Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
svchost::svchost B2 46 This piece of software contains a decompression algorithm used by version 3.03 of the UPX executable packer. A9 A2 This program appears to be opening a raw socket. Malware applications often open up raw sockets for use in ping flooding/DDOS attacks 38 CD Program is determining the layout of the keyboard. 21 B8 Storing URL files. B4 0B Program appears to be compiled in Delphi. 38 A6 Program appears to communicate over the network. 45 45 Program appears to communicate over the network or over a named pipe. 8E 44 Program appears to communicate over the network or over a named pipe. iexplore::iexplore B2 46 This piece of software contains a decompression algorithm used by version 3.03 of the UPX executable packer. AC C8 Potential service accessing Internet Explorer settings 5F D9 Program can turn on the audio microphone and record audio. 38 CD Program is determining the layout of the keyboard. B8 98 Program appears to communicate over the network using TCP/IP. DF 37 Program uses web or ftp addresses and possibly URL's to access one or more sites on the Internet for downloading files or posting up data. 1C 0E This module may enable audio recording. 83 69 Program appears to communicate over the network using TCP/IP. 21 B8 Storing URL files. C1 7C Program appears to communicate over the network using TCP/IP. It appears to use, check, or log the IP address of the remote connection point. B4 0B Program appears to be compiled in Delphi. 7E 1E Program appears to communicate over the network using TCP/IP. E7 9F Program appears to communicate over the network using TCP/IP. B4 EE Translates network to host byte orders, common to winsock and sockets implementations. AE DA This trait is an indicator that this program may be writing outgoing data on a socket. 0E DF Program appears to communicate over the network using TCP/IP. 79 D8 Program appears to communicate over the network using TCP/IP. C6 E4 Program appears to communicate over the network using TCP/IP. 05 81 Program appears to use the UDP protocol and receive packets. svchost::memorymod-pe-0x00d90000-0x00e82000 80 08 This appears to be a hidden module, possibly injected. C6 AA Program may have remote process injection capability. A9 A2 This program appears to be opening a raw socket. Malware applications often open up raw sockets for use in ping flooding/DDOS attacks 9B E1 Possible scans UNC paths. 68 5A Protected storage COM interface DLL - could indicate scanning for username/passwords 45 3C This module may use an undocumented windows call to load dlls. EE 51 Program can communicate from usermode to kernelmode using a command channel. This is common to any program that has a device driver component, or accesses hardware via a device driver. 27 E1 This program understands the SMTP and/or ESMTP mail protocols. These protocols can be used to send SPAM or to communicate with remote machines. 25 6A Program may be using named pipes. This is a method for two processes to communicate with one another. B8 F6 The program may use win.ini 78 9A Program appears to be using mail slots. Mail slots can be used between two different programs so they can communicate with one another. Some exploits are known to use mail slots. 0E 6F Program may be using named pipes. This is a method for two processes to communicate with one another. 61 9B Program opens a handle to a running process on the system. This is done before some manipulation or information query made against the process. 4A 31 Program may be moving files over the network or copying files on the filesystem. iexplore::flash6.ocx 70 AE This module appears to have a binary embedded resource which is common to malware droppers. 5F D9 Program can turn on the audio microphone and record audio. 1C 0E This module may enable audio recording. 13 A9 This module may capture screen shots. 1B D2 This module may have embedded resources. 5D 09 The program uses the windows shell to access a local file on the system. 4C EC The program is reading the system time and converting it to a file time. B4 EE Translates network to host byte orders, common to winsock and sockets implementations. E7 9F Program appears to communicate over the network using TCP/IP. 4C 5D A method for intercepting keystrokes from the data path that relies on an event, callback, or signal being delivered to the sniffing program. This is not suspicious by itself and is used by many GUI based apps on windows. 7A A0 Explorer settings winlogon::msgina.dll F6 E3 Process may inject or write data into other processes. 1B 2A Program is reading the memory of another process. This is not typical to most programs and is usually only found in system utilities, debuggers, and hacking utilities. 66 09 This module opens an existing local process object. 4C 5D A method for intercepting keystrokes from the data path that relies on an event, callback, or signal being delivered to the sniffing program. This is not suspicious by itself and is used by many GUI based apps on windows. System::tcpip.sys DD 33 Driver appears to use the windows internal IP stack. This is common to networking drivers, desktop firewalls, and security software. However, it is also common to kernel mode rootkits. 0E 3A Driver appears to use the windows internal IP stack. This is common to networking drivers, desktop firewalls, and security software. However, it is also common to kernel mode rootkits. 64 31 This device driver queries and obtains the EPROCESS block for the current process. This is not by itself suspicious, but is used some rootkits that remove process entries for stealth. 3C 02 This networking driver is accessing the filesystem, check for a backdoor 93 75 Indicates that this module is opening a registry key. 5F 2B Indicates that this module is sending control code directly to drivers System::oreans32.sys 73 24 Kernel driver appears to query the system call table. This can potentially mean hooks are being used. 64 31 This device driver queries and obtains the EPROCESS block for the current process. This is not by itself suspicious, but is used some rootkits that remove process entries for stealth.