Add image1 report
This commit is contained in:
parent
c650d73153
commit
f09d7d2652
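--- a/connections-image1.txt
+++ b/connections-image1.txt
@@ -0,0 +1,4 @@
+Offset(P) Local Address Remote Address Pid
+---------- ------------------------- ------------------------- ---
+0x01ff1330 192.168.187.130:1037 99.1.23.71:443 3708
+0x023c9638 192.168.187.130:1035 2.21.99.235:443 1032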
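--- a/envars-image1.txt
+++ b/envars-image1.txt
@@ -0,0 +1,333 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Block Variable Value
+
+600 csrss.exe 0x110048 ComSpec C:\WINDOWS\system32\cmd.exe
+600 csrss.exe 0x110048 FP_NO_HOST_CHECK NO
+600 csrss.exe 0x110048 NUMBER_OF_PROCESSORS 1
+600 csrss.exe 0x110048 OS Windows_NT
+600 csrss.exe 0x110048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+600 csrss.exe 0x110048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+600 csrss.exe 0x110048 PROCESSOR_ARCHITECTURE x86
+600 csrss.exe 0x110048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+600 csrss.exe 0x110048 PROCESSOR_LEVEL 6
+600 csrss.exe 0x110048 PROCESSOR_REVISION 2502
+600 csrss.exe 0x110048 SystemDrive C:
+600 csrss.exe 0x110048 SystemRoot C:\WINDOWS
+600 csrss.exe 0x110048 TEMP C:\WINDOWS\TEMP
+600 csrss.exe 0x110048 TMP C:\WINDOWS\TEMP
+600 csrss.exe 0x110048 windir C:\WINDOWS
+624 winlogon.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+624 winlogon.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+624 winlogon.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+624 winlogon.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+624 winlogon.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+624 winlogon.exe 0x20048 FP_NO_HOST_CHECK NO
+624 winlogon.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+624 winlogon.exe 0x20048 NUMBER_OF_PROCESSORS 1
+624 winlogon.exe 0x20048 OS Windows_NT
+624 winlogon.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+624 winlogon.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+624 winlogon.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+624 winlogon.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+624 winlogon.exe 0x20048 PROCESSOR_LEVEL 6
+624 winlogon.exe 0x20048 PROCESSOR_REVISION 2502
+624 winlogon.exe 0x20048 ProgramFiles C:\Program Files
+624 winlogon.exe 0x20048 SystemDrive C:
+624 winlogon.exe 0x20048 SystemRoot C:\WINDOWS
+624 winlogon.exe 0x20048 TEMP C:\WINDOWS\TEMP
+624 winlogon.exe 0x20048 TMP C:\WINDOWS\TEMP
+1032 svchost.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1032 svchost.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1032 svchost.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1032 svchost.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1032 svchost.exe 0x20048 FP_NO_HOST_CHECK NO
+1032 svchost.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1032 svchost.exe 0x20048 OS Windows_NT
+1032 svchost.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1032 svchost.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1032 svchost.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1032 svchost.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1032 svchost.exe 0x20048 PROCESSOR_LEVEL 6
+1032 svchost.exe 0x20048 PROCESSOR_REVISION 2502
+1032 svchost.exe 0x20048 ProgramFiles C:\Program Files
+1032 svchost.exe 0x20048 SystemDrive C:
+1032 svchost.exe 0x20048 SystemRoot C:\WINDOWS
+1032 svchost.exe 0x20048 TEMP C:\WINDOWS\TEMP
+1032 svchost.exe 0x20048 TMP C:\WINDOWS\TEMP
+1032 svchost.exe 0x20048 USERPROFILE C:\Documents and Settings\NetworkService
+1032 svchost.exe 0x20048 windir C:\WINDOWS
+1512 explorer.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1512 explorer.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1512 explorer.exe 0x20048 CLIENTNAME Console
+1512 explorer.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1512 explorer.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1512 explorer.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1512 explorer.exe 0x20048 FP_NO_HOST_CHECK NO
+1512 explorer.exe 0x20048 HOMEDRIVE C:
+1512 explorer.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1512 explorer.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1512 explorer.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1512 explorer.exe 0x20048 OS Windows_NT
+1512 explorer.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1512 explorer.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1512 explorer.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1512 explorer.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1512 explorer.exe 0x20048 PROCESSOR_LEVEL 6
+1512 explorer.exe 0x20048 PROCESSOR_REVISION 2502
+1512 explorer.exe 0x20048 ProgramFiles C:\Program Files
+1512 explorer.exe 0x20048 SESSIONNAME Console
+1512 explorer.exe 0x20048 SystemDrive C:
+1512 explorer.exe 0x20048 SystemRoot C:\WINDOWS
+1512 explorer.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1752 VMwareTray.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1752 VMwareTray.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1752 VMwareTray.exe 0x20048 CLIENTNAME Console
+1752 VMwareTray.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1752 VMwareTray.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1752 VMwareTray.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1752 VMwareTray.exe 0x20048 FP_NO_HOST_CHECK NO
+1752 VMwareTray.exe 0x20048 HOMEDRIVE C:
+1752 VMwareTray.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1752 VMwareTray.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1752 VMwareTray.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1752 VMwareTray.exe 0x20048 OS Windows_NT
+1752 VMwareTray.exe 0x20048 Path C:\Program Files\VMware\VMware Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1752 VMwareTray.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1752 VMwareTray.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1752 VMwareTray.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1752 VMwareTray.exe 0x20048 PROCESSOR_LEVEL 6
+1752 VMwareTray.exe 0x20048 PROCESSOR_REVISION 2502
+1752 VMwareTray.exe 0x20048 ProgramFiles C:\Program Files
+1752 VMwareTray.exe 0x20048 SESSIONNAME Console
+1752 VMwareTray.exe 0x20048 SystemDrive C:
+1752 VMwareTray.exe 0x20048 SystemRoot C:\WINDOWS
+1752 VMwareTray.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1752 VMwareTray.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1752 VMwareTray.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+1752 VMwareTray.exe 0x20048 USERNAME Administrator
+1772 VMwareUser.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1772 VMwareUser.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1772 VMwareUser.exe 0x20048 CLIENTNAME Console
+1772 VMwareUser.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1772 VMwareUser.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1772 VMwareUser.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1772 VMwareUser.exe 0x20048 FP_NO_HOST_CHECK NO
+1772 VMwareUser.exe 0x20048 HOMEDRIVE C:
+1772 VMwareUser.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1772 VMwareUser.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1772 VMwareUser.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1772 VMwareUser.exe 0x20048 OS Windows_NT
+1772 VMwareUser.exe 0x20048 Path C:\Program Files\VMware\VMware Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1772 VMwareUser.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1772 VMwareUser.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1772 VMwareUser.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1772 VMwareUser.exe 0x20048 PROCESSOR_LEVEL 6
+1772 VMwareUser.exe 0x20048 PROCESSOR_REVISION 2502
+1772 VMwareUser.exe 0x20048 ProgramFiles C:\Program Files
+1772 VMwareUser.exe 0x20048 SESSIONNAME Console
+1772 VMwareUser.exe 0x20048 SystemDrive C:
+1772 VMwareUser.exe 0x20048 SystemRoot C:\WINDOWS
+1772 VMwareUser.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1772 VMwareUser.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1772 VMwareUser.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+1772 VMwareUser.exe 0x20048 USERNAME Administrator
+1796 AdobeARM.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1796 AdobeARM.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1796 AdobeARM.exe 0x20048 CLIENTNAME Console
+1796 AdobeARM.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1796 AdobeARM.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1796 AdobeARM.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1796 AdobeARM.exe 0x20048 FP_NO_HOST_CHECK NO
+1796 AdobeARM.exe 0x20048 HOMEDRIVE C:
+1796 AdobeARM.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1796 AdobeARM.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1796 AdobeARM.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1796 AdobeARM.exe 0x20048 OS Windows_NT
+1796 AdobeARM.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1796 AdobeARM.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1796 AdobeARM.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1796 AdobeARM.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1796 AdobeARM.exe 0x20048 PROCESSOR_LEVEL 6
+1796 AdobeARM.exe 0x20048 PROCESSOR_REVISION 2502
+1796 AdobeARM.exe 0x20048 ProgramFiles C:\Program Files
+1796 AdobeARM.exe 0x20048 SESSIONNAME Console
+1796 AdobeARM.exe 0x20048 SystemDrive C:
+1796 AdobeARM.exe 0x20048 SystemRoot C:\WINDOWS
+1796 AdobeARM.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1796 AdobeARM.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1796 AdobeARM.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+1796 AdobeARM.exe 0x20048 USERNAME Administrator
+1796 AdobeARM.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+252 vmtoolsd.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+252 vmtoolsd.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+252 vmtoolsd.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+252 vmtoolsd.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+252 vmtoolsd.exe 0x20048 FP_NO_HOST_CHECK NO
+252 vmtoolsd.exe 0x20048 NUMBER_OF_PROCESSORS 1
+252 vmtoolsd.exe 0x20048 OS Windows_NT
+252 vmtoolsd.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+252 vmtoolsd.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+252 vmtoolsd.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+252 vmtoolsd.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+252 vmtoolsd.exe 0x20048 PROCESSOR_LEVEL 6
+252 vmtoolsd.exe 0x20048 PROCESSOR_REVISION 2502
+252 vmtoolsd.exe 0x20048 ProgramFiles C:\Program Files
+252 vmtoolsd.exe 0x20048 SystemDrive C:
+252 vmtoolsd.exe 0x20048 SystemRoot C:\WINDOWS
+252 vmtoolsd.exe 0x20048 TEMP C:\WINDOWS\TEMP
+252 vmtoolsd.exe 0x20048 TMP C:\WINDOWS\TEMP
+252 vmtoolsd.exe 0x20048 USERPROFILE C:\Documents and Settings\LocalService
+252 vmtoolsd.exe 0x20048 windir C:\WINDOWS
+992 wmiprvse.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+992 wmiprvse.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+992 wmiprvse.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+992 wmiprvse.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+992 wmiprvse.exe 0x20048 FP_NO_HOST_CHECK NO
+992 wmiprvse.exe 0x20048 NUMBER_OF_PROCESSORS 1
+992 wmiprvse.exe 0x20048 OS Windows_NT
+992 wmiprvse.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+992 wmiprvse.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+992 wmiprvse.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+992 wmiprvse.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+992 wmiprvse.exe 0x20048 PROCESSOR_LEVEL 6
+992 wmiprvse.exe 0x20048 PROCESSOR_REVISION 2502
+992 wmiprvse.exe 0x20048 ProgramFiles C:\Program Files
+992 wmiprvse.exe 0x20048 SystemDrive C:
+992 wmiprvse.exe 0x20048 SystemRoot C:\WINDOWS
+992 wmiprvse.exe 0x20048 TEMP C:\WINDOWS\TEMP
+992 wmiprvse.exe 0x20048 TMP C:\WINDOWS\TEMP
+992 wmiprvse.exe 0x20048 USERPROFILE C:\WINDOWS\system32\config\systemprofile
+992 wmiprvse.exe 0x20048 windir C:\WINDOWS
+1132 wuauclt.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1132 wuauclt.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1132 wuauclt.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1132 wuauclt.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1132 wuauclt.exe 0x20048 FP_NO_HOST_CHECK NO
+1132 wuauclt.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1132 wuauclt.exe 0x20048 OS Windows_NT
+1132 wuauclt.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1132 wuauclt.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1132 wuauclt.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1132 wuauclt.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1132 wuauclt.exe 0x20048 PROCESSOR_LEVEL 6
+1132 wuauclt.exe 0x20048 PROCESSOR_REVISION 2502
+1132 wuauclt.exe 0x20048 ProgramFiles C:\Program Files
+1132 wuauclt.exe 0x20048 SystemDrive C:
+1132 wuauclt.exe 0x20048 SystemRoot C:\WINDOWS
+1132 wuauclt.exe 0x20048 TEMP C:\WINDOWS\TEMP
+1132 wuauclt.exe 0x20048 TMP C:\WINDOWS\TEMP
+1132 wuauclt.exe 0x20048 USERPROFILE C:\Documents and Settings\NetworkService
+1132 wuauclt.exe 0x20048 windir C:\WINDOWS
+3692 AcroRd32.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3692 AcroRd32.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3692 AcroRd32.exe 0x20048 CLIENTNAME Console
+3692 AcroRd32.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3692 AcroRd32.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+3692 AcroRd32.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3692 AcroRd32.exe 0x20048 FP_NO_HOST_CHECK NO
+3692 AcroRd32.exe 0x20048 HOMEDRIVE C:
+3692 AcroRd32.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+3692 AcroRd32.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3692 AcroRd32.exe 0x20048 NUMBER_OF_PROCESSORS 1
+3692 AcroRd32.exe 0x20048 OS Windows_NT
+3692 AcroRd32.exe 0x20048 Path C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins;C:\Program Files\Adobe\Reader 9.0\Reader\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3692 AcroRd32.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3692 AcroRd32.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+3692 AcroRd32.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3692 AcroRd32.exe 0x20048 PROCESSOR_LEVEL 6
+3692 AcroRd32.exe 0x20048 PROCESSOR_REVISION 2502
+3692 AcroRd32.exe 0x20048 ProgramFiles C:\Program Files
+3692 AcroRd32.exe 0x20048 SESSIONNAME Console
+3692 AcroRd32.exe 0x20048 SystemDrive C:
+3692 AcroRd32.exe 0x20048 SystemRoot C:\WINDOWS
+3692 AcroRd32.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3692 AcroRd32.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3692 AcroRd32.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+3692 AcroRd32.exe 0x20048 USERNAME Administrator
+3692 AcroRd32.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3692 AcroRd32.exe 0x20048 windir C:\WINDOWS
+3728 AcroRd32Info.ex 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3728 AcroRd32Info.ex 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3728 AcroRd32Info.ex 0x20048 CLIENTNAME Console
+3728 AcroRd32Info.ex 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3728 AcroRd32Info.ex 0x20048 COMPUTERNAME SECURITY-91B8EC
+3728 AcroRd32Info.ex 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3728 AcroRd32Info.ex 0x20048 FP_NO_HOST_CHECK NO
+3728 AcroRd32Info.ex 0x20048 HOMEDRIVE C:
+3728 AcroRd32Info.ex 0x20048 HOMEPATH \Documents and Settings\Administrator
+3728 AcroRd32Info.ex 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3728 AcroRd32Info.ex 0x20048 NUMBER_OF_PROCESSORS 1
+3728 AcroRd32Info.ex 0x20048 OS Windows_NT
+3728 AcroRd32Info.ex 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3728 AcroRd32Info.ex 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_ARCHITECTURE x86
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_LEVEL 6
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_REVISION 2502
+3728 AcroRd32Info.ex 0x20048 ProgramFiles C:\Program Files
+3728 AcroRd32Info.ex 0x20048 SESSIONNAME Console
+3728 AcroRd32Info.ex 0x20048 SystemDrive C:
+3728 AcroRd32Info.ex 0x20048 SystemRoot C:\WINDOWS
+3728 AcroRd32Info.ex 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3728 AcroRd32Info.ex 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3728 AcroRd32Info.ex 0x20048 USERDOMAIN SECURITY-91B8EC
+3728 AcroRd32Info.ex 0x20048 USERNAME Administrator
+3728 AcroRd32Info.ex 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3728 AcroRd32Info.ex 0x20048 windir C:\WINDOWS
+3968 rundll32.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3968 rundll32.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3968 rundll32.exe 0x20048 CLIENTNAME Console
+3968 rundll32.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3968 rundll32.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+3968 rundll32.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3968 rundll32.exe 0x20048 FP_NO_HOST_CHECK NO
+3968 rundll32.exe 0x20048 HOMEDRIVE C:
+3968 rundll32.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+3968 rundll32.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3968 rundll32.exe 0x20048 NUMBER_OF_PROCESSORS 1
+3968 rundll32.exe 0x20048 OS Windows_NT
+3968 rundll32.exe 0x20048 Path C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins;C:\Program Files\Adobe\Reader 9.0\Reader\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3968 rundll32.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3968 rundll32.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+3968 rundll32.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3968 rundll32.exe 0x20048 PROCESSOR_LEVEL 6
+3968 rundll32.exe 0x20048 PROCESSOR_REVISION 2502
+3968 rundll32.exe 0x20048 ProgramFiles C:\Program Files
+3968 rundll32.exe 0x20048 SESSIONNAME Console
+3968 rundll32.exe 0x20048 SystemDrive C:
+3968 rundll32.exe 0x20048 SystemRoot C:\WINDOWS
+3968 rundll32.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3968 rundll32.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3968 rundll32.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+3968 rundll32.exe 0x20048 USERNAME Administrator
+3968 rundll32.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3968 rundll32.exe 0x20048 windir C:\WINDOWS
+3976 Netlogon.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3976 Netlogon.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3976 Netlogon.exe 0x20048 CLIENTNAME Console
+3976 Netlogon.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3976 Netlogon.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+3976 Netlogon.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3976 Netlogon.exe 0x20048 FP_NO_HOST_CHECK NO
+3976 Netlogon.exe 0x20048 HOMEDRIVE C:
+3976 Netlogon.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+3976 Netlogon.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3976 Netlogon.exe 0x20048 NUMBER_OF_PROCESSORS 1
+3976 Netlogon.exe 0x20048 OS Windows_NT
+3976 Netlogon.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3976 Netlogon.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3976 Netlogon.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+3976 Netlogon.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3976 Netlogon.exe 0x20048 PROCESSOR_LEVEL 6
+3976 Netlogon.exe 0x20048 PROCESSOR_REVISION 2502
+3976 Netlogon.exe 0x20048 ProgramFiles C:\Program Files
+3976 Netlogon.exe 0x20048 SESSIONNAME Console
+3976 Netlogon.exe 0x20048 SystemDrive C:
+3976 Netlogon.exe 0x20048 SystemRoot C:\WINDOWS
+3976 Netlogon.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3976 Netlogon.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3976 Netlogon.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+3976 Netlogon.exe 0x20048 USERNAME Administrator
+3976 Netlogon.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3976 Netlogon.exe 0x20048 windir C:\WINDOWS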
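--- a/iehistory-image1.txt
+++ b/iehistory-image1.txt
@@ -0,0 +1,12 @@
+**************************************************
+Process: 1512 explorer.exe
+Cache type "DEST" at 0x15c445
+Last modified: 2011-11-30 12:12:28 UTC+0000
+Last accessed: 2011-11-30 11:12:30 UTC+0000
+URL: Administrator@file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/navy%20procurement.pdf
+**************************************************
+Process: 1512 explorer.exe
+Cache type "DEST" at 0x15c6ed
+Last modified: 2011-11-30 12:12:28 UTC+0000
+Last accessed: 2011-11-30 11:12:30 UTC+0000
+URL: Administrator@file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/navy%20procurement.pdf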
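--- a/imageinfo-image1.txt
+++ b/imageinfo-image1.txt
@@ -0,0 +1,12 @@
+Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
+AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+AS Layer2 : FileAddressSpace (/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image1.vmem)
+PAE type : PAE
+DTB : 0x319000L
+KDBG : 0x80545b60L
+Number of Processors : 1
+Image Type (Service Pack) : 3
+KPCR for CPU 0 : 0xffdff000L
+KUSER_SHARED_DATA : 0xffdf0000L
+Image date and time : 2011-11-30 11:14:10 UTC+0000
+Image local date and time : 2011-11-30 12:14:10 +0100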
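--- a/malfind-image1.txt
+++ b/malfind-image1.txt
@@ -0,0 +1,45 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
+
+3708 svchost.exe 0x400000 0x404fff VadS PAGE_EXECUTE_READWRITE 5 1 Disabled
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+0x400000: add byte ptr [eax], al
+0x400002: add byte ptr [eax], al
+0x400004: add byte ptr [eax], al
+0x400006: add byte ptr [eax], al
+0x400008: add byte ptr [eax], al
+0x40000a: add byte ptr [eax], al
+0x40000c: add byte ptr [eax], al
+0x40000e: add byte ptr [eax], al
+0x400010: add byte ptr [eax], al
+0x400012: add byte ptr [eax], al
+0x400014: add byte ptr [eax], al
+0x400016: add byte ptr [eax], al
+0x400018: add byte ptr [eax], al
+0x40001a: add byte ptr [eax], al
+0x40001c: add byte ptr [eax], al
+0x40001e: add byte ptr [eax], al
+0x400020: add byte ptr [eax], al
+0x400022: add byte ptr [eax], al
+0x400024: add byte ptr [eax], al
+0x400026: add byte ptr [eax], al
+0x400028: add byte ptr [eax], al
+0x40002a: add byte ptr [eax], al
+0x40002c: add byte ptr [eax], al
+0x40002e: add byte ptr [eax], al
+0x400030: add byte ptr [eax], al
+0x400032: add byte ptr [eax], al
+0x400034: add byte ptr [eax], al
+0x400036: add byte ptr [eax], al
+0x400038: add byte ptr [eax], al
+0x40003a: add byte ptr [eax], al
+0x40003c: add byte ptr [eax], al
+0x40003e: add byte ptr [eax], al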
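--- a/processes-image1.txt
+++ b/processes-image1.txt
@@ -0,0 +1,39 @@
+Volatility 3 Framework 1.0.1
+
+PID PPID ImageFileName Offset Threads Handles SessionId Wow64 CreateTime ExitTime File output
+
+3692 1512 AcroRd32.exe 0x1fc5958 4 161 0 False 2011-11-30 11:12:27.000000 N/A Disabled
+3728 860 AcroRd32Info.ex 0x1ffa918 7 149 0 False 2011-11-30 11:12:28.000000 N/A Disabled
+3560 1032 wuauclt.exe 0x201cb08 6 118 0 False 2011-11-30 11:11:55.000000 N/A Disabled
+992 860 wmiprvse.exe 0x2023878 5 189 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+252 676 vmtoolsd.exe 0x2027da0 6 222 0 False 2011-11-30 11:10:51.000000 N/A Disabled
+3976 1512 Netlogon.exe 0x2067308 1 14 0 False 2011-11-30 11:14:06.000000 N/A Disabled
+1028 1036 wuauclt.exe 0x2075be0 0 - 0 False 2011-11-30 11:05:21.000000 2011-11-30 11:10:23.000000 Disabled
+1804 1512 ctfmon.exe 0x207a2a0 1 99 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1796 1512 AdobeARM.exe 0x207d020 8 143 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1620 676 spoolsv.exe 0x20a1558 14 123 0 False 2011-11-30 11:10:42.000000 N/A Disabled
+1088 668 svchost.exe 0x20d3c50 7 0 0 False 2011-11-30 11:05:07.000000 N/A Disabled
+932 668 svchost.exe 0x2107160 10 - 0 False 2011-11-30 11:05:07.000000 N/A Disabled
+1080 676 svchost.exe 0x2296748 5 - 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+688 624 lsass.exe 0x22a3aa8 24 362 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+940 676 svchost.exe 0x2300b28 9 261 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+1124 676 svchost.exe 0x239d578 15 210 0 False 2011-11-30 11:10:41.000000 N/A Disabled
+1132 1032 wuauclt.exe 0x23a1650 8 177 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+512 676 VMUpgradeHelper 0x23a23c0 6 97 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+3708 3632 svchost.exe 0x23d7da0 5 144 0 False 2011-11-30 11:12:28.000000 N/A Disabled
+1368 676 alg.exe 0x23e3260 7 104 0 False 2011-11-30 11:10:56.000000 N/A Disabled
+1988 1032 wscntfy.exe 0x23ea4c0 1 39 0 False 2011-11-30 11:10:56.000000 N/A Disabled
+416 1828 svchost.exe 0x23fb3d8 4 138 0 False 2011-11-30 11:10:53.000000 N/A Disabled
+1772 1512 VMwareUser.exe 0x2403da0 6 211 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1512 1460 explorer.exe 0x240ac08 16 424 0 False 2011-11-30 11:10:42.000000 N/A Disabled
+1752 1512 VMwareTray.exe 0x24149f8 1 58 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+552 4 smss.exe 0x24224c8 3 19 N/A False 2011-11-30 11:10:38.000000 N/A Disabled
+844 676 vmacthlp.exe 0x2425020 1 25 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+860 676 svchost.exe 0x2428020 19 204 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+624 552 winlogon.exe 0x24479c0 24 522 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+3968 3692 rundll32.exe 0x248c400 1 59 0 False 2011-11-30 11:14:06.000000 N/A Disabled
+3832 3692 dumprep.exe 0x248dd48 0 - 0 False 2011-11-30 11:12:31.000000 2011-11-30 11:12:31.000000 Disabled
+1032 676 svchost.exe 0x2493728 84 1552 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+676 624 services.exe 0x249db68 15 259 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+600 552 csrss.exe 0x24aaae0 10 431 0 False 2011-11-30 11:10:39.000000 N/A Disabled
+4 0 System 0x25c8830 56 252 N/A False N/A N/A Disabled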
84
report.tex
84
report.tex
@ -4,6 +4,22 @@
|
||||
\usepackage[english]{babel}
|
||||
\usepackage{microtype}
|
||||
\usepackage{hyperref}
|
||||
\usepackage{listings}
|
||||
\usepackage{graphicx}
|
||||
|
||||
\lstdefinestyle{mystyle}{
|
||||
basicstyle=\ttfamily\footnotesize,
|
||||
breakatwhitespace=false,
|
||||
breaklines=true,
|
||||
captionpos=b,
|
||||
keepspaces=true,
|
||||
showspaces=false,
|
||||
showstringspaces=false,
|
||||
showtabs=false,
|
||||
tabsize=2
|
||||
}
|
||||
|
||||
\lstset{style=mystyle}
|
||||
|
||||
\setlength{\parindent}{0pt}
|
||||
|
||||
@ -16,11 +32,79 @@
|
||||
|
||||
\section{Introduction}
|
||||
|
||||
This report documents the findings and the analysis of those findings while
|
||||
performing extensive forensic analysis on a RAM dump. The RAM dump was obtained
|
||||
after a computer showed suspicious activity and was subsequently shut down. The
|
||||
dump is provided via a zip file which is extracted to be able to perform
|
||||
forensic analysis.
|
||||
|
||||
A second RAM dump is analyzed to find information about a PC running in the
|
||||
server room which has no apparent owner or user. This dump is also provided as a
|
||||
zip file and is password protected with the password \texttt{infected}.
|
||||
|
||||
\section{Findings}
|
||||
|
||||
All information is obtained through the use of the open soure \texttt{Volatility
|
||||
3 Framework} at version \texttt{1.0.1} except for the screenshot for the first
|
||||
RAM dump, because this command requires the \texttt{Volatility Framework 2.6}.
|
||||
|
||||
\subsection{Image 1}
|
||||
|
||||
\subsubsection{Basic Information}
|
||||
|
||||
This image is running Windows XP with the Service Pack 2. It was created on
|
||||
2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named
|
||||
\texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the
|
||||
\texttt{Administrator} user. This information is provided by the volatility
|
||||
\texttt{windows.info.Info} and \texttt{windows.envars.Envars} commands.
|
||||
|
||||
\subsubsection{Processes and Network Connections}
|
||||
|
||||
The process list is obtained with the \texttt{pslist} command. It includes
|
||||
common Windows processes as well as \texttt{AcroRd32.exe} and
|
||||
\texttt{VMWareUser.exe}. There are also multiple \texttt{svchost.exe} processes
|
||||
running.
|
||||
|
||||
\subsubsection{Other Information}
|
||||
|
||||
Interesting information can also be found with the \texttt{iehistory},
|
||||
\texttt{screenshot} and \texttt{malfind} commands. \texttt{IEHistory} shows that
|
||||
the user \texttt{Administrator} accessed a file on the filesystem called
|
||||
\texttt{navy procurement.pdf}. Furthermore, the \texttt{screenshot} command
|
||||
attempts to reconstruct the user's view just before the dump was created. The
|
||||
image shows that the \texttt{navy procurement.pdf} file was opened in Adobe
|
||||
Acrobat Reader with a message saying that Windows has closed this program to
|
||||
protect the computer.
|
||||
|
||||
\begin{center}
|
||||
\begin{figure}
|
||||
\includegraphics[width=1\textwidth]{./screenshot.png}
|
||||
\caption{\texttt{navy procurement.pdf} open in Adobe Acrobat Reader}
|
||||
\end{figure}
|
||||
\end{center}
|
||||
|
||||
\subsection{Image 2}
|
||||
|
||||
\section{Analysis}
|
||||
|
||||
\subsection{Image 1}
|
||||
|
||||
The information gathered with volatility strongly suggests that the computer had
|
||||
been infected with malware. The malware seems to have been installed after
|
||||
opening the \texttt{navy procurement.pdf} file and is also most likely running
|
||||
as an additional \texttt{svchost.exe} process. This process could be responsible
|
||||
for the connection made to the IP-address \texttt{99.1.23.71}. A WHOIS lookup
|
||||
provides the company who has the address: \texttt{SUN COUNTRY MEDICAL
|
||||
EQUIPMENT} based in Texas, US.
|
||||
|
||||
\subsection{Image 2}
|
||||
|
||||
\section{Appendix}
|
||||
|
||||
\lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
|
||||
\lstinputlisting[caption=Image1 Processes List]{processes-image1.txt}
|
||||
\lstinputlisting[caption=Image1 Connections]{connections-image1.txt}
|
||||
\lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
|
||||
\lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
|
||||
|
||||
\end{document}
|
||||
|
||||
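Review bot: The Basic Information paragraph states the image runs Windows XP with Service Pack 2, but the appended imageinfo-image1.txt reports `Image Type (Service Pack) : 3` and only instantiated the SP2 profile as a fallback, so the sentence should read `This image is running Windows XP with Service Pack 3 (the SP2 profile was used for instantiation).` and the creation time should be given as `2011-11-30 11:14:10 UTC` (12:14:10 is the local +0100 time). The Analysis paragraph hedges that the extra svchost.exe "could be responsible" for the 99.1.23.71 connection, yet the appended output already ties it together: connections-image1.txt attributes that socket to PID 3708, processes-image1.txt shows PID 3708 was created at 11:12:28 (one second after AcroRd32.exe) under parent PID 3632 which is absent from the list and is not services.exe, and malfind flags a PAGE_EXECUTE_READWRITE VadS region in that same PID, so citing those three facts makes the attribution verifiable rather than speculative. Typos in the new text: `open soure` → `open source`, `VMWareUser.exe` → `VMwareUser.exe` (as in the process listing), `IP-address` → `IP address`. In the figure, `\begin{center}` wrapped around a float adds spurious vertical space and the figure has no label; use `\centering` inside the figure, `width=\textwidth`, and add `\label{fig:screenshot}` after the caption. In the first hunk, `hyperref` is loaded before `listings` and `graphicx`; it should be the last package loaded.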
BIN
screenshot.png
Normal file
BIN
screenshot.png
Normal file
Binary file not shown.