Loading ...

Analysis Report

Overview

General Information

Analysis ID:0
Start time:14:54:49
Start date:05/02/2015
Overall analysis duration:0h 4m 37s
Report type:full
Sample file name:Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:7
HCA enabled:true
HCA success:
  • true, ratio: 100%
  • Number of executed functions: 279
  • Number of non-executed functions: 1211
Warnings:
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

StrategyReport FP/FN
Threshold malicious


Signature Overview


Protection of GUI:

barindex
Contains functionality to create a new desktopShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003CD865 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,0_2_003CD865

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to read the clipboard dataShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003BBECC NtCreateThread,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,0_2_003BBECC
Contains functionality to retrieve information about pressed keystrokesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003CAEFC EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,0_2_003CAEFC
Hooks clipboard functions (used to sniff clipboard data)Show sources
Source: explorer.exeIAT, EAT or inline hook detected: module: USER32.dll function: GetClipboardData

E-Banking Fraud:

barindex
Hooks winsocket function (used for sniffing or altering network traffic)Show sources
Source: explorer.exeFile created: function: InternetReadFile

Networking:

barindex
Urls found in memory or binary dataShow sources
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeString found in binary or memory: http://
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://crl.microsoft.com/pki/crl/products/cspca.crl0h
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://crl.microsoft.com/pki/crl/products/tspca.crl0h
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://csc3-2009-aia.verisign.com/csc3-2009.cer0
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://csc3-2009-crl.verisign.com/csc3-2009.crl0d
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://go.adobe.com/kb/ts_cpsid_83708_en-usmoreinfourl0minorupdatetargetrtmadobe
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://microsoft.com0
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://ocsp.verisign.com0;
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://support.microsoft.com/?kbid=2484033
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeString found in binary or memory: http://www.google.com/webhp
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://www.microsoft.com/pki/certs/cspca.crt0
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: http://www.microsoft.com/pki/certs/tspca.crt0
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeString found in binary or memory: https://
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: https://www.verisign.com/rpa
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drString found in binary or memory: https://www.verisign.com/rpa0
Contains functionality to download additional files from the internetShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003BBECC NtCreateThread,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,0_2_003BBECC
Downloads a pdf file with wrong headerShow sources
Source: httpBad PDF prefix: HTTP/1.1 200 OK Content-Length: 43 Content-Type: text/html Date: Thu, 05 Feb 2015 13:54:15 GMT Data Raw: 42 75 63 6b 65 74 3d 31 31 33 38 31 35 35 32 34 34 0a 42 75 63 6b 65 74 54 61 62 6c 65 3d 35 0a 52 65 73 70 6f 6e 73 65 3d 31 0a Data Ascii: Bucket=1138155244BucketTable=5Response=1
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /StageOne/Generic/PnPRequestAdditionalSoftware/x86/USB_VID_80EE_PID_0021_REV_0100/6_1_0_0/0409/input_inf/_.htm?LCID=1033&OS=6.1.7600.2.00010100.0.0.48.16385&SM=innotek%20GmbH&SPN=VirtualBox&BV=VirtualBox&MID=4120A070-FD2D-4714-91B1-58190D826E31&Queue=1 HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW Host: watson.microsoft.com
Source: global trafficHTTP traffic detected: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 86412 Connection: Keep-Alive Accept: */* If-Modified-Since: Tue, 28 Jun 2011 16:26:26 GMT If-None-Match: "0255720b035cc1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
Source: global trafficHTTP traffic detected: GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1 Connection: Keep-Alive Accept: */* If-Modified-Since: Mon, 21 Mar 2011 18:10:04 GMT If-None-Match: "9f711034f3e7cb1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com
Source: global trafficHTTP traffic detected: GET /pki/crl/products/WinPCA.crl HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: */* If-Modified-Since: Mon, 11 Jul 2011 17:48:17 GMT If-None-Match: "529950b7f23fcc1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com
Source: global trafficHTTP traffic detected: GET /pki/crl/products/WinPCA.crl HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: www.microsoft.com
Source: global trafficHTTP traffic detected: GET /fwlink/?LinkId=182227 HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: WATClient Host: go.microsoft.com
Source: global trafficHTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: */* Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com
Source: global trafficHTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Cache-Control: max-age = 478693 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 06 Aug 2011 06:28:48 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
Source: global trafficHTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: */* Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: watson.microsoft.com
Posts data to webserverShow sources
Source: unknownHTTP traffic detected: POST /fwlink/?LinkId=151642 HTTP/1.1 Connection: Keep-Alive Accept: text/* User-Agent: SLSSoapClient Content-Length: 0 Host: go.microsoft.com
Uses a known web browser user agent for HTTP communicationShow sources
Source: global trafficHTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: */* Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /3/serverphp/cfg.bin HTTP/1.1 Accept: */* Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: fiu-eu.org Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.2.151:50036 -> 224.0.0.252:5355

Boot Survival:

barindex
Creates an autostart registry keyShow sources
Source: C:\Windows\System32\taskhost.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run {4444357F-85DA-FDF7-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run {4444357F-85DA-FDF7-676C-E42BACAD1769}
Monitors registry run keys for changesShow sources
Source: C:\Windows\System32\taskhost.exeRegistry key monitored: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C67DB socket,bind,#3,0_2_003C67DB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C64FD socket,bind,listen,#3,0_2_003C64FD
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_004167DB socket,bind,closesocket,0_2_004167DB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_004164FD socket,bind,listen,closesocket,0_2_004164FD
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeCode function: 1_2_004167DB socket,bind,closesocket,1_2_004167DB
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeCode function: 1_2_004164FD socket,bind,listen,closesocket,1_2_004164FD
Source: C:\Windows\System32\taskhost.exeCode function: 2_2_011A64FD socket,bind,listen,#3,2_2_011A64FD
Source: C:\Windows\System32\taskhost.exeCode function: 2_2_011A67DB socket,bind,#3,2_2_011A67DB
Source: C:\Windows\System32\dwm.exeCode function: 4_2_006464FD socket,bind,listen,#3,4_2_006464FD
Source: C:\Windows\System32\dwm.exeCode function: 4_2_006467DB socket,bind,#3,4_2_006467DB
Source: C:\Windows\explorer.exeCode function: 5_2_01B664FD socket,bind,listen,#3,5_2_01B664FD
Source: C:\Windows\explorer.exeCode function: 5_2_01B667DB socket,bind,#3,5_2_01B667DB
Source: C:\Windows\System32\conhost.exeCode function: 6_2_000C67DB socket,bind,#3,6_2_000C67DB
Source: C:\Windows\System32\conhost.exeCode function: 6_2_000C64FD socket,bind,listen,#3,6_2_000C64FD
Source: C:\Windows\System32\taskhost.exeCode function: 7_2_005167DB socket,bind,#3,7_2_005167DB
Source: C:\Windows\System32\taskhost.exeCode function: 7_2_005164FD socket,bind,listen,#3,7_2_005164FD
Source: C:\Windows\System32\WinSAT.exeCode function: 8_2_01D264FD socket,bind,listen,#3,8_2_01D264FD
Source: C:\Windows\System32\WinSAT.exeCode function: 8_2_01D267DB socket,bind,#3,8_2_01D267DB
Source: C:\Windows\System32\conhost.exeCode function: 9_2_001B67DB socket,bind,#3,9_2_001B67DB
Source: C:\Windows\System32\conhost.exeCode function: 9_2_001B64FD socket,bind,listen,#3,9_2_001B64FD
Source: C:\Windows\System32\cmd.exeCode function: 10_2_000467DB socket,bind,#3,10_2_000467DB
Source: C:\Windows\System32\cmd.exeCode function: 10_2_000464FD socket,bind,listen,#3,10_2_000464FD
Contains VNC / remote desktop functionality (RFB version string found)Show sources
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeString found in binary or memory: RFB 003.003

Stealing of Sensitive Information:

barindex
Steals Internet Explorer cookiesShow sources
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@promotion.adobe[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@apmebf[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@live[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@wemfbox[2].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bing[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@msnportal.112.2o7[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@usa[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@scorecardresearch[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@adobe[3].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@exp.www.msn[2].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@msn[2].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@sun[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@mediaplex[2].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@adobe[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@java[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@doubleclick[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@atdmt[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bing[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@c.bing[1].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@dl.javafx[2].txt
Source: C:\Windows\System32\taskhost.exeFile read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@ad.wsod[2].txt
Searches for Windows Mail specific filesShow sources
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\System32\taskhost.exeDirectory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeFile created: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe

Data Obfuscation:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C70A1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary,0_2_003C70A1
PE file contains an invalid checksumShow sources
Source: initial sampleStatic PE information: real checksum: 0x0 should be: 0x2399b

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C8AE4 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,0_2_003C8AE4

System Summary:

barindex
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\coretech\source\roxy_acrobat_9x\jpeg2k\public\binaries\windows\vs2005\release\dynamic\JP2KLib.pdb source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)Show sources
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drBinary string: ! cci: !NCI: Op=BIND, Layer=NDIS, Upper=Tcpip6 Lower=\Device\{40017925-B58D-4581-8665-C6C9EDC5B7EF}, Error=00000019
Contains functionality to access the windows certificate storeShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003CD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_003CD5FB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003CD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,0_2_003CD486
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_0041D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_0041D5FB
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_0041D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,0_2_0041D486
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeCode function: 1_2_0041D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,1_2_0041D5FB
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeCode function: 1_2_0041D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,1_2_0041D486
Source: C:\Windows\System32\taskhost.exeCode function: 2_2_011AD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,2_2_011AD5FB
Source: C:\Windows\System32\taskhost.exeCode function: 2_2_011AD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,2_2_011AD486
Source: C:\Windows\System32\dwm.exeCode function: 4_2_0064D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,4_2_0064D486
Source: C:\Windows\System32\dwm.exeCode function: 4_2_0064D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,4_2_0064D5FB
Source: C:\Windows\explorer.exeCode function: 5_2_01B6D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,5_2_01B6D5FB
Source: C:\Windows\explorer.exeCode function: 5_2_01B6D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,5_2_01B6D486
Source: C:\Windows\System32\conhost.exeCode function: 6_2_000CD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,6_2_000CD486
Source: C:\Windows\System32\conhost.exeCode function: 6_2_000CD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,6_2_000CD5FB
Source: C:\Windows\System32\taskhost.exeCode function: 7_2_0051D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,7_2_0051D5FB
Source: C:\Windows\System32\taskhost.exeCode function: 7_2_0051D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,7_2_0051D486
Source: C:\Windows\System32\WinSAT.exeCode function: 8_2_01D2D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,8_2_01D2D5FB
Source: C:\Windows\System32\WinSAT.exeCode function: 8_2_01D2D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,8_2_01D2D486
Source: C:\Windows\System32\conhost.exeCode function: 9_2_001BD486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,9_2_001BD486
Source: C:\Windows\System32\conhost.exeCode function: 9_2_001BD5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,9_2_001BD5FB
Source: C:\Windows\System32\cmd.exeCode function: 10_2_0004D5FB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,10_2_0004D5FB
Source: C:\Windows\System32\cmd.exeCode function: 10_2_0004D486 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,10_2_0004D486
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C4A87 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_003C4A87
Contains functionality to enum processes or threadsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C4A30 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,0_2_003C4A30
Creates files inside the user directoryShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeFile created: C:\Users\admin\AppData\Roaming\Oddyn
Creates temporary filesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeFile created: C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat
Executes batch filesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat
PE file has an executable .text section and no other executable sectionShow sources
Source: initial sampleStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Spawns processesShow sources
Source: unknownProcess created: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
Source: unknownProcess created: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe
Source: unknownProcess created: C:\Windows\System32\cmd.exe
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeProcess created: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe C:\Users\admin\AppData\Roaming\Oddyn\madog.exe
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\WinSAT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a07-f192-11d4-a65f-0040963251e5}\InProcServer32
Contains functionality to call native functionsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003BBECC NtCreateThread,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,0_2_003BBECC
Contains functionality to launch a process as a different userShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C4CDD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,0_2_003C4CDD
Contains functionality to shutdown / reboot the systemShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C2D01 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_003C2D01
Creates files inside the system directoryShow sources
Source: C:\Windows\System32\WinSAT.exeFile created: C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 DWM.Assessment (Recent).WinSAT.xml
Creates mutexesShow sources
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-D8D4-65C613159684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{CF5A2877-98D2-76E9-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{A2504957-F9F2-1BE3-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-B0D0-65C67B119684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-FCD7-65C637169684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-ECD9-65C627189684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-28D1-65C6E3109684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-30D2-65C6FB139684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-7CD1-65C6B7109684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-C0D1-65C60B109684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{CF5A2878-98DD-76E9-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-54D6-65C69F179684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-F8DD-65C6331C9684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{C3B6FF42-4FE7-7A05-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-9CD2-65C657139684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-80D3-65C64B129684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-C0DE-65C60B1F9684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-ACD8-65C667199684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-10D4-65C6DB159684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-F0D2-65C63B139684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-98D7-65C653169684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-A8D2-65C663139684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-38DC-65C6F31D9684}
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{33EF092D-B988-8A5C-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-ACD4-65C667159684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-50D7-65C69B169684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-D8D1-65C613109684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{3CF593A4-2301-8546-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-FCD1-65C637109684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-20D4-65C6EB159684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-64D1-65C6AF109684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-D0DE-65C61B1F9684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-54D4-65C69F159684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-04DF-65C6CF1E9684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-F8D3-65C633129684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-44D7-65C68F169684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-70D3-65C6BB129684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-4CD0-65C687119684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{C3B6FF43-4FE6-7A05-676C-E42BACAD1769}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{89F62C66-9CC3-3045-676C-E42BACAD1769}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-0CD2-65C6C7139684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{A2504954-F9F1-1BE3-676C-E42BACAD1769}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-FCD5-65C637149684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-98D3-65C653129684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{2BF62CF3-9C56-9245-676C-E42BACAD1769}
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-1CDF-65C6D71E9684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-94D7-65C65F169684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-6CD1-65C6A7109684}
Source: C:\Windows\System32\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-00DE-65C6CB1F9684}
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{822A19E9-A94C-3B99-B8D5-65C673149684}
Source: C:\Windows\System32\cmd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{A98E1C61-ACC4-103D-676C-E42BACAD1769}
Deletes Internet Explorer cookies via registryShow sources
Source: C:\Windows\System32\taskhost.exeRegistry key value created / modified: HKEY_USERS\Software\Microsoft\Internet Explorer\Privacy
Enables security privilegesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeProcess token adjusted: Security
Reads the hosts fileShow sources
Source: C:\Windows\System32\taskhost.exeFile read: C:\Windows\System32\drivers\etc\hosts

HIPS / PFW / Operating System Protection Evasion:

barindex
Contains functionality to add an ACL to a security descriptorShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C69AA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,0_2_003C69AA
Allocates memory in foreign processesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory allocated: C:\Windows\System32\cmd.exe base: 30000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory allocated: C:\Windows\System32\taskhost.exe base: 1190000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory allocated: C:\Windows\explorer.exe base: 1B50000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory allocated: C:\Windows\System32\conhost.exe base: B0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory allocated: C:\Windows\System32\taskhost.exe base: 500000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory allocated: C:\Windows\System32\WinSAT.exe base: 1D10000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory allocated: C:\Windows\System32\conhost.exe base: 1A0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory allocated: unknown base: 3B0000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory allocated: C:\Windows\System32\dwm.exe base: 630000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory allocated: unknown base: 3B0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writableShow sources
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 1190000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 11B2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 11B2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 11B2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 11B30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 11B3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 11B30C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\explorer.exe base: 1B50000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\explorer.exe base: 1B72BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\explorer.exe base: 1B72000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\explorer.exe base: 1B72C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\explorer.exe base: 1B730BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\explorer.exe base: 1B73000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\explorer.exe base: 1B730C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: B0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: D2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: D2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: D2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: D30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: D3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: D30C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 500000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 522BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 522000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 522C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 5230BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 523000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\taskhost.exe base: 5230C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\WinSAT.exe base: 1D10000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\WinSAT.exe base: 1D32BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\WinSAT.exe base: 1D32000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\WinSAT.exe base: 1D32C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\WinSAT.exe base: 1D330BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\WinSAT.exe base: 1D33000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\WinSAT.exe base: 1D330C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: 1A0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: 1C2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: 1C2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: 1C2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: 1C30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: 1C3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: C:\Windows\System32\conhost.exe base: 1C30C0 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: unknown base: 3B0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: unknown base: 3D2BF8 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: unknown base: 3D2000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: unknown base: 3D2C0C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: unknown base: 3D30BC protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: unknown base: 3D3000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory protected: unknown base: 3D30C0 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: C:\Windows\System32\dwm.exe base: 630000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: C:\Windows\System32\dwm.exe base: 652BF8 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: C:\Windows\System32\dwm.exe base: 652000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: C:\Windows\System32\dwm.exe base: 652C0C protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: C:\Windows\System32\dwm.exe base: 6530BC protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: C:\Windows\System32\dwm.exe base: 653000 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: C:\Windows\System32\dwm.exe base: 6530C0 protect: page execute and read and write
Source: C:\Windows\System32\taskhost.exeMemory protected: unknown base: 3B0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)Show sources
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeThreat created: C:\Windows\System32\taskhost.exe EIP: 11A2CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeThreat created: C:\Windows\explorer.exe EIP: 1B62CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeThreat created: C:\Windows\System32\conhost.exe EIP: C2CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeThreat created: C:\Windows\System32\taskhost.exe EIP: 512CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeThreat created: C:\Windows\System32\WinSAT.exe EIP: 1D22CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeThreat created: C:\Windows\System32\conhost.exe EIP: 1B2CF7
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeThreat created: unknown EIP: 3C2CF7
Source: C:\Windows\System32\taskhost.exeThreat created: C:\Windows\System32\dwm.exe EIP: 642CF7
Injects a PE file into a foreign processesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: C:\Windows\System32\cmd.exe base: 30000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 1190000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\explorer.exe base: 1B50000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: B0000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 500000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\WinSAT.exe base: 1D10000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: 1A0000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: unknown base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\taskhost.exeMemory written: C:\Windows\System32\dwm.exe base: 630000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)Show sources
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: PID: 2032 base: 1B50000 value: 4D
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: PID: 2032 base: 1B72BF8 value: 00
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: PID: 2032 base: 1B72C0C value: 00
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: PID: 2032 base: 1B730BC value: 98
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: PID: 2032 base: 1B730C0 value: 4C
Modifies the context of a thread in another process (thread injection)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeThread register set: target process: 4008
Sets debug register (to hijack the execution of another thread)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeThread register set: 4008 7734C63D
Writes to foreign memory regionsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: C:\Windows\System32\cmd.exe base: 30000
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: C:\Windows\System32\cmd.exe base: 52BF8
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: C:\Windows\System32\cmd.exe base: 52C0C
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: C:\Windows\System32\cmd.exe base: 530BC
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: C:\Windows\System32\cmd.exe base: 530C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 1190000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 11B2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 11B2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 11B30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 11B30C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\explorer.exe base: 1B50000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\explorer.exe base: 1B72BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\explorer.exe base: 1B72C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\explorer.exe base: 1B730BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\explorer.exe base: 1B730C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: B0000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: D2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: D2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: D30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: D30C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 500000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 522BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 522C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 5230BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\taskhost.exe base: 5230C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\WinSAT.exe base: 1D10000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\WinSAT.exe base: 1D32BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\WinSAT.exe base: 1D32C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\WinSAT.exe base: 1D330BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\WinSAT.exe base: 1D330C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: 1A0000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: 1C2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: 1C2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: 1C30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: C:\Windows\System32\conhost.exe base: 1C30C0
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: unknown base: 3B0000
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: unknown base: 3D2BF8
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: unknown base: 3D2C0C
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: unknown base: 3D30BC
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeMemory written: unknown base: 3D30C0
Source: C:\Windows\System32\taskhost.exeMemory written: C:\Windows\System32\dwm.exe base: 630000
Source: C:\Windows\System32\taskhost.exeMemory written: C:\Windows\System32\dwm.exe base: 652BF8
Source: C:\Windows\System32\taskhost.exeMemory written: C:\Windows\System32\dwm.exe base: 652C0C
Source: C:\Windows\System32\taskhost.exeMemory written: C:\Windows\System32\dwm.exe base: 6530BC
Source: C:\Windows\System32\taskhost.exeMemory written: C:\Windows\System32\dwm.exe base: 6530C0

Anti Debugging and Sandbox Evasion:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003CC5CA LdrGetDllHandle,EnterCriticalSection,lstrcmpiW,lstrcmpiW,lstrcmpiW,LeaveCriticalSection,0_2_003CC5CA
Contains functionality to create guard pages, often used to hinder reverse engineering and debuggingShow sources
Source: C:\Windows\System32\cmd.exeCode function: 10_2_00047BF7 VirtualProtectEx 000000FF,0003C160,0000001E,00052360,00052360,?,?,?,?,0003BE97,6A000523,00000000,?,?,0003C160,0005236010_2_00047BF7
Contains functionality to dynamically determine API callsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C70A1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary,0_2_003C70A1
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C20C4 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,0_2_003C20C4
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\taskhost.exe TID: 3760Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\taskhost.exe TID: 3760Thread sleep time: -60000ms >= -60000ms

Virtual Machine Detection:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C8AE4 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,0_2_003C8AE4
Queries a list of all running processesShow sources
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeProcess information queried: ProcessInformation
May tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drBinary or memory string: VBoxGuest.cat
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drBinary or memory string: VBoxGuest.sys
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drBinary or memory string: VBoxMouse.cat
Source: TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.drBinary or memory string: VBoxGuest.inf
Queries disk information (often used to detect virtual machines)Show sources
Source: C:\Windows\System32\WinSAT.exeFile opened: PhysicalDrive0

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeProcess information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeProcess information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exeProcess information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)Show sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003BEA11 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_003BEA11
Deletes itself after installationShow sources
Source: C:\Windows\System32\cmd.exeFile deleted: c:\zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
Hooks files or directories query functions (used to hide files and directories)Show sources
Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: GetFileAttributesExW
Modifies the prolog of user mode functions (user mode inline hooks)Show sources
Source: explorer.exeUser mode code has chanced: module: USER32.dll function: CallWindowProcA new code: 0xE9 0x9F 0xF8 0x8A 0xA4 0x4B
Overwrites code with function prologuesShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E000A value: 8B FF 55 8B EC E9 A6 F5 DA 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0014 value: 8B FF 55 8B EC E9 34 5F 87 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E001E value: 8B FF 55 8B EC E9 90 EE A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0028 value: 8B FF 55 8B EC E9 47 05 A9 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0032 value: 8B FF 55 8B EC E9 0D 8E A3 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E003C value: 8B FF 55 8B EC E9 4D 04 A9 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0046 value: 8B FF 55 8B EC E9 F3 C7 A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0050 value: 8B FF 55 8B EC E9 0F E2 A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E005A value: 8B FF 55 8B EC E9 BA 12 A4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0064 value: 8B FF 55 8B EC E9 62 41 A2 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E006E value: 8B FF 55 8B EC E9 4F CB A1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0078 value: 8B FF 55 8B EC E9 70 3B F4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0082 value: 8B FF 55 8B EC E9 41 C4 F4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E008C value: 8B FF 55 8B EC E9 16 68 F4 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00A0 value: 8B FF 55 8B EC E9 48 17 BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00C2 value: 8B FF 55 8B EC E9 92 BA BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00CC value: 8B FF 55 8B EC E9 06 90 BF 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00D6 value: 8B FF 55 8B EC E9 F1 3B C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00E0 value: 8B FF 55 8B EC E9 B6 3D C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00EA value: 8B FF 55 8B EC E9 8B 3A C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00F4 value: 8B FF 55 8B EC E9 40 33 C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E00FE value: 8B FF 55 8B EC E9 D7 42 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0108 value: 8B FF 55 8B EC E9 D1 40 C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0112 value: 8B FF 55 8B EC E9 04 27 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E011C value: 8B FF 55 8B EC E9 04 E1 BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0126 value: 8B FF 55 8B EC E9 00 20 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0130 value: 8B FF 55 8B EC E9 C3 5F BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E016C value: 8B FF 55 8B EC E9 E4 6E BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0176 value: 8B FF 55 8B EC E9 EA C0 BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0180 value: 8B FF 55 8B EC E9 EF 3E C0 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0196 value: 8B FF 55 8B EC E9 FD BF BD 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E01A0 value: 8B FF 55 8B EC E9 33 C0 C1 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E01CA value: 8B FF 55 8B EC E9 C8 8D BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E01D4 value: 8B FF 55 8B EC E9 96 26 BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E01DE value: 8B FF 55 8B EC E9 D2 8F BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E01E8 value: 8B FF 55 8B EC E9 C5 2C BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E01F2 value: 8B FF 55 8B EC E9 18 8F BE 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E01FC value: 8B FF 55 8B EC E9 46 49 BF 76
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeMemory written: PID: 3684 base: 3E0206 value: 8B FF 55 8B EC E9 55 0B 02 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124000A value: 8B FF 55 8B EC E9 A6 F5 F4 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240014 value: 8B FF 55 8B EC E9 34 5F A1 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124001E value: 8B FF 55 8B EC E9 90 EE BB 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240028 value: 8B FF 55 8B EC E9 47 05 C3 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240032 value: 8B FF 55 8B EC E9 0D 8E BD 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124003C value: 8B FF 55 8B EC E9 4D 04 C3 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240046 value: 8B FF 55 8B EC E9 F3 C7 BB 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240050 value: 8B FF 55 8B EC E9 0F E2 BB 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124005A value: 8B FF 55 8B EC E9 BA 12 BE 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240064 value: 8B FF 55 8B EC E9 62 41 BC 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124006E value: 8B FF 55 8B EC E9 4F CB BB 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240078 value: 8B FF 55 8B EC E9 70 3B 0E 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240082 value: 8B FF 55 8B EC E9 41 C4 0E 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124008C value: 8B FF 55 8B EC E9 16 68 0E 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400A0 value: 8B FF 55 8B EC E9 48 17 D7 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400C2 value: 8B FF 55 8B EC E9 92 BA D7 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400CC value: 8B FF 55 8B EC E9 06 90 D9 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400D6 value: 8B FF 55 8B EC E9 F1 3B DA 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400E0 value: 8B FF 55 8B EC E9 B6 3D DA 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400EA value: 8B FF 55 8B EC E9 8B 3A DA 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400F4 value: 8B FF 55 8B EC E9 40 33 DA 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12400FE value: 8B FF 55 8B EC E9 D7 42 D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240108 value: 8B FF 55 8B EC E9 D1 40 DA 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240112 value: 8B FF 55 8B EC E9 04 27 D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124011C value: 8B FF 55 8B EC E9 04 E1 D7 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240126 value: 8B FF 55 8B EC E9 00 20 D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240130 value: 8B FF 55 8B EC E9 C3 5F D7 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 124016C value: 8B FF 55 8B EC E9 E4 6E D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240176 value: 8B FF 55 8B EC E9 EA C0 D7 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240180 value: 8B FF 55 8B EC E9 EF 3E DA 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240196 value: 8B FF 55 8B EC E9 FD BF D7 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12401A0 value: 8B FF 55 8B EC E9 33 C0 DB 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12401CA value: 8B FF 55 8B EC E9 C8 8D D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12401D4 value: 8B FF 55 8B EC E9 96 26 D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12401DE value: 8B FF 55 8B EC E9 D2 8F D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12401E8 value: 8B FF 55 8B EC E9 C5 2C D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12401F2 value: 8B FF 55 8B EC E9 18 8F D8 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 12401FC value: 8B FF 55 8B EC E9 46 49 D9 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 1292 base: 1240206 value: 8B FF 55 8B EC E9 55 0B 1C 74
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A000A value: 8B FF 55 8B EC E9 A6 F5 AE 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0014 value: 8B FF 55 8B EC E9 34 5F 5B 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A001E value: 8B FF 55 8B EC E9 90 EE 75 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0028 value: 8B FF 55 8B EC E9 47 05 7D 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0032 value: 8B FF 55 8B EC E9 0D 8E 77 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A003C value: 8B FF 55 8B EC E9 4D 04 7D 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0046 value: 8B FF 55 8B EC E9 F3 C7 75 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0050 value: 8B FF 55 8B EC E9 0F E2 75 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A005A value: 8B FF 55 8B EC E9 BA 12 78 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0064 value: 8B FF 55 8B EC E9 62 41 76 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A006E value: 8B FF 55 8B EC E9 4F CB 75 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0078 value: 8B FF 55 8B EC E9 70 3B C8 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0082 value: 8B FF 55 8B EC E9 41 C4 C8 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A008C value: 8B FF 55 8B EC E9 16 68 C8 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00A0 value: 8B FF 55 8B EC E9 48 17 91 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00C2 value: 8B FF 55 8B EC E9 92 BA 91 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00CC value: 8B FF 55 8B EC E9 06 90 93 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00D6 value: 8B FF 55 8B EC E9 F1 3B 94 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00E0 value: 8B FF 55 8B EC E9 B6 3D 94 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00EA value: 8B FF 55 8B EC E9 8B 3A 94 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00F4 value: 8B FF 55 8B EC E9 40 33 94 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A00FE value: 8B FF 55 8B EC E9 D7 42 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0108 value: 8B FF 55 8B EC E9 D1 40 94 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0112 value: 8B FF 55 8B EC E9 04 27 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A011C value: 8B FF 55 8B EC E9 04 E1 91 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0126 value: 8B FF 55 8B EC E9 00 20 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0130 value: 8B FF 55 8B EC E9 C3 5F 91 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A016C value: 8B FF 55 8B EC E9 E4 6E 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0176 value: 8B FF 55 8B EC E9 EA C0 91 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0180 value: 8B FF 55 8B EC E9 EF 3E 94 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0196 value: 8B FF 55 8B EC E9 FD BF 91 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A01A0 value: 8B FF 55 8B EC E9 33 C0 95 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A01CA value: 8B FF 55 8B EC E9 C8 8D 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A01D4 value: 8B FF 55 8B EC E9 96 26 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A01DE value: 8B FF 55 8B EC E9 D2 8F 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A01E8 value: 8B FF 55 8B EC E9 C5 2C 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A01F2 value: 8B FF 55 8B EC E9 18 8F 92 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A01FC value: 8B FF 55 8B EC E9 46 49 93 76
Source: C:\Windows\System32\dwm.exeMemory written: PID: 2020 base: 6A0206 value: 8B FF 55 8B EC E9 55 0B D6 74
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8000A value: 8B FF 55 8B EC E9 A6 F5 60 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80014 value: 8B FF 55 8B EC E9 34 5F 0D 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8001E value: 8B FF 55 8B EC E9 90 EE 27 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80028 value: 8B FF 55 8B EC E9 47 05 2F 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80032 value: 8B FF 55 8B EC E9 0D 8E 29 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8003C value: 8B FF 55 8B EC E9 4D 04 2F 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80046 value: 8B FF 55 8B EC E9 F3 C7 27 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80050 value: 8B FF 55 8B EC E9 0F E2 27 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8005A value: 8B FF 55 8B EC E9 BA 12 2A 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80064 value: 8B FF 55 8B EC E9 62 41 28 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8006E value: 8B FF 55 8B EC E9 4F CB 27 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80078 value: 8B FF 55 8B EC E9 70 3B 7A 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80082 value: 8B FF 55 8B EC E9 41 C4 7A 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8008C value: 8B FF 55 8B EC E9 16 68 7A 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800A0 value: 8B FF 55 8B EC E9 48 17 43 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800C2 value: 8B FF 55 8B EC E9 92 BA 43 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800CC value: 8B FF 55 8B EC E9 06 90 45 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800D6 value: 8B FF 55 8B EC E9 F1 3B 46 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800E0 value: 8B FF 55 8B EC E9 B6 3D 46 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800EA value: 8B FF 55 8B EC E9 8B 3A 46 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800F4 value: 8B FF 55 8B EC E9 40 33 46 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B800FE value: 8B FF 55 8B EC E9 D7 42 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80108 value: 8B FF 55 8B EC E9 D1 40 46 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80112 value: 8B FF 55 8B EC E9 04 27 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8011C value: 8B FF 55 8B EC E9 04 E1 43 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80126 value: 8B FF 55 8B EC E9 00 20 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80130 value: 8B FF 55 8B EC E9 C3 5F 43 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B8016C value: 8B FF 55 8B EC E9 E4 6E 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80176 value: 8B FF 55 8B EC E9 EA C0 43 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80180 value: 8B FF 55 8B EC E9 EF 3E 46 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80196 value: 8B FF 55 8B EC E9 FD BF 43 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B801A0 value: 8B FF 55 8B EC E9 33 C0 47 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B801CA value: 8B FF 55 8B EC E9 C8 8D 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B801D4 value: 8B FF 55 8B EC E9 96 26 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B801DE value: 8B FF 55 8B EC E9 D2 8F 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B801E8 value: 8B FF 55 8B EC E9 C5 2C 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B801F2 value: 8B FF 55 8B EC E9 18 8F 44 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B801FC value: 8B FF 55 8B EC E9 46 49 45 75
Source: C:\Windows\explorer.exeMemory written: PID: 2032 base: 1B80206 value: 8B FF 55 8B EC E9 55 0B 88 73
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E000A value: 8B FF 55 8B EC E9 A6 F5 FA 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0014 value: 8B FF 55 8B EC E9 34 5F A7 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E001E value: 8B FF 55 8B EC E9 90 EE C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0028 value: 8B FF 55 8B EC E9 47 05 C9 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0032 value: 8B FF 55 8B EC E9 0D 8E C3 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E003C value: 8B FF 55 8B EC E9 4D 04 C9 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0046 value: 8B FF 55 8B EC E9 F3 C7 C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0050 value: 8B FF 55 8B EC E9 0F E2 C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E005A value: 8B FF 55 8B EC E9 BA 12 C4 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0064 value: 8B FF 55 8B EC E9 62 41 C2 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E006E value: 8B FF 55 8B EC E9 4F CB C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0078 value: 8B FF 55 8B EC E9 70 3B 14 77
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0082 value: 8B FF 55 8B EC E9 41 C4 14 77
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E008C value: 8B FF 55 8B EC E9 16 68 14 77
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00A0 value: 8B FF 55 8B EC E9 48 17 DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00C2 value: 8B FF 55 8B EC E9 92 BA DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00CC value: 8B FF 55 8B EC E9 06 90 DF 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00D6 value: 8B FF 55 8B EC E9 F1 3B E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00E0 value: 8B FF 55 8B EC E9 B6 3D E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00EA value: 8B FF 55 8B EC E9 8B 3A E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00F4 value: 8B FF 55 8B EC E9 40 33 E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E00FE value: 8B FF 55 8B EC E9 D7 42 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0108 value: 8B FF 55 8B EC E9 D1 40 E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0112 value: 8B FF 55 8B EC E9 04 27 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E011C value: 8B FF 55 8B EC E9 04 E1 DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0126 value: 8B FF 55 8B EC E9 00 20 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0130 value: 8B FF 55 8B EC E9 C3 5F DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E016C value: 8B FF 55 8B EC E9 E4 6E DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0176 value: 8B FF 55 8B EC E9 EA C0 DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0180 value: 8B FF 55 8B EC E9 EF 3E E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0196 value: 8B FF 55 8B EC E9 FD BF DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E01A0 value: 8B FF 55 8B EC E9 33 C0 E1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E01CA value: 8B FF 55 8B EC E9 C8 8D DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E01D4 value: 8B FF 55 8B EC E9 96 26 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E01DE value: 8B FF 55 8B EC E9 D2 8F DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E01E8 value: 8B FF 55 8B EC E9 C5 2C DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E01F2 value: 8B FF 55 8B EC E9 18 8F DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E01FC value: 8B FF 55 8B EC E9 46 49 DF 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 1132 base: 1E0206 value: 8B FF 55 8B EC E9 55 0B 22 75
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53000A value: 8B FF 55 8B EC E9 A6 F5 C5 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530014 value: 8B FF 55 8B EC E9 34 5F 72 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53001E value: 8B FF 55 8B EC E9 90 EE 8C 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530028 value: 8B FF 55 8B EC E9 47 05 94 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530032 value: 8B FF 55 8B EC E9 0D 8E 8E 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53003C value: 8B FF 55 8B EC E9 4D 04 94 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530046 value: 8B FF 55 8B EC E9 F3 C7 8C 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530050 value: 8B FF 55 8B EC E9 0F E2 8C 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53005A value: 8B FF 55 8B EC E9 BA 12 8F 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530064 value: 8B FF 55 8B EC E9 62 41 8D 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53006E value: 8B FF 55 8B EC E9 4F CB 8C 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530078 value: 8B FF 55 8B EC E9 70 3B DF 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530082 value: 8B FF 55 8B EC E9 41 C4 DF 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53008C value: 8B FF 55 8B EC E9 16 68 DF 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300A0 value: 8B FF 55 8B EC E9 48 17 A8 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300C2 value: 8B FF 55 8B EC E9 92 BA A8 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300CC value: 8B FF 55 8B EC E9 06 90 AA 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300D6 value: 8B FF 55 8B EC E9 F1 3B AB 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300E0 value: 8B FF 55 8B EC E9 B6 3D AB 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300EA value: 8B FF 55 8B EC E9 8B 3A AB 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300F4 value: 8B FF 55 8B EC E9 40 33 AB 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5300FE value: 8B FF 55 8B EC E9 D7 42 A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530108 value: 8B FF 55 8B EC E9 D1 40 AB 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530112 value: 8B FF 55 8B EC E9 04 27 A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53011C value: 8B FF 55 8B EC E9 04 E1 A8 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530126 value: 8B FF 55 8B EC E9 00 20 A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530130 value: 8B FF 55 8B EC E9 C3 5F A8 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 53016C value: 8B FF 55 8B EC E9 E4 6E A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530176 value: 8B FF 55 8B EC E9 EA C0 A8 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530180 value: 8B FF 55 8B EC E9 EF 3E AB 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530196 value: 8B FF 55 8B EC E9 FD BF A8 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5301A0 value: 8B FF 55 8B EC E9 33 C0 AC 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5301CA value: 8B FF 55 8B EC E9 C8 8D A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5301D4 value: 8B FF 55 8B EC E9 96 26 A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5301DE value: 8B FF 55 8B EC E9 D2 8F A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5301E8 value: 8B FF 55 8B EC E9 C5 2C A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5301F2 value: 8B FF 55 8B EC E9 18 8F A9 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 5301FC value: 8B FF 55 8B EC E9 46 49 AA 76
Source: C:\Windows\System32\taskhost.exeMemory written: PID: 540 base: 530206 value: 8B FF 55 8B EC E9 55 0B ED 74
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71000A value: 8B FF 55 8B EC E9 A6 F5 A7 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710014 value: 8B FF 55 8B EC E9 34 5F 54 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71001E value: 8B FF 55 8B EC E9 90 EE 6E 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710028 value: 8B FF 55 8B EC E9 47 05 76 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710032 value: 8B FF 55 8B EC E9 0D 8E 70 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71003C value: 8B FF 55 8B EC E9 4D 04 76 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710046 value: 8B FF 55 8B EC E9 F3 C7 6E 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710050 value: 8B FF 55 8B EC E9 0F E2 6E 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71005A value: 8B FF 55 8B EC E9 BA 12 71 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710064 value: 8B FF 55 8B EC E9 62 41 6F 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71006E value: 8B FF 55 8B EC E9 4F CB 6E 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710078 value: 8B FF 55 8B EC E9 70 3B C1 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710082 value: 8B FF 55 8B EC E9 41 C4 C1 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71008C value: 8B FF 55 8B EC E9 16 68 C1 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100A0 value: 8B FF 55 8B EC E9 48 17 8A 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100C2 value: 8B FF 55 8B EC E9 92 BA 8A 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100CC value: 8B FF 55 8B EC E9 06 90 8C 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100D6 value: 8B FF 55 8B EC E9 F1 3B 8D 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100E0 value: 8B FF 55 8B EC E9 B6 3D 8D 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100EA value: 8B FF 55 8B EC E9 8B 3A 8D 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100F4 value: 8B FF 55 8B EC E9 40 33 8D 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7100FE value: 8B FF 55 8B EC E9 D7 42 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710108 value: 8B FF 55 8B EC E9 D1 40 8D 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710112 value: 8B FF 55 8B EC E9 04 27 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71011C value: 8B FF 55 8B EC E9 04 E1 8A 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710126 value: 8B FF 55 8B EC E9 00 20 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710130 value: 8B FF 55 8B EC E9 C3 5F 8A 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 71016C value: 8B FF 55 8B EC E9 E4 6E 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710176 value: 8B FF 55 8B EC E9 EA C0 8A 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710180 value: 8B FF 55 8B EC E9 EF 3E 8D 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710196 value: 8B FF 55 8B EC E9 FD BF 8A 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7101A0 value: 8B FF 55 8B EC E9 33 C0 8E 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7101CA value: 8B FF 55 8B EC E9 C8 8D 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7101D4 value: 8B FF 55 8B EC E9 96 26 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7101DE value: 8B FF 55 8B EC E9 D2 8F 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7101E8 value: 8B FF 55 8B EC E9 C5 2C 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7101F2 value: 8B FF 55 8B EC E9 18 8F 8B 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 7101FC value: 8B FF 55 8B EC E9 46 49 8C 76
Source: C:\Windows\System32\WinSAT.exeMemory written: PID: 1352 base: 710206 value: 8B FF 55 8B EC E9 55 0B CF 74
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E000A value: 8B FF 55 8B EC E9 A6 F5 FA 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0014 value: 8B FF 55 8B EC E9 34 5F A7 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E001E value: 8B FF 55 8B EC E9 90 EE C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0028 value: 8B FF 55 8B EC E9 47 05 C9 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0032 value: 8B FF 55 8B EC E9 0D 8E C3 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E003C value: 8B FF 55 8B EC E9 4D 04 C9 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0046 value: 8B FF 55 8B EC E9 F3 C7 C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0050 value: 8B FF 55 8B EC E9 0F E2 C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E005A value: 8B FF 55 8B EC E9 BA 12 C4 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0064 value: 8B FF 55 8B EC E9 62 41 C2 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E006E value: 8B FF 55 8B EC E9 4F CB C1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0078 value: 8B FF 55 8B EC E9 70 3B 14 77
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0082 value: 8B FF 55 8B EC E9 41 C4 14 77
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E008C value: 8B FF 55 8B EC E9 16 68 14 77
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00A0 value: 8B FF 55 8B EC E9 48 17 DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00C2 value: 8B FF 55 8B EC E9 92 BA DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00CC value: 8B FF 55 8B EC E9 06 90 DF 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00D6 value: 8B FF 55 8B EC E9 F1 3B E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00E0 value: 8B FF 55 8B EC E9 B6 3D E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00EA value: 8B FF 55 8B EC E9 8B 3A E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00F4 value: 8B FF 55 8B EC E9 40 33 E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E00FE value: 8B FF 55 8B EC E9 D7 42 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0108 value: 8B FF 55 8B EC E9 D1 40 E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0112 value: 8B FF 55 8B EC E9 04 27 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E011C value: 8B FF 55 8B EC E9 04 E1 DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0126 value: 8B FF 55 8B EC E9 00 20 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0130 value: 8B FF 55 8B EC E9 C3 5F DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E016C value: 8B FF 55 8B EC E9 E4 6E DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0176 value: 8B FF 55 8B EC E9 EA C0 DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0180 value: 8B FF 55 8B EC E9 EF 3E E0 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0196 value: 8B FF 55 8B EC E9 FD BF DD 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E01A0 value: 8B FF 55 8B EC E9 33 C0 E1 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E01CA value: 8B FF 55 8B EC E9 C8 8D DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E01D4 value: 8B FF 55 8B EC E9 96 26 DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E01DE value: 8B FF 55 8B EC E9 D2 8F DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E01E8 value: 8B FF 55 8B EC E9 C5 2C DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E01F2 value: 8B FF 55 8B EC E9 18 8F DE 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E01FC value: 8B FF 55 8B EC E9 46 49 DF 76
Source: C:\Windows\System32\conhost.exeMemory written: PID: 2072 base: 1E0206 value: 8B FF 55 8B EC E9 55 0B 22 75
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26000A value: 8B FF 55 8B EC E9 A6 F5 F2 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260014 value: 8B FF 55 8B EC E9 34 5F 9F 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26001E value: 8B FF 55 8B EC E9 90 EE B9 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260028 value: 8B FF 55 8B EC E9 47 05 C1 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260032 value: 8B FF 55 8B EC E9 0D 8E BB 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26003C value: 8B FF 55 8B EC E9 4D 04 C1 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260046 value: 8B FF 55 8B EC E9 F3 C7 B9 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260050 value: 8B FF 55 8B EC E9 0F E2 B9 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26005A value: 8B FF 55 8B EC E9 BA 12 BC 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260064 value: 8B FF 55 8B EC E9 62 41 BA 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26006E value: 8B FF 55 8B EC E9 4F CB B9 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260078 value: 8B FF 55 8B EC E9 70 3B 0C 77
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260082 value: 8B FF 55 8B EC E9 41 C4 0C 77
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26008C value: 8B FF 55 8B EC E9 16 68 0C 77
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600A0 value: 8B FF 55 8B EC E9 48 17 D5 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600C2 value: 8B FF 55 8B EC E9 92 BA D5 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600CC value: 8B FF 55 8B EC E9 06 90 D7 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600D6 value: 8B FF 55 8B EC E9 F1 3B D8 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600E0 value: 8B FF 55 8B EC E9 B6 3D D8 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600EA value: 8B FF 55 8B EC E9 8B 3A D8 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600F4 value: 8B FF 55 8B EC E9 40 33 D8 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2600FE value: 8B FF 55 8B EC E9 D7 42 D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260108 value: 8B FF 55 8B EC E9 D1 40 D8 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260112 value: 8B FF 55 8B EC E9 04 27 D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26011C value: 8B FF 55 8B EC E9 04 E1 D5 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260126 value: 8B FF 55 8B EC E9 00 20 D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260130 value: 8B FF 55 8B EC E9 C3 5F D5 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 26016C value: 8B FF 55 8B EC E9 E4 6E D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260176 value: 8B FF 55 8B EC E9 EA C0 D5 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260180 value: 8B FF 55 8B EC E9 EF 3E D8 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260196 value: 8B FF 55 8B EC E9 FD BF D5 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2601A0 value: 8B FF 55 8B EC E9 33 C0 D9 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2601CA value: 8B FF 55 8B EC E9 C8 8D D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2601D4 value: 8B FF 55 8B EC E9 96 26 D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2601DE value: 8B FF 55 8B EC E9 D2 8F D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2601E8 value: 8B FF 55 8B EC E9 C5 2C D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2601F2 value: 8B FF 55 8B EC E9 18 8F D6 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 2601FC value: 8B FF 55 8B EC E9 46 49 D7 76
Source: C:\Windows\System32\cmd.exeMemory written: PID: 4008 base: 260206 value: 8B FF 55 8B EC E9 55 0B 1A 75

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
May initialize a security null descriptorShow sources
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeBinary or memory string: S:(ML;;NRNWNX;;;LW)
Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)Show sources
Source: C:\Windows\System32\taskhost.exeKey value created or modified: HKEY_USERS\Software\Microsoft\Internet Explorer\Privacy CleanCookies
Modifies Internet Explorer zone settingsShow sources
Source: C:\Windows\System32\taskhost.exeRegistry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406
Source: C:\Windows\System32\taskhost.exeRegistry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609
Source: C:\Windows\System32\taskhost.exeRegistry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406
Source: C:\Windows\System32\taskhost.exeRegistry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609

Language, Device and Operating System Detection:

barindex
Contains functionality to query local / system timeShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003CD64B PFXImportCertStore,GetSystemTime,0_2_003CD64B
Contains functionality to query the account / user nameShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003B6010 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,0_2_003B6010
Contains functionality to query time zone informationShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003C34E5 GetTimeZoneInformation,0_2_003C34E5
Contains functionality to query windows versionShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeCode function: 0_2_003B70A6 GetVersionExW,GetNativeSystemInfo,0_2_003B70A6
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\taskhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of WindowsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the installation date of WindowsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeRegistry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Queries the product ID of WindowsShow sources
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\cmd.exeQeruies volume information: C:\ VolumeInformation

Yara Overview

No Yara matches

Screenshot

windows-stand

Startup

  • system is w7
  • Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe (PID: 3684 MD5: 4D08934BD040ED25DFA46542E396CB05)
    • madog.exe (PID: 3700 MD5: 7E7B95B944D3FD8A2AA8EEA7CE4B19BF)
      • taskhost.exe (PID: 1292 MD5: 8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2)
        • dwm.exe (PID: 2020 MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D)
      • explorer.exe (PID: 2032 MD5: 2626FC9755BE22F805D3CFA0CE3EE727)
      • conhost.exe (PID: 1132 MD5: 29D9FCDF65B7C823688A035937BB6697)
      • taskhost.exe (PID: 540 MD5: 8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2)
      • WinSAT.exe (PID: 1352 MD5: 800C5B51F0FB6E2183FB0D41E2B74EB9)
      • conhost.exe (PID: 2072 MD5: 29D9FCDF65B7C823688A035937BB6697)
    • cmd.exe (PID: 4008 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat MD5: 8AE6DD9A6D246004DA047F704F0CC487)
  • cleanup

Created / dropped Files

File PathType and Hashes
C:\Users\admin\AppData\Local\Temp\TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp
  • Type: data
  • MD5: E3896467DF38133E6F51BF928AD5182B
  • SHA: DC18488CB61C183300BBFB7455243E540E775B8D
  • SHA-256: 5627937A91B338B2636807B4941398616B95AAD0ADCB1ABF4665F71A0509612F
  • SHA-512: A623A713D8E3CBA13A95F0C79F93E67DD306B247B9E50295F5188ADB5B5DB2740FBE1FC47F600E13347E7AE89498081A388B9043E0485E5C16785383D07CF4B9
C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat
  • Type: DOS batch file, ASCII text, with CRLF line terminators
  • MD5: 036C2F7E5A28A1E58A766FD0D7510DB0
  • SHA: 0CCFB2451968778F960C6C8DAC9FEEABE9FC8B7B
  • SHA-256: 5DA1E011A64FB3F334D6A18EB7A13E5083185D0BCE9C98BCDD078A929B43BC7B
  • SHA-512: 294A3A994C904E8DA3D2120DE0B468BDE66EC8D8B77EFB50CAD00509250ED37193A211FE0949AEDB95EBAE2B8C8003DEDE6DA1D3861712054E62E4FA0E0CF1AF
C:\Users\admin\AppData\Roaming\Oddyn\madog.exe
  • Type: MS-DOS executable
  • MD5: 7E7B95B944D3FD8A2AA8EEA7CE4B19BF
  • SHA: 748C16771E2CBA9F030D9CB6C9E7566D6281BB39
  • SHA-256: 705140D7A8E4AAE9AB13055AE00E2C595DEF3038AE68FE89358A4E18B9DFF1C9
  • SHA-512: 46046A9F02E77CF9FBA70404C8FFFDB78F8FA72C71EE5FCD69D373071257D010D33012C4FEBBFA8A67272D14A84F5BF597F019F912FAEFB1A13C6E6C35CB5FB6
C:\Users\admin\AppData\Roaming\Yfheor\vyyno.agx
  • Type: data
  • MD5: BBC804AE661C2EC8A07C11DE8076F2CB
  • SHA: 6A865013FC98FFDC953A6E255024F86DA9B5ABA8
  • SHA-256: 8DFD1ECAB6150D69A365BB273CFCE04FF1E18532382ADACEE1B7571B444A6D20
  • SHA-512: 586E76F1FFFB61D99E110942EC52643AD9C6DA10ABB391D47FA8C4B00D3877A8B55F235E40F14371F56E2C7C329391797C11A7F9B094316B954F5BEAB419BBA4
C:\Users\admin\AppData\Roaming\Yfheor\vyyno.tmp (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Cpu.Assessment (Recent).WinSAT.xml
  • Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
  • MD5: 9E1B709BCD8D1ADFC7986A1CB3CE9815
  • SHA: 1089528ADFD5AFE1ED90A067EC9F4F457FC2598D
  • SHA-256: 3CB39FA29266E880EB4B1763DACD8E37E58A0D9D22A2ABFB6F7BB05FDE3D7C5A
  • SHA-512: 91423EC695CBBD339820425148B5F82C4C1B6BCD16F04EECAF761E993FC89B79743BAD6E297120BAFBAF63594BD5848A4A0D4771389E56E628C4984876EE70A2
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 DWM.Assessment (Recent).WinSAT.xml
  • Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
  • MD5: 18342581FE92582BE0137E6F0AFDAB38
  • SHA: 65FDE343D6E16CFB815F22D973FBFFA2B34E9891
  • SHA-256: 48EFA081E933C4C8BF6B620793B41A5467A1CC990815D777435A148FE63AC337
  • SHA-512: D9E20281962F98C27274CB01369022E68386848E8D97E44883DF91213790FBBFEBC30CA984D3A14F44F8F50F779D0E6E887B5FC4639817D400989EB740273890
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Disk.Assessment (Recent).WinSAT.xml
  • Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
  • MD5: 89BEBCB9CC2A784E02A3C9E9DA21CA90
  • SHA: E660B0A2CEC9F0BDAF479C35AD51D0EC016FF731
  • SHA-256: 491BB2C35DD9223476C4ED75436310F235238132CF7DAA26E1F8D14EA0FC7D72
  • SHA-512: 803E20CBFC21AF4352E5967D75F4E7CA9BC22809E6A7A4CBC4C4495347C8DC59751588FA8F4342DEE7A3D298C05F16F210AEF4CEC25063E0A61EB3BE26E96C36
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Graphics3D.Assessment (Recent).WinSAT.xml
  • Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
  • MD5: FC970EA6EDEF0511CAC59A643E80E699
  • SHA: 093FC58C9931E9F3B323E2EF01A8FD663E0A95E2
  • SHA-256: 01366F5AE3212219D4001305F770010AA59ED1CCB1BD987C7F1D25182BC99379
  • SHA-512: 663598500665F8D54C69872252DF21F508EDD529AD01DD3D461E7A76ED1996952FF103CCA779005CE5F3891D16B9C9397883A786C401E090F42F9C1DAD24F564
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 GraphicsMedia.Assessment (Recent).WinSAT.xml
  • Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
  • MD5: 48D898E77F21816646D8390C14D88041
  • SHA: 63A03C794D6FCACA99B200F27B9319670368C1D8
  • SHA-256: 73FA6DABCD91B42CCF776FFE0F8A10F624FBE0EDD44E376ED20081A9E20315D2
  • SHA-512: 133E6AE1713E8B8D18CA94C1755058DA3CC86110C5AADAAF0CCF6909573DD52505D1F10FE2D2D662333D80923F7989B8E1614EBB9B05A8D9621F7DB83534D884
C:\Windows\Performance\WinSAT\DataStore\2015-02-05 14.55.11.358 Mem.Assessment (Recent).WinSAT.xml
  • Type: XML document, Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
  • MD5: D5C150FB51F19CFE4D5CDADE4A59D420
  • SHA: 7D87AE6265D3699399592556BE6F34EA7A6711F5
  • SHA-256: A61C6AEAF8114D1E58EB5DE81AC1BB45D4802E7E517EEFA586688723B0D9DB43
  • SHA-512: EDEB56CD90D0C46FDC7E3C6614BC856A4E99C7FF8FC1E44A962C2EE7D3AA4065834F9C294275A6A858537C5D42C948029FB8346C94E1E71904C4DF8511730764
C:\Windows\Performance\WinSAT\winsat.log
  • Type: ASCII English text, with CRLF line terminators
  • MD5: 6E8FF58996EBCEDC33E00FB210C8D8F9
  • SHA: 8177E78A01BC6B27CE4F49DA67055EB4A42EEFCC
  • SHA-256: B4D94DD653579E520756A42BDD29FC9E60EBEEEFCEBCE8D008096C6B1424C876
  • SHA-512: E100F57C04008E2220B03950AD0966325C1DA1E8993D3C71FB704B298A7D5585C912FA2F4180DBE0D6AB35E5DA8A9540D2CDE7B72BFE5820D722B78829ACF9B0

Contacted Domains/Contacted IPs

Contacted Domains

NameIPName ServerActiveRegistrare-Mail
www.microsoft.com23.2.52.54unknowntrueunknownunknown
ocsp.verisign.com23.43.139.27unknowntrueunknownunknown
crl.microsoft.com80.239.247.17unknowntrueunknownunknown
www.download.windowsupdate.com93.158.110.250unknowntrueunknownunknown
validation.sls.microsoft.com65.52.98.231unknowntrueunknownunknown
wer.microsoft.com157.56.141.114unknowntrueunknownunknown
watson.microsoft.com65.55.252.71unknowntrueunknownunknown
fiu-eu.org78.47.223.171unknowntrueunknownunknown
go.microsoft.com134.170.184.137unknowntrueunknownunknown

Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IPCountryPingableOpen Ports
65.52.98.231United Statesunknownunknown
23.43.139.27United Statesunknownunknown
224.0.0.252Reservedunknownunknown
8.8.8.8United Statesunknownunknown
80.239.247.17European Unionunknownunknown
78.47.223.171Germanyunknownunknown
80.239.149.10European Unionunknownunknown
157.56.141.114United Statesunknownunknown
93.158.110.250Swedenunknownunknown
134.170.184.137United Statesunknownunknown
23.2.52.54United Statesunknownunknown
65.55.252.71United Statesunknownunknown

Static File Info

General

File type:MS-DOS executable
TrID:
  • Win32 Executable (generic) (4510/7) 42.48%
  • DOS Executable Borland Pascal 7.0x (2037/25) 19.19%
  • Generic Win/DOS Executable (2004/3) 18.88%
  • DOS Executable Generic (2002/1) 18.86%
  • VXD Driver (31/22) 0.29%
File name:Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe
File size:141824
MD5:4d08934bd040ed25dfa46542e396cb05
SHA1:848a4e54ea0b6e6cee8a2a31ff77034f7145b048
SHA256:082a527e31cc1a969e3c41a5e1d1f6d817a742cb5783e9d7c87993a0924073b4
SHA512:a7f4083ea402c6572f6179ccc997fec2201a827e95f2f2b126942e91ac4b7939f7811f186d77714c8fd4fa6ccc1938156719454e579a2d03c773c0e025512a4c

File Icon

Static PE Info

General

Entrypoint:0x413048
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x52B23975 [Thu Dec 19 00:10:29 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push 00000000h
xor bl, bl
call 00007F71FC2A2B91h
test al, al
je 00007F71FC2A3BFAh
push 00008007h
mov byte ptr [ebp-10h], bl
mov byte ptr [ebp-0Ch], 00000001h
mov byte ptr [ebp-01h], bl
call dword ptr [004011E4h]
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [004011E8h]
push eax
call dword ptr [004012CCh]
test eax, eax
je 00007F71FC2A3BA7h
xor edx, edx
cmp dword ptr [ebp-08h], edx
jle 00007F71FC2A3B61h
mov ecx, dword ptr [eax+edx*4]
test ecx, ecx
je 00007F71FC2A3B54h
cmp word ptr [ecx], 002Dh
jne 00007F71FC2A3B4Eh
movzx ecx, word ptr [ecx+02h]
cmp ecx, 66h
je 00007F71FC2A3B41h
cmp ecx, 69h
je 00007F71FC2A3B38h
cmp ecx, 6Eh
je 00007F71FC2A3B2Dh
cmp ecx, 76h
jne 00007F71FC2A3B36h
mov byte ptr [ebp-01h], 00000001h
jmp 00007F71FC2A3B30h
mov byte ptr [ebp-0Ch], 00000000h
jmp 00007F71FC2A3B2Ah
mov bl, 01h
jmp 00007F71FC2A3B26h
mov byte ptr [ebp-10h], 00000001h
inc edx
cmp edx, dword ptr [ebp-08h]
jl 00007F71FC2A3AE3h
push eax
call dword ptr [00401238h]
test bl, bl
je 00007F71FC2A3B29h
call 00007F71FC2A3549h
jmp 00007F71FC2A3B56h
cmp byte ptr [ebp-01h], 00000000h
je 00007F71FC2A3B45h
call 00007F71FC29EB2Fh
call 00007F71FC296625h
test byte ptr [00422BF8h], 00000004h
mov bl, al
je 00007F71FC2A3B3Dh
push 00000000h
mov eax, 00422868h

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x1f7a40x118.text
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x250000x11ac.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x10000x5a0.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeEntropyXored PEZLIB ComplexityFile TypeCharacteristics
.text0x10000x206840x208006.69685920515False0.640414663462dataIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data0x220000x20500x4001.61257943446False0.208984375dataIMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x250000x167c0x18005.65098729976False0.629557291667dataIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLLImport
KERNEL32.dllGetEnvironmentVariableW, FileTimeToDosDateTime, GetTempFileNameW, HeapReAlloc, FindFirstFileW, SetEndOfFile, CreateProcessW, HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, CreateDirectoryW, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, WriteFile, Thread32First, WideCharToMultiByte, ReadProcessMemory, HeapDestroy, HeapCreate, Thread32Next, ReadFile, GetTimeZoneInformation, GetFileAttributesExW, CreateToolhelp32Snapshot, FlushFileBuffers, GetTempPathW, GetFileSizeEx, OpenMutexW, GetLastError, VirtualAlloc, VirtualProtectEx, VirtualAllocEx, FindClose, RemoveDirectoryW, FindNextFileW, VirtualProtect, GetFileTime, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, SetFileAttributesW, GlobalLock, GlobalUnlock, GetThreadContext, SetThreadContext, GetProcessId, WTSGetActiveConsoleSessionId, GetModuleHandleW, ReleaseMutex, Process32NextW, Process32FirstW, OpenProcess, CreateRemoteThread, WriteProcessMemory, GetCurrentProcessId, DuplicateHandle, OpenEventW, VirtualFreeEx, GetCurrentThreadId, SetLastError, VirtualFree, GetComputerNameW, SetErrorMode, GetCommandLineW, ExitProcess, CreateThread, GetSystemTime, GetLocalTime, LoadLibraryA, TlsFree, TlsAlloc, CreateFileMappingW, UnmapViewOfFile, MapViewOfFile, MultiByteToWideChar, CreateMutexW, ExpandEnvironmentStringsW, GetProcAddress, GetPrivateProfileIntW, LoadLibraryW, GetPrivateProfileStringW, FreeLibrary, lstrcmpiA, LocalFree, GetVersionExW, GetNativeSystemInfo, GetUserDefaultUILanguage, lstrcmpiW, GetModuleFileNameW, GetFileAttributesW, Sleep, GetTickCount, MoveFileExW, ResetEvent, SetThreadPriority, TerminateProcess, TlsSetValue, GetCurrentThread, SetEvent, TlsGetValue, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, CloseHandle, WaitForMultipleObjects, CreateEventW, CreateFileW, WaitForSingleObject
USER32.dllEndMenu, GetShellWindow, GetSystemMetrics, RegisterClassExA, DefDlgProcW, DefFrameProcA, OpenInputDesktop, TranslateMessage, RegisterClassExW, GetClipboardData, DefWindowProcA, DefMDIChildProcW, SwitchDesktop, DefDlgProcA, DefMDIChildProcA, RegisterClassW, CallWindowProcA, GetUserObjectInformationW, DefFrameProcW, RegisterClassA, GetMessageA, GetWindowRect, SetCapture, GetParent, GetClassLongW, ExitWindowsEx, SetCursorPos, GetWindowLongW, GetAncestor, PeekMessageW, PeekMessageA, CreateDesktopW, SetProcessWindowStation, DispatchMessageW, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, CloseDesktop, SetThreadDesktop, OpenWindowStationW, CharLowerW, GetKeyboardState, ToUnicode, MapVirtualKeyW, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, CharToOemW, CharLowerA, CharUpperW, SetWindowLongW, DrawIcon, GetIconInfo, GetMenuItemCount, RegisterWindowMessageW, GetWindow, CallWindowProcW, GetThreadDesktop, HiliteMenuItem, SetKeyboardState, GetSubMenu, IsRectEmpty, DefWindowProcW, OpenDesktopW, MenuItemFromPoint, GetMenu, GetMenuItemRect, SetWindowPos, GetCursorPos, SendMessageTimeoutW, IsWindow, ReleaseCapture, MapWindowPoints, GetMessagePos, GetWindowThreadProcessId, CharLowerBuffA, EndPaint, GetUpdateRgn, GetMessageW, GetWindowDC, FillRect, PostMessageW, GetWindowInfo, DrawEdge, BeginPaint, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, GetMenuState, GetCapture, SendMessageW, PrintWindow, EqualRect, PostThreadMessageW, ReleaseDC, GetDCEx, IntersectRect, GetDC, GetUpdateRect, GetMenuItemID
ADVAPI32.dllConvertSidToStringSidW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, InitiateSystemShutdownExW, IsWellKnownSid, GetLengthSid, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegSetValueExW, CryptHashData, EqualSid
SHLWAPI.dllStrStrIW, PathRenameExtensionW, StrCmpNIW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathFindFileNameW, PathIsDirectoryW, wvnsprintfW, UrlUnescapeA, PathRemoveBackslashW, PathIsURLW, PathQuoteSpacesW, StrStrIA, PathRemoveFileSpecW
SHELL32.dllShellExecuteW, SHGetFolderPathW, CommandLineToArgvW
Secur32.dllGetUserNameExW
ole32.dllStringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
GDI32.dllGetDeviceCaps, CreateCompatibleBitmap, CreateDIBSection, SetViewportOrgEx, DeleteDC, GdiFlush, DeleteObject, SelectObject, SetRectRgn, CreateCompatibleDC, GetDIBits, RestoreDC, SaveDC
WS2_32.dllWSASend, freeaddrinfo, getaddrinfo, WSAIoctl, WSAAddressToStringW, WSAEventSelect
CRYPT32.dllCertDuplicateCertificateContext, CertEnumCertificatesInStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, PFXImportCertStore, CryptUnprotectData, PFXExportCertStoreEx
WININET.dllHttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, InternetQueryOptionA, InternetSetOptionA, InternetQueryOptionW, InternetOpenA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetCrackUrlA, InternetConnectA, HttpSendRequestA, HttpSendRequestW, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpQueryInfoA, HttpSendRequestExA, InternetCloseHandle
OLEAUT32.dll
NETAPI32.dllNetApiBufferFree, NetUserEnum, NetUserGetInfo

Network Behavior

TCP Packets

TimestampSource PortDest PortSource IPDest IP
Feb 5, 2015 14:55:12.964571953 CET5426253192.168.2.1518.8.8.8
Feb 5, 2015 14:55:13.102699995 CET53542628.8.8.8192.168.2.151
Feb 5, 2015 14:55:13.123143911 CET6485953192.168.2.1518.8.8.8
Feb 5, 2015 14:55:13.123236895 CET53648598.8.8.8192.168.2.151
Feb 5, 2015 14:55:13.123701096 CET4918880192.168.2.15165.55.252.71
Feb 5, 2015 14:55:13.123727083 CET804918865.55.252.71192.168.2.151
Feb 5, 2015 14:55:13.123806953 CET4918880192.168.2.15165.55.252.71
Feb 5, 2015 14:55:13.123955011 CET4918880192.168.2.15165.55.252.71
Feb 5, 2015 14:55:13.123969078 CET804918865.55.252.71192.168.2.151
Feb 5, 2015 14:55:13.605523109 CET804918865.55.252.71192.168.2.151
Feb 5, 2015 14:55:13.882472038 CET4918880192.168.2.15165.55.252.71
Feb 5, 2015 14:55:14.190958023 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:14.190963030 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:14.288986921 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:14.288990974 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:19.940532923 CET5438753192.168.2.1518.8.8.8
Feb 5, 2015 14:55:20.082818985 CET53543878.8.8.8192.168.2.151
Feb 5, 2015 14:55:20.085113049 CET6301153192.168.2.1518.8.8.8
Feb 5, 2015 14:55:20.085186005 CET53630118.8.8.8192.168.2.151
Feb 5, 2015 14:55:20.085663080 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:20.085689068 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:20.085850000 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:20.087016106 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:20.087035894 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:20.651732922 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:20.698291063 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:20.698307037 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:20.764261961 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:20.764282942 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:20.765862942 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:20.765892029 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:21.006974936 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:21.290558100 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:36.699021101 CET6376053192.168.2.1518.8.8.8
Feb 5, 2015 14:55:36.812969923 CET53637608.8.8.8192.168.2.151
Feb 5, 2015 14:55:36.975482941 CET5710453192.168.2.1518.8.8.8
Feb 5, 2015 14:55:36.975572109 CET53571048.8.8.8192.168.2.151
Feb 5, 2015 14:55:36.975960970 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:36.975986004 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:36.976046085 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:36.976176023 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:36.976187944 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.119700909 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.120810986 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.120831966 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.120934010 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.120949984 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.121473074 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.121493101 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.121552944 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.121570110 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.136929989 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.136950970 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137001038 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137016058 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.137027979 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137207985 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.137211084 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137227058 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137271881 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.137623072 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137634039 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137640953 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137718916 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.137917042 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137928009 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.137934923 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.138021946 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.138362885 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.138389111 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.138397932 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.138446093 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.138458014 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.153579950 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.153599977 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.153665066 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.153677940 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.153723955 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.153762102 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.153773069 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154066086 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154077053 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154129028 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.154140949 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154505014 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154515982 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154586077 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.154597044 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154758930 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154768944 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.154833078 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.154843092 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.155162096 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.155173063 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.155241013 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.155251980 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.155322075 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.155383110 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.155392885 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.164141893 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.164155960 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.167644024 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.167736053 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.167751074 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.178174973 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.178193092 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.178272009 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.178284883 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.398431063 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:37.398458958 CET804919093.158.110.250192.168.2.151
Feb 5, 2015 14:55:37.602509975 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:38.861774921 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:38.861804008 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:38.863418102 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:38.863432884 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:39.335752964 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:39.357944012 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:39.358040094 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:39.358058929 CET44349189157.56.141.114192.168.2.151
Feb 5, 2015 14:55:39.602073908 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:51.217617989 CET49189443192.168.2.151157.56.141.114
Feb 5, 2015 14:55:51.217839003 CET4918880192.168.2.15165.55.252.71
Feb 5, 2015 14:55:51.218091965 CET4919080192.168.2.15193.158.110.250
Feb 5, 2015 14:55:59.378469944 CET5101453192.168.2.1518.8.8.8
Feb 5, 2015 14:55:59.551525116 CET53510148.8.8.8192.168.2.151
Feb 5, 2015 14:55:59.758740902 CET6185153192.168.2.1518.8.8.8
Feb 5, 2015 14:55:59.758869886 CET53618518.8.8.8192.168.2.151
Feb 5, 2015 14:55:59.759288073 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:55:59.759315968 CET804919180.239.247.17192.168.2.151
Feb 5, 2015 14:55:59.759383917 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:55:59.759532928 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:55:59.759545088 CET804919180.239.247.17192.168.2.151
Feb 5, 2015 14:55:59.969969988 CET804919180.239.247.17192.168.2.151
Feb 5, 2015 14:56:00.198478937 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:56:00.198529005 CET804919180.239.247.17192.168.2.151
Feb 5, 2015 14:56:00.398469925 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:56:09.146416903 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:56:09.146446943 CET804919180.239.247.17192.168.2.151
Feb 5, 2015 14:56:09.249943972 CET804919180.239.247.17192.168.2.151
Feb 5, 2015 14:56:09.494468927 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:56:09.494509935 CET804919180.239.247.17192.168.2.151
Feb 5, 2015 14:56:09.698471069 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:56:14.066591978 CET5914753192.168.2.1518.8.8.8
Feb 5, 2015 14:56:14.303567886 CET53591478.8.8.8192.168.2.151
Feb 5, 2015 14:56:14.437726974 CET5791453192.168.2.1518.8.8.8
Feb 5, 2015 14:56:14.437836885 CET53579148.8.8.8192.168.2.151
Feb 5, 2015 14:56:14.438242912 CET4919280192.168.2.15123.2.52.54
Feb 5, 2015 14:56:14.438271999 CET804919223.2.52.54192.168.2.151
Feb 5, 2015 14:56:14.438337088 CET4919280192.168.2.15123.2.52.54
Feb 5, 2015 14:56:14.438479900 CET4919280192.168.2.15123.2.52.54
Feb 5, 2015 14:56:14.438493967 CET804919223.2.52.54192.168.2.151
Feb 5, 2015 14:56:14.664921999 CET804919223.2.52.54192.168.2.151
Feb 5, 2015 14:56:14.898452997 CET4919280192.168.2.15123.2.52.54
Feb 5, 2015 14:56:14.898488998 CET804919223.2.52.54192.168.2.151
Feb 5, 2015 14:56:15.101094961 CET4919280192.168.2.15123.2.52.54
Feb 5, 2015 14:56:20.890158892 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:20.890162945 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:21.039073944 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:21.039077997 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:23.777149916 CET6143153192.168.2.1518.8.8.8
Feb 5, 2015 14:56:23.885358095 CET53614318.8.8.8192.168.2.151
Feb 5, 2015 14:56:23.893799067 CET6112453192.168.2.1518.8.8.8
Feb 5, 2015 14:56:23.893893957 CET53611248.8.8.8192.168.2.151
Feb 5, 2015 14:56:23.894260883 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:56:23.894289017 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:56:23.894350052 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:56:23.894489050 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:56:23.894501925 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:56:24.369798899 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:56:24.602458000 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:56:24.602492094 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:56:24.795311928 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:24.795315981 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:24.898459911 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:56:24.898730993 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:24.898735046 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:27.760350943 CET5821153192.168.2.1518.8.8.8
Feb 5, 2015 14:56:27.909050941 CET53582118.8.8.8192.168.2.151
Feb 5, 2015 14:56:28.144205093 CET6482453192.168.2.1518.8.8.8
Feb 5, 2015 14:56:28.144314051 CET53648248.8.8.8192.168.2.151
Feb 5, 2015 14:56:28.144680977 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:56:28.144706011 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:28.144779921 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:56:28.145667076 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:56:28.145683050 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:28.626745939 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:28.686671972 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:28.686693907 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:28.686798096 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:56:28.686820030 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:28.760639906 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:56:28.760672092 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:29.024473906 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:29.054987907 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:56:29.055020094 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:29.289133072 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:29.494451046 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:56:29.494486094 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:56:29.695612907 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:02.506175995 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:02.506180048 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:02.606559038 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:02.606563091 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:05.062690020 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:57:05.062721014 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:57:05.344197989 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:57:05.629642963 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:57:06.924545050 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:06.924555063 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:07.025141954 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:07.025146008 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:09.484070063 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:09.484092951 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.484308958 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:09.484321117 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.484383106 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:09.484390020 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.892282009 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.902076960 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.902156115 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:09.902170897 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.909598112 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.909610033 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.909674883 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:09.909688950 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.934995890 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.935007095 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:09.935075045 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:09.935090065 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:10.127021074 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:16.084475994 CET5799753192.168.2.1518.8.8.8
Feb 5, 2015 14:57:16.307493925 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:57:16.307519913 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:57:16.576180935 CET8049193134.170.184.137192.168.2.151
Feb 5, 2015 14:57:16.576783895 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:16.576809883 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:16.578299999 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:16.578319073 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:16.578404903 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:16.578413963 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:16.767573118 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:57:16.769565105 CET53579978.8.8.8192.168.2.151
Feb 5, 2015 14:57:16.789750099 CET4919580192.168.2.15178.47.223.171
Feb 5, 2015 14:57:16.789778948 CET804919578.47.223.171192.168.2.151
Feb 5, 2015 14:57:16.789839029 CET4919580192.168.2.15178.47.223.171
Feb 5, 2015 14:57:16.790643930 CET4919580192.168.2.15178.47.223.171
Feb 5, 2015 14:57:16.790662050 CET804919578.47.223.171192.168.2.151
Feb 5, 2015 14:57:17.247004986 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:17.264353991 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:17.264369011 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:17.264492989 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:17.264516115 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:17.461056948 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:17.461076021 CET4434919465.52.98.231192.168.2.151
Feb 5, 2015 14:57:17.662297964 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:18.244987011 CET4919180192.168.2.15180.239.247.17
Feb 5, 2015 14:57:18.245352983 CET4919280192.168.2.15123.2.52.54
Feb 5, 2015 14:57:18.245466948 CET4919380192.168.2.151134.170.184.137
Feb 5, 2015 14:57:18.245573997 CET49194443192.168.2.15165.52.98.231
Feb 5, 2015 14:57:27.579051971 CET5409653192.168.2.1518.8.8.8
Feb 5, 2015 14:57:27.773164034 CET53540968.8.8.8192.168.2.151
Feb 5, 2015 14:57:27.787072897 CET6105553192.168.2.1518.8.8.8
Feb 5, 2015 14:57:27.787142992 CET53610558.8.8.8192.168.2.151
Feb 5, 2015 14:57:27.788491964 CET4919680192.168.2.15180.239.149.10
Feb 5, 2015 14:57:27.788517952 CET804919680.239.149.10192.168.2.151
Feb 5, 2015 14:57:27.788575888 CET4919680192.168.2.15180.239.149.10
Feb 5, 2015 14:57:27.789047003 CET4919680192.168.2.15180.239.149.10
Feb 5, 2015 14:57:27.789066076 CET804919680.239.149.10192.168.2.151
Feb 5, 2015 14:57:28.000060081 CET804919680.239.149.10192.168.2.151
Feb 5, 2015 14:57:28.202855110 CET4919680192.168.2.15180.239.149.10
Feb 5, 2015 14:57:28.202878952 CET804919680.239.149.10192.168.2.151
Feb 5, 2015 14:57:28.453022957 CET4919680192.168.2.15180.239.149.10
Feb 5, 2015 14:57:29.894326925 CET4919680192.168.2.15180.239.149.10
Feb 5, 2015 14:58:02.965929985 CET6183853192.168.2.1518.8.8.8
Feb 5, 2015 14:58:03.023427010 CET53618388.8.8.8192.168.2.151
Feb 5, 2015 14:58:03.026885033 CET6306253192.168.2.1518.8.8.8
Feb 5, 2015 14:58:03.026947975 CET53630628.8.8.8192.168.2.151
Feb 5, 2015 14:58:03.027478933 CET4919780192.168.2.15123.43.139.27
Feb 5, 2015 14:58:03.027503014 CET804919723.43.139.27192.168.2.151
Feb 5, 2015 14:58:03.027565002 CET4919780192.168.2.15123.43.139.27
Feb 5, 2015 14:58:03.027765036 CET4919780192.168.2.15123.43.139.27
Feb 5, 2015 14:58:03.027777910 CET804919723.43.139.27192.168.2.151
Feb 5, 2015 14:58:03.168879032 CET804919723.43.139.27192.168.2.151
Feb 5, 2015 14:58:03.198731899 CET804919723.43.139.27192.168.2.151
Feb 5, 2015 14:58:03.198878050 CET4919780192.168.2.15123.43.139.27
Feb 5, 2015 14:58:03.198900938 CET804919723.43.139.27192.168.2.151
Feb 5, 2015 14:58:03.401144981 CET4919780192.168.2.15123.43.139.27
Feb 5, 2015 14:58:27.169615984 CET4919580192.168.2.15178.47.223.171
Feb 5, 2015 14:58:27.169750929 CET804919578.47.223.171192.168.2.151
Feb 5, 2015 14:58:27.169840097 CET4919580192.168.2.15178.47.223.171
Feb 5, 2015 14:58:27.219616890 CET4919880192.168.2.15178.47.223.171
Feb 5, 2015 14:58:27.219652891 CET804919878.47.223.171192.168.2.151
Feb 5, 2015 14:58:27.219738960 CET4919880192.168.2.15178.47.223.171
Feb 5, 2015 14:58:27.220581055 CET4919880192.168.2.15178.47.223.171
Feb 5, 2015 14:58:27.220603943 CET804919878.47.223.171192.168.2.151
Feb 5, 2015 14:59:03.195441961 CET4919780192.168.2.15123.43.139.27

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Feb 5, 2015 14:55:12.964571953 CET5426253192.168.2.1518.8.8.8
Feb 5, 2015 14:55:13.102699995 CET53542628.8.8.8192.168.2.151
Feb 5, 2015 14:55:13.123143911 CET6485953192.168.2.1518.8.8.8
Feb 5, 2015 14:55:13.123236895 CET53648598.8.8.8192.168.2.151
Feb 5, 2015 14:55:14.190958023 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:14.190963030 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:14.288986921 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:14.288990974 CET500365355192.168.2.151224.0.0.252
Feb 5, 2015 14:55:19.940532923 CET5438753192.168.2.1518.8.8.8
Feb 5, 2015 14:55:20.082818985 CET53543878.8.8.8192.168.2.151
Feb 5, 2015 14:55:20.085113049 CET6301153192.168.2.1518.8.8.8
Feb 5, 2015 14:55:20.085186005 CET53630118.8.8.8192.168.2.151
Feb 5, 2015 14:55:36.699021101 CET6376053192.168.2.1518.8.8.8
Feb 5, 2015 14:55:36.812969923 CET53637608.8.8.8192.168.2.151
Feb 5, 2015 14:55:36.975482941 CET5710453192.168.2.1518.8.8.8
Feb 5, 2015 14:55:36.975572109 CET53571048.8.8.8192.168.2.151
Feb 5, 2015 14:55:59.378469944 CET5101453192.168.2.1518.8.8.8
Feb 5, 2015 14:55:59.551525116 CET53510148.8.8.8192.168.2.151
Feb 5, 2015 14:55:59.758740902 CET6185153192.168.2.1518.8.8.8
Feb 5, 2015 14:55:59.758869886 CET53618518.8.8.8192.168.2.151
Feb 5, 2015 14:56:14.066591978 CET5914753192.168.2.1518.8.8.8
Feb 5, 2015 14:56:14.303567886 CET53591478.8.8.8192.168.2.151
Feb 5, 2015 14:56:14.437726974 CET5791453192.168.2.1518.8.8.8
Feb 5, 2015 14:56:14.437836885 CET53579148.8.8.8192.168.2.151
Feb 5, 2015 14:56:20.890158892 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:20.890162945 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:21.039073944 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:21.039077997 CET642085355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:23.777149916 CET6143153192.168.2.1518.8.8.8
Feb 5, 2015 14:56:23.885358095 CET53614318.8.8.8192.168.2.151
Feb 5, 2015 14:56:23.893799067 CET6112453192.168.2.1518.8.8.8
Feb 5, 2015 14:56:23.893893957 CET53611248.8.8.8192.168.2.151
Feb 5, 2015 14:56:24.795311928 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:24.795315981 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:24.898730993 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:24.898735046 CET568315355192.168.2.151224.0.0.252
Feb 5, 2015 14:56:27.760350943 CET5821153192.168.2.1518.8.8.8
Feb 5, 2015 14:56:27.909050941 CET53582118.8.8.8192.168.2.151
Feb 5, 2015 14:56:28.144205093 CET6482453192.168.2.1518.8.8.8
Feb 5, 2015 14:56:28.144314051 CET53648248.8.8.8192.168.2.151
Feb 5, 2015 14:57:02.506175995 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:02.506180048 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:02.606559038 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:02.606563091 CET608695355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:06.924545050 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:06.924555063 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:07.025141954 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:07.025146008 CET510025355192.168.2.151224.0.0.252
Feb 5, 2015 14:57:16.084475994 CET5799753192.168.2.1518.8.8.8
Feb 5, 2015 14:57:16.769565105 CET53579978.8.8.8192.168.2.151
Feb 5, 2015 14:57:27.579051971 CET5409653192.168.2.1518.8.8.8
Feb 5, 2015 14:57:27.773164034 CET53540968.8.8.8192.168.2.151
Feb 5, 2015 14:57:27.787072897 CET6105553192.168.2.1518.8.8.8
Feb 5, 2015 14:57:27.787142992 CET53610558.8.8.8192.168.2.151
Feb 5, 2015 14:58:02.965929985 CET6183853192.168.2.1518.8.8.8
Feb 5, 2015 14:58:03.023427010 CET53618388.8.8.8192.168.2.151
Feb 5, 2015 14:58:03.026885033 CET6306253192.168.2.1518.8.8.8
Feb 5, 2015 14:58:03.026947975 CET53630628.8.8.8192.168.2.151

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
Feb 5, 2015 14:55:12.964571953 CET192.168.2.1518.8.8.80xc64dStandard query (0)watson.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:55:13.123143911 CET192.168.2.1518.8.8.80x6d10Standard query (0)watson.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:55:19.940532923 CET192.168.2.1518.8.8.80xd6dcStandard query (0)wer.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:55:20.085113049 CET192.168.2.1518.8.8.80xf309Standard query (0)wer.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:55:36.699021101 CET192.168.2.1518.8.8.80xc60fStandard query (0)www.download.windowsupdate.comA (IP address)IN (0x0001)
Feb 5, 2015 14:55:36.975482941 CET192.168.2.1518.8.8.80x9ddfStandard query (0)www.download.windowsupdate.comA (IP address)IN (0x0001)
Feb 5, 2015 14:55:59.378469944 CET192.168.2.1518.8.8.80xd267Standard query (0)crl.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:55:59.758740902 CET192.168.2.1518.8.8.80x3a81Standard query (0)crl.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:56:14.066591978 CET192.168.2.1518.8.8.80x38bdStandard query (0)www.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:56:14.437726974 CET192.168.2.1518.8.8.80xef1fStandard query (0)www.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:56:23.777149916 CET192.168.2.1518.8.8.80x3d16Standard query (0)go.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:56:23.893799067 CET192.168.2.1518.8.8.80xb28aStandard query (0)go.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:56:27.760350943 CET192.168.2.1518.8.8.80xb570Standard query (0)validation.sls.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:56:28.144205093 CET192.168.2.1518.8.8.80x8695Standard query (0)validation.sls.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:57:16.084475994 CET192.168.2.1518.8.8.80x860aStandard query (0)fiu-eu.orgA (IP address)IN (0x0001)
Feb 5, 2015 14:57:27.579051971 CET192.168.2.1518.8.8.80xbc5bStandard query (0)crl.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:57:27.787072897 CET192.168.2.1518.8.8.80xb181Standard query (0)crl.microsoft.comA (IP address)IN (0x0001)
Feb 5, 2015 14:58:02.965929985 CET192.168.2.1518.8.8.80x7f9fStandard query (0)ocsp.verisign.comA (IP address)IN (0x0001)
Feb 5, 2015 14:58:03.026885033 CET192.168.2.1518.8.8.80x187aStandard query (0)ocsp.verisign.comA (IP address)IN (0x0001)

DNS Answers

TimestampSource IPDest IPTrans IDReplay CodeNameCNameAddressTypeClass
Feb 5, 2015 14:55:13.102699995 CET8.8.8.8192.168.2.1510xc64dNo error (0)watson.microsoft.com65.55.252.71A (IP address)IN (0x0001)
Feb 5, 2015 14:55:13.123236895 CET8.8.8.8192.168.2.1510x6d10No error (0)watson.microsoft.com65.55.252.71A (IP address)IN (0x0001)
Feb 5, 2015 14:55:20.082818985 CET8.8.8.8192.168.2.1510xd6dcNo error (0)wer.microsoft.com157.56.141.114A (IP address)IN (0x0001)
Feb 5, 2015 14:55:20.085186005 CET8.8.8.8192.168.2.1510xf309No error (0)wer.microsoft.com157.56.141.114A (IP address)IN (0x0001)
Feb 5, 2015 14:55:36.812969923 CET8.8.8.8192.168.2.1510xc60fNo error (0)www.download.windowsupdate.com93.158.110.250A (IP address)IN (0x0001)
Feb 5, 2015 14:55:36.975572109 CET8.8.8.8192.168.2.1510x9ddfNo error (0)www.download.windowsupdate.com93.158.110.250A (IP address)IN (0x0001)
Feb 5, 2015 14:55:59.551525116 CET8.8.8.8192.168.2.1510xd267No error (0)crl.microsoft.com80.239.247.17A (IP address)IN (0x0001)
Feb 5, 2015 14:55:59.758869886 CET8.8.8.8192.168.2.1510x3a81No error (0)crl.microsoft.com80.239.247.17A (IP address)IN (0x0001)
Feb 5, 2015 14:56:14.303567886 CET8.8.8.8192.168.2.1510x38bdNo error (0)www.microsoft.com23.2.52.54A (IP address)IN (0x0001)
Feb 5, 2015 14:56:14.437836885 CET8.8.8.8192.168.2.1510xef1fNo error (0)www.microsoft.com23.2.52.54A (IP address)IN (0x0001)
Feb 5, 2015 14:56:23.885358095 CET8.8.8.8192.168.2.1510x3d16No error (0)go.microsoft.com134.170.184.137A (IP address)IN (0x0001)
Feb 5, 2015 14:56:23.893893957 CET8.8.8.8192.168.2.1510xb28aNo error (0)go.microsoft.com134.170.184.137A (IP address)IN (0x0001)
Feb 5, 2015 14:56:27.909050941 CET8.8.8.8192.168.2.1510xb570No error (0)validation.sls.microsoft.com65.52.98.231A (IP address)IN (0x0001)
Feb 5, 2015 14:56:28.144314051 CET8.8.8.8192.168.2.1510x8695No error (0)validation.sls.microsoft.com65.52.98.231A (IP address)IN (0x0001)
Feb 5, 2015 14:57:16.769565105 CET8.8.8.8192.168.2.1510x860aNo error (0)fiu-eu.org78.47.223.171A (IP address)IN (0x0001)
Feb 5, 2015 14:57:27.773164034 CET8.8.8.8192.168.2.1510xbc5bNo error (0)crl.microsoft.com80.239.149.10A (IP address)IN (0x0001)
Feb 5, 2015 14:57:27.787142992 CET8.8.8.8192.168.2.1510xb181No error (0)crl.microsoft.com80.239.149.10A (IP address)IN (0x0001)
Feb 5, 2015 14:58:03.023427010 CET8.8.8.8192.168.2.1510x7f9fNo error (0)ocsp.verisign.com23.43.139.27A (IP address)IN (0x0001)
Feb 5, 2015 14:58:03.026947975 CET8.8.8.8192.168.2.1510x187aNo error (0)ocsp.verisign.com23.43.139.27A (IP address)IN (0x0001)

HTTP Request Dependency Graph

  • watson.microsoft.com
  • www.download.windowsupdate.com
  • crl.microsoft.com
  • www.microsoft.com
  • go.microsoft.com
  • fiu-eu.org
  • ocsp.verisign.com

HTTP Packets

TimestampSource PortDest PortSource IPDest IPHeaderTotal Bytes Transfered (KB)
Feb 5, 2015 14:55:13.123955011 CET4918880192.168.2.15165.55.252.71GET /StageOne/Generic/PnPRequestAdditionalSoftware/x86/USB_VID_80EE_PID_0021_REV_0100/6_1_0_0/0409/input_inf/_.htm?LCID=1033&OS=6.1.7600.2.00010100.0.0.48.16385&SM=innotek%20GmbH&SPN=VirtualBox&BV=VirtualBox&MID=4120A070-FD2D-4714-91B1-58190D826E31&Queue=1 HTTP/1.1
Connection: Keep-Alive
User-Agent: MSDW
Host: watson.microsoft.com
0
Feb 5, 2015 14:55:13.605523109 CET804918865.55.252.71192.168.2.151HTTP/1.1 200 OK
Content-Length: 43
Content-Type: text/html
Date: Thu, 05 Feb 2015 13:54:15 GMT
Data Raw: 42 75 63 6b 65 74 3d 31 31 33 38 31 35 35 32 34 34 0a 42 75 63 6b 65 74 54 61 62 6c 65 3d 35 0a 52 65 73 70 6f 6e 73 65 3d 31 0a
Data Ascii: Bucket=1138155244BucketTable=5Response=1
1
Feb 5, 2015 14:55:36.976176023 CET4919080192.168.2.15193.158.110.250GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86412
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 28 Jun 2011 16:26:26 GMT
If-None-Match: "0255720b035cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
9
Feb 5, 2015 14:55:37.119700909 CET804919093.158.110.250192.168.2.151HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT
Accept-Ranges: bytes
ETag: "803565fb436d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 57591
Cache-Control: max-age=5564
Date: Thu, 05 Feb 2015 13:54:39 GMT
Connection: keep-alive
X-CCC: GB
X-CID: 2
Data Raw: 4d 53 43 46 00 00 00 00 f7 e0 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 49 00 00 00 05 00 01 00 ea 12 02 00 00 00 00 00 00 00 36 46 6d 8f 20 00 61 75 74 68 72 6f 6f 74 2e 73 74 6c 00 d5 04 d6 ab c9 38 00 80 43 4b d4 9c 09 3c 54 dd ff c7 67 b8 76 21 4d f6 64 0d d9 66 10 25 64 df f7 7d 4b d6 90 35 fb 9a 06 d9 95 ec 64 4d 2a 4b 8b 92 4a 96 2c 25 4b 22 84 ca 1e 21 da 90 3d ff 6b d4 13 cf 9d a7 e7 c9 d3 ff f5 7b 3d 2f af 19 f7 9e 7b 67 e6 7e de e7
Data Ascii: MSCF,I6Fm authroot.stl8CK<Tgv!Mdf%d}K5dM*KJ,%K"!=k{=/{g~
9
Feb 5, 2015 14:55:37.120810986 CET804919093.158.110.250192.168.2.151Data Raw: 9c ef f9 de ef f9 9e 8b 0c c1 a1 1c c5 27 da 1f a6 18 36 bf 03 4e 80 93 03 ee 77 ad 17 b6 e1 c0 e1 28 12 24 11 3e 1e 37 19 2e 0e 1d 1e 0c 19 02 9f 93 c0 27 e2 c6 87 03 f0 60 11 62 78 0e b8 cf b7 5e c8 85 24 c5 27 fe 5e 8c 4b 84 43 84 80 b7 1d 98
Data Ascii: '6Nw($>7.'`bx^$'^KC<b=Ju@2eprusXqdijF$4KIQA2m:EP|(^p=G|m +6HeX'%$rY()|;V^rVM_*XI
11
Feb 5, 2015 14:55:37.120831966 CET804919093.158.110.250192.168.2.151Data Raw: c3 9d d9 64 94 c1 e1 93 9a ab bd e1 72 2e 1a 3e af 97 5e 74 ae fb 67 3f 1b 95 e1 50 88 4b 0e 95 1a 7b 3e de 6a 1f d5 e7 f1 26 b4 1d 7e b0 5d 88 3a 02 ed b7 9f 05 2d 0d 7e ca 39 7a 46 3d fe 79 96 dc 9e 52 0d 28 92 33 cb fc e7 fb 28 39 8c e1 72 65
Data Ascii: dr.>^tg?PK{>j&~]:-~9zF=yR(3(9re:8/)bw[_ U+N6U13(8TfqG{oe(<\{:8;IO8Zc}L24n(.==lPwc5+!irocfbM6, >
12
Feb 5, 2015 14:55:37.120949984 CET804919093.158.110.250192.168.2.151Data Raw: 14 ca a1 08 5f 56 72 3f ce 47 fd e1 78 3c 02 85 40 9c 44 2f 0e 8b 73 db e7 70 c3 89 f0 fd 4c 53 fd 90 a1 72 85 d5 93 02 85 fd 8f b8 6e a4 cd cc 9f 47 a5 cb 78 9b 5b cd c5 36 21 03 b6 70 70 06 1c 95 c1 aa 77 c5 dc f2 62 0f 3b 7c 6f 14 3a 98 63 5e
Data Ascii: _Vr?Gx<@D/spLSrnGx[6!ppwb;|o:c^%X};j2t}w@,Pt*hnrHEWL^V1{0{_dlA}11VCT.m}xg:[ ~NQ<O"uyBi2("+eQ![YL
13
Feb 5, 2015 14:55:37.121473074 CET804919093.158.110.250192.168.2.151Data Raw: e8 28 72 0f 4a e5 52 c9 c4 c7 cb 24 ef 28 85 ac e2 f4 85 f9 a9 df 35 92 56 25 6d bf 53 15 14 34 b1 44 ee b0 57 a2 7d 98 f4 e0 b4 75 73 7d 3e 7b fe ab a5 05 f8 54 c2 d1 8a 16 82 27 e5 ef 91 42 5b 58 ec 03 d8 64 41 f5 ba 98 50 9d 14 a8 5b 0a b4 2f
Data Ascii: (rJR$(5V%mS4DW}us}>{T'B[XdAP[/-5f@<JX>YV8[{@U3HNs}K]7kdXt(iEU+=6N=2=>sM]/&$>!IB!iE6C&-1Kl}OcHl0dm[}'o
15
Feb 5, 2015 14:55:37.121493101 CET804919093.158.110.250192.168.2.151Data Raw: 4f e7 7b ea a1 ea d7 76 d7 bb ff 70 7c c2 12 c2 6d 0f e8 99 ea 0a bb 4b c9 1a a5 c8 f3 c6 25 9f eb 90 ab 07 3f 87 53 54 59 c1 1b e7 41 ce 73 82 7a 18 b7 e9 8c 08 c3 e5 51 4d 84 78 2b 27 ae 02 7d bf 28 d1 f8 82 37 39 56 b7 e9 a4 fb 92 9b 42 84 f5
Data Ascii: O{vp|mK%?STYAszQMx+'}(79VBw7gsZh42TYmX'CZ(S'0i1!maZzrH/sSY*`O_W9gwoO][DU*QkSKzf&W=gwV:?6Iju
16
Feb 5, 2015 14:55:37.121570110 CET804919093.158.110.250192.168.2.151Data Raw: a4 f1 c8 38 aa 2b 2e ff 8e 68 17 ef 4a 79 d3 00 cb e5 35 0a 3f ad 55 89 e8 2c ea 33 a7 39 c3 2f ec 9a af bb e3 2f 41 ff 1c 65 48 f4 af a2 5d ea e0 ed 2a da 57 b3 87 21 d9 b5 45 a8 87 e8 99 af 2c 4a f8 d4 ac 07 2a 18 2e 04 65 b0 47 cd 46 6d 61 1f
Data Ascii: 8+.hJy5?U,39//AeH]*W!E,J*.eGFmaxU'.(#_~.wwy4$DAib)Up>~)KM8|rmmXx$)[cj($FpU-M:n+R>-%b>TahthN4Y
17
Feb 5, 2015 14:55:37.136929989 CET804919093.158.110.250192.168.2.151Data Raw: 85 4e 3e fd e8 b8 7a a0 43 68 8f 31 8c d6 98 49 a6 f5 e9 25 2b cc a2 86 3f e7 3c 62 cb b1 01 9b 41 de 08 23 d3 ad 37 27 04 ce 30 29 f0 92 f6 27 b1 be dd 47 ea b4 de 0c 68 b6 68 26 06 08 55 bb 2d 5b 23 d5 fb d9 a0 bc 22 d0 dc 14 26 21 76 4d 37 f7
Data Ascii: N>zCh1I%+?<bA#7'0)'Ghh&U-[#"&!vM7s{0`hyG|x7hvQ?Dm! !q$<0l.2+rJ{Fbx3-XA}*XX[@3d}&'W{{<~uK^FNud#gw=
19
Feb 5, 2015 14:55:37.136950970 CET804919093.158.110.250192.168.2.151Data Raw: 52 6b f8 90 e7 87 10 e2 e0 fc c5 33 51 d6 63 57 7e 8f d6 16 5e 57 e8 85 50 db 79 13 1c 9e d7 72 37 bb d0 61 88 35 76 25 6c 5d 63 6c e7 15 29 56 37 31 73 39 d5 80 0f cb 53 a8 ea 2d 34 9b e3 8e 73 57 b8 36 71 d3 f5 6a a5 bf cb bd 88 28 df 7e 5b bb
Data Ascii: Rk3QcW~^WPyr7a5v%l]cl)V71s9S-4sW6qj(~[h!I|({1k[21#K*fi#j}'|EvCFAJic>sXfqtiZST<w%TzJRMM;tp|$/;9~sKLx3f%],7w/\f?m
20
Feb 5, 2015 14:55:37.137001038 CET804919093.158.110.250192.168.2.151Data Raw: a1 a6 53 47 db 7d 6b 5b 4c d5 cb e3 06 aa 4f d2 dc 4d fe 60 4e 0d d9 0c 7d ee 1e da 5e 59 a6 1c 9a 76 94 c2 6a 92 d2 b1 f4 ff 8d 5a bf f2 99 7b 4f de 6c fe 25 36 ba a3 2b be 2c e4 12 0b a6 43 3f 6d 08 10 fe da c5 c4 2b b7 3b cf 4b 0d 5e 55 2d b4
Data Ascii: SG}k[LOM`N}^YvjZ{Ol%6+,C?m+;K^U-z(+9='=[qt1=u9Tn`O}q`W!f8$'B,/)6rE7n=K~|`)?FF\C_9:rf%"}
22
Feb 5, 2015 14:55:37.137027979 CET804919093.158.110.250192.168.2.151Data Raw: 70 6d 2c a3 79 5a f3 3c e7 94 d4 c5 d9 1b 07 26 99 6e 2a ee 28 f4 ec ff 4d a3 53 c3 c1 56 1a 26 79 14 28 f9 1d b0 e9 d2 f7 36 36 ae df 84 1a b0 fa be a6 ab 38 89 94 08 0c 7e 5a 54 3b 9d 8e 9c ce 20 3a 50 bc aa db 85 87 8f d7 74 ba 00 8d d6 1e 30
Data Ascii: pm,yZ<&n*(MSV&y(668~ZT; :Pt0ZM3J,Z-;^a
22
Feb 5, 2015 14:55:37.137211084 CET804919093.158.110.250192.168.2.151Data Raw: 7b 75 be 40 75 ac 3b 95 e3 94 6e 98 aa c7 16 8f c1 d7 37 43 c1 68 91 b3 84 d2 dc b2 3e 36 c5 32 13 96 d9 b3 3c 3e 99 a6 34 22 33 3a 5f af 36 2a e6 5c 68 6a 62 5b fd a7 76 a6 7f 42 eb c7 df 99 80 f7 58 40 9f 8a 1b b0 a3 85 c1 59 f0 a3 e8 50 9f 3b
Data Ascii: {u@u;n7Ch>62<>4"3:_6*\hjb[vBX@YP;,nWycd!W.IzLWgX^;%Xfm:oz@;[{{y['l+T1t2)0x"y\0#t szIb8M:`dF
23
Feb 5, 2015 14:55:37.137227058 CET804919093.158.110.250192.168.2.151Data Raw: fa cf ec cd 61 18 7c 94 ae e9 94 08 99 f7 f6 2f 69 92 a1 7a 0d 01 1d 59 97 88 68 81 86 11 88 2d 44 88 87 ef 0e 1a 73 cc 05 cf 15 d3 a3 a7 cc 5e 9c 22 75 3d 9d ab 9a 6c 3e e6 12 ff de 2a c6 b0 50 18 7e 81 1b 78 a7 20 54 aa fb ee e6 9c 8c a5 c7 d9
Data Ascii: a|/izYh-Ds^"u=l>*P~x Tk;Qd>-/=T`'4y!*qi$AO:'?o>K!.0MFgl]s8m)SQNTH*C8ax?/+~_}6M pH0eS'Y,k5
25
Feb 5, 2015 14:55:37.137623072 CET804919093.158.110.250192.168.2.151Data Raw: b9 a0 8e f9 40 35 d6 7a a6 d0 15 eb b8 bf bb e0 93 51 7a 94 5f cc ba 1f 1d ae 6b e8 5a 03 96 b2 20 0f 0b 5c a8 d5 66 e5 5e 85 57 45 e0 ef 07 66 5f de 2a 82 fa ab f8 17 8d f0 4f 93 2c bf 4f b0 6c e4 96 3d 44 51 dc 71 2a 40 20 42 20 0c 7e bd 0f 34
Data Ascii: @5zQz_kZ \f^WEf_*O,Ol=DQq*@ B ~4{8dmnC@0Z$G9R&gHH.bW5U$]|TV79=h[$e#;_K>S|C'4p>TqOyKW\B.=
26
Feb 5, 2015 14:55:37.137634039 CET804919093.158.110.250192.168.2.151Data Raw: 58 83 93 a6 4b 19 4f 03 16 66 55 31 24 3e 2b 79 23 9b 2f 6e 24 51 a3 18 ff 80 e5 f1 a5 d9 73 06 30 af 36 1c 51 4f 2e bc 77 df 30 7f 22 3c da 5a 44 4e a9 f4 11 71 8c f4 f5 8b 84 14 ac c3 c5 cd 81 de cf 7f 69 a7 40 9a 7c e8 80 96 07 af 25 ff 2a a8
Data Ascii: XKOfU1$>+y#/n$Qs06QO.w0"<ZDNqi@|%*PRK`2TJ}$qq&'2,WBM5F9yDLE~ty7.?gE=O(sOY2sJC^YVA9iv.(}E~N9T%zD\ioz#@V40:
28
Feb 5, 2015 14:55:37.137640953 CET804919093.158.110.250192.168.2.151Data Raw: 9e a2 cd c8 04 ed 83 58 4f 42 fe 1d 6b 86 c2 02 30 29 e0 8c dd d7 2c a9 32 ae 0e 47 05 d6 87 0c 4a 37 a1 dd ce 71 da 9f 64 73 a3 f6 95 25 1e fa 3e 32 72 17 34 5b ea 7b c9 f9 11 cb 74 b6 c5 8d eb 84 1b 57 17 cc d9 2f c4 29 e5 41 5e cd 7b 5a ee 64
Data Ascii: XOBk0),2GJ7qds%>2r4[{tW/)A^{Zd&I|]p{hItjJyjH*>OP~E~P873BZ[:NTS}3dC+TSc0'One2rh^'OMGYL,YUF_^
28
Feb 5, 2015 14:55:37.137917042 CET804919093.158.110.250192.168.2.151Data Raw: ae 26 6f 00 e8 f1 a3 7f c9 21 01 d6 b4 9d 5a ed da c9 01 48 f6 1a 43 cd bc e1 d6 48 57 e9 e7 5c 1a 91 b1 96 2e 15 23 b9 20 23 1e 98 82 ec d1 b7 ec c8 2a 2d b4 da 51 ae cb 3b 09 18 5d a0 e3 a7 b7 12 9c b4 3e 64 2d a0 dc 3e 3c 54 6b 86 8a dd a6 54
Data Ascii: &o!ZHCHW\.# #*-Q;