)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4579.exe
  Get File Attributes: c:\cwsandbox\cwsandbox.exe Flags: (SECURITY_ANONYMOUS)
  Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
  Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
  Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
  Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
  Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4579.exe
  Create/Open File: \Device\Tcp (OPEN_ALWAYS)
  Create/Open File: \Device\Ip (OPEN_ALWAYS)
  Create/Open File: \Device\Ip (OPEN_ALWAYS)
  Open File: \\.\Ip (OPEN_EXISTING)
  Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
  Create/Open File: \Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
  Open File: \\.\PIPE\samr (OPEN_EXISTING)
  Move File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4579.exe to C:\WINDOWS\system32\copoosyk.exe
  Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
  Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
  Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32 ()
  Find File: C:\WINDOWS\system32\copoosyk.exe
  Create/Open File: \Device\Tcp (OPEN_ALWAYS)
  Create/Open File: \Device\Ip (OPEN_ALWAYS)
  Create/Open File: \Device\Ip (OPEN_ALWAYS)
  Open File: \\.\Ip (OPEN_EXISTING)
  Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
  Create/Open File: \Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
  Open File: \\.\PIPE\samr (OPEN_EXISTING)
  Move File: C:\WINDOWS\system32\copoosyk.exe to C:\WINDOWS\system32\doofen.exe
  Copy File: C:\WINDOWS\system32\copoosyk.exe to C:\WINDOWS\system32\doofen.exe
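The report above is only useful once its lines are turned into indicators and the drop/rename chain is followed to the binary that actually persists (Temp\4579.exe becomes copoosyk.exe, which becomes doofen.exe, the file named in the Run key; back.exe is copied to juzjf.exe, marked hidden+system, and registered in Winlogon's Taskman value, an autostart location checked far less often than Run). The script below is an added example, not part of the original report or the sandbox's own tooling: it parses a constructed excerpt of the lines above (backslashes restored), drops the lab-local DNS entry, collects network and persistence indicators, and resolves the Move File chains. Which registry keys count as autostart (AUTOSTART_KEYS) and the hidden+system heuristic are this script's own assumptions.

```python
"""Pull indicators out of a CWSandbox-style report and follow its rename chains.

Added example, not part of the original report. SAMPLE_REPORT is a constructed
excerpt of the report lines above with path backslashes restored; AUTOSTART_KEYS
and the hidden+system heuristic are this script's own assumptions.
"""
from __future__ import annotations

import ipaddress
import json
import re
from collections import defaultdict

# Constructed from the report above (not a live sandbox run).
SAMPLE_REPORT = r"""
dell-d3e62f7e26 10.1.6.2
gutyeaz.com 184.106.247.215
kadds.ru 91.211.117.127
rapidshare.com 195.122.131.4
rs286l34.rapidshare.com 62.67.1.87
Remote IP Address: 184.106.247.215 Port: 2727
Remote IP Address: 91.211.117.127 Port: 2727
http://195.122.131.4/files/433082601/3.exe (rapidshare.com)
http://62.67.1.87/files/433082601/3.exe (rs286l34.rapidshare.com)
SMTP: 67.195.168.31:25
SMTP: 74.6.136.65:25
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sudalaf" = C:\WINDOWS\system32\doofen.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
Copy File: c:\back.exe to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\juzjf.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Move File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4579.exe to C:\WINDOWS\system32\copoosyk.exe
Move File: C:\WINDOWS\system32\copoosyk.exe to C:\WINDOWS\system32\doofen.exe
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DNS_RE = re.compile(rf"^(\S+)\s+({IPV4})$")
UDP_RE = re.compile(rf"^Remote IP Address:\s*({IPV4})\s+Port:\s*(\d+)$")
URL_RE = re.compile(r"^(https?://\S+)")
SMTP_RE = re.compile(rf"^SMTP:\s*({IPV4}):\d+$")
REG_RE = re.compile(r'^(?:Changes\s+)?(HKEY_\S.*?)\s+"([^"]+)"\s*=\s*(.+)$')
FILE_RE = re.compile(r"^(Copy|Move) File:\s*(.+?)\s+to\s+(.+)$")
ATTR_RE = re.compile(r"^Set File Attributes:\s*(.+?)\s+Flags:\s*\((.*)\)$")

# Autostart locations treated as persistence (assumption: a short list, not every
# location Windows honours). Winlogon's Taskman value is run by Winlogon at logon.
AUTOSTART_KEYS = (r"\CurrentVersion\Winlogon", r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")


def extract_iocs(report: str) -> dict[str, list[str]]:
    """Return indicators grouped by type; lab-local (private) DNS answers are dropped."""
    iocs: dict[str, set[str]] = defaultdict(set)
    for raw in report.splitlines():
        line = raw.strip()
        if m := DNS_RE.match(line):
            host, ip = m.groups()
            if not ipaddress.ip_address(ip).is_private:   # skips dell-d3e62f7e26 / 10.1.6.2
                iocs["domains"].add(host.lower())
                iocs["ips"].add(ip)
        elif m := UDP_RE.match(line):
            iocs["udp_endpoints"].add(f"{m[1]}:{m[2]}")
        elif m := URL_RE.match(line):
            iocs["download_urls"].add(m[1])
        elif m := SMTP_RE.match(line):
            iocs["smtp_servers"].add(m[1])
        elif m := REG_RE.match(line):                    # only "key "value" = data" lines
            key, value, data = m.groups()
            if key.endswith(AUTOSTART_KEYS):
                iocs["persistence"].add(f'{key} "{value}" = {data}')
                iocs["dropped_files"].add(data)
        elif m := FILE_RE.match(line):
            iocs["dropped_files"].add(m[3])              # destination of a Copy/Move
        elif m := ATTR_RE.match(line):
            path, flags = m.groups()
            # hidden+system on a freshly copied binary is a concealment tell (assumption)
            if {"FILE_ATTRIBUTE_HIDDEN", "FILE_ATTRIBUTE_SYSTEM"} <= set(flags.split()):
                iocs["hidden_files"].add(path)
    return {k: sorted(v) for k, v in iocs.items()}


def trace_renames(report: str) -> dict[str, str]:
    """Follow 'Move File' chains so each source maps to its final on-disk name.
    Keys are lower-cased because Windows paths are case-insensitive."""
    moves = {m[2].lower(): m[3] for line in report.splitlines()
             if (m := FILE_RE.match(line.strip())) and m[1] == "Move"}
    final: dict[str, str] = {}
    for src, dst in moves.items():
        seen = {src}
        while dst.lower() in moves and dst.lower() not in seen:  # stop on cycles
            seen.add(dst.lower())
            dst = moves[dst.lower()]
        final[src] = dst
    return final


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
    for src, dst in trace_renames(SAMPLE_REPORT).items():
        print(f"{src} -> {dst}")
```

Run it against a full report by replacing SAMPLE_REPORT with the file contents; the "persistence" and "hidden_files" lists are what to check first on a suspect host, and the rename map tells you which final filename to hunt for rather than the transient Temp name.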
