To analyse your memory image for unwanted activity, the netscan command is a very important bit of work.

This is similar to the "netstat -tulpen" command in Linux.


vol.exe -f vaio_mem.dmp --profile=Win7SP1x64 netscan >netscan.txt

vol.exe -f vaio_mem.dmp --profile=Win7SP1x64 connscan >connscan.txt

By looking closer at the "Remote Address" and checking its reputation, you will (hopefully) find a beacon or "phone home" connection of the unwanted software.

Note down the PID, Owner and Port that make the connection, as we need that information later.

A good way of analysing the output is to import the txt file into Excel and use the filter function.

Deselect the well-known programs.

Then change to the destination addresses and deselect the connections you know are good.

After that, you might want to sort the whole list by program name for better readability.
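As an added example (not part of the original post), the same filtering can be scripted instead of done in Excel: the parser below reads Volatility 2 netscan text output, drops owners on an allow-list and remote addresses inside your own address space, and keeps the PID, Owner and Port of what is left, separating CLOSED rows from active ones. The sample rows, the scrambled owner names and the allow-list are constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Column layout of Volatility 2 "netscan" text output; UDP rows leave State blank.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+(?P<local>\S+)\s+"
    r"(?P<remote>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)")
Conn = namedtuple("Conn", "proto local remote state pid owner")

# Constructed sample netscan.txt (not a real capture); the odd owner names are made up.
SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address                State            Pid      Owner          Created
0x7d6e44f0         TCPv4    192.168.1.5:49250              93.184.216.34:443              ESTABLISHED      1234     chrome.exe     2012-07-21 04:00:00 UTC+0000
0x7d6f8a10         UDPv4    0.0.0.0:137                    *:*                                             4        System         2012-07-21 03:58:00 UTC+0000
0x7d70b2c0         TCPv4    192.168.1.5:49301              198.51.100.23:8080             ESTABLISHED      2916     sv?h0st.exe    2012-07-21 04:02:10 UTC+0000
0x7d71c900         TCPv4    192.168.1.5:49310              203.0.113.77:443               CLOSED           3412     upd@ter.exe    2012-07-21 04:03:22 UTC+0000
0x7d72ab30         TCPv4    192.168.1.5:49312              192.168.1.10:445               ESTABLISHED      4        System         2012-07-21 04:04:00 UTC+0000
"""

# Assumed allow-list of programs the analyst has already vetted on this host.
KNOWN_GOOD = {"chrome.exe", "svchost.exe", "System"}
# Own LAN, loopback and link-local space: not "phone home" candidates.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_netscan(text):
    """Turn netscan text into Conn records, skipping the header and blank lines."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["local"], m["remote"],
                              m["state"] or "", int(m["pid"]), m["owner"]))
    return conns

def is_external(host):
    """True for a routable remote address that is worth a reputation lookup."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))   # "*" and "" raise ValueError
    except ValueError:
        return False
    return not ip.is_unspecified and not any(ip in net for net in INTERNAL)

def triage(conns, known_good=KNOWN_GOOD):
    """Split unvetted rows with an external remote address into (active, closed)."""
    active, closed = [], []
    for c in conns:
        host, _, port = c.remote.rpartition(":")
        if c.owner in known_good or not is_external(host):
            continue
        rec = {"pid": c.pid, "owner": c.owner, "remote": host, "port": port, "state": c.state}
        (closed if c.state == "CLOSED" else active).append(rec)
    return active, closed
```

Feed it the real netscan.txt with `parse_netscan(open("netscan.txt").read())` and grow KNOWN_GOOD as you vet programs; the remote addresses in the returned records are the ones to check for reputation.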

The findings

The findings below got my attention, as the owner names are scrambled.

As they are all CLOSED connections, it's quite usual not to find anything in the process list. But let's note the lines for later use.

So, let's look at active stuff and do some digging: