VolDiff

Volatility analysis report generated by VolDiff v2.1
Download the latest VolDiff version from https://github.com/aim4r/VolDiff/

Baseline memory image: baseline.vmem
Infected memory image: infected.vmem
Profile: Win8SP1x86
Date and time: 25/06/2015 19:57

New pslist entries.
==========================================================================================================================
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x874fecc0 svchost.exe            2976   2968      5        0      1      0 2015-06-14 16:12:10 UTC+0000
0x874d8cc0 svchost.exe            3000    548      3        0      0      0 2015-06-14 16:12:10 UTC+0000

New psscan entries.
==========================================================================================================================
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000007cad8cc0 svchost.exe        3000    548 0x7e23a2c0 2015-06-14 16:12:10 UTC+0000
0x000000007cafecc0 svchost.exe        2976   2968 0x7e23a2a0 2015-06-14 16:12:10 UTC+0000

New psxview entries.
==========================================================================================================================
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x7dae7cc0 svchost.exe             904 True   True   True     False  True  True    False
0x7db67cc0 svchost.exe            1204 True   False  True     False  True  True    False
0x7cad8cc0 svchost.exe            3000 True   True   True     False  True  True    False
0x7cafecc0 svchost.exe            2976 True   True   True     False  True  True    False

New netscan entries.
==========================================================================================================================
Offset(P)  Proto  Local Address          Foreign Address  State        Pid  Owner        Created
0x7c668470 UDPv4  0.0.0.0:0              *:*                             0  ?A????       2015-06-14 16:07:20 UTC+0000
0x7cadb858 TCPv4  172.16.240.128:49159   -:443            ESTABLISHED  2976 svchost.exe

New malfind entries.
==========================================================================================================================
Process: svchost.exe Pid: 2976 Address: 0xed0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: PrivateMemory: 1, Protection: 6

0x00ed0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00ed0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00ed0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00ed0030  00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00   ................

0xed0000 4d               DEC EBP
0xed0001 5a               POP EDX
0xed0002 90               NOP
0xed0003 0003             ADD [EBX], AL
0xed0005 0000             ADD [EAX], AL
0xed0007 000400           ADD [EAX+EAX], AL
0xed000a 0000             ADD [EAX], AL
0xed000c ff               DB 0xff
0xed000d ff00             INC DWORD [EAX]
0xed000f 00b800000000     ADD [EAX+0x0], BH
0xed0015 0000             ADD [EAX], AL
0xed0017 004000           ADD [EAX+0x0], AL
0xed001a 0000             ADD [EAX], AL
0xed001c 0000             ADD [EAX], AL
0xed001e 0000             ADD [EAX], AL
0xed0020 0000             ADD [EAX], AL
0xed0022 0000             ADD [EAX], AL
0xed0024 0000             ADD [EAX], AL
0xed0026 0000             ADD [EAX], AL
0xed0028 0000             ADD [EAX], AL
0xed002a 0000             ADD [EAX], AL
0xed002c 0000             ADD [EAX], AL
0xed002e 0000             ADD [EAX], AL
0xed0030 0000             ADD [EAX], AL
0xed0032 0000             ADD [EAX], AL
0xed0034 0000             ADD [EAX], AL
0xed0036 0000             ADD [EAX], AL
0xed0038 0000             ADD [EAX], AL
0xed003a 0000             ADD [EAX], AL
0xed003c c8000000         ENTER 0x0, 0x0

Process: svchost.exe Pid: 2976 Address: 0x12d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: PrivateMemory: 1, Protection: 6

0x012d0000  0f 01 0d 30 fa e9 00 c3 00 00 00 00 00 00 00 00   ...0............
0x012d0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x012d0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x012d0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x12d0000 0f010d30fae900   SIDT DWORD [0xe9fa30]
0x12d0007 c3               RET
0x12d0008 0000             ADD [EAX], AL
0x12d000a 0000             ADD [EAX], AL
0x12d000c 0000             ADD [EAX], AL
0x12d000e 0000             ADD [EAX], AL
0x12d0010 0000             ADD [EAX], AL
0x12d0012 0000             ADD [EAX], AL
0x12d0014 0000             ADD [EAX], AL
0x12d0016 0000             ADD [EAX], AL
0x12d0018 0000             ADD [EAX], AL
0x12d001a 0000             ADD [EAX], AL
0x12d001c 0000             ADD [EAX], AL
0x12d001e 0000             ADD [EAX], AL
0x12d0020 0000             ADD [EAX], AL
0x12d0022 0000             ADD [EAX], AL
0x12d0024 0000             ADD [EAX], AL
0x12d0026 0000             ADD [EAX], AL
0x12d0028 0000             ADD [EAX], AL
0x12d002a 0000             ADD [EAX], AL
0x12d002c 0000             ADD [EAX], AL
0x12d002e 0000             ADD [EAX], AL
0x12d0030 0000             ADD [EAX], AL
0x12d0032 0000             ADD [EAX], AL
0x12d0034 0000             ADD [EAX], AL
0x12d0036 0000             ADD [EAX], AL
0x12d0038 0000             ADD [EAX], AL
0x12d003a 0000             ADD [EAX], AL
0x12d003c 0000             ADD [EAX], AL
0x12d003e 0000             ADD [EAX], AL

New sessions entries.
==========================================================================================================================
 Process: 3000 svchost.exe 2015-06-14 16:12:10 UTC+0000

Session(V): 8dccc000 ID: 1 Processes: 7
 Process: 2976 svchost.exe 2015-06-14 16:12:10 UTC+0000

New messagehooks entries.
==========================================================================================================================
Offset(V)    Sess Desktop              Thread                         Filter               Flags                Function   Module
---------- ------ -------------------- ------------------------------ -------------------- -------------------- ---------- ------
0x90998b38      0 Service-0...\Default 3008 (svchost.exe 3000)        WH_KEYBOARD          5570628              0x0042004b 0x2e0053L
0x90998b38      0 Service-0...\Default 2144 (svchost.exe 856)         WH_KEYBOARD          5570628              0x0042004b 0x2e0053L
0x90998b38      0 Service-0...\Default 1364 (svchost.exe 856)         WH_KEYBOARD          5570628              0x0042004b 0x2e0053L
0x90998b38      0 Service-0...\Default 2680 (vmtoolsd.exe 1828)       WH_KEYBOARD          5570628              0x0042004b 0x2e0053L
0x909c7c18      1 WinSta0\Default      2980 (svchost.exe 2976)        WH_SYSMSGFILTER      5439565              0x00000000 0x540043L
0x909c7c18      1 WinSta0\Default      2612 (vmtoolsd.exe 2600)       WH_SYSMSGFILTER      5439565              0x00000000 0x540043L
0x909c7c18      1 WinSta0\Default      2616 (vmtoolsd.exe 2600)       WH_SYSMSGFILTER      5439565              0x00000000 0x540043L

New cmdline entries.
==========================================================================================================================
************************************************************************
svchost.exe pid:   2976
Command line : svchost.exe
************************************************************************
svchost.exe pid:   3000
Command line : C:\Windows\System32\svchost.exe -k WerSvcGroup

New driverscan entries.
==========================================================================================================================
Offset(P)              #Ptr     #Hnd Start      Size       Service Key          Name         Driver Name
------------------ -------- -------- ---------- ---------- -------------------- ------------ -----------
0x000000007c40e5a8        3        0 0x805d3000    0x1a000 ???                  ??
0x000000007c413790        7        0 0x805ed000     0x7000 ???
0x000000007c41b670        3        0 0xa1003000    0xa1000 ?h???                (08X
0x000000007c41f818        4        0 0xa10a4000     0xa000 ??
0x000000007c578520        3        0 0x80400000    0x25000 ?????????
0x000000007e619840       13        0 0x821ba000    0x46000 FltMgr               FltMgr       \FileSystem\FltMgr
0x000000007e877d18        3        0 0xa19e4000     0xd000 condrv               condrv       \Driver\condrv

New driverirp entries.
==========================================================================================================================
DriverName: condrv
DriverStart: 0xa19e4000
DriverSize: 0xd000
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                       0xa19e8420 condrv.sys
   1 IRP_MJ_CREATE_NAMED_PIPE            0x8192148e ntoskrnl.exe
   2 IRP_MJ_CLOSE                        0xa19e82f0 condrv.sys
   3 IRP_MJ_READ                         0xa19ec778 condrv.sys
   4 IRP_MJ_WRITE                        0xa19e86b0 condrv.sys
   5 IRP_MJ_QUERY_INFORMATION            0x8192148e ntoskrnl.exe
   6 IRP_MJ_SET_INFORMATION              0x8192148e ntoskrnl.exe
   7 IRP_MJ_QUERY_EA                     0x8192148e ntoskrnl.exe
   8 IRP_MJ_SET_EA                       0x8192148e ntoskrnl.exe
   9 IRP_MJ_FLUSH_BUFFERS                0xa19ec72a condrv.sys
  10 IRP_MJ_QUERY_VOLUME_INFORMATION     0x8192148e ntoskrnl.exe
  11 IRP_MJ_SET_VOLUME_INFORMATION       0x8192148e ntoskrnl.exe
  12 IRP_MJ_DIRECTORY_CONTROL            0x8192148e ntoskrnl.exe
  13 IRP_MJ_FILE_SYSTEM_CONTROL          0x8192148e ntoskrnl.exe
  14 IRP_MJ_DEVICE_CONTROL               0xa19e9610 condrv.sys
  15 IRP_MJ_INTERNAL_DEVICE_CONTROL      0x8192148e ntoskrnl.exe
  16 IRP_MJ_SHUTDOWN                     0x8192148e ntoskrnl.exe
  17 IRP_MJ_LOCK_CONTROL                 0x8192148e ntoskrnl.exe
  18 IRP_MJ_CLEANUP                      0xa19e8670 condrv.sys
  19 IRP_MJ_CREATE_MAILSLOT              0x8192148e ntoskrnl.exe
  20 IRP_MJ_QUERY_SECURITY               0xa19e8010 condrv.sys
  21 IRP_MJ_SET_SECURITY                 0xa19ec7c6 condrv.sys
  22 IRP_MJ_POWER                        0x8192148e ntoskrnl.exe
  23 IRP_MJ_SYSTEM_CONTROL               0x8192148e ntoskrnl.exe
  24 IRP_MJ_DEVICE_CHANGE                0x8192148e ntoskrnl.exe
  25 IRP_MJ_QUERY_QUOTA                  0x8192148e ntoskrnl.exe
  26 IRP_MJ_SET_QUOTA                    0x8192148e ntoskrnl.exe
  27 IRP_MJ_PNP                          0x8192148e ntoskrnl.exe
--------------------------------------------------

New modules entries.
==========================================================================================================================
Offset(V)  Name                 Base       Size       File
---------- -------------------- ---------- ---------- ----
0x874ed4f0 condrv.sys           0xa19e4000     0xd000 \SystemRoot\System32\drivers\condrv.sys

New modscan entries.
==========================================================================================================================
Offset(P)          Name                 Base       Size       File
------------------ -------------------- ---------- ---------- ----
0x000000007c41b148 ??                   0xa10ae000    0x33000
0x000000007c577008                      0x80400000    0x25000
0x000000007caed4f0 condrv.sys           0xa19e4000     0xd000 \SystemRoot\System32\drivers\condrv.sys

New devicetree entries.
==========================================================================================================================
DRV 0x7c40e5a8 ??
DRV 0x7c413790
DRV 0x7c41b670 (08X
DRV 0x7c41f818 ??
DRV 0x7c578520 ?????????
---| DEV 0x80000070  UNKNOWN
------| ATT 0x85c48ee0  - \FileSystem\FltMgr FILE_DEVICE_MAILSLOT
------| ATT 0x86711a48  - \FileSystem\FltMgr FILE_DEVICE_NAMED_PIPE
---| DEV 0x87503680  FILE_DEVICE_DISK_FILE_SYSTEM
---| DEV 0x85c48ee0  FILE_DEVICE_MAILSLOT
---| DEV 0x86711a48  FILE_DEVICE_NAMED_PIPE
DRV 0x7e877d18 \Driver\condrv
---| DEV 0x85677bf8 ConDrv UNKNOWN
---| DEV 0x874a78e8  FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x87503680  - \FileSystem\FltMgr FILE_DEVICE_DISK_FILE_SYSTEM

New mutantscan entries.
==========================================================================================================================
.NET CLR Data_Perf_Library_Lock_PID_724
.NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_724
.NET CLR Networking_Perf_Library_Lock_PID_724
.NET Data Provider for Oracle_Perf_Library_Lock_PID_724
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_724
.NET Memory Cache 4.0_Perf_Library_Lock_PID_724
.NETFramework_Perf_Library_Lock_PID_724
273...4:0 748:752
BITS_Perf_Library_Lock_PID_724
DBWinMutex
ESENT_Perf_Library_Lock_PID_724
LOADPERF_MUTEX
Lsa_Perf_Library_Lock_PID_724
MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_724
MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_724
MSDTC_Perf_Library_Lock_PID_724
MSSCNTRS_Perf_Library_Lock_PID_724
PerfDisk_Perf_Library_Lock_PID_724
PerfNet_Perf_Library_Lock_PID_724
PerfOS_Perf_Library_Lock_PID_724
PerfProc_Perf_Library_Lock_PID_724
RemoteAccess_Perf_Library_Lock_PID_724
SMSvcHost 3.0.0.0_Perf_Library_Lock_PID_724
SMSvcHost 4.0.0.0_Perf_Library_Lock_PID_724
ServiceModelEndpoint 3.0.0.0_Perf_Library_Lock_PID_724
ServiceModelOperation 3.0.0.0_Perf_Library_Lock_PID_724
ServiceModelService 3.0.0.0_Perf_Library_Lock_PID_724
SmartScreen_AppRepSettings_Mutex
Spooler_Perf_Library_Lock_PID_724
TapiSrv_Perf_Library_Lock_PID_724
Tcpip_Perf_Library_Lock_PID_724
TermService_Perf_Library_Lock_PID_724
UGTHRSVC_Perf_Library_Lock_PID_724
UGatherer_Perf_Library_Lock_PID_724
WSearchIdxPi_Perf_Library_Lock_PID_724
Windows Workflow Foundation 3.0.0.0_Perf_Library_Lock_PID_724
Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_724
WmiApRpl_Perf_Library_Lock_PID_724
_SHuassist.mtx
rdyboost_Perf_Library_Lock_PID_724
usbhub_Perf_Library_Lock_PID_724

No notable changes to highlight from the following plugins.
==========================================================================================================================
iehistory
privs
eventhooks
envars
shimcache
shellbags
consoles
hashdump
drivermodule
unloadedmodules
callbacks
threads
symlinkscan
ssdt

Plugins that were executed but are not included in the report above.
==========================================================================================================================
filescan
handles
getsids
deskscan
dlllist
ldrmodules
atoms
svcscan
atomscan
idt
gdt
timers
gditimers

Analysis Results

IP addresses found in netscan output.
==========================================================================================================================
172.16.240.128

Parent process with PPID 2968 is not listed in psscan output.
==========================================================================================================================
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000007cafecc0 svchost.exe        2976   2968 0x7e23a2a0 2015-06-14 16:12:10 UTC+0000

Parent process with PPID 496 is not listed in psscan output.
==========================================================================================================================
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000007d46dcc0 LogonUI.exe        2716    496 0x7e4782a0 2015-06-14 16:07:55 UTC+0000

Parent process with PPID 552 is not listed in psscan output.
==========================================================================================================================
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000007c448c00 dllhost.exe         292    552 0x7e478380 2015-06-14 16:07:19 UTC+0000
0x000000007c527940 svchost.exe         632    552 0x7e478360 2015-06-14 16:07:19 UTC+0000
0x000000007c6004c0 svchost.exe         844    552 0x7e4781a0 2015-06-14 16:07:15 UTC+0000
0x000000007c61ccc0 svchost.exe         900    552 0x7e4781c0 2015-06-14 16:07:15 UTC+0000
0x000000007c6362c0 svchost.exe         960    552 0x7e4781e0 2015-06-14 16:07:15 UTC+0000
0x000000007c653040 svchost.exe        1052    552 0x7e478200 2015-06-14 16:07:15 UTC+0000
0x000000007d461700 spoolsv.exe        1240    552 0x7e478240 2015-06-14 16:07:16 UTC+0000
0x000000007d4807c0 svchost.exe        1284    552 0x7e478260 2015-06-14 16:07:16 UTC+0000
0x000000007d581cc0 svchost.exe         768    552 0x7e478180 2015-06-14 16:07:14 UTC+0000
0x000000007d592300 svchost.exe         616    552 0x7e478100 2015-06-14 16:07:14 UTC+0000
0x000000007d59a540 svchost.exe         644    552 0x7e478120 2015-06-14 16:07:14 UTC+0000

Process svchost.exe (2976) is running in unexpected session (1 instead of 0).
==========================================================================================================================
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x874fecc0 svchost.exe            2976   2968      5        0      1      0 2015-06-14 16:12:10 UTC+0000

Process svchost.exe (2976) is running from an unexpected path (svchost.exe instead of \windows\system32\svchost.exe).
==========================================================================================================================
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000007cafecc0 svchost.exe        2976   2968 0x7e23a2a0 2015-06-14 16:12:10 UTC+0000

Potential process hollowing detected in svchost.exe (based on size).
==========================================================================================================================
Process                      PID    Size
----------------------------
svchost.exe                  1052   22528
svchost.exe                  1776   22528
svchost.exe                  2976   59392
svchost.exe                  3000   22528
svchost.exe                   616   22528
svchost.exe                   648   22528
svchost.exe                   828   22528
svchost.exe                   856   22528
svchost.exe                   904   22528
svchost.exe                   952   22528
svchost.exe                   988   22528

Prefetch artifacts (mftparser).
==========================================================================================================================