From f326c85522beac3be0855f46752b4be180857c55 Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Fri, 6 Jun 2014 23:21:31 +0200 Subject: [PATCH] nicer formatting --- report3/content.tex | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/report3/content.tex b/report3/content.tex index f5fdb55..b470266 100644 --- a/report3/content.tex +++ b/report3/content.tex @@ -85,7 +85,9 @@ Offset(P) PID Port Proto Protocol Address Create Time \subsection{Can you find traces of Malware?} emph{\textbf{rundll32.exe}} could hint that the system has been compromised.\\ -Extracting screenshots with \ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 screenshot --dump-dir screenshots} brings an image named \emph{\textbf{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}} containing an outline with a Message where DEP is closing Acrobat with an open file named \emph{\textbf{navy procurement.pdf}}.\\ +Extracting screenshots with:\\ +\ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 screenshot --dump-dir screenshots}\\ +brings an image named \emph{\textbf{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}} extracts an image containing an outline with a Message where DEP is closing Acrobat with an open file named \emph{\textbf{navy procurement.pdf}}.\\ This could hint at a compromised PDF.\\ The TCP-LISTEN on port 1031 seems to be used by malware as described by \url{http://de.adminsub.net/tcp-udp-port-finder/1031} or \url{http://www.auditmypc.com/tcp-port-1031.asp}.\\ -- 2.43.0
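Review bot: the third `+` line of the hunk carries a leftover from the split, reading "brings an image named \emph{\textbf{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}} extracts an image containing an outline", so the sentence now has two verbs; drop "extracts an image" (or "brings an image named") so it reads as one clause. While this line is being touched, `\ttfamily{volatility ...}` should become `\texttt{volatility ...}`: `\ttfamily` is a font declaration, not a command taking an argument, so the braces only open a group and the typewriter switch stays in effect for the text that follows rather than being limited to the command line.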