Analysis Report
Overview
| General Information | |
|---|---|
| Analysis ID | 0 |
| Start time | 14:54:49 |
| Start date | 05/02/2015 |
| Overall analysis duration | 0h 4m 37s |
| Report type | full |
| Sample file name | Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe |
| Cookbook file name | default.jbs |
| Analysis system description | Windows 7 |
| Number of new started processes analysed | 6 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 7 |
| HCA enabled | true |
| HCA success | |
| Warnings | |
Detection

| Strategy | Report FP/FN |
|---|---|
| Threshold | |
Signature Overview
| Protection of GUI | Source | Evidence |
|---|---|---|
| Contains functionality to create a new desktop | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003CD865 |
| Key, Mouse, Clipboard, Microphone and Screen Capturing | Source | Evidence |
|---|---|---|
| Contains functionality to read the clipboard data | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003BBECC |
| Contains functionality to retrieve information about pressed keystrokes | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003CAEFC |
| Hooks clipboard functions (used to sniff clipboard data) | explorer.exe | IAT, EAT or inline hook detected |
| E-Banking Fraud | Source | Evidence |
|---|---|---|
| Hooks winsocket function (used for sniffing or altering network traffic) | explorer.exe | File created |
| Networking | Source | Evidence |
|---|---|---|
| Urls found in memory or binary data | Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | String found in binary or memory |
| | TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr | String found in binary or memory |
| Contains functionality to download additional files from the internet | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003BBECC |
| Downloads a pdf file with wrong header | http | Bad PDF prefix |
| Downloads files from webservers via HTTP | global traffic | HTTP traffic detected |
| Performs DNS lookups | unknown | DNS traffic detected |
| Posts data to webserver | unknown | HTTP traffic detected |
| Uses a known web browser user agent for HTTP communication | global traffic | HTTP traffic detected |
| Detected TCP or UDP traffic on non-standard ports | global traffic | TCP traffic |
| Boot Survival | Source | Evidence |
|---|---|---|
| Creates an autostart registry key | C:\Windows\System32\taskhost.exe | Registry value created or modified |
| Monitors registry run keys for changes | C:\Windows\System32\taskhost.exe | Registry key monitored |
| Remote Access Functionality | Source | Evidence |
|---|---|---|
| Contains functionality to open a port and listen for incoming connection (possibly a backdoor) | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code functions: 0_2_003C67DB, 0_2_003C64FD, 0_2_004167DB, 0_2_004164FD |
| | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Code functions: 1_2_004167DB, 1_2_004164FD |
| | C:\Windows\System32\taskhost.exe | Code functions: 2_2_011A64FD, 2_2_011A67DB |
| | C:\Windows\System32\dwm.exe | Code functions: 4_2_006464FD, 4_2_006467DB |
| | C:\Windows\explorer.exe | Code functions: 5_2_01B664FD, 5_2_01B667DB |
| | C:\Windows\System32\conhost.exe | Code functions: 6_2_000C67DB, 6_2_000C64FD |
| | C:\Windows\System32\taskhost.exe | Code functions: 7_2_005167DB, 7_2_005164FD |
| | C:\Windows\System32\WinSAT.exe | Code functions: 8_2_01D264FD, 8_2_01D267DB |
| | C:\Windows\System32\conhost.exe | Code functions: 9_2_001B67DB, 9_2_001B64FD |
| | C:\Windows\System32\cmd.exe | Code functions: 10_2_000467DB, 10_2_000464FD |
| Contains VNC / remote desktop functionality (RFB version string found) | Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | String found in binary or memory |
| Stealing of Sensitive Information | Source | Evidence |
|---|---|---|
| Steals Internet Explorer cookies | C:\Windows\System32\taskhost.exe | File read |
| Searches for Windows Mail specific files | C:\Windows\System32\taskhost.exe | Directory queried |
| Persistence and Installation Behavior | Source | Evidence |
|---|---|---|
| Drops PE files | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | File created |
| Data Obfuscation | Source | Evidence |
|---|---|---|
| Contains functionality to dynamically determine API calls | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C70A1 |
| PE file contains an invalid checksum | initial sample | Static PE information |
| Spreading | Source | Evidence |
|---|---|---|
| Contains functionality to enumerate / list files inside a directory | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C8AE4 |
| System Summary | Source | Evidence |
|---|---|---|
| Binary contains paths to debug symbols | | Binary string |
| Binary contains device paths (device paths are often used for kernel mode <-> user mode communication) | TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr | Binary string |
| Contains functionality to access the windows certificate store | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code functions: 0_2_003CD5FB, 0_2_003CD486, 0_2_0041D5FB, 0_2_0041D486 |
| | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Code functions: 1_2_0041D5FB, 1_2_0041D486 |
| | C:\Windows\System32\taskhost.exe | Code functions: 2_2_011AD5FB, 2_2_011AD486 |
| | C:\Windows\System32\dwm.exe | Code functions: 4_2_0064D486, 4_2_0064D5FB |
| | C:\Windows\explorer.exe | Code functions: 5_2_01B6D5FB, 5_2_01B6D486 |
| | C:\Windows\System32\conhost.exe | Code functions: 6_2_000CD486, 6_2_000CD5FB |
| | C:\Windows\System32\taskhost.exe | Code functions: 7_2_0051D5FB, 7_2_0051D486 |
| | C:\Windows\System32\WinSAT.exe | Code functions: 8_2_01D2D5FB, 8_2_01D2D486 |
| | C:\Windows\System32\conhost.exe | Code functions: 9_2_001BD486, 9_2_001BD5FB |
| | C:\Windows\System32\cmd.exe | Code functions: 10_2_0004D5FB, 10_2_0004D486 |
| Contains functionality to adjust token privileges (e.g. debug / backup) | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C4A87 |
| Contains functionality to enum processes or threads | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C4A30 |
| Creates files inside the user directory | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | File created |
| Creates temporary files | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | File created |
| Executes batch files | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Process created |
| PE file has an executable .text section and no other executable section | initial sample | Static PE information |
| Spawns processes | unknown | Process created |
| | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Process created |
| Uses an in-process (OLE) Automation server | C:\Windows\System32\WinSAT.exe | Key value queried |
| Contains functionality to call native functions | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003BBECC |
| Contains functionality to launch a process as a different user | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C4CDD |
| Contains functionality to shutdown / reboot the system | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C2D01 |
| Creates files inside the system directory | C:\Windows\System32\WinSAT.exe | File created |
| Creates mutexes | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Mutant created |
| | C:\Windows\System32\taskhost.exe | Mutant created |
| | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Mutant created |
| | C:\Windows\System32\cmd.exe | Mutant created |
| Deletes Internet Explorer cookies via registry | C:\Windows\System32\taskhost.exe | Registry key value created / modified |
| Enables security privileges | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Process token adjusted |
| Reads the hosts file | C:\Windows\System32\taskhost.exe | File read |
| HIPS / PFW / Operating System Protection Evasion | Source | Evidence |
|---|---|---|
| Contains functionality to add an ACL to a security descriptor | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C69AA |
| Allocates memory in foreign processes | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Memory allocated |
| | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Memory allocated |
| | C:\Windows\System32\taskhost.exe | Memory allocated |
| Changes memory attributes in foreign processes to executable or writable | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Memory protected |
| | C:\Windows\System32\taskhost.exe | Memory protected |
| Creates a thread in another existing process (thread injection) | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Thread created |
| | C:\Windows\System32\taskhost.exe | Thread created |
| Injects a PE file into a foreign process | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Memory written |
| | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Memory written |
| | C:\Windows\System32\taskhost.exe | Memory written |
| Injects code into the Windows Explorer (explorer.exe) | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Memory written |
| Modifies the context of a thread in another process (thread injection) | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Thread register set |
| Sets debug register (to hijack the execution of another thread) | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Thread register set |
| Writes to foreign memory regions | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Memory written |
| | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Memory written |
| | C:\Windows\System32\taskhost.exe | Memory written |
| Anti Debugging and Sandbox Evasion | Source | Evidence |
|---|---|---|
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003CC5CA |
| Contains functionality to create guard pages, often used to hinder reverse engineering and debugging | C:\Windows\System32\cmd.exe | Code function: 10_2_00047BF7 |
| Contains functionality to dynamically determine API calls | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C70A1 |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C20C4 |
| May sleep (evasive loops) to hinder dynamic analysis | C:\Windows\System32\taskhost.exe TID: 3760 | Thread sleep time |
| Virtual Machine Detection | Source | Evidence |
|---|---|---|
| Contains functionality to enumerate / list files inside a directory | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: 0_2_003C8AE4 |
| Queries a list of all running processes | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Process information queried |
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) | TempWinSAT-Disk-2015-02-05-14-57-01-05.tmp.dr | Binary or memory string |
| Queries disk information (often used to detect virtual machines) | C:\Windows\System32\WinSAT.exe | File opened |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messsages (SetErrorMode) | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Process information set: | ||
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Process information set: | ||
Source: C:\Users\admin\AppData\Roaming\Oddyn\madog.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: |
Extensive use of GetProcAddress (often used to hide API calls) | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: | 0_2_003BEA11 |
Deletes itself after installation | Show sources |
Source: C:\Windows\System32\cmd.exe | File deleted: |
Hooks files or directories query functions (used to hide files and directories) | Show sources |
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: |
Modifies the prolog of user mode functions (user mode inline hooks) | Show sources |
Source: explorer.exe | User mode code has chanced: |
Overwrites code with function prologues | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Memory written: | ||
Source: C:\Windows\System32\taskhost.exe | Memory written: | ||
Source: C:\Windows\System32\dwm.exe | Memory written: | ||
Source: C:\Windows\explorer.exe | Memory written: | ||
Source: C:\Windows\System32\conhost.exe | Memory written: | ||
Source: C:\Windows\System32\taskhost.exe | Memory written: | ||
Source: C:\Windows\System32\WinSAT.exe | Memory written: | ||
Source: C:\Windows\System32\conhost.exe | Memory written: | ||
Source: C:\Windows\System32\cmd.exe | Memory written: |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
May initialize a security null descriptor | Show sources |
Source: Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Binary or memory string: |
Disables Internet Explorer cookie cleaning (a user can no longer delete cookies) | Show sources |
Source: C:\Windows\System32\taskhost.exe | Key value created or modified: |
Modifies Internet Explorer zone settings | Show sources |
Source: C:\Windows\System32\taskhost.exe | Registry key created or modified: |
Language, Device and Operating System Detection: |
---|
Contains functionality to query local / system time | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: | 0_2_003CD64B |
Contains functionality to query the account / user name | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: | 0_2_003B6010 |
Contains functionality to query time zone information | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: | 0_2_003C34E5 |
Contains functionality to query windows version | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Code function: | 0_2_003B70A6 |
Queries the cryptographic machine GUID | Show sources |
Source: C:\Windows\System32\taskhost.exe | Key value queried: |
Queries the installation date of Windows | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Key value queried: |
Queries the installation date of Windows | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Registry key value queried: |
Queries the product ID of Windows | Show sources |
Source: C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe | Key value queried: |
Queries the volume information (name, serial number, etc.) of a device | Show sources |
Source: C:\Windows\System32\cmd.exe | Queries volume information: |
Yara Overview |
---|
No Yara matches |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Name Server | Active | Registrar | |
---|---|---|---|---|---|
www.microsoft.com | 23.2.52.54 | unknown | true | unknown | unknown |
ocsp.verisign.com | 23.43.139.27 | unknown | true | unknown | unknown |
crl.microsoft.com | 80.239.247.17 | unknown | true | unknown | unknown |
www.download.windowsupdate.com | 93.158.110.250 | unknown | true | unknown | unknown |
validation.sls.microsoft.com | 65.52.98.231 | unknown | true | unknown | unknown |
wer.microsoft.com | 157.56.141.114 | unknown | true | unknown | unknown |
watson.microsoft.com | 65.55.252.71 | unknown | true | unknown | unknown |
fiu-eu.org | 78.47.223.171 | unknown | true | unknown | unknown |
go.microsoft.com | 134.170.184.137 | unknown | true | unknown | unknown |
Contacted IPs |
---|
IP | Country | Pingable | Open Ports |
---|---|---|---|
65.52.98.231 | United States | unknown | unknown |
23.43.139.27 | United States | unknown | unknown |
224.0.0.252 | Reserved | unknown | unknown |
8.8.8.8 | United States | unknown | unknown |
80.239.247.17 | European Union | unknown | unknown |
78.47.223.171 | Germany | unknown | unknown |
80.239.149.10 | European Union | unknown | unknown |
157.56.141.114 | United States | unknown | unknown |
93.158.110.250 | Sweden | unknown | unknown |
134.170.184.137 | United States | unknown | unknown |
23.2.52.54 | United States | unknown | unknown |
65.55.252.71 | United States | unknown | unknown |
Static File Info |
---|
General | |
---|---|
File type: | MS-DOS executable |
TrID: |
File name: | Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe |
File size: | 141824 |
MD5: | 4d08934bd040ed25dfa46542e396cb05 |
SHA1: | 848a4e54ea0b6e6cee8a2a31ff77034f7145b048 |
SHA256: | 082a527e31cc1a969e3c41a5e1d1f6d817a742cb5783e9d7c87993a0924073b4 |
SHA512: | a7f4083ea402c6572f6179ccc997fec2201a827e95f2f2b126942e91ac4b7939f7811f186d77714c8fd4fa6ccc1938156719454e579a2d03c773c0e025512a4c |
File Icon |
---|
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x413048 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
Time Stamp: | 0x52B23975 [Thu Dec 19 00:10:29 2013 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 10h |
push ebx |
push 00000000h |
xor bl, bl |
call 00007F71FC2A2B91h |
test al, al |
je 00007F71FC2A3BFAh |
push 00008007h |
mov byte ptr [ebp-10h], bl |
mov byte ptr [ebp-0Ch], 00000001h |
mov byte ptr [ebp-01h], bl |
call dword ptr [004011E4h] |
lea eax, dword ptr [ebp-08h] |
push eax |
call dword ptr [004011E8h] |
push eax |
call dword ptr [004012CCh] |
test eax, eax |
je 00007F71FC2A3BA7h |
xor edx, edx |
cmp dword ptr [ebp-08h], edx |
jle 00007F71FC2A3B61h |
mov ecx, dword ptr [eax+edx*4] |
test ecx, ecx |
je 00007F71FC2A3B54h |
cmp word ptr [ecx], 002Dh |
jne 00007F71FC2A3B4Eh |
movzx ecx, word ptr [ecx+02h] |
cmp ecx, 66h |
je 00007F71FC2A3B41h |
cmp ecx, 69h |
je 00007F71FC2A3B38h |
cmp ecx, 6Eh |
je 00007F71FC2A3B2Dh |
cmp ecx, 76h |
jne 00007F71FC2A3B36h |
mov byte ptr [ebp-01h], 00000001h |
jmp 00007F71FC2A3B30h |
mov byte ptr [ebp-0Ch], 00000000h |
jmp 00007F71FC2A3B2Ah |
mov bl, 01h |
jmp 00007F71FC2A3B26h |
mov byte ptr [ebp-10h], 00000001h |
inc edx |
cmp edx, dword ptr [ebp-08h] |
jl 00007F71FC2A3AE3h |
push eax |
call dword ptr [00401238h] |
test bl, bl |
je 00007F71FC2A3B29h |
call 00007F71FC2A3549h |
jmp 00007F71FC2A3B56h |
cmp byte ptr [ebp-01h], 00000000h |
je 00007F71FC2A3B45h |
call 00007F71FC29EB2Fh |
call 00007F71FC296625h |
test byte ptr [00422BF8h], 00000004h |
mov bl, al |
je 00007F71FC2A3B3Dh |
push 00000000h |
mov eax, 00422868h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f7a4 | 0x118 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x11ac | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x5a0 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x20684 | 0x20800 | 6.69685920515 | False | 0.640414663462 | data | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x22000 | 0x2050 | 0x400 | 1.61257943446 | False | 0.208984375 | data | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x25000 | 0x167c | 0x1800 | 5.65098729976 | False | 0.629557291667 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetEnvironmentVariableW, FileTimeToDosDateTime, GetTempFileNameW, HeapReAlloc, FindFirstFileW, SetEndOfFile, CreateProcessW, HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, CreateDirectoryW, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, WriteFile, Thread32First, WideCharToMultiByte, ReadProcessMemory, HeapDestroy, HeapCreate, Thread32Next, ReadFile, GetTimeZoneInformation, GetFileAttributesExW, CreateToolhelp32Snapshot, FlushFileBuffers, GetTempPathW, GetFileSizeEx, OpenMutexW, GetLastError, VirtualAlloc, VirtualProtectEx, VirtualAllocEx, FindClose, RemoveDirectoryW, FindNextFileW, VirtualProtect, GetFileTime, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, SetFileAttributesW, GlobalLock, GlobalUnlock, GetThreadContext, SetThreadContext, GetProcessId, WTSGetActiveConsoleSessionId, GetModuleHandleW, ReleaseMutex, Process32NextW, Process32FirstW, OpenProcess, CreateRemoteThread, WriteProcessMemory, GetCurrentProcessId, DuplicateHandle, OpenEventW, VirtualFreeEx, GetCurrentThreadId, SetLastError, VirtualFree, GetComputerNameW, SetErrorMode, GetCommandLineW, ExitProcess, CreateThread, GetSystemTime, GetLocalTime, LoadLibraryA, TlsFree, TlsAlloc, CreateFileMappingW, UnmapViewOfFile, MapViewOfFile, MultiByteToWideChar, CreateMutexW, ExpandEnvironmentStringsW, GetProcAddress, GetPrivateProfileIntW, LoadLibraryW, GetPrivateProfileStringW, FreeLibrary, lstrcmpiA, LocalFree, GetVersionExW, GetNativeSystemInfo, GetUserDefaultUILanguage, lstrcmpiW, GetModuleFileNameW, GetFileAttributesW, Sleep, GetTickCount, MoveFileExW, ResetEvent, SetThreadPriority, TerminateProcess, TlsSetValue, GetCurrentThread, SetEvent, TlsGetValue, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, CloseHandle, WaitForMultipleObjects, CreateEventW, CreateFileW, WaitForSingleObject |
USER32.dll | EndMenu, GetShellWindow, GetSystemMetrics, RegisterClassExA, DefDlgProcW, DefFrameProcA, OpenInputDesktop, TranslateMessage, RegisterClassExW, GetClipboardData, DefWindowProcA, DefMDIChildProcW, SwitchDesktop, DefDlgProcA, DefMDIChildProcA, RegisterClassW, CallWindowProcA, GetUserObjectInformationW, DefFrameProcW, RegisterClassA, GetMessageA, GetWindowRect, SetCapture, GetParent, GetClassLongW, ExitWindowsEx, SetCursorPos, GetWindowLongW, GetAncestor, PeekMessageW, PeekMessageA, CreateDesktopW, SetProcessWindowStation, DispatchMessageW, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, CloseDesktop, SetThreadDesktop, OpenWindowStationW, CharLowerW, GetKeyboardState, ToUnicode, MapVirtualKeyW, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, CharToOemW, CharLowerA, CharUpperW, SetWindowLongW, DrawIcon, GetIconInfo, GetMenuItemCount, RegisterWindowMessageW, GetWindow, CallWindowProcW, GetThreadDesktop, HiliteMenuItem, SetKeyboardState, GetSubMenu, IsRectEmpty, DefWindowProcW, OpenDesktopW, MenuItemFromPoint, GetMenu, GetMenuItemRect, SetWindowPos, GetCursorPos, SendMessageTimeoutW, IsWindow, ReleaseCapture, MapWindowPoints, GetMessagePos, GetWindowThreadProcessId, CharLowerBuffA, EndPaint, GetUpdateRgn, GetMessageW, GetWindowDC, FillRect, PostMessageW, GetWindowInfo, DrawEdge, BeginPaint, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, GetMenuState, GetCapture, SendMessageW, PrintWindow, EqualRect, PostThreadMessageW, ReleaseDC, GetDCEx, IntersectRect, GetDC, GetUpdateRect, GetMenuItemID |
ADVAPI32.dll | ConvertSidToStringSidW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, InitiateSystemShutdownExW, IsWellKnownSid, GetLengthSid, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegSetValueExW, CryptHashData, EqualSid |
SHLWAPI.dll | StrStrIW, PathRenameExtensionW, StrCmpNIW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathFindFileNameW, PathIsDirectoryW, wvnsprintfW, UrlUnescapeA, PathRemoveBackslashW, PathIsURLW, PathQuoteSpacesW, StrStrIA, PathRemoveFileSpecW |
SHELL32.dll | ShellExecuteW, SHGetFolderPathW, CommandLineToArgvW |
Secur32.dll | GetUserNameExW |
ole32.dll | StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx |
GDI32.dll | GetDeviceCaps, CreateCompatibleBitmap, CreateDIBSection, SetViewportOrgEx, DeleteDC, GdiFlush, DeleteObject, SelectObject, SetRectRgn, CreateCompatibleDC, GetDIBits, RestoreDC, SaveDC |
WS2_32.dll | WSASend, freeaddrinfo, getaddrinfo, WSAIoctl, WSAAddressToStringW, WSAEventSelect |
CRYPT32.dll | CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, PFXImportCertStore, CryptUnprotectData, PFXExportCertStoreEx |
WININET.dll | HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, InternetQueryOptionA, InternetSetOptionA, InternetQueryOptionW, InternetOpenA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetCrackUrlA, InternetConnectA, HttpSendRequestA, HttpSendRequestW, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpQueryInfoA, HttpSendRequestExA, InternetCloseHandle |
OLEAUT32.dll | |
NETAPI32.dll | NetApiBufferFree, NetUserEnum, NetUserGetInfo |
Network Behavior |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 5, 2015 14:55:12.964571953 CET | 54262 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:13.102699995 CET | 53 | 54262 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:13.123143911 CET | 64859 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:13.123236895 CET | 53 | 64859 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:13.123701096 CET | 49188 | 80 | 192.168.2.151 | 65.55.252.71 |
Feb 5, 2015 14:55:13.123727083 CET | 80 | 49188 | 65.55.252.71 | 192.168.2.151 |
Feb 5, 2015 14:55:13.123806953 CET | 49188 | 80 | 192.168.2.151 | 65.55.252.71 |
Feb 5, 2015 14:55:13.123955011 CET | 49188 | 80 | 192.168.2.151 | 65.55.252.71 |
Feb 5, 2015 14:55:13.123969078 CET | 80 | 49188 | 65.55.252.71 | 192.168.2.151 |
Feb 5, 2015 14:55:13.605523109 CET | 80 | 49188 | 65.55.252.71 | 192.168.2.151 |
Feb 5, 2015 14:55:13.882472038 CET | 49188 | 80 | 192.168.2.151 | 65.55.252.71 |
Feb 5, 2015 14:55:14.190958023 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:14.190963030 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:14.288986921 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:14.288990974 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:19.940532923 CET | 54387 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:20.082818985 CET | 53 | 54387 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:20.085113049 CET | 63011 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:20.085186005 CET | 53 | 63011 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:20.085663080 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:20.085689068 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:20.085850000 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:20.087016106 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:20.087035894 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:20.651732922 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:20.698291063 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:20.698307037 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:20.764261961 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:20.764282942 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:20.765862942 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:20.765892029 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:21.006974936 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:21.290558100 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:36.699021101 CET | 63760 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:36.812969923 CET | 53 | 63760 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:36.975482941 CET | 57104 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:36.975572109 CET | 53 | 57104 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:36.975960970 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:36.975986004 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:36.976046085 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:36.976176023 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:36.976187944 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.119700909 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.120810986 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.120831966 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.120934010 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.120949984 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.121473074 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.121493101 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.121552944 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.121570110 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.136929989 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.136950970 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137001038 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137016058 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.137027979 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137207985 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.137211084 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137227058 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137271881 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.137623072 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137634039 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137640953 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137718916 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.137917042 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137928009 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.137934923 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.138021946 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.138362885 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.138389111 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.138397932 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.138446093 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.138458014 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.153579950 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.153599977 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.153665066 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.153677940 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.153723955 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.153762102 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.153773069 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154066086 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154077053 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154129028 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.154140949 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154505014 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154515982 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154586077 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.154597044 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154758930 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154768944 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.154833078 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.154843092 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.155162096 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.155173063 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.155241013 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.155251980 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.155322075 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.155383110 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.155392885 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.164141893 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.164155960 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.167644024 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.167736053 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.167751074 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.178174973 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.178193092 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.178272009 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.178284883 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.398431063 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:37.398458958 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 |
Feb 5, 2015 14:55:37.602509975 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:38.861774921 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:38.861804008 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:38.863418102 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:38.863432884 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:39.335752964 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:39.357944012 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:39.358040094 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:39.358058929 CET | 443 | 49189 | 157.56.141.114 | 192.168.2.151 |
Feb 5, 2015 14:55:39.602073908 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:51.217617989 CET | 49189 | 443 | 192.168.2.151 | 157.56.141.114 |
Feb 5, 2015 14:55:51.217839003 CET | 49188 | 80 | 192.168.2.151 | 65.55.252.71 |
Feb 5, 2015 14:55:51.218091965 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 |
Feb 5, 2015 14:55:59.378469944 CET | 51014 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:59.551525116 CET | 53 | 51014 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:59.758740902 CET | 61851 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:59.758869886 CET | 53 | 61851 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:59.759288073 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:55:59.759315968 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 |
Feb 5, 2015 14:55:59.759383917 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:55:59.759532928 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:55:59.759545088 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 |
Feb 5, 2015 14:55:59.969969988 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 |
Feb 5, 2015 14:56:00.198478937 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:56:00.198529005 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 |
Feb 5, 2015 14:56:00.398469925 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:56:09.146416903 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:56:09.146446943 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 |
Feb 5, 2015 14:56:09.249943972 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 |
Feb 5, 2015 14:56:09.494468927 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:56:09.494509935 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 |
Feb 5, 2015 14:56:09.698471069 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:56:14.066591978 CET | 59147 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:14.303567886 CET | 53 | 59147 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:14.437726974 CET | 57914 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:14.437836885 CET | 53 | 57914 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:14.438242912 CET | 49192 | 80 | 192.168.2.151 | 23.2.52.54 |
Feb 5, 2015 14:56:14.438271999 CET | 80 | 49192 | 23.2.52.54 | 192.168.2.151 |
Feb 5, 2015 14:56:14.438337088 CET | 49192 | 80 | 192.168.2.151 | 23.2.52.54 |
Feb 5, 2015 14:56:14.438479900 CET | 49192 | 80 | 192.168.2.151 | 23.2.52.54 |
Feb 5, 2015 14:56:14.438493967 CET | 80 | 49192 | 23.2.52.54 | 192.168.2.151 |
Feb 5, 2015 14:56:14.664921999 CET | 80 | 49192 | 23.2.52.54 | 192.168.2.151 |
Feb 5, 2015 14:56:14.898452997 CET | 49192 | 80 | 192.168.2.151 | 23.2.52.54 |
Feb 5, 2015 14:56:14.898488998 CET | 80 | 49192 | 23.2.52.54 | 192.168.2.151 |
Feb 5, 2015 14:56:15.101094961 CET | 49192 | 80 | 192.168.2.151 | 23.2.52.54 |
Feb 5, 2015 14:56:20.890158892 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:20.890162945 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:21.039073944 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:21.039077997 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:23.777149916 CET | 61431 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:23.885358095 CET | 53 | 61431 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:23.893799067 CET | 61124 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:23.893893957 CET | 53 | 61124 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:23.894260883 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:56:23.894289017 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:56:23.894350052 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:56:23.894489050 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:56:23.894501925 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:56:24.369798899 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:56:24.602458000 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:56:24.602492094 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:56:24.795311928 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:24.795315981 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:24.898459911 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:56:24.898730993 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:24.898735046 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:27.760350943 CET | 58211 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:27.909050941 CET | 53 | 58211 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:28.144205093 CET | 64824 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:28.144314051 CET | 53 | 64824 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:28.144680977 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:56:28.144706011 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:28.144779921 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:56:28.145667076 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:56:28.145683050 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:28.626745939 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:28.686671972 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:28.686693907 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:28.686798096 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:56:28.686820030 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:28.760639906 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:56:28.760672092 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:29.024473906 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:29.054987907 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:56:29.055020094 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:29.289133072 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:29.494451046 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:56:29.494486094 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:56:29.695612907 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:02.506175995 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:02.506180048 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:02.606559038 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:02.606563091 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:05.062690020 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:57:05.062721014 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:57:05.344197989 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:57:05.629642963 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:57:06.924545050 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:06.924555063 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:07.025141954 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:07.025146008 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:09.484070063 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:09.484092951 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.484308958 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:09.484321117 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.484383106 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:09.484390020 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.892282009 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.902076960 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.902156115 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:09.902170897 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.909598112 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.909610033 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.909674883 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:09.909688950 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.934995890 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.935007095 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:09.935075045 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:09.935090065 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:10.127021074 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:16.084475994 CET | 57997 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:57:16.307493925 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:57:16.307519913 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:57:16.576180935 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 |
Feb 5, 2015 14:57:16.576783895 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:16.576809883 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:16.578299999 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:16.578319073 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:16.578404903 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:16.578413963 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:16.767573118 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:57:16.769565105 CET | 53 | 57997 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:57:16.789750099 CET | 49195 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:57:16.789778948 CET | 80 | 49195 | 78.47.223.171 | 192.168.2.151 |
Feb 5, 2015 14:57:16.789839029 CET | 49195 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:57:16.790643930 CET | 49195 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:57:16.790662050 CET | 80 | 49195 | 78.47.223.171 | 192.168.2.151 |
Feb 5, 2015 14:57:17.247004986 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:17.264353991 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:17.264369011 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:17.264492989 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:17.264516115 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:17.461056948 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:17.461076021 CET | 443 | 49194 | 65.52.98.231 | 192.168.2.151 |
Feb 5, 2015 14:57:17.662297964 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:18.244987011 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 |
Feb 5, 2015 14:57:18.245352983 CET | 49192 | 80 | 192.168.2.151 | 23.2.52.54 |
Feb 5, 2015 14:57:18.245466948 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 |
Feb 5, 2015 14:57:18.245573997 CET | 49194 | 443 | 192.168.2.151 | 65.52.98.231 |
Feb 5, 2015 14:57:27.579051971 CET | 54096 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:57:27.773164034 CET | 53 | 54096 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:57:27.787072897 CET | 61055 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:57:27.787142992 CET | 53 | 61055 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:57:27.788491964 CET | 49196 | 80 | 192.168.2.151 | 80.239.149.10 |
Feb 5, 2015 14:57:27.788517952 CET | 80 | 49196 | 80.239.149.10 | 192.168.2.151 |
Feb 5, 2015 14:57:27.788575888 CET | 49196 | 80 | 192.168.2.151 | 80.239.149.10 |
Feb 5, 2015 14:57:27.789047003 CET | 49196 | 80 | 192.168.2.151 | 80.239.149.10 |
Feb 5, 2015 14:57:27.789066076 CET | 80 | 49196 | 80.239.149.10 | 192.168.2.151 |
Feb 5, 2015 14:57:28.000060081 CET | 80 | 49196 | 80.239.149.10 | 192.168.2.151 |
Feb 5, 2015 14:57:28.202855110 CET | 49196 | 80 | 192.168.2.151 | 80.239.149.10 |
Feb 5, 2015 14:57:28.202878952 CET | 80 | 49196 | 80.239.149.10 | 192.168.2.151 |
Feb 5, 2015 14:57:28.453022957 CET | 49196 | 80 | 192.168.2.151 | 80.239.149.10 |
Feb 5, 2015 14:57:29.894326925 CET | 49196 | 80 | 192.168.2.151 | 80.239.149.10 |
Feb 5, 2015 14:58:02.965929985 CET | 61838 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:58:03.023427010 CET | 53 | 61838 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:58:03.026885033 CET | 63062 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:58:03.026947975 CET | 53 | 63062 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:58:03.027478933 CET | 49197 | 80 | 192.168.2.151 | 23.43.139.27 |
Feb 5, 2015 14:58:03.027503014 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 |
Feb 5, 2015 14:58:03.027565002 CET | 49197 | 80 | 192.168.2.151 | 23.43.139.27 |
Feb 5, 2015 14:58:03.027765036 CET | 49197 | 80 | 192.168.2.151 | 23.43.139.27 |
Feb 5, 2015 14:58:03.027777910 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 |
Feb 5, 2015 14:58:03.168879032 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 |
Feb 5, 2015 14:58:03.198731899 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 |
Feb 5, 2015 14:58:03.198878050 CET | 49197 | 80 | 192.168.2.151 | 23.43.139.27 |
Feb 5, 2015 14:58:03.198900938 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 |
Feb 5, 2015 14:58:03.401144981 CET | 49197 | 80 | 192.168.2.151 | 23.43.139.27 |
Feb 5, 2015 14:58:27.169615984 CET | 49195 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:58:27.169750929 CET | 80 | 49195 | 78.47.223.171 | 192.168.2.151 |
Feb 5, 2015 14:58:27.169840097 CET | 49195 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:58:27.219616890 CET | 49198 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:58:27.219652891 CET | 80 | 49198 | 78.47.223.171 | 192.168.2.151 |
Feb 5, 2015 14:58:27.219738960 CET | 49198 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:58:27.220581055 CET | 49198 | 80 | 192.168.2.151 | 78.47.223.171 |
Feb 5, 2015 14:58:27.220603943 CET | 80 | 49198 | 78.47.223.171 | 192.168.2.151 |
Feb 5, 2015 14:59:03.195441961 CET | 49197 | 80 | 192.168.2.151 | 23.43.139.27 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 5, 2015 14:55:12.964571953 CET | 54262 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:13.102699995 CET | 53 | 54262 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:13.123143911 CET | 64859 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:13.123236895 CET | 53 | 64859 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:14.190958023 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:14.190963030 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:14.288986921 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:14.288990974 CET | 50036 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:55:19.940532923 CET | 54387 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:20.082818985 CET | 53 | 54387 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:20.085113049 CET | 63011 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:20.085186005 CET | 53 | 63011 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:36.699021101 CET | 63760 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:36.812969923 CET | 53 | 63760 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:36.975482941 CET | 57104 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:36.975572109 CET | 53 | 57104 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:59.378469944 CET | 51014 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:59.551525116 CET | 53 | 51014 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:55:59.758740902 CET | 61851 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:55:59.758869886 CET | 53 | 61851 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:14.066591978 CET | 59147 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:14.303567886 CET | 53 | 59147 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:14.437726974 CET | 57914 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:14.437836885 CET | 53 | 57914 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:20.890158892 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:20.890162945 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:21.039073944 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:21.039077997 CET | 64208 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:23.777149916 CET | 61431 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:23.885358095 CET | 53 | 61431 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:23.893799067 CET | 61124 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:23.893893957 CET | 53 | 61124 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:24.795311928 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:24.795315981 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:24.898730993 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:24.898735046 CET | 56831 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:56:27.760350943 CET | 58211 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:27.909050941 CET | 53 | 58211 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:56:28.144205093 CET | 64824 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:56:28.144314051 CET | 53 | 64824 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:57:02.506175995 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:02.506180048 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:02.606559038 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:02.606563091 CET | 60869 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:06.924545050 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:06.924555063 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:07.025141954 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:07.025146008 CET | 51002 | 5355 | 192.168.2.151 | 224.0.0.252 |
Feb 5, 2015 14:57:16.084475994 CET | 57997 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:57:16.769565105 CET | 53 | 57997 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:57:27.579051971 CET | 54096 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:57:27.773164034 CET | 53 | 54096 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:57:27.787072897 CET | 61055 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:57:27.787142992 CET | 53 | 61055 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:58:02.965929985 CET | 61838 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:58:03.023427010 CET | 53 | 61838 | 8.8.8.8 | 192.168.2.151 |
Feb 5, 2015 14:58:03.026885033 CET | 63062 | 53 | 192.168.2.151 | 8.8.8.8 |
Feb 5, 2015 14:58:03.026947975 CET | 53 | 63062 | 8.8.8.8 | 192.168.2.151 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 5, 2015 14:55:12.964571953 CET | 192.168.2.151 | 8.8.8.8 | 0xc64d | Standard query (0) | watson.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:13.123143911 CET | 192.168.2.151 | 8.8.8.8 | 0x6d10 | Standard query (0) | watson.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:19.940532923 CET | 192.168.2.151 | 8.8.8.8 | 0xd6dc | Standard query (0) | wer.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:20.085113049 CET | 192.168.2.151 | 8.8.8.8 | 0xf309 | Standard query (0) | wer.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:36.699021101 CET | 192.168.2.151 | 8.8.8.8 | 0xc60f | Standard query (0) | www.download.windowsupdate.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:36.975482941 CET | 192.168.2.151 | 8.8.8.8 | 0x9ddf | Standard query (0) | www.download.windowsupdate.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:59.378469944 CET | 192.168.2.151 | 8.8.8.8 | 0xd267 | Standard query (0) | crl.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:59.758740902 CET | 192.168.2.151 | 8.8.8.8 | 0x3a81 | Standard query (0) | crl.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:14.066591978 CET | 192.168.2.151 | 8.8.8.8 | 0x38bd | Standard query (0) | www.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:14.437726974 CET | 192.168.2.151 | 8.8.8.8 | 0xef1f | Standard query (0) | www.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:23.777149916 CET | 192.168.2.151 | 8.8.8.8 | 0x3d16 | Standard query (0) | go.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:23.893799067 CET | 192.168.2.151 | 8.8.8.8 | 0xb28a | Standard query (0) | go.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:27.760350943 CET | 192.168.2.151 | 8.8.8.8 | 0xb570 | Standard query (0) | validation.sls.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:28.144205093 CET | 192.168.2.151 | 8.8.8.8 | 0x8695 | Standard query (0) | validation.sls.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:57:16.084475994 CET | 192.168.2.151 | 8.8.8.8 | 0x860a | Standard query (0) | fiu-eu.org | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:57:27.579051971 CET | 192.168.2.151 | 8.8.8.8 | 0xbc5b | Standard query (0) | crl.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:57:27.787072897 CET | 192.168.2.151 | 8.8.8.8 | 0xb181 | Standard query (0) | crl.microsoft.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:58:02.965929985 CET | 192.168.2.151 | 8.8.8.8 | 0x7f9f | Standard query (0) | ocsp.verisign.com | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:58:03.026885033 CET | 192.168.2.151 | 8.8.8.8 | 0x187a | Standard query (0) | ocsp.verisign.com | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 5, 2015 14:55:13.102699995 CET | 8.8.8.8 | 192.168.2.151 | 0xc64d | No error (0) | watson.microsoft.com | | 65.55.252.71 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:13.123236895 CET | 8.8.8.8 | 192.168.2.151 | 0x6d10 | No error (0) | watson.microsoft.com | | 65.55.252.71 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:20.082818985 CET | 8.8.8.8 | 192.168.2.151 | 0xd6dc | No error (0) | wer.microsoft.com | | 157.56.141.114 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:20.085186005 CET | 8.8.8.8 | 192.168.2.151 | 0xf309 | No error (0) | wer.microsoft.com | | 157.56.141.114 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:36.812969923 CET | 8.8.8.8 | 192.168.2.151 | 0xc60f | No error (0) | www.download.windowsupdate.com | | 93.158.110.250 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:36.975572109 CET | 8.8.8.8 | 192.168.2.151 | 0x9ddf | No error (0) | www.download.windowsupdate.com | | 93.158.110.250 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:59.551525116 CET | 8.8.8.8 | 192.168.2.151 | 0xd267 | No error (0) | crl.microsoft.com | | 80.239.247.17 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:55:59.758869886 CET | 8.8.8.8 | 192.168.2.151 | 0x3a81 | No error (0) | crl.microsoft.com | | 80.239.247.17 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:14.303567886 CET | 8.8.8.8 | 192.168.2.151 | 0x38bd | No error (0) | www.microsoft.com | | 23.2.52.54 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:14.437836885 CET | 8.8.8.8 | 192.168.2.151 | 0xef1f | No error (0) | www.microsoft.com | | 23.2.52.54 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:23.885358095 CET | 8.8.8.8 | 192.168.2.151 | 0x3d16 | No error (0) | go.microsoft.com | | 134.170.184.137 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:23.893893957 CET | 8.8.8.8 | 192.168.2.151 | 0xb28a | No error (0) | go.microsoft.com | | 134.170.184.137 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:27.909050941 CET | 8.8.8.8 | 192.168.2.151 | 0xb570 | No error (0) | validation.sls.microsoft.com | | 65.52.98.231 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:56:28.144314051 CET | 8.8.8.8 | 192.168.2.151 | 0x8695 | No error (0) | validation.sls.microsoft.com | | 65.52.98.231 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:57:16.769565105 CET | 8.8.8.8 | 192.168.2.151 | 0x860a | No error (0) | fiu-eu.org | | 78.47.223.171 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:57:27.773164034 CET | 8.8.8.8 | 192.168.2.151 | 0xbc5b | No error (0) | crl.microsoft.com | | 80.239.149.10 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:57:27.787142992 CET | 8.8.8.8 | 192.168.2.151 | 0xb181 | No error (0) | crl.microsoft.com | | 80.239.149.10 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:58:03.023427010 CET | 8.8.8.8 | 192.168.2.151 | 0x7f9f | No error (0) | ocsp.verisign.com | | 23.43.139.27 | A (IP address) | IN (0x0001) |
Feb 5, 2015 14:58:03.026947975 CET | 8.8.8.8 | 192.168.2.151 | 0x187a | No error (0) | ocsp.verisign.com | | 23.43.139.27 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
Feb 5, 2015 14:55:13.123955011 CET | 49188 | 80 | 192.168.2.151 | 65.55.252.71 | | 0 |
Feb 5, 2015 14:55:13.605523109 CET | 80 | 49188 | 65.55.252.71 | 192.168.2.151 | | 1 |
Feb 5, 2015 14:55:36.976176023 CET | 49190 | 80 | 192.168.2.151 | 93.158.110.250 | | 9 |
Feb 5, 2015 14:55:37.119700909 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 9 |
Feb 5, 2015 14:55:37.120810986 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 11 |
Feb 5, 2015 14:55:37.120831966 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 12 |
Feb 5, 2015 14:55:37.120949984 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 13 |
Feb 5, 2015 14:55:37.121473074 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 15 |
Feb 5, 2015 14:55:37.121493101 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 16 |
Feb 5, 2015 14:55:37.121570110 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 17 |
Feb 5, 2015 14:55:37.136929989 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 19 |
Feb 5, 2015 14:55:37.136950970 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 20 |
Feb 5, 2015 14:55:37.137001038 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 22 |
Feb 5, 2015 14:55:37.137027979 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 22 |
Feb 5, 2015 14:55:37.137211084 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 23 |
Feb 5, 2015 14:55:37.137227058 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 25 |
Feb 5, 2015 14:55:37.137623072 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 26 |
Feb 5, 2015 14:55:37.137634039 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 28 |
Feb 5, 2015 14:55:37.137640953 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 28 |
Feb 5, 2015 14:55:37.137917042 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 30 |
Feb 5, 2015 14:55:37.137928009 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 31 |
Feb 5, 2015 14:55:37.137934923 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 32 |
Feb 5, 2015 14:55:37.138362885 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 34 |
Feb 5, 2015 14:55:37.138389111 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 35 |
Feb 5, 2015 14:55:37.138397932 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 36 |
Feb 5, 2015 14:55:37.138458014 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 37 |
Feb 5, 2015 14:55:37.153579950 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 38 |
Feb 5, 2015 14:55:37.153599977 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 40 |
Feb 5, 2015 14:55:37.153677940 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 41 |
Feb 5, 2015 14:55:37.153723955 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 43 |
Feb 5, 2015 14:55:37.153773069 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 43 |
Feb 5, 2015 14:55:37.154066086 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 44 |
Feb 5, 2015 14:55:37.154077053 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 46 |
Feb 5, 2015 14:55:37.154140949 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 46 |
Feb 5, 2015 14:55:37.154505014 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 48 |
Feb 5, 2015 14:55:37.154515982 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 49 |
Feb 5, 2015 14:55:37.154597044 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 51 |
Feb 5, 2015 14:55:37.154758930 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 52 |
Feb 5, 2015 14:55:37.154768944 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 53 |
Feb 5, 2015 14:55:37.154843092 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 55 |
Feb 5, 2015 14:55:37.155162096 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 56 |
Feb 5, 2015 14:55:37.155173063 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 58 |
Feb 5, 2015 14:55:37.155251980 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 59 |
Feb 5, 2015 14:55:37.155322075 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 60 |
Feb 5, 2015 14:55:37.155392885 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 60 |
Feb 5, 2015 14:55:37.164155960 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 62 |
Feb 5, 2015 14:55:37.167644024 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 63 |
Feb 5, 2015 14:55:37.167751074 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 64 |
Feb 5, 2015 14:55:37.178174973 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 65 |
Feb 5, 2015 14:55:37.178193092 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 67 |
Feb 5, 2015 14:55:37.178284883 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 68 |
Feb 5, 2015 14:55:37.398458958 CET | 80 | 49190 | 93.158.110.250 | 192.168.2.151 | | 69 |
Feb 5, 2015 14:55:59.759532928 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 | | 74 |
Feb 5, 2015 14:55:59.969969988 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 | | 74 |
Feb 5, 2015 14:56:00.198529005 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 | | 75 |
Feb 5, 2015 14:56:09.146416903 CET | 49191 | 80 | 192.168.2.151 | 80.239.247.17 | | 76 |
Feb 5, 2015 14:56:09.249943972 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 | | 76 |
Feb 5, 2015 14:56:09.494509935 CET | 80 | 49191 | 80.239.247.17 | 192.168.2.151 | | 77 |
Feb 5, 2015 14:56:14.438479900 CET | 49192 | 80 | 192.168.2.151 | 23.2.52.54 | | 78 |
Feb 5, 2015 14:56:14.664921999 CET | 80 | 49192 | 23.2.52.54 | 192.168.2.151 | | 78 |
Feb 5, 2015 14:56:14.898488998 CET | 80 | 49192 | 23.2.52.54 | 192.168.2.151 | | 79 |
Feb 5, 2015 14:56:23.894489050 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 | | 80 |
Feb 5, 2015 14:56:24.369798899 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 | | 81 |
Feb 5, 2015 14:56:24.602492094 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 | | 81 |
Feb 5, 2015 14:57:05.062690020 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 | | 89 |
Feb 5, 2015 14:57:05.344197989 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 | | 90 |
Feb 5, 2015 14:57:16.307493925 CET | 49193 | 80 | 192.168.2.151 | 134.170.184.137 | | 110 |
Feb 5, 2015 14:57:16.576180935 CET | 80 | 49193 | 134.170.184.137 | 192.168.2.151 | | 111 |
Feb 5, 2015 14:57:16.790643930 CET | 49195 | 80 | 192.168.2.151 | 78.47.223.171 | | 133 |
Feb 5, 2015 14:57:27.789047003 CET | 49196 | 80 | 192.168.2.151 | 80.239.149.10 | | 139 |
Feb 5, 2015 14:57:28.000060081 CET | 80 | 49196 | 80.239.149.10 | 192.168.2.151 | | 140 |
Feb 5, 2015 14:57:28.202878952 CET | 80 | 49196 | 80.239.149.10 | 192.168.2.151 | | 140 |
Feb 5, 2015 14:58:03.027765036 CET | 49197 | 80 | 192.168.2.151 | 23.43.139.27 | | 141 |
Feb 5, 2015 14:58:03.168879032 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 | | 142 |
Feb 5, 2015 14:58:03.198731899 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 | | 143 |
Feb 5, 2015 14:58:03.198900938 CET | 80 | 49197 | 23.43.139.27 | 192.168.2.151 | | 144 |
Feb 5, 2015 14:58:27.220581055 CET | 49198 | 80 | 192.168.2.151 | 78.47.223.171 | | 144 |
Hooks - Code Manipulation Behavior |
---|
User Modules |
---|
Hook Summary |
---|
Function Name | Hook Type | Active in Processes |
---|---|---|
CallWindowProcA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
CallWindowProcW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
EndPaint | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetDCEx | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefWindowProcW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefDlgProcA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefDlgProcW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefWindowProcA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
PeekMessageA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
PeekMessageW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
RegisterClassW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
RegisterClassA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
SetCapture | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefFrameProcA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefFrameProcW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
RegisterClassExW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
TranslateMessage | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
BeginPaint | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
RegisterClassExA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetMessagePos | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
ReleaseCapture | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetUpdateRect | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetUpdateRgn | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetCapture | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetMessageA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetMessageW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetDC | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetClipboardData | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
OpenInputDesktop | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetWindowDC | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
ReleaseDC | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefMDIChildProcA | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
DefMDIChildProcW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
GetCursorPos | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
SwitchDesktop | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
SetCursorPos | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
InternetReadFile | INLINE | explorer.exe |
HttpSendRequestA | INLINE | explorer.exe |
HttpSendRequestW | INLINE | explorer.exe |
InternetQueryDataAvailable | INLINE | explorer.exe |
InternetReadFileExA | INLINE | explorer.exe |
HttpSendRequestExA | INLINE | explorer.exe |
HttpQueryInfoA | INLINE | explorer.exe |
HttpSendRequestExW | INLINE | explorer.exe |
InternetCloseHandle | INLINE | explorer.exe |
GetFileAttributesExW | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
PFXImportCertStore | INLINE | explorer.exe, dwm.exe |
LdrLoadDll | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
NtCreateUserProcess | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
ZwCreateUserProcess | INLINE | explorer.exe, dwm.exe, taskhost.exe, conhost.exe |
closesocket | INLINE | explorer.exe |
send | INLINE | explorer.exe |
WSASend | INLINE | explorer.exe |
Processes |
---|
Process: explorer.exe, Module: USER32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
CallWindowProcA | INLINE | 0xE9 0x9F 0xF8 0x8A 0xA4 0x4B |
CallWindowProcW | INLINE | 0xE9 0x9B 0xB3 0x3A 0xA2 0x2B |
EndPaint | INLINE | 0xE9 0x93 0x30 0x0D 0xDD 0xDB |
GetDCEx | INLINE | 0xE9 0x9C 0xCD 0xD1 0x13 0x3B |
DefWindowProcW | INLINE | 0xE9 0x90 0x0C 0xC7 0x72 0x2B |
DefDlgProcA | INLINE | 0xE9 0x95 0x52 0x25 0x54 0x4B |
DefDlgProcW | INLINE | 0xE9 0x98 0x8A 0xA2 0x29 0x9B |
DefWindowProcA | INLINE | 0xE9 0x9B 0xB9 0x90 0x03 0x3B |
PeekMessageA | INLINE | 0xE9 0x97 0x7D 0xD8 0x8C 0xCB |
PeekMessageW | INLINE | 0xE9 0x94 0x4F 0xF2 0x29 0x9B |
RegisterClassW | INLINE | 0xE9 0x94 0x40 0x0B 0xBF 0xFB |
RegisterClassA | INLINE | 0xE9 0x98 0x83 0x30 0x05 0x5B |
SetCapture | INLINE | 0xE9 0x94 0x41 0x14 0x4E 0xEB |
DefFrameProcA | INLINE | 0xE9 0x91 0x1D 0xDA 0xA7 0x7B |
DefFrameProcW | INLINE | 0xE9 0x9A 0xA3 0x3A 0xA8 0x8B |
RegisterClassExW | INLINE | 0xE9 0x9C 0xCA 0xAC 0xC6 0x6B |
TranslateMessage | INLINE | 0xE9 0x9E 0xE8 0x81 0x1D 0xDB |
BeginPaint | INLINE | 0xE9 0x9A 0xAC 0xCD 0xDC 0xCB |
RegisterClassExA | INLINE | 0xE9 0x94 0x4F 0xF8 0x87 0x7B |
GetMessagePos | INLINE | 0xE9 0x93 0x30 0x05 0x51 0x1B |
ReleaseCapture | INLINE | 0xE9 0x92 0x27 0x7F 0xF5 0x5B |
GetUpdateRect | INLINE | 0xE9 0x99 0x97 0x79 0x97 0x7B |
GetUpdateRgn | INLINE | 0xE9 0x91 0x1B 0xB1 0x1A 0xAB |
GetCapture | INLINE | 0xE9 0x96 0x62 0x2F 0xFE 0xEB |
GetMessageA | INLINE | 0xE9 0x96 0x6D 0xD9 0x92 0x2B |
GetMessageW | INLINE | 0xE9 0x91 0x1D 0xD2 0x2B 0xBB |
GetDC | INLINE | 0xE9 0x9F 0xFD 0xDE 0xE8 0x8B |
GetClipboardData | INLINE | 0xE9 0x91 0x16 0x66 0x65 0x5B |
OpenInputDesktop | INLINE | 0xE9 0x98 0x8F 0xF8 0x88 0x8B |
GetWindowDC | INLINE | 0xE9 0x99 0x93 0x3F 0xF0 0x0B |
ReleaseDC | INLINE | 0xE9 0x96 0x67 0x7E 0xE9 0x9B |
DefMDIChildProcA | INLINE | 0xE9 0x90 0x0E 0xEB 0xB2 0x2B |
DefMDIChildProcW | INLINE | 0xE9 0x98 0x87 0x7A 0xAA 0xAB |
GetCursorPos | INLINE | 0xE9 0x94 0x4F 0xFF 0xF7 0x7B |
SwitchDesktop | INLINE | 0xE9 0x94 0x4C 0xCC 0xCC 0xCB |
SetCursorPos | INLINE | 0xE9 0x95 0x56 0x6F 0xF7 0x7B |
Process: explorer.exe, Module: WININET.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
InternetReadFile | INLINE | 0xE9 0x99 0x90 0x0C 0xC8 0x8D |
HttpSendRequestA | INLINE | 0xE9 0x9B 0xB1 0x1A 0xA3 0x3C |
HttpSendRequestW | INLINE | 0xE9 0x91 0x1E 0xEB 0xBA 0xAD |
InternetQueryDataAvailable | INLINE | 0xE9 0x9B 0xB2 0x26 0x69 0x9D |
InternetReadFileExA | INLINE | 0xE9 0x91 0x1A 0xA9 0x98 0x8D |
HttpSendRequestExA | INLINE | 0xE9 0x98 0x87 0x7A 0xA5 0x5C |
HttpQueryInfoA | INLINE | 0xE9 0x9E 0xE7 0x7D 0xDF 0xFD |
HttpSendRequestExW | INLINE | 0xE9 0x93 0x35 0x51 0x1B 0xBD |
InternetCloseHandle | INLINE | 0xE9 0x97 0x73 0x3E 0xE2 0x2D |
Process: explorer.exe, Module: kernel32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
GetFileAttributesExW | INLINE | 0xE9 0x92 0x27 0x76 0x67 0x7F |
Process: explorer.exe, Module: CRYPT32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
PFXImportCertStore | INLINE | 0xE9 0x9E 0xE6 0x6C 0xC8 0x87 |
Process: explorer.exe, Module: ntdll.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
LdrLoadDll | INLINE | 0xE9 0x91 0x10 0x0D 0xD0 0x09 |
NtCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xA9 |
ZwCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xA9 |
Process: explorer.exe, Module: WS2_32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
closesocket | INLINE | 0xE9 0x92 0x2E 0xE1 0x17 0x78 |
send | INLINE | 0xE9 0x98 0x8B 0xB8 0x8E 0xE8 |
WSASend | INLINE | 0xE9 0x9C 0xCD 0xDE 0xEA 0xA8 |
Process: dwm.exe, Module: USER32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
CallWindowProcA | INLINE | 0xE9 0x9F 0xF8 0x8A 0xA4 0x46 |
CallWindowProcW | INLINE | 0xE9 0x9B 0xB3 0x3A 0xA2 0x26 |
EndPaint | INLINE | 0xE9 0x93 0x30 0x0D 0xDD 0xD6 |
GetDCEx | INLINE | 0xE9 0x9C 0xCD 0xD1 0x13 0x36 |
DefWindowProcW | INLINE | 0xE9 0x90 0x0C 0xC7 0x72 0x26 |
DefDlgProcA | INLINE | 0xE9 0x95 0x52 0x25 0x54 0x46 |
DefDlgProcW | INLINE | 0xE9 0x98 0x8A 0xA2 0x29 0x96 |
DefWindowProcA | INLINE | 0xE9 0x9B 0xB9 0x90 0x03 0x36 |
PeekMessageA | INLINE | 0xE9 0x97 0x7D 0xD8 0x8C 0xC6 |
PeekMessageW | INLINE | 0xE9 0x94 0x4F 0xF2 0x29 0x96 |
RegisterClassW | INLINE | 0xE9 0x94 0x40 0x0B 0xBF 0xF6 |
RegisterClassA | INLINE | 0xE9 0x98 0x83 0x30 0x05 0x56 |
SetCapture | INLINE | 0xE9 0x94 0x41 0x14 0x4E 0xE6 |
DefFrameProcA | INLINE | 0xE9 0x91 0x1D 0xDA 0xA7 0x76 |
DefFrameProcW | INLINE | 0xE9 0x9A 0xA3 0x3A 0xA8 0x86 |
RegisterClassExW | INLINE | 0xE9 0x9C 0xCA 0xAC 0xC6 0x66 |
TranslateMessage | INLINE | 0xE9 0x9E 0xE8 0x81 0x1D 0xD6 |
BeginPaint | INLINE | 0xE9 0x9A 0xAC 0xCD 0xDC 0xC6 |
RegisterClassExA | INLINE | 0xE9 0x94 0x4F 0xF8 0x87 0x76 |
GetMessagePos | INLINE | 0xE9 0x93 0x30 0x05 0x51 0x16 |
ReleaseCapture | INLINE | 0xE9 0x92 0x27 0x7F 0xF5 0x56 |
GetUpdateRect | INLINE | 0xE9 0x99 0x97 0x79 0x97 0x76 |
GetUpdateRgn | INLINE | 0xE9 0x91 0x1B 0xB1 0x1A 0xA6 |
GetCapture | INLINE | 0xE9 0x96 0x62 0x2F 0xFE 0xE6 |
GetMessageA | INLINE | 0xE9 0x96 0x6D 0xD9 0x92 0x26 |
GetMessageW | INLINE | 0xE9 0x91 0x1D 0xD2 0x2B 0xB6 |
GetDC | INLINE | 0xE9 0x9F 0xFD 0xDE 0xE8 0x86 |
GetClipboardData | INLINE | 0xE9 0x91 0x16 0x66 0x65 0x56 |
OpenInputDesktop | INLINE | 0xE9 0x98 0x8F 0xF8 0x88 0x86 |
GetWindowDC | INLINE | 0xE9 0x99 0x93 0x3F 0xF0 0x06 |
ReleaseDC | INLINE | 0xE9 0x96 0x67 0x7E 0xE9 0x96 |
DefMDIChildProcA | INLINE | 0xE9 0x90 0x0E 0xEB 0xB2 0x26 |
DefMDIChildProcW | INLINE | 0xE9 0x98 0x87 0x7A 0xAA 0xA6 |
GetCursorPos | INLINE | 0xE9 0x94 0x4F 0xFF 0xF7 0x76 |
SwitchDesktop | INLINE | 0xE9 0x94 0x4C 0xCC 0xCC 0xC6 |
SetCursorPos | INLINE | 0xE9 0x95 0x56 0x6F 0xF7 0x76 |
Process: dwm.exe, Module: CRYPT32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
PFXImportCertStore | INLINE | 0xE9 0x9E 0xE6 0x6C 0xC8 0x82 |
Process: dwm.exe, Module: ntdll.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
LdrLoadDll | INLINE | 0xE9 0x91 0x10 0x0D 0xD0 0x04 |
NtCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xA4 |
ZwCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xA4 |
Process: dwm.exe, Module: kernel32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
GetFileAttributesExW | INLINE | 0xE9 0x92 0x27 0x76 0x67 0x79 |
Process: taskhost.exe, Module: USER32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
CallWindowProcA | INLINE | 0xE9 0x9F 0xF8 0x8A 0xA4 0x41 |
CallWindowProcW | INLINE | 0xE9 0x9B 0xB3 0x3A 0xA2 0x21 |
EndPaint | INLINE | 0xE9 0x93 0x30 0x0D 0xDD 0xD1 |
GetDCEx | INLINE | 0xE9 0x9C 0xCD 0xD1 0x13 0x31 |
DefWindowProcW | INLINE | 0xE9 0x90 0x0C 0xC7 0x72 0x21 |
DefDlgProcA | INLINE | 0xE9 0x95 0x52 0x25 0x54 0x41 |
DefDlgProcW | INLINE | 0xE9 0x98 0x8A 0xA2 0x29 0x91 |
DefWindowProcA | INLINE | 0xE9 0x9B 0xB9 0x90 0x03 0x31 |
PeekMessageA | INLINE | 0xE9 0x97 0x7D 0xD8 0x8C 0xC1 |
PeekMessageW | INLINE | 0xE9 0x94 0x4F 0xF2 0x29 0x91 |
RegisterClassW | INLINE | 0xE9 0x94 0x40 0x0B 0xBF 0xF1 |
RegisterClassA | INLINE | 0xE9 0x98 0x83 0x30 0x05 0x51 |
SetCapture | INLINE | 0xE9 0x94 0x41 0x14 0x4E 0xE1 |
DefFrameProcA | INLINE | 0xE9 0x91 0x1D 0xDA 0xA7 0x71 |
DefFrameProcW | INLINE | 0xE9 0x9A 0xA3 0x3A 0xA8 0x81 |
RegisterClassExW | INLINE | 0xE9 0x9C 0xCA 0xAC 0xC6 0x61 |
TranslateMessage | INLINE | 0xE9 0x9E 0xE8 0x81 0x1D 0xD1 |
BeginPaint | INLINE | 0xE9 0x9A 0xAC 0xCD 0xDC 0xC1 |
RegisterClassExA | INLINE | 0xE9 0x94 0x4F 0xF8 0x87 0x71 |
GetMessagePos | INLINE | 0xE9 0x93 0x30 0x05 0x51 0x11 |
ReleaseCapture | INLINE | 0xE9 0x92 0x27 0x7F 0xF5 0x51 |
GetUpdateRect | INLINE | 0xE9 0x99 0x97 0x79 0x97 0x71 |
GetUpdateRgn | INLINE | 0xE9 0x91 0x1B 0xB1 0x1A 0xA1 |
GetCapture | INLINE | 0xE9 0x96 0x62 0x2F 0xFE 0xE1 |
GetMessageA | INLINE | 0xE9 0x96 0x6D 0xD9 0x92 0x21 |
GetMessageW | INLINE | 0xE9 0x91 0x1D 0xD2 0x2B 0xB1 |
GetDC | INLINE | 0xE9 0x9F 0xFD 0xDE 0xE8 0x81 |
GetClipboardData | INLINE | 0xE9 0x91 0x16 0x66 0x65 0x51 |
OpenInputDesktop | INLINE | 0xE9 0x98 0x8F 0xF8 0x88 0x81 |
GetWindowDC | INLINE | 0xE9 0x99 0x93 0x3F 0xF0 0x01 |
ReleaseDC | INLINE | 0xE9 0x96 0x67 0x7E 0xE9 0x91 |
DefMDIChildProcA | INLINE | 0xE9 0x90 0x0E 0xEB 0xB2 0x21 |
DefMDIChildProcW | INLINE | 0xE9 0x98 0x87 0x7A 0xAA 0xA1 |
GetCursorPos | INLINE | 0xE9 0x94 0x4F 0xFF 0xF7 0x71 |
SwitchDesktop | INLINE | 0xE9 0x94 0x4C 0xCC 0xCC 0xC1 |
SetCursorPos | INLINE | 0xE9 0x95 0x56 0x6F 0xF7 0x71 |
Process: taskhost.exe, Module: ntdll.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
LdrLoadDll | INLINE | 0xE9 0x91 0x10 0x0D 0xD0 0x00 |
NtCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xA0 |
ZwCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xA0 |
Process: taskhost.exe, Module: kernel32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
GetFileAttributesExW | INLINE | 0xE9 0x92 0x27 0x76 0x67 0x75 |
Process: conhost.exe, Module: USER32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
CallWindowProcA | INLINE | 0xE9 0x9F 0xF8 0x8A 0xA4 0x40 |
CallWindowProcW | INLINE | 0xE9 0x9B 0xB3 0x3A 0xA2 0x20 |
EndPaint | INLINE | 0xE9 0x93 0x30 0x0D 0xDD 0xD0 |
GetDCEx | INLINE | 0xE9 0x9C 0xCD 0xD1 0x13 0x30 |
DefWindowProcW | INLINE | 0xE9 0x90 0x0C 0xC7 0x72 0x20 |
DefDlgProcA | INLINE | 0xE9 0x95 0x52 0x25 0x54 0x40 |
DefDlgProcW | INLINE | 0xE9 0x98 0x8A 0xA2 0x29 0x91 |
DefWindowProcA | INLINE | 0xE9 0x9B 0xB9 0x90 0x03 0x31 |
PeekMessageA | INLINE | 0xE9 0x97 0x7D 0xD8 0x8C 0xC0 |
PeekMessageW | INLINE | 0xE9 0x94 0x4F 0xF2 0x29 0x90 |
RegisterClassW | INLINE | 0xE9 0x94 0x40 0x0B 0xBF 0xF0 |
RegisterClassA | INLINE | 0xE9 0x98 0x83 0x30 0x05 0x51 |
SetCapture | INLINE | 0xE9 0x94 0x41 0x14 0x4E 0xE0 |
DefFrameProcA | INLINE | 0xE9 0x91 0x1D 0xDA 0xA7 0x70 |
DefFrameProcW | INLINE | 0xE9 0x9A 0xA3 0x3A 0xA8 0x80 |
RegisterClassExW | INLINE | 0xE9 0x9C 0xCA 0xAC 0xC6 0x60 |
TranslateMessage | INLINE | 0xE9 0x9E 0xE8 0x81 0x1D 0xD1 |
BeginPaint | INLINE | 0xE9 0x9A 0xAC 0xCD 0xDC 0xC0 |
RegisterClassExA | INLINE | 0xE9 0x94 0x4F 0xF8 0x87 0x71 |
GetMessagePos | INLINE | 0xE9 0x93 0x30 0x05 0x51 0x10 |
ReleaseCapture | INLINE | 0xE9 0x92 0x27 0x7F 0xF5 0x50 |
GetUpdateRect | INLINE | 0xE9 0x99 0x97 0x79 0x97 0x70 |
GetUpdateRgn | INLINE | 0xE9 0x91 0x1B 0xB1 0x1A 0xA0 |
GetCapture | INLINE | 0xE9 0x96 0x62 0x2F 0xFE 0xE0 |
GetMessageA | INLINE | 0xE9 0x96 0x6D 0xD9 0x92 0x20 |
GetMessageW | INLINE | 0xE9 0x91 0x1D 0xD2 0x2B 0xB0 |
GetDC | INLINE | 0xE9 0x9F 0xFD 0xDE 0xE8 0x80 |
GetClipboardData | INLINE | 0xE9 0x91 0x16 0x66 0x65 0x50 |
OpenInputDesktop | INLINE | 0xE9 0x98 0x8F 0xF8 0x88 0x81 |
GetWindowDC | INLINE | 0xE9 0x99 0x93 0x3F 0xF0 0x00 |
ReleaseDC | INLINE | 0xE9 0x96 0x67 0x7E 0xE9 0x90 |
DefMDIChildProcA | INLINE | 0xE9 0x90 0x0E 0xEB 0xB2 0x20 |
DefMDIChildProcW | INLINE | 0xE9 0x98 0x87 0x7A 0xAA 0xA0 |
GetCursorPos | INLINE | 0xE9 0x94 0x4F 0xFF 0xF7 0x70 |
SwitchDesktop | INLINE | 0xE9 0x94 0x4C 0xCC 0xCC 0xC1 |
SetCursorPos | INLINE | 0xE9 0x95 0x56 0x6F 0xF7 0x70 |
Process: conhost.exe, Module: ntdll.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
LdrLoadDll | INLINE | 0xE9 0x91 0x10 0x0D 0xD0 0x0F |
NtCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xAF |
ZwCreateUserProcess | INLINE | 0xE9 0x97 0x76 0x67 0x7A 0xAF |
Process: conhost.exe, Module: kernel32.dll |
---|
Function Name | Hook Type | New Data |
---|---|---|
GetFileAttributesExW | INLINE | 0xE9 0x92 0x27 0x76 0x67 0x74 |
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 14:57:10 |
Start date: | 05/02/2015 |
Path: | C:\Zeus_binary_4d08934bd040ed25dfa46542e396cb05.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x400000 |
File size: | 141824 bytes |
MD5 hash: | 4D08934BD040ED25DFA46542E396CB05 |
General |
---|
Start time: | 14:57:11 |
Start date: | 05/02/2015 |
Path: | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Users\admin\AppData\Roaming\Oddyn\madog.exe |
Imagebase: | 0x77130000 |
File size: | 141824 bytes |
MD5 hash: | 7E7B95B944D3FD8A2AA8EEA7CE4B19BF |
General |
---|
Start time: | 14:57:11 |
Start date: | 05/02/2015 |
Path: | C:\Windows\System32\taskhost.exe |
Wow64 process (32bit): | false |
Commandline: | taskhost.exe |
Imagebase: | 0x570000 |
File size: | 49152 bytes |
MD5 hash: | 8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2 |
General |
---|
Start time: | 14:57:21 |
Start date: | 05/02/2015 |
Path: | C:\Windows\System32\dwm.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\Dwm.exe |
Imagebase: | 0xe60000 |
File size: | 92672 bytes |
MD5 hash: | 505BF4D1CADEB8D4F8BCD08D944DE25D |
General |
---|
Start time: | 14:57:22 |
Start date: | 05/02/2015 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\Explorer.EXE |
Imagebase: | 0xc30000 |
File size: | 2614272 bytes |
MD5 hash: | 2626FC9755BE22F805D3CFA0CE3EE727 |
General |
---|
Start time: | 14:57:29 |
Start date: | 05/02/2015 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\conhost.exe |
Imagebase: | 0x5c0000 |
File size: | 271360 bytes |
MD5 hash: | 29D9FCDF65B7C823688A035937BB6697 |
General |
---|
Start time: | 14:57:29 |
Start date: | 05/02/2015 |
Path: | C:\Windows\System32\taskhost.exe |
Wow64 process (32bit): | false |
Commandline: | taskhost.exe |
Imagebase: | 0x570000 |
File size: | 49152 bytes |
MD5 hash: | 8F4F5A5C1BAE72CE6EAEEA1CA3F98CA2 |
General |
---|
Start time: | 14:57:30 |
Start date: | 05/02/2015 |
Path: | C:\Windows\System32\WinSAT.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\winsat.exe formal -log -cancelevent dadd25ac-04b1-4563-96a2-ed65603ab78c |
Imagebase: | 0x110000 |
File size: | 3367424 bytes |
MD5 hash: | 800C5B51F0FB6E2183FB0D41E2B74EB9 |
General |
---|
Start time: | 14:57:31 |
Start date: | 05/02/2015 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\conhost.exe |
Imagebase: | 0x5c0000 |
File size: | 271360 bytes |
MD5 hash: | 29D9FCDF65B7C823688A035937BB6697 |
General |
---|
Start time: | 14:57:32 |
Start date: | 05/02/2015 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmp02840f01.bat |
Imagebase: | 0x4aae0000 |
File size: | 301568 bytes |
MD5 hash: | 8AE6DD9A6D246004DA047F704F0CC487 |
Disassembly |
---|
Code Analysis |
---|