We're stepping through the awesome research by Ian Ahl (TekDefense) in the article Analyzing DarkComet in Memory, which he wrote after attending and reviewing the Volatility training. He pulled some DarkComet samples from AV databases, infected some lab systems to study the malware, and developed indicators to help with a case they were working on.
Just a few IPython things to get set up to use Rekall:
In [ ]:
from rekall import interactive
interactive.ImportEnvironment()
In [11]:
rekal filename='/Users/adric/Desktop/mess/WIN-TTUMF6EI3O3-20140203-123134.raw'
Initializing Rekall session.
Done!
It's always good to start memory analysis with imageinfo. In Volatility you often have to anyway, to find out which profile to use. Rekall doesn't need that since it auto-detects profiles (detailed on their blog), but it does help verify that your image is loaded and things are working before you ask harder questions.
In [17]:
imageinfo
Fact Value
-------------------- -----
Kernel DTB 0x185000
NT Build 7601.win7sp1_gdr.130828-1532
NT Build Ex 7601.18247.x86fre.win7sp1_gdr.130828-1532
Signed Drivers True
Time (UTC) 2014-02-03 12:31:36+0000
Time (Local) 2014-02-03 17:31:36+0000
Sec Since Boot 12507.1617736
NtSystemRoot C:\Windows
**************** Physical Layout ****************
Physical Start Physical End Number of Pages
-------------- ------------ ---------------
0x00001000 0x0009f000 158
0x00100000 0x3fee0000 261600
0x3ff00000 0x40000000 256
Usually we can use network connection data to find interesting processes, but not so for this sample as it was prepared without an active malware-related network connection.
Use netscan for modern Windows systems and connections for XP and 2003 (details in the Volatility command reference).
In [21]:
netscan
Offset(P) Proto Local Address Remote Address State Pid Owner Created
---------- -------- -------------------- -------------------- ---------------- ----- -------------- -------
0x3e83a360 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 664 svchost.exe -
0x3e83c1d8 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 388 wininit.exe -
0x3e83ca20 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 664 svchost.exe -
0x3e83ca20 TCPv6 :::135 :::0 LISTENING 664 svchost.exe -
0x3e840248 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 388 wininit.exe -
0x3e840248 TCPv6 :::49152 :::0 LISTENING 388 wininit.exe -
0x3e861430 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 752 svchost.exe -
0x3e863840 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 752 svchost.exe -
0x3e863840 TCPv6 :::49153 :::0 LISTENING 752 svchost.exe -
0x3e916360 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 664 svchost.exe -
0x3e9181d8 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 388 wininit.exe -
0x3e918a20 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 664 svchost.exe -
0x3e918a20 TCPv6 :::135 :::0 LISTENING 664 svchost.exe -
0x3e91c248 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 388 wininit.exe -
0x3e91c248 TCPv6 :::49152 :::0 LISTENING 388 wininit.exe -
0x3e93d430 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 752 svchost.exe -
0x3e93f840 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 752 svchost.exe -
0x3e93f840 TCPv6 :::49153 :::0 LISTENING 752 svchost.exe -
0x3eb9e598 TCPv4 192.168.26.136:139 0.0.0.0:0 LISTENING 4 System -
0x3ecf52b0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 492 lsass.exe -
0x3ecf52b0 TCPv6 :::49154 :::0 LISTENING 492 lsass.exe -
0x3ecff2e8 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 492 lsass.exe -
0x3ed0e340 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 844 svchost.exe -
0x3ed25098 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 844 svchost.exe -
0x3ed25098 TCPv6 :::49155 :::0 LISTENING 844 svchost.exe -
0x3ee9c588 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System -
0x3ee9c588 TCPv6 :::445 :::0 LISTENING 4 System -
0x3eea50b0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 484 services.exe -
0x3eea50b0 TCPv6 :::49156 :::0 LISTENING 484 services.exe -
0x3eea7880 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 484 services.exe -
0x3eef1628 TCPv4 192.168.26.136:49744 176.106.48.182:1604 SYN_SENT ----- -------------- -
0x3fb4ba70 TCPv4 192.168.26.136:49735 176.106.48.182:1604 CLOSED ----- -------------- -
0x3e6e3710 UDPv4 192.168.26.136:138 *:* 4 System 2014-02-03 09:04:31+0000
0x3e6eb100 UDPv4 127.0.0.1:54101 *:* 2272 conhost.exe 2014-02-03 12:28:31+0000
0x3e6f4d08 UDPv6 fe80::38de:3b28:c3d4:638b:1900 *:* 1248 svchost.exe 2014-02-03 09:08:28+0000
0x3e724490 UDPv4 0.0.0.0:0 *:* 1176 svchost.exe 2014-02-03 09:04:32+0000
0x3e724490 UDPv6 :::0 *:* 1176 svchost.exe 2014-02-03 09:04:32+0000
0x3e762d30 UDPv6 ::1:55752 *:* 1248 svchost.exe 2014-02-03 09:08:28+0000
0x3e7864e0 UDPv4 0.0.0.0:5355 *:* 1176 svchost.exe 2014-02-03 12:19:25+0000
0x3e807df0 UDPv4 192.168.26.136:137 *:* 4 System 2014-02-03 09:04:31+0000
0x3e810bd8 UDPv4 127.0.0.1:63702 *:* 2190918940 2014-02-03 12:27:07+0000
0x3e8e3df0 UDPv4 192.168.26.136:137 *:* 4 System 2014-02-03 09:04:31+0000
0x3e8ecbd8 UDPv4 127.0.0.1:63702 *:* 2190918940 2014-02-03 12:27:07+0000
0x3e9bfdf0 UDPv4 192.168.26.136:137 *:* 4 System 2014-02-03 09:04:31+0000
0x3e9c8bd8 UDPv4 127.0.0.1:63702 *:* 2190918940 2014-02-03 12:27:07+0000
0x3ecc0cc8 UDPv4 0.0.0.0:5355 *:* 1176 svchost.exe 2014-02-03 12:19:25+0000
0x3ecc0cc8 UDPv6 :::5355 *:* 1176 svchost.exe 2014-02-03 12:19:25+0000
0x3ee12960 UDPv6 ::1:1900 *:* 1248 svchost.exe 2014-02-03 09:08:28+0000
0x3eebe7d0 UDPv4 192.168.26.136:1900 *:* 1248 svchost.exe 2014-02-03 09:08:28+0000
0x3f598d50 UDPv4 127.0.0.1:55753 *:* 1248 svchost.exe 2014-02-03 09:08:28+0000
0x3f599488 UDPv4 127.0.0.1:1900 *:* 1248 svchost.exe 2014-02-03 09:08:28+0000
0x3faf01f8 UDPv4 0.0.0.0:59764 *:* 1176 svchost.exe 2014-02-03 12:32:17+0000
0x3fb13868 UDPv4 127.0.0.1:61756 *:* 0 2014-02-03 12:20:48+0000
The psxview plugin looks through memory in seven (and counting) ways and compares the results to help detect hiding or suspicious processes.
There are details about the various process plugins in the Volatility command reference.
In [13]:
psxview
Offset(V) Name PID CSRSS Handles PSScan PsActiveProcessHead PspCidTable Sessions Thrdproc
---------- -------------------- ------ ----- ------- ------ ------------------- ----------- -------- --------
0x85cab690 e 2 False True False False False False False
0x841389e8 System 4 False False True True True False True
0x85a68030 taskhost.exe 140 True True True True True True True
0x84b78020 smss.exe 248 False True True True True False True
0x852e74c8 csrss.exe 336 False True True True True True True
0x849f29c0 dwm.exe 340 True True True True True True True
0x855a4388 csrss.exe 380 False True True True True True True
0x855a7bc0 wininit.exe 388 True True True True True True True
0x84a21530 winlogon.exe 424 True True True True True True True
0x855dc030 services.exe 484 True True True True True True True
0x855e0030 lsass.exe 492 True True True True True True True
0x855e2860 lsm.exe 500 True True True True True True True
0x856214f8 svchost.exe 588 True True True True True True True
0x85634030 svchost.exe 664 True True True True True True True
0x85652030 svchost.exe 752 True True True True True True True
0x85661848 svchost.exe 792 True True True True True True True
0x85667030 svchost.exe 820 True True True True True True True
0x858ef030 msdtc.exe 840 True True True True True True True
0x856695a0 svchost.exe 844 True True True True True True True
0x84535d40 cmd.exe 1128 True True True True True True True
0x84a29030 svchost.exe 1176 True True True True True True True
0x859636f8 svchost.exe 1248 True True True True True True True
0x84a29d40 spoolsv.exe 1288 True True True True True True True
0x852c3910 svchost.exe 1316 True True True True True True True
0x85047290 vmtoolsd.exe 1516 True True True True True True True
0x84536030 runddl32.exe 1524 True True True True True True True
0x85649bf8 dllhost.exe 1676 False False True False False False False
0x850acb90 TPAutoConnSvc. 1688 True True True True True True True
0x8594ab18 SearchIndexer. 1712 True True True True True True True
0x850416c8 svchost.exe 1796 True True True True True True True
0x84506480 notepad.exe 1896 True True True True True True True
0x84ae9190 dllhost.exe 1920 False True True True False False False
0x85039810 dllhost.exe 2012 True True True True True True True
0x850d56f8 explorer.exe 2052 True True True True True True True
0x8459d9a0 conhost.exe 2088 True True True True True True True
0x84ae5b28 vmtoolsd.exe 2116 True True True True True True True
0x85a04570 conhost.exe 2272 True False True True True True True
0x859b6630 wuauclt.exe 2280 True True True True True True True
0x85a00d40 LogonUI.exe 2516 True True True True True True True
0x850e9870 svchost.exe 2644 True True True True True True True
0x85a72188 conhost.exe 2752 True True True True True True True
0x84a70440 DumpIt.exe 3060 True False True True True True True
0x85939a90 SearchFilterHo 3128 False False True False False True False
0x856b0800 SearchProtocol 3452 False True True False False False False
0x845a0b90 dllhost.exe 3636 False False True False False False False
0x85659af0 cmd.exe 3656 True True True True True True True
0x858e2540 conhost.exe 3916 True True True True True True True
0x84524030 audiodg.exe 3936 True True True True True True True
0x84ab64a0 TPAutoConnect. 4044 True True True True True True True
0x84ab3428 VMwareTray.exe 4092 True True True True True True True
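To make the cross-view idea concrete, here is an added example (mine, not code from the original notebook or from Rekall) that parses rows of the psxview table above and lists, per process, the views that did not see it. The two gaps it excuses by design (csrss.exe not tracking System, smss.exe or itself; System and smss.exe having no session) are the same exceptions Volatility's psxview applies with --apply-rules; that mapping is my assumption, not from the page.

```python
"""Cross-view consistency check over psxview output (added example)."""
from typing import Dict, List, Tuple

VIEWS = ["CSRSS", "Handles", "PSScan", "PsActiveProcessHead",
         "PspCidTable", "Sessions", "Thrdproc"]

# Gaps that are expected by design, keyed by lower-cased image name
# (assumed list, modelled on Volatility's psxview --apply-rules).
EXPECTED_GAPS = {
    "system": {"CSRSS", "Sessions"},
    "smss.exe": {"CSRSS", "Sessions"},
    "csrss.exe": {"CSRSS"},
}

# Constructed sample: rows copied from the psxview output above.
PSXVIEW_SAMPLE = """\
Offset(V) Name PID CSRSS Handles PSScan PsActiveProcessHead PspCidTable Sessions Thrdproc
---------- -------------------- ------ ----- ------- ------ ------------------- ----------- -------- --------
0x841389e8 System 4 False False True True True False True
0x85a68030 taskhost.exe 140 True True True True True True True
0x84536030 runddl32.exe 1524 True True True True True True True
0x85649bf8 dllhost.exe 1676 False False True False False False False
0x84ae9190 dllhost.exe 1920 False True True True False False False
0x84a70440 DumpIt.exe 3060 True False True True True True True
"""


def parse_psxview(text: str) -> List[Dict]:
    """Turn psxview's whitespace-separated table into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows carry offset, name, pid and one True/False per view;
        # the header and separator lines do not, so they are skipped.
        if len(parts) != 3 + len(VIEWS) or not parts[0].startswith("0x"):
            continue
        flags = {view: parts[3 + i] == "True" for i, view in enumerate(VIEWS)}
        rows.append({"offset": parts[0], "name": parts[1],
                     "pid": int(parts[2]), "views": flags})
    return rows


def unexpected_gaps(row: Dict) -> List[str]:
    """Views that missed this process, minus the by-design exceptions."""
    excused = EXPECTED_GAPS.get(row["name"].lower(), set())
    return [v for v in VIEWS if not row["views"][v] and v not in excused]


def cross_view_report(text: str) -> Dict[Tuple[str, int], List[str]]:
    """Map (name, pid) -> list of views that unexpectedly missed it."""
    return {(r["name"], r["pid"]): unexpected_gaps(r) for r in parse_psxview(text)}


def flagged(text: str) -> List[Tuple[str, int]]:
    """Processes with at least one unexpected gap, most gaps first."""
    report = cross_view_report(text)
    return sorted((key for key, gaps in report.items() if gaps),
                  key=lambda key: (-len(report[key]), key[1]))


if __name__ == "__main__":
    report = cross_view_report(PSXVIEW_SAMPLE)
    for name, pid in flagged(PSXVIEW_SAMPLE):
        print(f"{name:16} {pid:>5}  missed by: {', '.join(report[(name, pid)])}")
```

A row that only PSScan sees is often a process that has already exited but whose _EPROCESS is still in pool memory, so check its exit time before calling it hidden.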
To see the process relationships we can use pstree just as in Unix.
In [15]:
pstree
Name Pid PPid Thds Hnds Time
---------------------------------------- ------ ------ ------ ------ ------------------------
0x852E74C8:csrss.exe 336 328 9 394 2014-02-03 09:03:53+0000
0x855A7BC0:wininit.exe 388 328 3 81 2014-02-03 09:03:54+0000
. 0x855DC030:services.exe 484 388 7 199 2014-02-03 09:03:56+0000
.. 0x85A68030:taskhost.exe 140 484 9 253 2014-02-03 12:13:31+0000
.. 0x856214F8:svchost.exe 588 484 10 354 2014-02-03 09:04:01+0000
... 0x84AE9190:dllhost.exe 1920 588 0 ------ 2014-02-03 12:31:38+0000
.. 0x85634030:svchost.exe 664 484 7 270 2014-02-03 09:04:02+0000
.. 0x85652030:svchost.exe 752 484 19 476 2014-02-03 09:04:03+0000
... 0x84524030:audiodg.exe 3936 752 4 127 2014-02-03 12:20:49+0000
.. 0x85661848:svchost.exe 792 484 16 367 2014-02-03 09:04:03+0000
... 0x849F29C0:dwm.exe 340 792 5 129 2014-02-03 12:13:32+0000
.. 0x85667030:svchost.exe 820 484 12 543 2014-02-03 09:04:03+0000
.. 0x858EF030:msdtc.exe 840 484 12 145 2014-02-03 09:04:31+0000
.. 0x856695A0:svchost.exe 844 484 30 1084 2014-02-03 09:04:03+0000
... 0x859B6630:wuauclt.exe 2280 844 3 88 2014-02-03 12:14:02+0000
.. 0x84A29030:svchost.exe 1176 484 15 489 2014-02-03 09:04:11+0000
.. 0x859636F8:svchost.exe 1248 484 7 109 2014-02-03 09:08:27+0000
.. 0x84A29D40:spoolsv.exe 1288 484 13 347 2014-02-03 09:04:14+0000
.. 0x852C3910:svchost.exe 1316 484 20 301 2014-02-03 09:04:14+0000
.. 0x85047290:vmtoolsd.exe 1516 484 8 280 2014-02-03 09:04:18+0000
.. 0x850ACB90:TPAutoConnSvc. 1688 484 10 139 2014-02-03 09:04:23+0000
... 0x84AB64A0:TPAutoConnect. 4044 1688 5 121 2014-02-03 12:13:32+0000
.. 0x8594AB18:SearchIndexer. 1712 484 14 680 2014-02-03 09:04:34+0000
... 0x85939A90:SearchFilterHo 3128 1712 0 ------ 2014-02-03 12:31:24+0000
... 0x856B0800:SearchProtocol 3452 1712 0 ------ 2014-02-03 12:31:24+0000
.. 0x850416C8:svchost.exe 1796 484 6 92 2014-02-03 09:04:27+0000
.. 0x85039810:dllhost.exe 2012 484 13 191 2014-02-03 09:04:29+0000
.. 0x850E9870:svchost.exe 2644 484 14 356 2014-02-03 09:06:23+0000
. 0x855E0030:lsass.exe 492 388 6 539 2014-02-03 09:03:57+0000
. 0x855E2860:lsm.exe 500 388 10 147 2014-02-03 09:03:57+0000
. 0x85A00D40:LogonUI.exe 2516 388 5 156 2014-02-03 09:05:25+0000
0x85CAB690:e 2 6553710 3473477 ------ -
0x841389E8:System 4 0 85 511 2014-02-03 09:03:46+0000
. 0x84B78020:smss.exe 248 4 2 29 2014-02-03 09:03:46+0000
0x850D56F8:explorer.exe 2052 1808 31 974 2014-02-03 12:13:32+0000
. 0x84AE5B28:vmtoolsd.exe 2116 2052 5 170 2014-02-03 12:13:55+0000
. 0x84A70440:DumpIt.exe 3060 2052 5 38 2014-02-03 12:31:34+0000
. 0x84AB3428:VMwareTray.exe 4092 2052 5 75 2014-02-03 12:13:55+0000
0x855A4388:csrss.exe 380 372 10 294 2014-02-03 09:03:54+0000
. 0x8459D9A0:conhost.exe 2088 380 2 46 2014-02-03 12:27:17+0000
. 0x85A04570:conhost.exe 2272 380 2 49 2014-02-03 12:31:34+0000
. 0x85A72188:conhost.exe 2752 380 2 47 2014-02-03 12:27:17+0000
. 0x858E2540:conhost.exe 3916 380 1 33 2014-02-03 12:13:32+0000
0x84A21530:winlogon.exe 424 372 3 118 2014-02-03 09:03:54+0000
0x84535D40:cmd.exe 1128 3220 1 19 2014-02-03 12:27:17+0000
0x84536030:runddl32.exe 1524 3220 10 161 2014-02-03 12:27:18+0000
. 0x84506480:notepad.exe 1896 1524 2 57 2014-02-03 12:27:18+0000
0x85659AF0:cmd.exe 3656 3220 1 19 2014-02-03 12:27:17+0000
Anyone in this list look odd? :D
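Two things stand out when you read the tree by hand: a name one keystroke away from rundll32.exe, and three processes (cmd.exe, cmd.exe, runddl32.exe) whose parent 3220 is no longer in the listing. The added example below (mine, not code from the original notebook or from Rekall) automates both checks over rows of the pstree table above. The list of well-known binary names and the set of boot-time orphans it excuses are my own assumptions.

```python
"""Lookalike names and orphaned siblings in pstree output (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed reference list of legitimate image names to compare against.
KNOWN_BINARIES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "rundll32.exe",
    "explorer.exe", "taskhost.exe", "dllhost.exe", "conhost.exe",
    "spoolsv.exe", "notepad.exe", "cmd.exe", "dwm.exe", "logonui.exe",
}
# Processes whose parent normally exits during boot/logon (assumed list):
# csrss/wininit/winlogon come from per-session smss.exe instances,
# explorer from userinit.exe, System has no parent at all.
EXPECTED_ORPHANS = {"system", "csrss.exe", "wininit.exe", "winlogon.exe",
                    "explorer.exe"}

# Constructed sample: a subset of the pstree rows above.
PSTREE_SAMPLE = """\
0x852E74C8:csrss.exe 336 328 9 394 2014-02-03 09:03:53+0000
0x855A7BC0:wininit.exe 388 328 3 81 2014-02-03 09:03:54+0000
. 0x855DC030:services.exe 484 388 7 199 2014-02-03 09:03:56+0000
.. 0x856214F8:svchost.exe 588 484 10 354 2014-02-03 09:04:01+0000
0x841389E8:System 4 0 85 511 2014-02-03 09:03:46+0000
. 0x84B78020:smss.exe 248 4 2 29 2014-02-03 09:03:46+0000
0x850D56F8:explorer.exe 2052 1808 31 974 2014-02-03 12:13:32+0000
. 0x84A70440:DumpIt.exe 3060 2052 5 38 2014-02-03 12:31:34+0000
0x855A4388:csrss.exe 380 372 10 294 2014-02-03 09:03:54+0000
0x84A21530:winlogon.exe 424 372 3 118 2014-02-03 09:03:54+0000
0x84535D40:cmd.exe 1128 3220 1 19 2014-02-03 12:27:17+0000
0x84536030:runddl32.exe 1524 3220 10 161 2014-02-03 12:27:18+0000
. 0x84506480:notepad.exe 1896 1524 2 57 2014-02-03 12:27:18+0000
0x85659AF0:cmd.exe 3656 3220 1 19 2014-02-03 12:27:17+0000
"""


def parse_pstree(text: str) -> Dict[int, Dict]:
    """Map pid -> {name, ppid}; the leading dots only encode tree depth."""
    procs = {}
    for line in text.splitlines():
        parts = line.lstrip(". ").split()
        if len(parts) < 4 or ":" not in parts[0]:
            continue
        procs[int(parts[1])] = {"name": parts[0].split(":", 1)[1],
                                "ppid": int(parts[2])}
    return procs


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert/delete/substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(procs: Dict[int, Dict], max_distance: int = 2) -> List[Tuple[int, str, str]]:
    """(pid, name, impersonated) for names near, but not equal to, a known binary."""
    hits = []
    for pid, p in sorted(procs.items()):
        name = p["name"].lower()
        if name in KNOWN_BINARIES:
            continue
        for known in sorted(KNOWN_BINARIES):
            if edit_distance(name, known) <= max_distance:
                hits.append((pid, p["name"], known))
    return hits


def orphan_groups(procs: Dict[int, Dict]) -> Dict[int, List[int]]:
    """Missing parent pid -> its surviving children, excused boot orphans dropped."""
    groups = defaultdict(list)
    for pid, p in sorted(procs.items()):
        if p["ppid"] in procs or p["name"].lower() in EXPECTED_ORPHANS:
            continue
        groups[p["ppid"]].append(pid)
    return dict(groups)


def descendants(procs: Dict[int, Dict], root: int) -> List[int]:
    """Every pid below root in the tree, breadth first."""
    out, queue = [], [root]
    while queue:
        cur = queue.pop(0)
        kids = sorted(pid for pid, p in procs.items() if p["ppid"] == cur)
        out.extend(kids)
        queue.extend(kids)
    return out


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    for pid, name, known in lookalikes(procs):
        print(f"pid {pid}: {name} resembles {known}; children: {descendants(procs, pid)}")
    for parent, kids in orphan_groups(procs).items():
        print(f"parent {parent} is gone; it left behind pids {kids}")
```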
In [14]:
dlllist pid=1524
************************************************************************
runddl32.exe pid: 1524
Command line : "C:\Users\TEKDEF~1\AppData\Local\Temp\MSDCSC\runddl32.exe"
Service Pack 1
Base Size Path
---------- ---------- ----
0x00400000 0xb2000 C:\Users\TEKDEF~1\AppData\Local\Temp\MSDCSC\runddl32.exe
0x76dc0000 0x13c000 C:\Windows\SYSTEM32\ntdll.dll
0x75c20000 0xd4000 C:\Windows\system32\kernel32.dll
0x74f60000 0x4b000 C:\Windows\system32\KERNELBASE.dll
0x75830000 0x8f000 C:\Windows\system32\oleaut32.dll
0x752b0000 0x15c000 C:\Windows\system32\ole32.dll
0x75580000 0xac000 C:\Windows\system32\msvcrt.dll
0x75e20000 0x4e000 C:\Windows\system32\GDI32.dll
0x75b50000 0xc9000 C:\Windows\system32\USER32.dll
0x758c0000 0xa000 C:\Windows\system32\LPK.dll
0x75d80000 0x9d000 C:\Windows\system32\USP10.dll
0x75a90000 0xa2000 C:\Windows\system32\RPCRT4.dll
0x75410000 0xa0000 C:\Windows\system32\advapi32.dll
0x75290000 0x19000 C:\Windows\SYSTEM32\sechost.dll
0x742f0000 0x9000 C:\Windows\system32\version.dll
0x72eb0000 0x7000 C:\Windows\system32\wsock32.dll
0x76f00000 0x35000 C:\Windows\system32\WS2_32.dll
0x75b40000 0x6000 C:\Windows\system32\NSI.dll
0x75fd0000 0xc4a000 C:\Windows\system32\shell32.dll
0x76f90000 0x57000 C:\Windows\system32\SHLWAPI.dll
0x75160000 0x121000 C:\Windows\system32\URLMON.DLL
0x74eb0000 0x4000 C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
0x74e80000 0x4000 C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
0x74e90000 0x5000 C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
0x74ea0000 0x4000 C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
0x74ec0000 0x4000 C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
0x74f00000 0x3000 C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
0x75570000 0x3000 C:\Windows\system32\normaliz.DLL
0x75630000 0x1f8000 C:\Windows\system32\iertutil.dll
0x758d0000 0x1b8000 C:\Windows\system32\WININET.dll
0x6af90000 0x84000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
0x733a0000 0x32000 C:\Windows\system32\winmm.dll
0x72780000 0x11000 C:\Windows\system32\netapi32.dll
0x72770000 0x9000 C:\Windows\system32\netutils.dll
0x74a60000 0x19000 C:\Windows\system32\srvcli.dll
0x72760000 0xf000 C:\Windows\system32\wkscli.dll
0x73840000 0x190000 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
0x73070000 0x14000 C:\Windows\system32\msacm32.dll
0x719e0000 0x5000 C:\Windows\system32\SHFolder.dll
0x6efc0000 0x13000 C:\Windows\system32\AVICAP32.DLL
0x6ece0000 0x21000 C:\Windows\system32\MSVFW32.dll
0x75d60000 0x1f000 C:\Windows\system32\IMM32.DLL
0x75f00000 0xcc000 C:\Windows\system32\MSCTF.dll
0x73b00000 0x40000 C:\Windows\system32\uxtheme.dll
0x72fe0000 0x13000 C:\Windows\system32\dwmapi.dll
0x74d50000 0xc000 C:\Windows\system32\CRYPTBASE.dll
0x74d00000 0x4c000 C:\Windows\system32\apphelp.dll
0x73d80000 0x19e000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
0x75e70000 0x83000 C:\Windows\system32\CLBCatQ.DLL
0x739f0000 0xf5000 C:\Windows\system32\propsys.dll
0x76c20000 0x19d000 C:\Windows\system32\SETUPAPI.dll
0x74f10000 0x27000 C:\Windows\system32\CFGMGR32.dll
0x74f40000 0x12000 C:\Windows\system32\DEVOBJ.dll
0x74830000 0x3c000 C:\Windows\system32\mswsock.dll
0x74380000 0x5000 C:\Windows\System32\wshtcpip.dll
0x73b40000 0x10000 C:\Windows\system32\NLAapi.dll
0x70b30000 0x10000 C:\Windows\system32\napinsp.dll
0x70b10000 0x12000 C:\Windows\system32\pnrpnsp.dll
0x746f0000 0x44000 C:\Windows\system32\DNSAPI.dll
0x714d0000 0x8000 C:\Windows\System32\winrnr.dll
0x70c40000 0xd000 C:\Windows\system32\wshbth.dll
0x72490000 0x1c000 C:\Windows\system32\IPHLPAPI.DLL
0x725b0000 0x7000 C:\Windows\system32\WINNSI.DLL
0x72510000 0x38000 C:\Windows\System32\fwpuclnt.dll
0x71670000 0x6000 C:\Windows\system32\rasadhlp.dll
Hmm, that doesn't look good. Our suspicious process has a child "notepad" in pstree ... Let's pull its dlllist too:
In [16]:
dlllist pid=1896
************************************************************************
notepad.exe pid: 1896
Command line : notepad
Service Pack 1
Base Size Path
---------- ---------- ----
0x00440000 0x30000 C:\Windows\system32\notepad.exe
0x76dc0000 0x13c000 C:\Windows\SYSTEM32\ntdll.dll
0x75c20000 0xd4000 C:\Windows\system32\kernel32.dll
0x74f60000 0x4b000 C:\Windows\system32\KERNELBASE.dll
0x75410000 0xa0000 C:\Windows\system32\ADVAPI32.dll
0x75580000 0xac000 C:\Windows\system32\msvcrt.dll
0x75290000 0x19000 C:\Windows\SYSTEM32\sechost.dll
0x75a90000 0xa2000 C:\Windows\system32\RPCRT4.dll
0x75e20000 0x4e000 C:\Windows\system32\GDI32.dll
0x75b50000 0xc9000 C:\Windows\system32\USER32.dll
0x758c0000 0xa000 C:\Windows\system32\LPK.dll
0x75d80000 0x9d000 C:\Windows\system32\USP10.dll
0x754c0000 0x7b000 C:\Windows\system32\COMDLG32.dll
0x76f90000 0x57000 C:\Windows\system32\SHLWAPI.dll
0x73d80000 0x19e000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
0x75fd0000 0xc4a000 C:\Windows\system32\SHELL32.dll
0x714f0000 0x51000 C:\Windows\system32\WINSPOOL.DRV
0x752b0000 0x15c000 C:\Windows\system32\ole32.dll
0x75830000 0x8f000 C:\Windows\system32\OLEAUT32.dll
0x742f0000 0x9000 C:\Windows\system32\VERSION.dll
0x75d60000 0x1f000 C:\Windows\system32\IMM32.DLL
0x75f00000 0xcc000 C:\Windows\system32\MSCTF.dll
0x74d50000 0xc000 C:\Windows\system32\CRYPTBASE.dll
0x73b00000 0x40000 C:\Windows\system32\uxtheme.dll
0x72fe0000 0x13000 C:\Windows\system32\dwmapi.dll
That's a lot of libraries for just notepad. There are many plugins for malware detection and analysis, malfind among them, that take the process investigation further. Of course, once you have identified the processes of interest you can extract them to disk for file analysis.
I've already dumped runddl32.exe_1524.dmp and notepad.exe_1896.dmp for this Rekall notebook demo, and the strings from both are quite interesting. Following TekDefense's lead and skipping a bit, we find the DarkComet configuration variables in the strings for "runddl":
strings -a runddl32.exe_1524.dmp | grep -A22 DARKCOMET | head -20 > runddl_DC_strings.txt
And here they are:
In [20]:
! cat ~/Desktop/mess/runddl_DC_strings.txt
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-KHNEW06}
SID={Guest16}
FWB={0}
NETDATA={test213.no-ip.info:1604}
GENCODE={F6FE8i2BxCpu}
INSTALL={1}
COMBOPATH={10}
EDTPATH={MSDCSC\runddl32.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={1}
MELT={0}
CHANGEDATE={1}
DIRATTRIB={6}
FILEATTRIB={6}
SH1={1}
CHIDEF={1}
CHIDED={1}
PERS={1}
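The block above is the payload of the whole exercise, so here is an added example (mine, not code from the original notebook, from TekDefense or from Rekall) that parses those KEY={value} lines, pulls out the indicators a responder acts on (C2 endpoint, mutex, Run-key value name, install path) and emits a YARA rule from them, in the spirit of the rules TekDefense built from this data. Splitting NETDATA on '|' for multi-host configs is an assumption about the format, not something the page shows.

```python
"""Parse a DarkComet config block recovered from memory (added example)."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the strings output shown above.
CONFIG_SAMPLE = """\
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-KHNEW06}
SID={Guest16}
FWB={0}
NETDATA={test213.no-ip.info:1604}
GENCODE={F6FE8i2BxCpu}
INSTALL={1}
COMBOPATH={10}
EDTPATH={MSDCSC\\runddl32.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={1}
MELT={0}
CHANGEDATE={1}
DIRATTRIB={6}
FILEATTRIB={6}
SH1={1}
CHIDEF={1}
CHIDED={1}
PERS={1}
"""

_LINE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """KEY={value} lines -> dict; marker lines and malformed lines are skipped."""
    config = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            config[m.group(1)] = m.group(2)
    return config


def split_endpoint(entry: str) -> Tuple[str, Optional[int]]:
    """'host:port' -> (host, port); port is None when absent or not numeric."""
    host, _, port = entry.rpartition(":")
    if not host:  # no colon at all: the whole entry is the host
        return entry, None
    return host, int(port) if port.isdigit() else None


def _netdata_entries(config: Dict[str, str]):
    # Assumption: multiple C2 entries are '|'-separated inside NETDATA.
    return [e for e in config.get("NETDATA", "").split("|") if e]


def extract_iocs(config: Dict[str, str]) -> Dict:
    """Pick out the fields that matter for detection and response."""
    return {
        "mutex": config.get("MUTEX"),
        "c2": [split_endpoint(e) for e in _netdata_entries(config)],
        "campaign_id": config.get("SID"),
        "install": config.get("INSTALL") == "1",
        "persist": config.get("PERSINST") == "1",
        "run_key_value": config.get("KEYNAME"),
        "install_path": config.get("EDTPATH"),
        "melt_dropper": config.get("MELT") == "1",
    }


def _quote(s: str) -> str:
    """Escape a value for use inside a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def yara_rule(config: Dict[str, str]) -> str:
    """Build a YARA rule keyed on the recovered mutex and C2 strings."""
    mutex = config.get("MUTEX", "unknown")
    ident = re.sub(r"[^A-Za-z0-9_]", "_", mutex)
    strings = ['$marker = "#BEGIN DARKCOMET DATA --"',
               f'$mutex = "{_quote(mutex)}"']
    c2_entries = _netdata_entries(config)
    for i, entry in enumerate(c2_entries):
        strings.append(f'$c2_{i} = "{_quote(entry)}"')
    # Without any C2 string, 'any of ($c2_*)' would be invalid YARA.
    condition = "$marker or ($mutex and any of ($c2_*))" if c2_entries else "$marker or $mutex"
    body = "\n".join(f"        {s}" for s in strings)
    return (f"rule darkcomet_{ident}\n{{\n"
            f"    meta:\n        description = \"DarkComet config recovered from memory\"\n"
            f"    strings:\n{body}\n"
            f"    condition:\n        {condition}\n}}\n")


if __name__ == "__main__":
    cfg = parse_config(CONFIG_SAMPLE)
    print(extract_iocs(cfg))
    print(yara_rule(cfg))
```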
As he notes, this view into the malware's configuration really cracked open the case. He dug in further, did some online research and other testing to discover what the variables affect, and the details are in the article.
Additionally, TekDefense found the persistence mechanism in the first place he looked: the HKCU Run key. I'll just include his screenshot for this one so you can see him using printkey to pull registry key values from memory.
In [25]:
from IPython.display import Image
Image(url='http://www.tekdefense.com/storage/post-images/mp13.png?__SQUARESPACE_CACHEVERSION=1387835722090')
Out[25]:
In his research he also tracked down the keylogger files and grabbed the most recent one from memory, which showed him the work he had been doing in his analysis!
Here's the detailed output from malfind for "notepad". From the manual:
The malfind command helps find hidden or injected code/DLLs in user mode memory, based on characteristics such as VAD tag and page permissions.
You can read the details in the command reference online and in the Malware Analyst's Cookbook (book on Amazon). Its output is quite verbose, but as you scroll you'll start to see libraries and API names that don't belong in a real notepad before getting down to DarkComet key indicators like the mutex string DC_MUTEX-KHNEW06. Using this data @TekData was able to put together some Yara rules for DarkComet detection, which he shares in his post.
In [18]:
malfind pid=1896
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x1b0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x1b0000 55 dc c6 75 84 cc c6 75 11 ea ba 75 66 c2 c6 75 U..u...u...uf..u
0x1b0010 d0 cd c6 75 82 20 c2 75 b0 c2 c6 75 e0 c3 c6 75 ...u...u...u...u
0x1b0020 08 f6 de 76 e7 54 c6 75 05 2c c6 75 58 e8 c6 75 ...v.T.u.,.uX..u
0x1b0030 3d 61 c7 75 c4 d7 c6 75 00 00 0a 00 00 00 0b 00 =a.u...u........
0x001b0000 55 PUSH EBP
0x001b0001 dcc6 FADD ST6, ST0
0x001b0003 7584 JNZ 0x1aff89
0x001b0005 cc INT 3
0x001b0006 c6 DB 0xc6
0x001b0007 7511 JNZ 0x1b001a
0x001b0009 eaba7566c2c675 JMP FAR 0x75c6:0xc26675ba
0x001b0010 d0cd ROR CH, 0x1
0x001b0012 c6 DB 0xc6
0x001b0013 7582 JNZ 0x1aff97
0x001b0015 20c2 AND DL, AL
0x001b0017 75b0 JNZ 0x1affc9
0x001b0019 c2c675 RET 0x75c6
0x001b001c e0c3 LOOPNZ 0x1affe1
0x001b001e c6 DB 0xc6
0x001b001f 7508 JNZ 0x1b0029
0x001b0021 f6de NEG DH
0x001b0023 76e7 JBE 0x1b000c
0x001b0025 54 PUSH ESP
0x001b0026 c6 DB 0xc6
0x001b0027 7505 JNZ 0x1b002e
0x001b0029 2cc6 SUB AL, 0xc6
0x001b002b 7558 JNZ 0x1b0085
0x001b002d e8c6753d61 CALL 0x615875f8
0x001b0032 c7 DB 0xc7
0x001b0033 75c4 JNZ 0x1afff9
0x001b0035 d7 XLAT BYTE [EBX+AL]
0x001b0036 c6 DB 0xc6
0x001b0037 7500 JNZ 0x1b0039
0x001b0039 000a ADD [EDX], CL
0x001b003b 0000 ADD [EAX], AL
0x001b003d 000b ADD [EBX], CL
0x001b003f 0000 ADD [EAX], AL
0x001b0041 000c00 ADD [EAX+EAX], CL
0x001b0044 0000 ADD [EAX], AL
0x001b0046 0d0000000f OR EAX, 0xf000000
0x001b004b 0000 ADD [EAX], AL
0x001b004d 0010 ADD [EAX], DL
0x001b004f 0000 ADD [EAX], AL
0x001b0051 0011 ADD [ECX], DL
0x001b0053 0000 ADD [EAX], AL
0x001b0055 000e ADD [ESI], CL
0x001b0057 0000 ADD [EAX], AL
0x001b0059 0019 ADD [ECX], BL
0x001b005b 0000 ADD [EAX], AL
0x001b005d 0018 ADD [EAX], BL
0x001b005f 0000 ADD [EAX], AL
0x001b0061 0012 ADD [EDX], DL
0x001b0063 0000 ADD [EAX], AL
0x001b0065 0013 ADD [EBX], DL
0x001b0067 0000 ADD [EAX], AL
0x001b0069 0017 ADD [EDI], DL
0x001b006b 0000 ADD [EAX], AL
0x001b006d 0016 ADD [ESI], DL
0x001b006f 0000 ADD [EAX], AL
0x001b0071 001400 ADD [EAX+EAX], DL
0x001b0074 0000 ADD [EAX], AL
0x001b0076 1a00 SBB AL, [EAX]
0x001b0078 0000 ADD [EAX], AL
0x001b007a 1500680700 ADC EAX, 0x76800
0x001b007f 0000 ADD [EAX], AL
0x001b0081 0000 ADD [EAX], AL
0x001b0083 0000 ADD [EAX], AL
0x001b0085 0000 ADD [EAX], AL
0x001b0087 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0xf0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0xf0000 47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 00 00 GetLastError....
0xf0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xf0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xf0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000f0000 47 INC EDI
0x000f0001 65744c JZ 0xf0050
0x000f0004 61 POPA
0x000f0005 7374 JAE 0xf007b
0x000f0007 45 INC EBP
0x000f0008 7272 JB 0xf007c
0x000f000a 6f OUTS DX, DWORD [ESI]
0x000f000b 7200 JB 0xf000d
0x000f000d 0000 ADD [EAX], AL
0x000f000f 0000 ADD [EAX], AL
0x000f0011 0000 ADD [EAX], AL
0x000f0013 0000 ADD [EAX], AL
0x000f0015 0000 ADD [EAX], AL
0x000f0017 0000 ADD [EAX], AL
0x000f0019 0000 ADD [EAX], AL
0x000f001b 0000 ADD [EAX], AL
0x000f001d 0000 ADD [EAX], AL
0x000f001f 0000 ADD [EAX], AL
0x000f0021 0000 ADD [EAX], AL
0x000f0023 0000 ADD [EAX], AL
0x000f0025 0000 ADD [EAX], AL
0x000f0027 0000 ADD [EAX], AL
0x000f0029 0000 ADD [EAX], AL
0x000f002b 0000 ADD [EAX], AL
0x000f002d 0000 ADD [EAX], AL
0x000f002f 0000 ADD [EAX], AL
0x000f0031 0000 ADD [EAX], AL
0x000f0033 0000 ADD [EAX], AL
0x000f0035 0000 ADD [EAX], AL
0x000f0037 0000 ADD [EAX], AL
0x000f0039 0000 ADD [EAX], AL
0x000f003b 0000 ADD [EAX], AL
0x000f003d 0000 ADD [EAX], AL
0x000f003f 0000 ADD [EAX], AL
0x000f0041 0000 ADD [EAX], AL
0x000f0043 0000 ADD [EAX], AL
0x000f0045 0000 ADD [EAX], AL
0x000f0047 0000 ADD [EAX], AL
0x000f0049 0000 ADD [EAX], AL
0x000f004b 0000 ADD [EAX], AL
0x000f004d 0000 ADD [EAX], AL
0x000f004f 0000 ADD [EAX], AL
0x000f0051 0000 ADD [EAX], AL
0x000f0053 0000 ADD [EAX], AL
0x000f0055 0000 ADD [EAX], AL
0x000f0057 0000 ADD [EAX], AL
0x000f0059 0000 ADD [EAX], AL
0x000f005b 0000 ADD [EAX], AL
0x000f005d 0000 ADD [EAX], AL
0x000f005f 0000 ADD [EAX], AL
0x000f0061 0000 ADD [EAX], AL
0x000f0063 0000 ADD [EAX], AL
0x000f0065 0000 ADD [EAX], AL
0x000f0067 0000 ADD [EAX], AL
0x000f0069 0000 ADD [EAX], AL
0x000f006b 0000 ADD [EAX], AL
0x000f006d 0000 ADD [EAX], AL
0x000f006f 0000 ADD [EAX], AL
0x000f0071 0000 ADD [EAX], AL
0x000f0073 0000 ADD [EAX], AL
0x000f0075 0000 ADD [EAX], AL
0x000f0077 0000 ADD [EAX], AL
0x000f0079 0000 ADD [EAX], AL
0x000f007b 0000 ADD [EAX], AL
0x000f007d 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0xb0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0xb0000 75 73 65 72 33 32 2e 64 6c 6c 00 00 00 00 00 00 user32.dll......
0xb0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xb0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000b0000 7573 JNZ 0xb0075
0x000b0002 657233 JB 0xb0038
0x000b0005 322e XOR CH, [ESI]
0x000b0007 646c INS BYTE [ES:EDI], DX
0x000b0009 6c INS BYTE [ES:EDI], DX
0x000b000a 0000 ADD [EAX], AL
0x000b000c 0000 ADD [EAX], AL
0x000b000e 0000 ADD [EAX], AL
0x000b0010 0000 ADD [EAX], AL
0x000b0012 0000 ADD [EAX], AL
0x000b0014 0000 ADD [EAX], AL
0x000b0016 0000 ADD [EAX], AL
0x000b0018 0000 ADD [EAX], AL
0x000b001a 0000 ADD [EAX], AL
0x000b001c 0000 ADD [EAX], AL
0x000b001e 0000 ADD [EAX], AL
0x000b0020 0000 ADD [EAX], AL
0x000b0022 0000 ADD [EAX], AL
0x000b0024 0000 ADD [EAX], AL
0x000b0026 0000 ADD [EAX], AL
0x000b0028 0000 ADD [EAX], AL
0x000b002a 0000 ADD [EAX], AL
0x000b002c 0000 ADD [EAX], AL
0x000b002e 0000 ADD [EAX], AL
0x000b0030 0000 ADD [EAX], AL
0x000b0032 0000 ADD [EAX], AL
0x000b0034 0000 ADD [EAX], AL
0x000b0036 0000 ADD [EAX], AL
0x000b0038 0000 ADD [EAX], AL
0x000b003a 0000 ADD [EAX], AL
0x000b003c 0000 ADD [EAX], AL
0x000b003e 0000 ADD [EAX], AL
0x000b0040 0000 ADD [EAX], AL
0x000b0042 0000 ADD [EAX], AL
0x000b0044 0000 ADD [EAX], AL
0x000b0046 0000 ADD [EAX], AL
0x000b0048 0000 ADD [EAX], AL
0x000b004a 0000 ADD [EAX], AL
0x000b004c 0000 ADD [EAX], AL
0x000b004e 0000 ADD [EAX], AL
0x000b0050 0000 ADD [EAX], AL
0x000b0052 0000 ADD [EAX], AL
0x000b0054 0000 ADD [EAX], AL
0x000b0056 0000 ADD [EAX], AL
0x000b0058 0000 ADD [EAX], AL
0x000b005a 0000 ADD [EAX], AL
0x000b005c 0000 ADD [EAX], AL
0x000b005e 0000 ADD [EAX], AL
0x000b0060 0000 ADD [EAX], AL
0x000b0062 0000 ADD [EAX], AL
0x000b0064 0000 ADD [EAX], AL
0x000b0066 0000 ADD [EAX], AL
0x000b0068 0000 ADD [EAX], AL
0x000b006a 0000 ADD [EAX], AL
0x000b006c 0000 ADD [EAX], AL
0x000b006e 0000 ADD [EAX], AL
0x000b0070 0000 ADD [EAX], AL
0x000b0072 0000 ADD [EAX], AL
0x000b0074 0000 ADD [EAX], AL
0x000b0076 0000 ADD [EAX], AL
0x000b0078 0000 ADD [EAX], AL
0x000b007a 0000 ADD [EAX], AL
0x000b007c 0000 ADD [EAX], AL
0x000b007e 0000 ADD [EAX], AL
0x000b0080 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0xa0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0xa0000 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 00 00 kernel32.dll....
0xa0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xa0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xa0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000a0000 6b65726e IMUL ESP, [EBP+0x72], 0x6e
0x000a0004 656c INS BYTE [ES:EDI], DX
0x000a0006 3332 XOR ESI, [EDX]
0x000a0008 2e646c INS BYTE [ES:EDI], DX
0x000a000b 6c INS BYTE [ES:EDI], DX
0x000a000c 0000 ADD [EAX], AL
0x000a000e 0000 ADD [EAX], AL
0x000a0010 0000 ADD [EAX], AL
0x000a0012 0000 ADD [EAX], AL
0x000a0014 0000 ADD [EAX], AL
0x000a0016 0000 ADD [EAX], AL
0x000a0018 0000 ADD [EAX], AL
0x000a001a 0000 ADD [EAX], AL
0x000a001c 0000 ADD [EAX], AL
0x000a001e 0000 ADD [EAX], AL
0x000a0020 0000 ADD [EAX], AL
0x000a0022 0000 ADD [EAX], AL
0x000a0024 0000 ADD [EAX], AL
0x000a0026 0000 ADD [EAX], AL
0x000a0028 0000 ADD [EAX], AL
0x000a002a 0000 ADD [EAX], AL
0x000a002c 0000 ADD [EAX], AL
0x000a002e 0000 ADD [EAX], AL
0x000a0030 0000 ADD [EAX], AL
0x000a0032 0000 ADD [EAX], AL
0x000a0034 0000 ADD [EAX], AL
0x000a0036 0000 ADD [EAX], AL
0x000a0038 0000 ADD [EAX], AL
0x000a003a 0000 ADD [EAX], AL
0x000a003c 0000 ADD [EAX], AL
0x000a003e 0000 ADD [EAX], AL
0x000a0040 0000 ADD [EAX], AL
0x000a0042 0000 ADD [EAX], AL
0x000a0044 0000 ADD [EAX], AL
0x000a0046 0000 ADD [EAX], AL
0x000a0048 0000 ADD [EAX], AL
0x000a004a 0000 ADD [EAX], AL
0x000a004c 0000 ADD [EAX], AL
0x000a004e 0000 ADD [EAX], AL
0x000a0050 0000 ADD [EAX], AL
0x000a0052 0000 ADD [EAX], AL
0x000a0054 0000 ADD [EAX], AL
0x000a0056 0000 ADD [EAX], AL
0x000a0058 0000 ADD [EAX], AL
0x000a005a 0000 ADD [EAX], AL
0x000a005c 0000 ADD [EAX], AL
0x000a005e 0000 ADD [EAX], AL
0x000a0060 0000 ADD [EAX], AL
0x000a0062 0000 ADD [EAX], AL
0x000a0064 0000 ADD [EAX], AL
0x000a0066 0000 ADD [EAX], AL
0x000a0068 0000 ADD [EAX], AL
0x000a006a 0000 ADD [EAX], AL
0x000a006c 0000 ADD [EAX], AL
0x000a006e 0000 ADD [EAX], AL
0x000a0070 0000 ADD [EAX], AL
0x000a0072 0000 ADD [EAX], AL
0x000a0074 0000 ADD [EAX], AL
0x000a0076 0000 ADD [EAX], AL
0x000a0078 0000 ADD [EAX], AL
0x000a007a 0000 ADD [EAX], AL
0x000a007c 0000 ADD [EAX], AL
0x000a007e 0000 ADD [EAX], AL
0x000a0080 0000 ADD [EAX], AL
0x000a0082 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0xd0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0xd0000 4d 65 73 73 61 67 65 42 6f 78 41 00 00 00 00 00 MessageBoxA.....
0xd0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xd0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xd0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000d0000 4d DEC EBP
0x000d0001 657373 JAE 0xd0077
0x000d0004 61 POPA
0x000d0005 676542 INC EDX
0x000d0008 6f OUTS DX, DWORD [ESI]
0x000d0009 7841 JS 0xd004c
0x000d000b 0000 ADD [EAX], AL
0x000d000d 0000 ADD [EAX], AL
0x000d000f 0000 ADD [EAX], AL
0x000d0011 0000 ADD [EAX], AL
0x000d0013 0000 ADD [EAX], AL
0x000d0015 0000 ADD [EAX], AL
0x000d0017 0000 ADD [EAX], AL
0x000d0019 0000 ADD [EAX], AL
0x000d001b 0000 ADD [EAX], AL
0x000d001d 0000 ADD [EAX], AL
0x000d001f 0000 ADD [EAX], AL
0x000d0021 0000 ADD [EAX], AL
0x000d0023 0000 ADD [EAX], AL
0x000d0025 0000 ADD [EAX], AL
0x000d0027 0000 ADD [EAX], AL
0x000d0029 0000 ADD [EAX], AL
0x000d002b 0000 ADD [EAX], AL
0x000d002d 0000 ADD [EAX], AL
0x000d002f 0000 ADD [EAX], AL
0x000d0031 0000 ADD [EAX], AL
0x000d0033 0000 ADD [EAX], AL
0x000d0035 0000 ADD [EAX], AL
0x000d0037 0000 ADD [EAX], AL
0x000d0039 0000 ADD [EAX], AL
0x000d003b 0000 ADD [EAX], AL
0x000d003d 0000 ADD [EAX], AL
0x000d003f 0000 ADD [EAX], AL
0x000d0041 0000 ADD [EAX], AL
0x000d0043 0000 ADD [EAX], AL
0x000d0045 0000 ADD [EAX], AL
0x000d0047 0000 ADD [EAX], AL
0x000d0049 0000 ADD [EAX], AL
0x000d004b 0000 ADD [EAX], AL
0x000d004d 0000 ADD [EAX], AL
0x000d004f 0000 ADD [EAX], AL
0x000d0051 0000 ADD [EAX], AL
0x000d0053 0000 ADD [EAX], AL
0x000d0055 0000 ADD [EAX], AL
0x000d0057 0000 ADD [EAX], AL
0x000d0059 0000 ADD [EAX], AL
0x000d005b 0000 ADD [EAX], AL
0x000d005d 0000 ADD [EAX], AL
0x000d005f 0000 ADD [EAX], AL
0x000d0061 0000 ADD [EAX], AL
0x000d0063 0000 ADD [EAX], AL
0x000d0065 0000 ADD [EAX], AL
0x000d0067 0000 ADD [EAX], AL
0x000d0069 0000 ADD [EAX], AL
0x000d006b 0000 ADD [EAX], AL
0x000d006d 0000 ADD [EAX], AL
0x000d006f 0000 ADD [EAX], AL
0x000d0071 0000 ADD [EAX], AL
0x000d0073 0000 ADD [EAX], AL
0x000d0075 0000 ADD [EAX], AL
0x000d0077 0000 ADD [EAX], AL
0x000d0079 0000 ADD [EAX], AL
0x000d007b 0000 ADD [EAX], AL
0x000d007d 0000 ADD [EAX], AL
0x000d007f 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0xc0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0xc0000 53 6c 65 65 70 00 00 00 00 00 00 00 00 00 00 00 Sleep...........
0xc0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xc0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xc0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000c0000 53 PUSH EBX
0x000c0001 6c INS BYTE [ES:EDI], DX
0x000c0002 65657000 JO 0xc0006
0x000c0006 0000 ADD [EAX], AL
0x000c0008 0000 ADD [EAX], AL
0x000c000a 0000 ADD [EAX], AL
0x000c000c 0000 ADD [EAX], AL
0x000c000e 0000 ADD [EAX], AL
0x000c0010 0000 ADD [EAX], AL
0x000c0012 0000 ADD [EAX], AL
0x000c0014 0000 ADD [EAX], AL
0x000c0016 0000 ADD [EAX], AL
0x000c0018 0000 ADD [EAX], AL
0x000c001a 0000 ADD [EAX], AL
0x000c001c 0000 ADD [EAX], AL
0x000c001e 0000 ADD [EAX], AL
0x000c0020 0000 ADD [EAX], AL
0x000c0022 0000 ADD [EAX], AL
0x000c0024 0000 ADD [EAX], AL
0x000c0026 0000 ADD [EAX], AL
0x000c0028 0000 ADD [EAX], AL
0x000c002a 0000 ADD [EAX], AL
0x000c002c 0000 ADD [EAX], AL
0x000c002e 0000 ADD [EAX], AL
0x000c0030 0000 ADD [EAX], AL
0x000c0032 0000 ADD [EAX], AL
0x000c0034 0000 ADD [EAX], AL
0x000c0036 0000 ADD [EAX], AL
0x000c0038 0000 ADD [EAX], AL
0x000c003a 0000 ADD [EAX], AL
0x000c003c 0000 ADD [EAX], AL
0x000c003e 0000 ADD [EAX], AL
0x000c0040 0000 ADD [EAX], AL
0x000c0042 0000 ADD [EAX], AL
0x000c0044 0000 ADD [EAX], AL
0x000c0046 0000 ADD [EAX], AL
0x000c0048 0000 ADD [EAX], AL
0x000c004a 0000 ADD [EAX], AL
0x000c004c 0000 ADD [EAX], AL
0x000c004e 0000 ADD [EAX], AL
0x000c0050 0000 ADD [EAX], AL
0x000c0052 0000 ADD [EAX], AL
0x000c0054 0000 ADD [EAX], AL
0x000c0056 0000 ADD [EAX], AL
0x000c0058 0000 ADD [EAX], AL
0x000c005a 0000 ADD [EAX], AL
0x000c005c 0000 ADD [EAX], AL
0x000c005e 0000 ADD [EAX], AL
0x000c0060 0000 ADD [EAX], AL
0x000c0062 0000 ADD [EAX], AL
0x000c0064 0000 ADD [EAX], AL
0x000c0066 0000 ADD [EAX], AL
0x000c0068 0000 ADD [EAX], AL
0x000c006a 0000 ADD [EAX], AL
0x000c006c 0000 ADD [EAX], AL
0x000c006e 0000 ADD [EAX], AL
0x000c0070 0000 ADD [EAX], AL
0x000c0072 0000 ADD [EAX], AL
0x000c0074 0000 ADD [EAX], AL
0x000c0076 0000 ADD [EAX], AL
0x000c0078 0000 ADD [EAX], AL
0x000c007a 0000 ADD [EAX], AL
0x000c007c 0000 ADD [EAX], AL
0x000c007e 0000 ADD [EAX], AL
0x000c0080 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0xe0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0xe0000 43 72 65 61 74 65 50 72 6f 63 65 73 73 41 00 00 CreateProcessA..
0xe0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xe0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xe0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000e0000 43 INC EBX
0x000e0001 7265 JB 0xe0068
0x000e0003 61 POPA
0x000e0004 7465 JZ 0xe006b
0x000e0006 50 PUSH EAX
0x000e0007 726f JB 0xe0078
0x000e0009 636573 ARPL [EBP+0x73], SP
0x000e000c 7341 JAE 0xe004f
0x000e000e 0000 ADD [EAX], AL
0x000e0010 0000 ADD [EAX], AL
0x000e0012 0000 ADD [EAX], AL
0x000e0014 0000 ADD [EAX], AL
0x000e0016 0000 ADD [EAX], AL
0x000e0018 0000 ADD [EAX], AL
0x000e001a 0000 ADD [EAX], AL
0x000e001c 0000 ADD [EAX], AL
0x000e001e 0000 ADD [EAX], AL
0x000e0020 0000 ADD [EAX], AL
0x000e0022 0000 ADD [EAX], AL
0x000e0024 0000 ADD [EAX], AL
0x000e0026 0000 ADD [EAX], AL
0x000e0028 0000 ADD [EAX], AL
0x000e002a 0000 ADD [EAX], AL
0x000e002c 0000 ADD [EAX], AL
0x000e002e 0000 ADD [EAX], AL
0x000e0030 0000 ADD [EAX], AL
0x000e0032 0000 ADD [EAX], AL
0x000e0034 0000 ADD [EAX], AL
0x000e0036 0000 ADD [EAX], AL
0x000e0038 0000 ADD [EAX], AL
0x000e003a 0000 ADD [EAX], AL
0x000e003c 0000 ADD [EAX], AL
0x000e003e 0000 ADD [EAX], AL
0x000e0040 0000 ADD [EAX], AL
0x000e0042 0000 ADD [EAX], AL
0x000e0044 0000 ADD [EAX], AL
0x000e0046 0000 ADD [EAX], AL
0x000e0048 0000 ADD [EAX], AL
0x000e004a 0000 ADD [EAX], AL
0x000e004c 0000 ADD [EAX], AL
0x000e004e 0000 ADD [EAX], AL
0x000e0050 0000 ADD [EAX], AL
0x000e0052 0000 ADD [EAX], AL
0x000e0054 0000 ADD [EAX], AL
0x000e0056 0000 ADD [EAX], AL
0x000e0058 0000 ADD [EAX], AL
0x000e005a 0000 ADD [EAX], AL
0x000e005c 0000 ADD [EAX], AL
0x000e005e 0000 ADD [EAX], AL
0x000e0060 0000 ADD [EAX], AL
0x000e0062 0000 ADD [EAX], AL
0x000e0064 0000 ADD [EAX], AL
0x000e0066 0000 ADD [EAX], AL
0x000e0068 0000 ADD [EAX], AL
0x000e006a 0000 ADD [EAX], AL
0x000e006c 0000 ADD [EAX], AL
0x000e006e 0000 ADD [EAX], AL
0x000e0070 0000 ADD [EAX], AL
0x000e0072 0000 ADD [EAX], AL
0x000e0074 0000 ADD [EAX], AL
0x000e0076 0000 ADD [EAX], AL
0x000e0078 0000 ADD [EAX], AL
0x000e007a 0000 ADD [EAX], AL
0x000e007c 0000 ADD [EAX], AL
0x000e007e 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x170000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x170000 47 65 74 45 78 69 74 43 6f 64 65 50 72 6f 63 65 GetExitCodeProce
0x170010 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ss..............
0x170020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x170030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00170000 47 INC EDI
0x00170001 657445 JZ 0x170049
0x00170004 7869 JS 0x17006f
0x00170006 7443 JZ 0x17004b
0x00170008 6f OUTS DX, DWORD [ESI]
0x00170009 646550 PUSH EAX
0x0017000c 726f JB 0x17007d
0x0017000e 636573 ARPL [EBP+0x73], SP
0x00170011 7300 JAE 0x170013
0x00170013 0000 ADD [EAX], AL
0x00170015 0000 ADD [EAX], AL
0x00170017 0000 ADD [EAX], AL
0x00170019 0000 ADD [EAX], AL
0x0017001b 0000 ADD [EAX], AL
0x0017001d 0000 ADD [EAX], AL
0x0017001f 0000 ADD [EAX], AL
0x00170021 0000 ADD [EAX], AL
0x00170023 0000 ADD [EAX], AL
0x00170025 0000 ADD [EAX], AL
0x00170027 0000 ADD [EAX], AL
0x00170029 0000 ADD [EAX], AL
0x0017002b 0000 ADD [EAX], AL
0x0017002d 0000 ADD [EAX], AL
0x0017002f 0000 ADD [EAX], AL
0x00170031 0000 ADD [EAX], AL
0x00170033 0000 ADD [EAX], AL
0x00170035 0000 ADD [EAX], AL
0x00170037 0000 ADD [EAX], AL
0x00170039 0000 ADD [EAX], AL
0x0017003b 0000 ADD [EAX], AL
0x0017003d 0000 ADD [EAX], AL
0x0017003f 0000 ADD [EAX], AL
0x00170041 0000 ADD [EAX], AL
0x00170043 0000 ADD [EAX], AL
0x00170045 0000 ADD [EAX], AL
0x00170047 0000 ADD [EAX], AL
0x00170049 0000 ADD [EAX], AL
0x0017004b 0000 ADD [EAX], AL
0x0017004d 0000 ADD [EAX], AL
0x0017004f 0000 ADD [EAX], AL
0x00170051 0000 ADD [EAX], AL
0x00170053 0000 ADD [EAX], AL
0x00170055 0000 ADD [EAX], AL
0x00170057 0000 ADD [EAX], AL
0x00170059 0000 ADD [EAX], AL
0x0017005b 0000 ADD [EAX], AL
0x0017005d 0000 ADD [EAX], AL
0x0017005f 0000 ADD [EAX], AL
0x00170061 0000 ADD [EAX], AL
0x00170063 0000 ADD [EAX], AL
0x00170065 0000 ADD [EAX], AL
0x00170067 0000 ADD [EAX], AL
0x00170069 0000 ADD [EAX], AL
0x0017006b 0000 ADD [EAX], AL
0x0017006d 0000 ADD [EAX], AL
0x0017006f 0000 ADD [EAX], AL
0x00170071 0000 ADD [EAX], AL
0x00170073 0000 ADD [EAX], AL
0x00170075 0000 ADD [EAX], AL
0x00170077 0000 ADD [EAX], AL
0x00170079 0000 ADD [EAX], AL
0x0017007b 0000 ADD [EAX], AL
0x0017007d 0000 ADD [EAX], AL
0x0017007f 0000 ADD [EAX], AL
0x00170081 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x130000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x130000 45 78 69 74 54 68 72 65 61 64 00 00 00 00 00 00 ExitThread......
0x130010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x130020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x130030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00130000 45 INC EBP
0x00130001 7869 JS 0x13006c
0x00130003 7454 JZ 0x130059
0x00130005 6872656164 PUSH DWORD 0x64616572
0x0013000a 0000 ADD [EAX], AL
0x0013000c 0000 ADD [EAX], AL
0x0013000e 0000 ADD [EAX], AL
0x00130010 0000 ADD [EAX], AL
0x00130012 0000 ADD [EAX], AL
0x00130014 0000 ADD [EAX], AL
0x00130016 0000 ADD [EAX], AL
0x00130018 0000 ADD [EAX], AL
0x0013001a 0000 ADD [EAX], AL
0x0013001c 0000 ADD [EAX], AL
0x0013001e 0000 ADD [EAX], AL
0x00130020 0000 ADD [EAX], AL
0x00130022 0000 ADD [EAX], AL
0x00130024 0000 ADD [EAX], AL
0x00130026 0000 ADD [EAX], AL
0x00130028 0000 ADD [EAX], AL
0x0013002a 0000 ADD [EAX], AL
0x0013002c 0000 ADD [EAX], AL
0x0013002e 0000 ADD [EAX], AL
0x00130030 0000 ADD [EAX], AL
0x00130032 0000 ADD [EAX], AL
0x00130034 0000 ADD [EAX], AL
0x00130036 0000 ADD [EAX], AL
0x00130038 0000 ADD [EAX], AL
0x0013003a 0000 ADD [EAX], AL
0x0013003c 0000 ADD [EAX], AL
0x0013003e 0000 ADD [EAX], AL
0x00130040 0000 ADD [EAX], AL
0x00130042 0000 ADD [EAX], AL
0x00130044 0000 ADD [EAX], AL
0x00130046 0000 ADD [EAX], AL
0x00130048 0000 ADD [EAX], AL
0x0013004a 0000 ADD [EAX], AL
0x0013004c 0000 ADD [EAX], AL
0x0013004e 0000 ADD [EAX], AL
0x00130050 0000 ADD [EAX], AL
0x00130052 0000 ADD [EAX], AL
0x00130054 0000 ADD [EAX], AL
0x00130056 0000 ADD [EAX], AL
0x00130058 0000 ADD [EAX], AL
0x0013005a 0000 ADD [EAX], AL
0x0013005c 0000 ADD [EAX], AL
0x0013005e 0000 ADD [EAX], AL
0x00130060 0000 ADD [EAX], AL
0x00130062 0000 ADD [EAX], AL
0x00130064 0000 ADD [EAX], AL
0x00130066 0000 ADD [EAX], AL
0x00130068 0000 ADD [EAX], AL
0x0013006a 0000 ADD [EAX], AL
0x0013006c 0000 ADD [EAX], AL
0x0013006e 0000 ADD [EAX], AL
0x00130070 0000 ADD [EAX], AL
0x00130072 0000 ADD [EAX], AL
0x00130074 0000 ADD [EAX], AL
0x00130076 0000 ADD [EAX], AL
0x00130078 0000 ADD [EAX], AL
0x0013007a 0000 ADD [EAX], AL
0x0013007c 0000 ADD [EAX], AL
0x0013007e 0000 ADD [EAX], AL
0x00130080 0000 ADD [EAX], AL
0x00130082 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x110000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x110000 43 72 65 61 74 65 4d 75 74 65 78 41 00 00 00 00 CreateMutexA....
0x110010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x110020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x110030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00110000 43 INC EBX
0x00110001 7265 JB 0x110068
0x00110003 61 POPA
0x00110004 7465 JZ 0x11006b
0x00110006 4d DEC EBP
0x00110007 7574 JNZ 0x11007d
0x00110009 657841 JS 0x11004d
0x0011000c 0000 ADD [EAX], AL
0x0011000e 0000 ADD [EAX], AL
0x00110010 0000 ADD [EAX], AL
0x00110012 0000 ADD [EAX], AL
0x00110014 0000 ADD [EAX], AL
0x00110016 0000 ADD [EAX], AL
0x00110018 0000 ADD [EAX], AL
0x0011001a 0000 ADD [EAX], AL
0x0011001c 0000 ADD [EAX], AL
0x0011001e 0000 ADD [EAX], AL
0x00110020 0000 ADD [EAX], AL
0x00110022 0000 ADD [EAX], AL
0x00110024 0000 ADD [EAX], AL
0x00110026 0000 ADD [EAX], AL
0x00110028 0000 ADD [EAX], AL
0x0011002a 0000 ADD [EAX], AL
0x0011002c 0000 ADD [EAX], AL
0x0011002e 0000 ADD [EAX], AL
0x00110030 0000 ADD [EAX], AL
0x00110032 0000 ADD [EAX], AL
0x00110034 0000 ADD [EAX], AL
0x00110036 0000 ADD [EAX], AL
0x00110038 0000 ADD [EAX], AL
0x0011003a 0000 ADD [EAX], AL
0x0011003c 0000 ADD [EAX], AL
0x0011003e 0000 ADD [EAX], AL
0x00110040 0000 ADD [EAX], AL
0x00110042 0000 ADD [EAX], AL
0x00110044 0000 ADD [EAX], AL
0x00110046 0000 ADD [EAX], AL
0x00110048 0000 ADD [EAX], AL
0x0011004a 0000 ADD [EAX], AL
0x0011004c 0000 ADD [EAX], AL
0x0011004e 0000 ADD [EAX], AL
0x00110050 0000 ADD [EAX], AL
0x00110052 0000 ADD [EAX], AL
0x00110054 0000 ADD [EAX], AL
0x00110056 0000 ADD [EAX], AL
0x00110058 0000 ADD [EAX], AL
0x0011005a 0000 ADD [EAX], AL
0x0011005c 0000 ADD [EAX], AL
0x0011005e 0000 ADD [EAX], AL
0x00110060 0000 ADD [EAX], AL
0x00110062 0000 ADD [EAX], AL
0x00110064 0000 ADD [EAX], AL
0x00110066 0000 ADD [EAX], AL
0x00110068 0000 ADD [EAX], AL
0x0011006a 0000 ADD [EAX], AL
0x0011006c 0000 ADD [EAX], AL
0x0011006e 0000 ADD [EAX], AL
0x00110070 0000 ADD [EAX], AL
0x00110072 0000 ADD [EAX], AL
0x00110074 0000 ADD [EAX], AL
0x00110076 0000 ADD [EAX], AL
0x00110078 0000 ADD [EAX], AL
0x0011007a 0000 ADD [EAX], AL
0x0011007c 0000 ADD [EAX], AL
0x0011007e 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x100000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x100000 53 65 74 4c 61 73 74 45 72 72 6f 72 00 00 00 00 SetLastError....
0x100010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x100020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x100030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00100000 53 PUSH EBX
0x00100001 65744c JZ 0x100050
0x00100004 61 POPA
0x00100005 7374 JAE 0x10007b
0x00100007 45 INC EBP
0x00100008 7272 JB 0x10007c
0x0010000a 6f OUTS DX, DWORD [ESI]
0x0010000b 7200 JB 0x10000d
0x0010000d 0000 ADD [EAX], AL
0x0010000f 0000 ADD [EAX], AL
0x00100011 0000 ADD [EAX], AL
0x00100013 0000 ADD [EAX], AL
0x00100015 0000 ADD [EAX], AL
0x00100017 0000 ADD [EAX], AL
0x00100019 0000 ADD [EAX], AL
0x0010001b 0000 ADD [EAX], AL
0x0010001d 0000 ADD [EAX], AL
0x0010001f 0000 ADD [EAX], AL
0x00100021 0000 ADD [EAX], AL
0x00100023 0000 ADD [EAX], AL
0x00100025 0000 ADD [EAX], AL
0x00100027 0000 ADD [EAX], AL
0x00100029 0000 ADD [EAX], AL
0x0010002b 0000 ADD [EAX], AL
0x0010002d 0000 ADD [EAX], AL
0x0010002f 0000 ADD [EAX], AL
0x00100031 0000 ADD [EAX], AL
0x00100033 0000 ADD [EAX], AL
0x00100035 0000 ADD [EAX], AL
0x00100037 0000 ADD [EAX], AL
0x00100039 0000 ADD [EAX], AL
0x0010003b 0000 ADD [EAX], AL
0x0010003d 0000 ADD [EAX], AL
0x0010003f 0000 ADD [EAX], AL
0x00100041 0000 ADD [EAX], AL
0x00100043 0000 ADD [EAX], AL
0x00100045 0000 ADD [EAX], AL
0x00100047 0000 ADD [EAX], AL
0x00100049 0000 ADD [EAX], AL
0x0010004b 0000 ADD [EAX], AL
0x0010004d 0000 ADD [EAX], AL
0x0010004f 0000 ADD [EAX], AL
0x00100051 0000 ADD [EAX], AL
0x00100053 0000 ADD [EAX], AL
0x00100055 0000 ADD [EAX], AL
0x00100057 0000 ADD [EAX], AL
0x00100059 0000 ADD [EAX], AL
0x0010005b 0000 ADD [EAX], AL
0x0010005d 0000 ADD [EAX], AL
0x0010005f 0000 ADD [EAX], AL
0x00100061 0000 ADD [EAX], AL
0x00100063 0000 ADD [EAX], AL
0x00100065 0000 ADD [EAX], AL
0x00100067 0000 ADD [EAX], AL
0x00100069 0000 ADD [EAX], AL
0x0010006b 0000 ADD [EAX], AL
0x0010006d 0000 ADD [EAX], AL
0x0010006f 0000 ADD [EAX], AL
0x00100071 0000 ADD [EAX], AL
0x00100073 0000 ADD [EAX], AL
0x00100075 0000 ADD [EAX], AL
0x00100077 0000 ADD [EAX], AL
0x00100079 0000 ADD [EAX], AL
0x0010007b 0000 ADD [EAX], AL
0x0010007d 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x120000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x120000 43 6c 6f 73 65 48 61 6e 64 6c 65 00 00 00 00 00 CloseHandle.....
0x120010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x120020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x120030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00120000 43 INC EBX
0x00120001 6c INS BYTE [ES:EDI], DX
0x00120002 6f OUTS DX, DWORD [ESI]
0x00120003 7365 JAE 0x12006a
0x00120005 48 DEC EAX
0x00120006 61 POPA
0x00120007 6e OUTS DX, BYTE [ESI]
0x00120008 646c INS BYTE [ES:EDI], DX
0x0012000a 650000 ADD [GS:EAX], AL
0x0012000d 0000 ADD [EAX], AL
0x0012000f 0000 ADD [EAX], AL
0x00120011 0000 ADD [EAX], AL
0x00120013 0000 ADD [EAX], AL
0x00120015 0000 ADD [EAX], AL
0x00120017 0000 ADD [EAX], AL
0x00120019 0000 ADD [EAX], AL
0x0012001b 0000 ADD [EAX], AL
0x0012001d 0000 ADD [EAX], AL
0x0012001f 0000 ADD [EAX], AL
0x00120021 0000 ADD [EAX], AL
0x00120023 0000 ADD [EAX], AL
0x00120025 0000 ADD [EAX], AL
0x00120027 0000 ADD [EAX], AL
0x00120029 0000 ADD [EAX], AL
0x0012002b 0000 ADD [EAX], AL
0x0012002d 0000 ADD [EAX], AL
0x0012002f 0000 ADD [EAX], AL
0x00120031 0000 ADD [EAX], AL
0x00120033 0000 ADD [EAX], AL
0x00120035 0000 ADD [EAX], AL
0x00120037 0000 ADD [EAX], AL
0x00120039 0000 ADD [EAX], AL
0x0012003b 0000 ADD [EAX], AL
0x0012003d 0000 ADD [EAX], AL
0x0012003f 0000 ADD [EAX], AL
0x00120041 0000 ADD [EAX], AL
0x00120043 0000 ADD [EAX], AL
0x00120045 0000 ADD [EAX], AL
0x00120047 0000 ADD [EAX], AL
0x00120049 0000 ADD [EAX], AL
0x0012004b 0000 ADD [EAX], AL
0x0012004d 0000 ADD [EAX], AL
0x0012004f 0000 ADD [EAX], AL
0x00120051 0000 ADD [EAX], AL
0x00120053 0000 ADD [EAX], AL
0x00120055 0000 ADD [EAX], AL
0x00120057 0000 ADD [EAX], AL
0x00120059 0000 ADD [EAX], AL
0x0012005b 0000 ADD [EAX], AL
0x0012005d 0000 ADD [EAX], AL
0x0012005f 0000 ADD [EAX], AL
0x00120061 0000 ADD [EAX], AL
0x00120063 0000 ADD [EAX], AL
0x00120065 0000 ADD [EAX], AL
0x00120067 0000 ADD [EAX], AL
0x00120069 0000 ADD [EAX], AL
0x0012006b 0000 ADD [EAX], AL
0x0012006d 0000 ADD [EAX], AL
0x0012006f 0000 ADD [EAX], AL
0x00120071 0000 ADD [EAX], AL
0x00120073 0000 ADD [EAX], AL
0x00120075 0000 ADD [EAX], AL
0x00120077 0000 ADD [EAX], AL
0x00120079 0000 ADD [EAX], AL
0x0012007b 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x150000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x150000 44 43 50 45 52 53 46 57 42 50 00 00 00 00 00 00 DCPERSFWBP......
0x150010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x150020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x150030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00150000 44 INC ESP
0x00150001 43 INC EBX
0x00150002 50 PUSH EAX
0x00150003 45 INC EBP
0x00150004 52 PUSH EDX
0x00150005 53 PUSH EBX
0x00150006 46 INC ESI
0x00150007 57 PUSH EDI
0x00150008 42 INC EDX
0x00150009 50 PUSH EAX
0x0015000a 0000 ADD [EAX], AL
0x0015000c 0000 ADD [EAX], AL
0x0015000e 0000 ADD [EAX], AL
0x00150010 0000 ADD [EAX], AL
0x00150012 0000 ADD [EAX], AL
0x00150014 0000 ADD [EAX], AL
0x00150016 0000 ADD [EAX], AL
0x00150018 0000 ADD [EAX], AL
0x0015001a 0000 ADD [EAX], AL
0x0015001c 0000 ADD [EAX], AL
0x0015001e 0000 ADD [EAX], AL
0x00150020 0000 ADD [EAX], AL
0x00150022 0000 ADD [EAX], AL
0x00150024 0000 ADD [EAX], AL
0x00150026 0000 ADD [EAX], AL
0x00150028 0000 ADD [EAX], AL
0x0015002a 0000 ADD [EAX], AL
0x0015002c 0000 ADD [EAX], AL
0x0015002e 0000 ADD [EAX], AL
0x00150030 0000 ADD [EAX], AL
0x00150032 0000 ADD [EAX], AL
0x00150034 0000 ADD [EAX], AL
0x00150036 0000 ADD [EAX], AL
0x00150038 0000 ADD [EAX], AL
0x0015003a 0000 ADD [EAX], AL
0x0015003c 0000 ADD [EAX], AL
0x0015003e 0000 ADD [EAX], AL
0x00150040 0000 ADD [EAX], AL
0x00150042 0000 ADD [EAX], AL
0x00150044 0000 ADD [EAX], AL
0x00150046 0000 ADD [EAX], AL
0x00150048 0000 ADD [EAX], AL
0x0015004a 0000 ADD [EAX], AL
0x0015004c 0000 ADD [EAX], AL
0x0015004e 0000 ADD [EAX], AL
0x00150050 0000 ADD [EAX], AL
0x00150052 0000 ADD [EAX], AL
0x00150054 0000 ADD [EAX], AL
0x00150056 0000 ADD [EAX], AL
0x00150058 0000 ADD [EAX], AL
0x0015005a 0000 ADD [EAX], AL
0x0015005c 0000 ADD [EAX], AL
0x0015005e 0000 ADD [EAX], AL
0x00150060 0000 ADD [EAX], AL
0x00150062 0000 ADD [EAX], AL
0x00150064 0000 ADD [EAX], AL
0x00150066 0000 ADD [EAX], AL
0x00150068 0000 ADD [EAX], AL
0x0015006a 0000 ADD [EAX], AL
0x0015006c 0000 ADD [EAX], AL
0x0015006e 0000 ADD [EAX], AL
0x00150070 0000 ADD [EAX], AL
0x00150072 0000 ADD [EAX], AL
0x00150074 0000 ADD [EAX], AL
0x00150076 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x140000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x140000 4f 70 65 6e 50 72 6f 63 65 73 73 00 00 00 00 00 OpenProcess.....
0x140010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x140020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x140030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00140000 4f DEC EDI
0x00140001 7065 JO 0x140068
0x00140003 6e OUTS DX, BYTE [ESI]
0x00140004 50 PUSH EAX
0x00140005 726f JB 0x140076
0x00140007 636573 ARPL [EBP+0x73], SP
0x0014000a 7300 JAE 0x14000c
0x0014000c 0000 ADD [EAX], AL
0x0014000e 0000 ADD [EAX], AL
0x00140010 0000 ADD [EAX], AL
0x00140012 0000 ADD [EAX], AL
0x00140014 0000 ADD [EAX], AL
0x00140016 0000 ADD [EAX], AL
0x00140018 0000 ADD [EAX], AL
0x0014001a 0000 ADD [EAX], AL
0x0014001c 0000 ADD [EAX], AL
0x0014001e 0000 ADD [EAX], AL
0x00140020 0000 ADD [EAX], AL
0x00140022 0000 ADD [EAX], AL
0x00140024 0000 ADD [EAX], AL
0x00140026 0000 ADD [EAX], AL
0x00140028 0000 ADD [EAX], AL
0x0014002a 0000 ADD [EAX], AL
0x0014002c 0000 ADD [EAX], AL
0x0014002e 0000 ADD [EAX], AL
0x00140030 0000 ADD [EAX], AL
0x00140032 0000 ADD [EAX], AL
0x00140034 0000 ADD [EAX], AL
0x00140036 0000 ADD [EAX], AL
0x00140038 0000 ADD [EAX], AL
0x0014003a 0000 ADD [EAX], AL
0x0014003c 0000 ADD [EAX], AL
0x0014003e 0000 ADD [EAX], AL
0x00140040 0000 ADD [EAX], AL
0x00140042 0000 ADD [EAX], AL
0x00140044 0000 ADD [EAX], AL
0x00140046 0000 ADD [EAX], AL
0x00140048 0000 ADD [EAX], AL
0x0014004a 0000 ADD [EAX], AL
0x0014004c 0000 ADD [EAX], AL
0x0014004e 0000 ADD [EAX], AL
0x00140050 0000 ADD [EAX], AL
0x00140052 0000 ADD [EAX], AL
0x00140054 0000 ADD [EAX], AL
0x00140056 0000 ADD [EAX], AL
0x00140058 0000 ADD [EAX], AL
0x0014005a 0000 ADD [EAX], AL
0x0014005c 0000 ADD [EAX], AL
0x0014005e 0000 ADD [EAX], AL
0x00140060 0000 ADD [EAX], AL
0x00140062 0000 ADD [EAX], AL
0x00140064 0000 ADD [EAX], AL
0x00140066 0000 ADD [EAX], AL
0x00140068 0000 ADD [EAX], AL
0x0014006a 0000 ADD [EAX], AL
0x0014006c 0000 ADD [EAX], AL
0x0014006e 0000 ADD [EAX], AL
0x00140070 0000 ADD [EAX], AL
0x00140072 0000 ADD [EAX], AL
0x00140074 0000 ADD [EAX], AL
0x00140076 0000 ADD [EAX], AL
0x00140078 0000 ADD [EAX], AL
0x0014007a 0000 ADD [EAX], AL
0x0014007c 0000 ADD [EAX], AL
0x0014007e 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x160000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x160000 54 65 72 6d 69 6e 61 74 65 50 72 6f 63 65 73 73 TerminateProcess
0x160010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x160020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x160030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00160000 54 PUSH ESP
0x00160001 65726d JB 0x160071
0x00160004 696e6174655072 IMUL EBP, [ESI+0x61], 0x72506574
0x0016000b 6f OUTS DX, DWORD [ESI]
0x0016000c 636573 ARPL [EBP+0x73], SP
0x0016000f 7300 JAE 0x160011
0x00160011 0000 ADD [EAX], AL
0x00160013 0000 ADD [EAX], AL
0x00160015 0000 ADD [EAX], AL
0x00160017 0000 ADD [EAX], AL
0x00160019 0000 ADD [EAX], AL
0x0016001b 0000 ADD [EAX], AL
0x0016001d 0000 ADD [EAX], AL
0x0016001f 0000 ADD [EAX], AL
0x00160021 0000 ADD [EAX], AL
0x00160023 0000 ADD [EAX], AL
0x00160025 0000 ADD [EAX], AL
0x00160027 0000 ADD [EAX], AL
0x00160029 0000 ADD [EAX], AL
0x0016002b 0000 ADD [EAX], AL
0x0016002d 0000 ADD [EAX], AL
0x0016002f 0000 ADD [EAX], AL
0x00160031 0000 ADD [EAX], AL
0x00160033 0000 ADD [EAX], AL
0x00160035 0000 ADD [EAX], AL
0x00160037 0000 ADD [EAX], AL
0x00160039 0000 ADD [EAX], AL
0x0016003b 0000 ADD [EAX], AL
0x0016003d 0000 ADD [EAX], AL
0x0016003f 0000 ADD [EAX], AL
0x00160041 0000 ADD [EAX], AL
0x00160043 0000 ADD [EAX], AL
0x00160045 0000 ADD [EAX], AL
0x00160047 0000 ADD [EAX], AL
0x00160049 0000 ADD [EAX], AL
0x0016004b 0000 ADD [EAX], AL
0x0016004d 0000 ADD [EAX], AL
0x0016004f 0000 ADD [EAX], AL
0x00160051 0000 ADD [EAX], AL
0x00160053 0000 ADD [EAX], AL
0x00160055 0000 ADD [EAX], AL
0x00160057 0000 ADD [EAX], AL
0x00160059 0000 ADD [EAX], AL
0x0016005b 0000 ADD [EAX], AL
0x0016005d 0000 ADD [EAX], AL
0x0016005f 0000 ADD [EAX], AL
0x00160061 0000 ADD [EAX], AL
0x00160063 0000 ADD [EAX], AL
0x00160065 0000 ADD [EAX], AL
0x00160067 0000 ADD [EAX], AL
0x00160069 0000 ADD [EAX], AL
0x0016006b 0000 ADD [EAX], AL
0x0016006d 0000 ADD [EAX], AL
0x0016006f 0000 ADD [EAX], AL
0x00160071 0000 ADD [EAX], AL
0x00160073 0000 ADD [EAX], AL
0x00160075 0000 ADD [EAX], AL
0x00160077 0000 ADD [EAX], AL
0x00160079 0000 ADD [EAX], AL
0x0016007b 0000 ADD [EAX], AL
0x0016007d 0000 ADD [EAX], AL
0x0016007f 0000 ADD [EAX], AL
0x00160081 0000 ADD [EAX], AL
0x00160083 0000 ADD [EAX], AL
0x00160085 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x190000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x190000 57 61 69 74 46 6f 72 53 69 6e 67 6c 65 4f 62 6a WaitForSingleObj
0x190010 65 63 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ect.............
0x190020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x190030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00190000 57 PUSH EDI
0x00190001 61 POPA
0x00190002 6974466f7253696e IMUL ESI, [ESI+EAX*2+0x6f], 0x6e695372
0x0019000a 676c INS BYTE [ES:DI], DX
0x0019000c 654f DEC EDI
0x0019000e 626a65 BOUND EBP, [EDX+0x65]
0x00190011 63740000 ARPL [EAX+EAX+0x0], SI
0x00190015 0000 ADD [EAX], AL
0x00190017 0000 ADD [EAX], AL
0x00190019 0000 ADD [EAX], AL
0x0019001b 0000 ADD [EAX], AL
0x0019001d 0000 ADD [EAX], AL
0x0019001f 0000 ADD [EAX], AL
0x00190021 0000 ADD [EAX], AL
0x00190023 0000 ADD [EAX], AL
0x00190025 0000 ADD [EAX], AL
0x00190027 0000 ADD [EAX], AL
0x00190029 0000 ADD [EAX], AL
0x0019002b 0000 ADD [EAX], AL
0x0019002d 0000 ADD [EAX], AL
0x0019002f 0000 ADD [EAX], AL
0x00190031 0000 ADD [EAX], AL
0x00190033 0000 ADD [EAX], AL
0x00190035 0000 ADD [EAX], AL
0x00190037 0000 ADD [EAX], AL
0x00190039 0000 ADD [EAX], AL
0x0019003b 0000 ADD [EAX], AL
0x0019003d 0000 ADD [EAX], AL
0x0019003f 0000 ADD [EAX], AL
0x00190041 0000 ADD [EAX], AL
0x00190043 0000 ADD [EAX], AL
0x00190045 0000 ADD [EAX], AL
0x00190047 0000 ADD [EAX], AL
0x00190049 0000 ADD [EAX], AL
0x0019004b 0000 ADD [EAX], AL
0x0019004d 0000 ADD [EAX], AL
0x0019004f 0000 ADD [EAX], AL
0x00190051 0000 ADD [EAX], AL
0x00190053 0000 ADD [EAX], AL
0x00190055 0000 ADD [EAX], AL
0x00190057 0000 ADD [EAX], AL
0x00190059 0000 ADD [EAX], AL
0x0019005b 0000 ADD [EAX], AL
0x0019005d 0000 ADD [EAX], AL
0x0019005f 0000 ADD [EAX], AL
0x00190061 0000 ADD [EAX], AL
0x00190063 0000 ADD [EAX], AL
0x00190065 0000 ADD [EAX], AL
0x00190067 0000 ADD [EAX], AL
0x00190069 0000 ADD [EAX], AL
0x0019006b 0000 ADD [EAX], AL
0x0019006d 0000 ADD [EAX], AL
0x0019006f 0000 ADD [EAX], AL
0x00190071 0000 ADD [EAX], AL
0x00190073 0000 ADD [EAX], AL
0x00190075 0000 ADD [EAX], AL
0x00190077 0000 ADD [EAX], AL
0x00190079 0000 ADD [EAX], AL
0x0019007b 0000 ADD [EAX], AL
0x0019007d 0000 ADD [EAX], AL
0x0019007f 0000 ADD [EAX], AL
0x00190081 0000 ADD [EAX], AL
0x00190083 0000 ADD [EAX], AL
0x00190085 0000 ADD [EAX], AL
0x00190087 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x180000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x180000 44 43 5f 4d 55 54 45 58 2d 4b 48 4e 45 57 30 36 DC_MUTEX-KHNEW06
0x180010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x180020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x180030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00180000 44 INC ESP
0x00180001 43 INC EBX
0x00180002 5f POP EDI
0x00180003 4d DEC EBP
0x00180004 55 PUSH EBP
0x00180005 54 PUSH ESP
0x00180006 45 INC EBP
0x00180007 58 POP EAX
0x00180008 2d4b484e45 SUB EAX, 0x454e484b
0x0018000d 57 PUSH EDI
0x0018000e 3036 XOR [ESI], DH
0x00180010 0000 ADD [EAX], AL
0x00180012 0000 ADD [EAX], AL
0x00180014 0000 ADD [EAX], AL
0x00180016 0000 ADD [EAX], AL
0x00180018 0000 ADD [EAX], AL
0x0018001a 0000 ADD [EAX], AL
0x0018001c 0000 ADD [EAX], AL
0x0018001e 0000 ADD [EAX], AL
0x00180020 0000 ADD [EAX], AL
0x00180022 0000 ADD [EAX], AL
0x00180024 0000 ADD [EAX], AL
0x00180026 0000 ADD [EAX], AL
0x00180028 0000 ADD [EAX], AL
0x0018002a 0000 ADD [EAX], AL
0x0018002c 0000 ADD [EAX], AL
0x0018002e 0000 ADD [EAX], AL
0x00180030 0000 ADD [EAX], AL
0x00180032 0000 ADD [EAX], AL
0x00180034 0000 ADD [EAX], AL
0x00180036 0000 ADD [EAX], AL
0x00180038 0000 ADD [EAX], AL
0x0018003a 0000 ADD [EAX], AL
0x0018003c 0000 ADD [EAX], AL
0x0018003e 0000 ADD [EAX], AL
0x00180040 0000 ADD [EAX], AL
0x00180042 0000 ADD [EAX], AL
0x00180044 0000 ADD [EAX], AL
0x00180046 0000 ADD [EAX], AL
0x00180048 0000 ADD [EAX], AL
0x0018004a 0000 ADD [EAX], AL
0x0018004c 0000 ADD [EAX], AL
0x0018004e 0000 ADD [EAX], AL
0x00180050 0000 ADD [EAX], AL
0x00180052 0000 ADD [EAX], AL
0x00180054 0000 ADD [EAX], AL
0x00180056 0000 ADD [EAX], AL
0x00180058 0000 ADD [EAX], AL
0x0018005a 0000 ADD [EAX], AL
0x0018005c 0000 ADD [EAX], AL
0x0018005e 0000 ADD [EAX], AL
0x00180060 0000 ADD [EAX], AL
0x00180062 0000 ADD [EAX], AL
0x00180064 0000 ADD [EAX], AL
0x00180066 0000 ADD [EAX], AL
0x00180068 0000 ADD [EAX], AL
0x0018006a 0000 ADD [EAX], AL
0x0018006c 0000 ADD [EAX], AL
0x0018006e 0000 ADD [EAX], AL
0x00180070 0000 ADD [EAX], AL
0x00180072 0000 ADD [EAX], AL
0x00180074 0000 ADD [EAX], AL
0x00180076 0000 ADD [EAX], AL
0x00180078 0000 ADD [EAX], AL
0x0018007a 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x1a0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x1a0000 43 3a 5c 55 73 65 72 73 5c 54 45 4b 44 45 46 7e C:\Users\TEKDEF~
0x1a0010 31 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 1\AppData\Local\
0x1a0020 54 65 6d 70 5c 4d 53 44 43 53 43 5c 72 75 6e 64 Temp\MSDCSC\rund
0x1a0030 64 6c 33 32 2e 65 78 65 00 00 00 00 00 00 00 00 dl32.exe........
0x001a0000 43 INC EBX
0x001a0001 3a5c5573 CMP BL, [EBP+EDX*2+0x73]
0x001a0005 657273 JB 0x1a007b
0x001a0008 5c POP ESP
0x001a0009 54 PUSH ESP
0x001a000a 45 INC EBP
0x001a000b 4b DEC EBX
0x001a000c 44 INC ESP
0x001a000d 45 INC EBP
0x001a000e 46 INC ESI
0x001a000f 7e31 JLE 0x1a0042
0x001a0011 5c POP ESP
0x001a0012 41 INC ECX
0x001a0013 7070 JO 0x1a0085
0x001a0015 44 INC ESP
0x001a0016 61 POPA
0x001a0017 7461 JZ 0x1a007a
0x001a0019 5c POP ESP
0x001a001a 4c DEC ESP
0x001a001b 6f OUTS DX, DWORD [ESI]
0x001a001c 63616c ARPL [ECX+0x6c], SP
0x001a001f 5c POP ESP
0x001a0020 54 PUSH ESP
0x001a0021 656d INS DWORD [ES:EDI], DX
0x001a0023 705c JO 0x1a0081
0x001a0025 4d DEC EBP
0x001a0026 53 PUSH EBX
0x001a0027 44 INC ESP
0x001a0028 43 INC EBX
0x001a0029 53 PUSH EBX
0x001a002a 43 INC EBX
0x001a002b 5c POP ESP
0x001a002c 7275 JB 0x1a00a3
0x001a002e 6e OUTS DX, BYTE [ESI]
0x001a002f 64646c INS BYTE [ES:EDI], DX
0x001a0032 3332 XOR ESI, [EDX]
0x001a0034 2e657865 JS 0x1a009d ;NOT TAKEN
0x001a0038 0000 ADD [EAX], AL
0x001a003a 0000 ADD [EAX], AL
0x001a003c 0000 ADD [EAX], AL
0x001a003e 0000 ADD [EAX], AL
0x001a0040 0000 ADD [EAX], AL
0x001a0042 0000 ADD [EAX], AL
0x001a0044 0000 ADD [EAX], AL
0x001a0046 0000 ADD [EAX], AL
0x001a0048 0000 ADD [EAX], AL
0x001a004a 0000 ADD [EAX], AL
0x001a004c 0000 ADD [EAX], AL
0x001a004e 0000 ADD [EAX], AL
0x001a0050 0000 ADD [EAX], AL
0x001a0052 0000 ADD [EAX], AL
0x001a0054 0000 ADD [EAX], AL
0x001a0056 0000 ADD [EAX], AL
0x001a0058 0000 ADD [EAX], AL
0x001a005a 0000 ADD [EAX], AL
0x001a005c 0000 ADD [EAX], AL
0x001a005e 0000 ADD [EAX], AL
0x001a0060 0000 ADD [EAX], AL
0x001a0062 0000 ADD [EAX], AL
0x001a0064 0000 ADD [EAX], AL
0x001a0066 0000 ADD [EAX], AL
0x001a0068 0000 ADD [EAX], AL
0x001a006a 0000 ADD [EAX], AL
0x001a006c 0000 ADD [EAX], AL
0x001a006e 0000 ADD [EAX], AL
**************************************************
Process: notepad.exe Pid: 1896 Address: 0x1c0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x1c0000 55 8b ec 83 c4 ac 53 56 57 8b 5d 08 8b 43 40 50 U.....SVW.]..C@P
0x1c0010 8b 43 38 50 ff 13 50 ff 53 04 89 43 0c 8b 43 44 .C8P..P.S..C..CD
0x1c0020 50 8b 43 3c 50 ff 13 50 ff 53 04 89 43 08 8b 43 P.C<P..P.S..C..C
0x1c0030 54 50 8b 43 38 50 ff 13 50 ff 53 04 89 43 14 8b TP.C8P..P.S..C..
0x001c0000 55 PUSH EBP
0x001c0001 8bec MOV EBP, ESP
0x001c0003 83c4ac ADD ESP, -0x54
0x001c0006 53 PUSH EBX
0x001c0007 56 PUSH ESI
0x001c0008 57 PUSH EDI
0x001c0009 8b5d08 MOV EBX, [EBP+0x8]
0x001c000c 8b4340 MOV EAX, [EBX+0x40]
0x001c000f 50 PUSH EAX
0x001c0010 8b4338 MOV EAX, [EBX+0x38]
0x001c0013 50 PUSH EAX
0x001c0014 ff13 CALL DWORD [EBX]
0x001c0016 50 PUSH EAX
0x001c0017 ff5304 CALL DWORD [EBX+0x4]
0x001c001a 89430c MOV [EBX+0xc], EAX
0x001c001d 8b4344 MOV EAX, [EBX+0x44]
0x001c0020 50 PUSH EAX
0x001c0021 8b433c MOV EAX, [EBX+0x3c]
0x001c0024 50 PUSH EAX
0x001c0025 ff13 CALL DWORD [EBX]
0x001c0027 50 PUSH EAX
0x001c0028 ff5304 CALL DWORD [EBX+0x4]
0x001c002b 894308 MOV [EBX+0x8], EAX
0x001c002e 8b4354 MOV EAX, [EBX+0x54]
0x001c0031 50 PUSH EAX
0x001c0032 8b4338 MOV EAX, [EBX+0x38]
0x001c0035 50 PUSH EAX
0x001c0036 ff13 CALL DWORD [EBX]
0x001c0038 50 PUSH EAX
0x001c0039 ff5304 CALL DWORD [EBX+0x4]
0x001c003c 894314 MOV [EBX+0x14], EAX
0x001c003f 8b4358 MOV EAX, [EBX+0x58]
0x001c0042 50 PUSH EAX
0x001c0043 8b4338 MOV EAX, [EBX+0x38]
0x001c0046 50 PUSH EAX
0x001c0047 ff13 CALL DWORD [EBX]
0x001c0049 50 PUSH EAX
0x001c004a ff5304 CALL DWORD [EBX+0x4]
0x001c004d 894318 MOV [EBX+0x18], EAX
0x001c0050 8b4348 MOV EAX, [EBX+0x48]
0x001c0053 50 PUSH EAX
0x001c0054 8b4338 MOV EAX, [EBX+0x38]
0x001c0057 50 PUSH EAX
0x001c0058 ff13 CALL DWORD [EBX]
0x001c005a 50 PUSH EAX
0x001c005b ff5304 CALL DWORD [EBX+0x4]
0x001c005e 894310 MOV [EBX+0x10], EAX
0x001c0061 8b434c MOV EAX, [EBX+0x4c]
0x001c0064 50 PUSH EAX
0x001c0065 8b4338 MOV EAX, [EBX+0x38]
0x001c0068 50 PUSH EAX
0x001c0069 ff13 CALL DWORD [EBX]
0x001c006b 50 PUSH EAX
0x001c006c ff5304 CALL DWORD [EBX+0x4]
0x001c006f 89431c MOV [EBX+0x1c], EAX
0x001c0072 8b4350 MOV EAX, [EBX+0x50]
0x001c0075 50 PUSH EAX
0x001c0076 8b4338 MOV EAX, [EBX+0x38]
0x001c0079 50 PUSH EAX
0x001c007a ff13 CALL DWORD [EBX]
0x001c007c 50 PUSH EAX
0x001c007d ff5304 CALL DWORD [EBX+0x4]
0x001c0080 894334 MOV [EBX+0x34], EAX
0x001c0083 8b4360 MOV EAX, [EBX+0x60]
0x001c0086 50 PUSH EAX
And then lastly, among all the disassembly malfind produces, this "notepad" holds the full path of its parent process, the DarkComet executable that injected into it: C:\Users\TEKDEF~1\AppData\Local\Temp\MSDCSC\runddl32.exe. The region at 0x1a0000 is that path string and nothing else, which is why its "disassembly" is junk (INC EBX, CMP BL, POP ESP and so on are just the ASCII bytes decoded as opcodes); malfind disassembles every hit regardless of content, so read the hexdump column before trusting the instruction column. The region at 0x1c0000 is different: it opens with a real function prologue (PUSH EBP; MOV EBP, ESP; ADD ESP, -0x54), then repeatedly pushes two values from a parameter block, calls through [EBX], hands the result to [EBX+0x4] and stores what comes back into the block ([EBX+0xc], [EBX+0x8], [EBX+0x14], ...), which is what injected code actually looks like. Both hits are private, committed, EXECUTE_READWRITE memory with no backing file (VadS, PrivateMemory: 1, Protection: 6), the combination malfind keys on, and the MSDCSC directory and the runddl32.exe name are exactly the kind of host indicator Ian Ahl derived from these samples.
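To separate the two kinds of hit without eyeballing every instruction column, here is a small triage script. It is added for this write-up and is not part of the notebook, Ian Ahl's article or Rekall: it parses malfind's text output, pulls the hexdump bytes out of each hit, classifies the region as string data, code (standard x86 prologue) or unknown, and matches any recovered strings against indicator substrings. The sample input is the two notepad.exe hits copied from the output above; the INDICATORS tuple, the 0.9 printable threshold and the prologue byte patterns are my own choices, not anything the page or the tools define.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed sample: the two notepad.exe hits from the malfind output above,
# hexdump rows only (the parser skips disassembly rows anyway).
MALFIND_SAMPLE = r"""
Process: notepad.exe Pid: 1896 Address: 0x1a0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
0x1a0000 43 3a 5c 55 73 65 72 73 5c 54 45 4b 44 45 46 7e C:\Users\TEKDEF~
0x1a0010 31 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 1\AppData\Local\
0x1a0020 54 65 6d 70 5c 4d 53 44 43 53 43 5c 72 75 6e 64 Temp\MSDCSC\rund
0x1a0030 64 6c 33 32 2e 65 78 65 00 00 00 00 00 00 00 00 dl32.exe........
Process: notepad.exe Pid: 1896 Address: 0x1c0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
0x1c0000 55 8b ec 83 c4 ac 53 56 57 8b 5d 08 8b 43 40 50 U.....SVW.]..C@P
0x1c0010 8b 43 38 50 ff 13 50 ff 53 04 89 43 0c 8b 43 44 .C8P..P.S..C..CD
0x1c0020 50 8b 43 3c 50 ff 13 50 ff 53 04 89 43 08 8b 43 P.C<P..P.S..C..C
0x1c0030 54 50 8b 43 38 50 ff 13 50 ff 53 04 89 43 14 8b TP.C8P..P.S..C..
"""

HIT_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag:\s+\S+\s+Protection:\s+(\S+)")
# A hexdump row is an address, 2..16 lowercase byte pairs, then the ASCII column.
# Disassembly rows ("0x001a0001 3a5c5573 CMP ...") carry one unseparated opcode
# blob followed by an uppercase mnemonic, so they never match.
DUMP_RE = re.compile(r"^0x[0-9a-f]+((?:\s+[0-9a-f]{2}){2,16})\s")

X86_PROLOGUES = (b"\x55\x8b\xec", b"\x55\x89\xe5")  # push ebp; mov ebp, esp
# Indicator substrings, taken from the path recovered in this dump (my choice).
INDICATORS = ("\\MSDCSC\\", "runddl32.exe")

@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str = ""
    data: bytes = b""

def parse_malfind(text: str) -> List[Region]:
    """Collect one Region per malfind hit, with its hexdump bytes."""
    regions: List[Region] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIT_RE.match(line)
        if m:
            regions.append(Region(m.group(1), int(m.group(2)), int(m.group(3), 16)))
            continue
        if not regions:
            continue
        m = VAD_RE.match(line)
        if m:
            regions[-1].protection = m.group(1)
            continue
        m = DUMP_RE.match(line)
        if m:
            regions[-1].data += bytes.fromhex(m.group(1).strip())
    return regions

def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII bytes, ignoring trailing NUL padding."""
    body = data.rstrip(b"\x00")
    if not body:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in body) / len(body)

def ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def has_prologue(data: bytes) -> bool:
    return data.startswith(X86_PROLOGUES)

def classify(region: Region) -> str:
    """code if it starts like a function, string-data if it is mostly text."""
    if has_prologue(region.data):
        return "code"
    if printable_ratio(region.data) >= 0.9 and ascii_strings(region.data):
        return "string-data"
    return "unknown"

def triage(text: str) -> List[Dict[str, Any]]:
    """One report entry per hit: classification, strings and matched indicators."""
    report = []
    for region in parse_malfind(text):
        strings = ascii_strings(region.data)
        hits = sorted({ioc for ioc in INDICATORS for s in strings if ioc in s})
        report.append({"pid": region.pid, "address": region.address,
                       "protection": region.protection, "kind": classify(region),
                       "strings": strings, "indicators": hits})
    return report
```

Run triage() over the saved text of a full malfind pass (malfind output redirected to a file, then read into a string) and look at the "unknown" entries first: pure string regions are usually configuration or paths the injector left behind, "code" regions are what to dump and disassemble properly, and anything that is neither deserves a manual look. The heuristics are deliberately simple; a packed or encrypted region will show up as "unknown", not as clean.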
Ian Ahl. Analyzing DarkComet in Memory. TekDefense. http://www.TekDefence.com
Volatility Project. Volatility 2.3 Command Reference. https://code.google.com/p/volatility/wiki/CommandReference23
Rekall Project. Rekall Memory Forensics Tutorial (notebook). http://docs.rekall.googlecode.com/git/notebooks/Rekall%20Tutorial.html
Michael Sikorski and Andrew Honig. Practical Malware Analysis. No Starch Press. http://www.nostarch.com/malware
Content source: adricnet/dfirnotes