iPython Notebook Volatility For Memory Forensics
Document transcript

3/6/13 IPython Notebook (printed from 127.0.0.1:8888/7a585fcf-831c-4a52-9467-8058650e65b8/print; the transcript below covers pages 1-11 of 14)

Using iPython Notebook for Live Memory Forensics

In [1]: from IPython.core.display import Image
        from IPython.core.display import HTML
        from IPython.lib.display import YouTubeVideo

. . .

iPython Notebook with Volatility 2.3 Alpha

In [8]: (cell input not shown on the page; the output is the plugin table that vol.py -h prints)

        apihooks        Detect API hooks in process and kernel memory
        atoms           Print session and window station atom tables
        atomscan        Pool scanner for _RTL_ATOM_TABLE
        bioskbd         Reads the keyboard buffer from Real Mode memory
        callbacks       Print system-wide notification routines
        clipboard       Extract the contents of the windows clipboard
        cmdscan         Extract command history by scanning for _COMMAND_HISTORY
        connections     Print list of open connections [Windows XP and 2003 Only]
        connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
        consoles        Extract command history by scanning for _CONSOLE_INFORMATION
        crashinfo       Dump crash-dump information
        deskscan        Poolscaner for tagDESKTOP (desktops)
        devicetree      Show device tree
        dlldump         Dump DLLs from a process address space
        dlllist         Print list of loaded dlls for each process
        driverirp       Driver IRP hook detection
        driverscan      Scan for driver objects _DRIVER_OBJECT
        envars          Display process environment variables
        eventhooks      Print details on windows event hooks
        evtlogs         Extract Windows Event Logs (XP/2003 only)
        filescan        Scan Physical memory for _FILE_OBJECT pool allocations
        gahti           Dump the USER handle type information
        gditimers       Print installed GDI timers and callbacks
        gdt             Display Global Descriptor Table
        getservicesids  Get the names of services in the Registry and return Calculated SID
        getsids         Print the SIDs owning each process
        handles         Print list of open handles for each process
        hashdump        Dumps passwords hashes (LM/NTLM) from memory
        hibinfo         Dump hibernation file information
        hivedump        Prints out a hive
        hivelist        Print list of registry hives.
        hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
        hpakextract     Extract physical memory from an HPAK file
        hpakinfo        Info on an HPAK file
        idt             Display Interrupt Descriptor Table
        iehistory       Reconstruct Internet Explorer cache / history
        imagecopy       Copies a physical address space out as a raw DD image
        imageinfo       Identify information for the image
        impscan         Scan for calls to imported functions
        kdbgscan        Search for and dump potential KDBG values
        kpcrscan        Search for and dump potential KPCR values
        ldrmodules      Detect unlinked DLLs
        lsadump         Dump (decrypted) LSA secrets from the registry
        malfind         Find hidden and injected code
        mbrparser       Scans for and parses potential Master Boot Records (MBRs)
        memdump         Dump the addressable memory for a process
        memmap          Print the memory map
        messagehooks    List desktop and thread window message hooks
        mftparser       Scans for and parses potential MFT entries
        moddump         Dump a kernel driver to an executable file sample
        modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
        modules         Print list of loaded modules
        mutantscan      Scan for mutant objects _KMUTANT
        patcher         Patches memory based on page scans
        printkey        Print a registry key, and its subkeys and values
        privs           Display process privileges
        procexedump     Dump a process to an executable file sample
        procmemdump     Dump a process to an executable memory sample
        pslist          Print all running processes by following the EPROCESS lists
        psscan          Scan Physical memory for _EPROCESS pool allocations
        pstree          Print process list as a tree
        psxview         Find hidden processes with various process listings
        raw2dmp         Converts a physical memory sample to a windbg crash dump
        screenshot      Save a pseudo-screenshot based on GDI windows
        sessions        List details on _MM_SESSION_SPACE (user logon sessions)
        shellbags       Prints ShellBags info
        shimcache       Parses the Application Compatibility Shim Cache registry key
        sockets         Print list of open sockets
        sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
        ssdt            Display SSDT entries
        strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
        svcscan         Scan for Windows services
        symlinkscan     Scan for symbolic link objects
        thrdscan        Scan physical memory for _ETHREAD objects
        threads         Investigate _ETHREAD and _KTHREADs
        timers          Print kernel timers and associated module DPCs
        unloadedmodules Print list of unloaded modules
        userassist      Print userassist registry keys and information
        userhandles     Dump the USER handle tables
        vaddump         Dumps out the vad sections to a file
        vadinfo         Dump the VAD info
        vadtree         Walk the VAD tree and display in tree format
        vadwalk         Walk the VAD tree
        vboxinfo        Dump virtualbox information
        vmwareinfo      Dump VMware VMSS/VMSN information
        volshell        Shell in the memory image
        windows         Print Desktop Windows (verbose details)
        wintree         Print Z-Order Desktop Windows Tree
        wndscan         Pool scanner for tagWINDOWSTATION (window stations)
        yarascan        Scan Process or kernel memory with Yara signatures

. . .

imageinfo - Identify information for the image

In [2]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem imageinfo

Volatile Systems Volatility Framework 2.3_alpha
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/mem/memdump.mem)
                      PAE type : PAE
                           DTB : 0x334000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2013-02-25 18:16:01 UTC+0000
     Image local date and time : 2013-02-25 13:16:01 -0500

The profile suggestion is a heuristic (KDBG search), and SP2 and SP3 share the same KDBG signature; once a profile has been confirmed it is worth passing --profile explicitly, as the hashdump cell below does.

. . .

pslist - Print all running processes by following the EPROCESS lists

In [6]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pslist

Volatile Systems Volatility Framework 2.3_alpha
 Offset(V)  Name                  PID  PPID  Thds  Hnds   Sess  Wow64 Start                        Exit
---------- -------------------- ----- ----- ----- ----- ------ ----- ---------------------------- ----
0x89c73830 System                   4     0    56   327 ------     0
0x8979b020 smss.exe               384     4     3    21 ------     0 2013-02-20 21:52:20 UTC+0000
0x8978e238 csrss.exe              608   384    12   448      0     0 2013-02-20 21:52:22 UTC+0000
0x8978e660 winlogon.exe           632   384    19   565      0     0 2013-02-20 21:52:22 UTC+0000
0x89635610 services.exe           676   632    16   283      0     0 2013-02-20 21:52:22 UTC+0000
0x89af0880 lsass.exe              688   632    19   341      0     0 2013-02-20 21:52:22 UTC+0000
0x897a06e8 vmacthlp.exe           896   676     1    24      0     0 2013-02-20 21:52:22 UTC+0000
0x89b54388 svchost.exe            908   676    17   197      0     0 2013-02-20 21:52:22 UTC+0000
0x896f4a78 svchost.exe            972   676     9   276      0     0 2013-02-20 21:52:22 UTC+0000
0x89b04da0 svchost.exe           1120   676    61  1583      0     0 2013-02-20 21:52:22 UTC+0000
0x89b02578 svchost.exe           1176   676     5    87      0     0 2013-02-20 21:52:22 UTC+0000
0x89be0460 svchost.exe           1216   676    15   214      0     0 2013-02-20 21:52:23 UTC+0000
0x89bc9618 spoolsv.exe           1548   676    10   127      0     0 2013-02-20 21:52:24 UTC+0000
0x896fc980 svchost.exe           1684   676     6    89      0     0 2013-02-20 21:52:41 UTC+0000
0x8963e980 vmtoolsd.exe          1848   676     7   270      0     0 2013-02-20 21:52:41 UTC+0000
0x89844200 TPAutoConnSvc.e        452   676     5   101      0     0 2013-02-20 21:52:49 UTC+0000
0x899fd6e0 alg.exe                588   676     6   106      0     0 2013-02-20 21:52:50 UTC+0000
0x89653da0 explorer.exe          2012  1680    13   492      0     0 2013-02-20 21:53:00 UTC+0000
0x89b5eda0 rundll32.exe           808  2012     5    75      0     0 2013-02-20 21:53:01 UTC+0000
0x8979ac20 vmtoolsd.exe           692  2012     6   242      0     0 2013-02-20 21:53:01 UTC+0000
0x8979a3c0 TPAutoConnect.        1032   452     1    63      0     0 2013-02-20 21:53:01 UTC+0000
0x8979a7e8 wscntfy.exe           1168  1120     1    27      0     0 2013-02-20 21:53:02 UTC+0000
0x89838600 wuauclt.exe           2524  1120     3   132      0     0 2013-02-20 21:53:49 UTC+0000
0x89b3a328 chrome.exe            1796  2012    27   814      0     0 2013-02-20 22:02:12 UTC+0000
0x89aae9c8 chrome.exe            1704  1796     6    97      0     0 2013-02-20 22:02:13 UTC+0000
0x88e51538 chrome.exe            1480  1796     7    92      0     0 2013-02-20 22:18:49 UTC+0000
0x89442020 chrome.exe            1308  1796     7    94      0     0 2013-02-20 22:35:57 UTC+0000
0x88cfa970 chrome.exe            1788  1796     7    97      0     0 2013-02-20 22:37:38 UTC+0000
0x8897d0a0 cmd.exe               2384  2012     1    30      0     0 2013-02-25 05:19:24 UTC+0000
0x88f81da0 chrome.exe             856  1796     7    94      0     0 2013-02-25 07:33:05 UTC+0000
0x8853dda0 FTK Imager.exe        3168  2012     8   223      0     0 2013-02-25 18:15:37 UTC+0000

. . .

psscan - Scan Physical memory for _EPROCESS pool allocations

Run BASH commands

In [8]: !python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/memdump.mem psscan

Volatile Systems Volatility Framework 2.3_alpha
 Offset(P)  Name                  PID  PPID PDB        Time created                 Time exited
---------- -------------------- ----- ----- ---------- ---------------------------- ----------------------------
0x086c19c8 chrome.exe            1704  1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x0873dda0 FTK Imager.exe        3168  2012 0x0ff80340 2013-02-25 18:15:37 UTC+0000
0x08b70da0 cmd.exe               2384  2012 0x0ff80300 2013-02-25 05:19:24 UTC+0000
0x08efa970 chrome.exe            1788  1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x09051358 chrome.exe            1480  1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000
0x09181da0 chrome.exe             856  1796 0x0ff80460 2013-02-25 07:33:05 UTC+0000
0x095a7380 <unprintable>        <garbage> <garbage> 0x893a73a0
0x09642020 chrome.exe            1308  1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x09787da0 alg.exe               1484   676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x09835610 services.exe           676   632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x0983e980 vmtoolsd.exe          1848   676 0x0ff80200 2013-02-20 21:52:41 UTC+0000
0x09853da0 explorer.exe          2012  1680 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x098f4a78 svchost.exe            972   676 0x0ff80100 2013-02-20 21:52:22 UTC+0000
0x098fc980 svchost.exe           1684   676 0x0ff801c0 2013-02-20 21:52:41 UTC+0000
0x0998e238 csrss.exe              608   384 0x0ff80040 2013-02-20 21:52:22 UTC+0000
0x0998e660 winlogon.exe           632   384 0x0ff80060 2013-02-20 21:52:22 UTC+0000
0x0999a3c0 TPAutoConnect.        1032   452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000
0x0999a7e8 wscntfy.exe           1168  1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000
0x0999ac20 vmtoolsd.exe           692  2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000
0x0999b020 smss.exe               384     4 0x0ff80020 2013-02-20 21:52:20 UTC+0000
0x099a06e8 vmacthlp.exe           896   676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x09a2f6e8 vmacthlp.exe           896   676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x09a38600 wuauclt.exe           2524  1120 0x0ff80380 2013-02-20 21:53:49 UTC+0000
0x09a44200 TPAutoConnSvc.e        452   676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x09bfd6e0 alg.exe                588   676 0x0ff801e0 2013-02-20 21:52:50 UTC+0000
0x09cae9c8 chrome.exe            1704  1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x09cf0880 lsass.exe              688   632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000
0x09d02578 svchost.exe           1176   676 0x0ff80140 2013-02-20 21:52:22 UTC+0000
0x09d04da0 svchost.exe           1120   676 0x0ff80120 2013-02-20 21:52:22 UTC+0000
0x09d3a328 chrome.exe            1796  2012 0x0ff80280 2013-02-20 22:02:12 UTC+0000
0x09d54388 svchost.exe            908   676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000
0x09d5eda0 rundll32.exe           808  2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000
0x09dc9618 spoolsv.exe           1548   676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000
0x09de0460 svchost.exe           1216   676 0x0ff80160 2013-02-20 21:52:23 UTC+0000
0x09e73830 System                   4     0 0x00334000
0x130d59c8 chrome.exe            1704  1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x13ac03c0 TPAutoConnect.        1032   452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000
0x13ac07e8 wscntfy.exe           1168  1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000
0x13ac0c20 vmtoolsd.exe           692  2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000
0x1a2f8da0 explorer.exe          2012  1680 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x1d263980 vmtoolsd.exe          1848   676 0x0ff80200 2013-02-20 21:52:41 UTC+0000
0x2006a020 TPAutoConnSvc.e        452   676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x200866e8 vmacthlp.exe           896   676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x23400980 vmtoolsd.exe          1848   676 0x0ff80200 2013-02-20 21:52:41 UTC+0000
0x278f1618 spoolsv.exe           1548   676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000
0x281d8970 chrome.exe            1788  1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x287989c8 chrome.exe            1704  1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000
0x2b16e970 chrome.exe            1788  1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x2be156e8 vmacthlp.exe           896   676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x31bacda0 alg.exe               1484   676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x321e5020 TPAutoConnSvc.e        452   676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x35aacda0 svchost.exe           1120   676 0x0ff80120 2013-02-20 21:52:22 UTC+0000
0x3cbea578 svchost.exe           1176   676 0x0ff80140 2013-02-20 21:52:22 UTC+0000
0x43923da0 svchost.exe           1120   676 0x0ff80120 2013-02-20 21:52:22 UTC+0000
0x45fa5020 chrome.exe            1308  1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x47370358 chrome.exe            1480  1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000
0x4a546da0 rundll32.exe           808  2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000
0x4a8da610 services.exe           676   632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x4d51b830 System                   4     0 0x00334000
0x4db3c388 svchost.exe            908   676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000
0x4e64a380 <unprintable>        <garbage> <garbage> 0x893a73a0
0x54457880 lsass.exe              688   632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000
0x57f9f970 chrome.exe            1788  1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x586abda0 alg.exe               1484   676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x5b2dfda0 rundll32.exe           808  2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000
0x5b9e0020 TPAutoConnSvc.e        452   676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x5d400618 spoolsv.exe           1548   676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000
0x65a816e8 vmacthlp.exe           896   676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x6db39da0 explorer.exe          2012  1680 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x6df34610 services.exe           676   632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x7494d020 chrome.exe            1308  1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x77b5d020 TPAutoConnSvc.e        452   676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x7c64c6e8 vmacthlp.exe           896   676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000

psscan carves _EPROCESS blocks out of physical memory by pool tag instead of following the linked list, so it returns more than pslist does: the same live process shows up at several physical offsets (chrome.exe 1704 at 0x086c19c8, 0x09cae9c8, 0x130d59c8 and 0x287989c8), alg.exe 1484 was created at 21:28:44 on 2013-02-20, before this boot's smss.exe at 21:52:20, so it is a leftover block from an earlier session, and the two rows with an unprintable name and non-numeric PID/PPID are false positives of the scan. The case worth chasing is a process that psscan finds, pslist does not list, and that has no exit time; psxview (in the plugin table above) automates that comparison.
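The comparison just described, written as a cross-check of the pslist and psscan output captured into Python the way the later `data = !python ... pslist` cell does. This is an added example for this page, not the notebook's own code; the two sample tables are constructed from rows shown above, and the pslist sample deliberately omits alg.exe 1484 (which only psscan found) while the psscan sample keeps one of the garbage rows.

```python
"""Cross-check Volatility pslist against psscan text output (added example, not notebook code)."""
import re
from collections import defaultdict

# Row patterns for the 2.3 text output; names may contain spaces ("FTK Imager.exe").
PSLIST_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)"
    r"(?:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?")
PSSCAN_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)"
    r"(?:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?")

# Constructed samples taken from the cells above (alg.exe 1484 left out of pslist on purpose).
PSLIST_SAMPLE = """Volatile Systems Volatility Framework 2.3_alpha
 Offset(V)  Name           PID  PPID  Thds  Hnds   Sess  Wow64 Start                        Exit
---------- ------------- ----- ----- ----- ----- ------ ----- ---------------------------- ----
0x89c73830 System            4     0    56   327 ------     0
0x8979b020 smss.exe        384     4     3    21 ------     0 2013-02-20 21:52:20 UTC+0000
0x8978e238 csrss.exe       608   384    12   448      0     0 2013-02-20 21:52:22 UTC+0000
0x8978e660 winlogon.exe    632   384    19   565      0     0 2013-02-20 21:52:22 UTC+0000
0x89635610 services.exe    676   632    16   283      0     0 2013-02-20 21:52:22 UTC+0000
0x89b04da0 svchost.exe    1120   676    61  1583      0     0 2013-02-20 21:52:22 UTC+0000
0x8853dda0 FTK Imager.exe 3168  2012     8   223      0     0 2013-02-25 18:15:37 UTC+0000
"""
PSSCAN_SAMPLE = """Volatile Systems Volatility Framework 2.3_alpha
 Offset(P)  Name           PID  PPID PDB        Time created                 Time exited
---------- ------------- ----- ----- ---------- ---------------------------- ----------
0x09e73830 System            4     0 0x00334000
0x0999b020 smss.exe        384     4 0x0ff80020 2013-02-20 21:52:20 UTC+0000
0x0998e238 csrss.exe       608   384 0x0ff80040 2013-02-20 21:52:22 UTC+0000
0x0998e660 winlogon.exe    632   384 0x0ff80060 2013-02-20 21:52:22 UTC+0000
0x09835610 services.exe    676   632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x4a8da610 services.exe    676   632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x09d04da0 svchost.exe    1120   676 0x0ff80120 2013-02-20 21:52:22 UTC+0000
0x0873dda0 FTK Imager.exe 3168  2012 0x0ff80340 2013-02-25 18:15:37 UTC+0000
0x09787da0 alg.exe        1484   676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x095a7380 <unprintable> <garbage> <garbage> 0x893a73a0
"""


def parse_pslist(text):
    """One dict per pslist row; the banner, header and dash lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = PSLIST_RE.match(line.strip())
        if m:
            off, name, pid, ppid, thds, hnds, _sess, _wow64, start = m.groups()
            rows.append({"offset": off, "name": name, "pid": int(pid), "ppid": int(ppid),
                         "threads": int(thds), "handles": int(hnds), "start": start})
    return rows


def parse_psscan(text):
    """Same for psscan. Lines that start like a row but do not parse are returned separately:
    pool-tag scanning also hits blocks with unprintable names or non-numeric PIDs."""
    rows, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        m = PSSCAN_RE.match(line)
        if m:
            off, name, pid, ppid, pdb, created = m.groups()
            rows.append({"offset": off, "name": name, "pid": int(pid), "ppid": int(ppid),
                         "pdb": pdb, "start": created})
        elif line.startswith("0x"):
            rejected.append(line)
    return rows, rejected


def _key(r):
    # PID alone is not unique across sessions (XP reuses 676 for services.exe every boot),
    # so identify a process by PID, name and creation time.
    return (r["pid"], r["name"], r["start"] or "")


def cross_check(pslist_text, psscan_text):
    live = {_key(r) for r in parse_pslist(pslist_text)}
    scanned_rows, rejected = parse_psscan(psscan_text)
    scanned = {_key(r) for r in scanned_rows}          # copies at several offsets collapse here
    return {"scan_only": sorted(scanned - live),       # exited, or unlinked from the active list
            "list_only": sorted(live - scanned),       # scanner missed it (smear, overwritten header)
            "rejected": rejected}                      # scanner false positives


def process_tree(pslist_text):
    """Parent PID -> sorted (pid, name) children, the relation pstree draws."""
    children = defaultdict(list)
    for r in parse_pslist(pslist_text):
        children[r["ppid"]].append((r["pid"], r["name"]))
    return {ppid: sorted(kids) for ppid, kids in children.items()}


if __name__ == "__main__":
    print(cross_check(PSLIST_SAMPLE, PSSCAN_SAMPLE))
    print(process_tree(PSLIST_SAMPLE))
```

In the notebook the two text arguments would be `"\n".join(data)` from an `!python ... pslist` and an `!python ... psscan` capture; keying on creation time as well as PID is what keeps a reused PID from a previous boot from masking a real discrepancy.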
. . .

pstree - Print process list as a tree

In [9]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pstree

Volatile Systems Volatility Framework 2.3_alpha
Name                                   Pid   PPid   Thds   Hnds Time
 0x89c73830:System                       4      0     56    327 1970-01-0... UTC+0000
. 0x8979b020:smss.exe                  384      4      3     21 2013-02-2... UTC+0000
.. 0x8978e238:csrss.exe                608    384     12    448 2013-02-2... UTC+0000
.. 0x8978e660:winlogon.exe             632    384     19    565 2013-02-2... UTC+0000
... 0x89635610:services.exe            676    632     16    283 2013-02-2... UTC+0000
.... 0x897a06e8:vmacthlp.exe           896    676      1     24 2013-02-2... UTC+0000
.... 0x89b54388:svchost.exe            908    676     17    197 2013-02-2... UTC+0000
.... 0x896fc980:svchost.exe           1684    676      6     89 2013-02-2... UTC+0000
.... 0x89b02578:svchost.exe           1176    676      5     87 2013-02-2... UTC+0000
.... 0x89bc9618:spoolsv.exe           1548    676     10    127 2013-02-2... UTC+0000
.... 0x8963e980:vmtoolsd.exe          1848    676      7    270 2013-02-2... UTC+0000
.... 0x89be0460:svchost.exe           1216    676     15    214 2013-02-2... UTC+0000
.... 0x89b04da0:svchost.exe           1120    676     61   1583 2013-02-2... UTC+0000
..... 0x8979a7e8:wscntfy.exe          1168   1120      1     27 2013-02-2... UTC+0000
..... 0x89838600:wuauclt.exe          2524   1120      3    132 2013-02-2... UTC+0000
.... 0x89844200:TPAutoConnSvc.e        452    676      5    101 2013-02-2... UTC+0000
..... 0x8979a3c0:TPAutoConnect.       1032    452      1     63 2013-02-2... UTC+0000
.... 0x896f4a78:svchost.exe            972    676      9    276 2013-02-2... UTC+0000
.... 0x899fd6e0:alg.exe                588    676      6    106 2013-02-2... UTC+0000
... 0x89af0880:lsass.exe               688    632     19    341 2013-02-2... UTC+0000
 0x89653da0:explorer.exe              2012   1680     13    492 2013-02-2... UTC+0000
. 0x89b3a328:chrome.exe               1796   2012     27    814 2013-02-2... UTC+0000
.. 0x89442020:chrome.exe              1308   1796      7     94 2013-02-2... UTC+0000
.. 0x88e51538:chrome.exe              1480   1796      7     92 2013-02-2... UTC+0000
.. 0x88f81da0:chrome.exe               856   1796      7     94 2013-02-2... UTC+0000
.. 0x89aae9c8:chrome.exe              1704   1796      6     97 2013-02-2... UTC+0000
.. 0x88cfa970:chrome.exe              1788   1796      7     97 2013-02-2... UTC+0000
. 0x89b5eda0:rundll32.exe              808   2012      5     75 2013-02-2... UTC+0000
. 0x8979ac20:vmtoolsd.exe              692   2012      6    242 2013-02-2... UTC+0000
. 0x8897d0a0:cmd.exe                  2384   2012      1     30 2013-02-2... UTC+0000
. 0x8853dda0:FTK Imager.exe           3168   2012      8    223 2013-02-2... UTC+0000

(The Time column is truncated to "2013-02-2..." on the page itself.) explorer.exe has no visible parent: PPID 1680 belongs to userinit.exe, which exits after launching the shell, so a missing parent for explorer.exe is normal on XP.

. . .

clipboard - Extract the contents of the windows clipboard

In [10]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem clipboard

Volatile Systems Volatility Framework 2.3_alpha
Session  WindowStation Format            Handle     Object     Data
-------- ------------- ----------------- ---------- ---------- ----
       0 WinSta0       0xc009L           0x25e1013f 0xe182d1b8
       0 WinSta0       CF_UNICODETEXT    0x0        ----------
       0 WinSta0       0xc013L           0xed00b3   0xe1ebf220
       0 WinSta0       CF_LOCALE         0xbae014b  0xe2498d00
       0 WinSta0       CF_TEXT           0x1        ----------
       0 WinSta0       CF_OEMTEXT        0x1        ----------

. . .

connections - Print list of open connections [Windows XP and 2003 Only]

In [12]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem connections

Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x888e3e70 172.16.158.137:1853       172.16.158.144:4444       1120
0x88559e70 172.16.158.137:1854       172.16.158.144:4444       1120
0x88570e70 172.16.158.137:2130       172.16.158.144:4444       1120
0x88f3c008 172.16.158.137:1855       172.16.158.144:4444       1120
0x89681dd8 172.16.158.137:1852       172.16.158.144:4444       1120
0x89afea68 172.16.158.137:1856       172.16.158.144:4444       1120

All six connections belong to PID 1120, the svchost.exe with 61 threads and 1583 handles in pslist, and all go to one host on port 4444, the default listener port of Metasploit payload handlers. That is the lead to follow with dlllist, handles and malfind on PID 1120; the sockets output below dates the connections.

. . .

sockets - Print list of open sockets

In [11]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets

Volatile Systems Volatility Framework 2.3_alpha
Offset(V)     PID   Port Proto Protocol   Address         Create Time
---------- ------ ------ ----- ---------- --------------- ----------------------------
0x8963a008   1176   1031    17 UDP        0.0.0.0         2013-02-20 21:53:01 UTC+0000
0x89ba36c8      4    137    17 UDP        172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x89a98008    688    500    17 UDP        0.0.0.0         2013-02-20 21:52:42 UTC+0000
0x89b963c8   1120   1852     6 TCP        0.0.0.0         2013-02-25 05:06:47 UTC+0000
0x889fe008   1120   1856     6 TCP        0.0.0.0         2013-02-25 05:17:07 UTC+0000
0x89b027e0      4    445     6 TCP        0.0.0.0         2013-02-20 21:52:20 UTC+0000
0x896f2e98    972    135     6 TCP        0.0.0.0         2013-02-20 21:52:22 UTC+0000
0x893ec880   1176   1121    17 UDP        0.0.0.0         2013-02-20 21:57:42 UTC+0000
0x8921be98      4    138    17 UDP        172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x89b047e8   1120   1853     6 TCP        0.0.0.0         2013-02-25 05:14:29 UTC+0000
0x890eee98   1120    123    17 UDP        172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x88c8c008   1120    123    17 UDP        127.0.0.1       2013-02-25 01:32:26 UTC+0000
0x89569820    688      0   255 Reserved   0.0.0.0         2013-02-20 21:52:42 UTC+0000
0x88930608   1176   1405    17 UDP        0.0.0.0         2013-02-20 22:04:27 UTC+0000
0x89aaad08   1176   1122    17 UDP        0.0.0.0         2013-02-20 21:57:42 UTC+0000
0x89718650   1176   1037    17 UDP        0.0.0.0         2013-02-20 21:53:27 UTC+0000
0x88667008   1120   1854     6 TCP        0.0.0.0         2013-02-25 05:15:35 UTC+0000
0x89551420    588   1026     6 TCP        127.0.0.1       2013-02-20 21:52:50 UTC+0000
0x88df7dc0   1216   1900    17 UDP        172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x88bdbab0   1216   1900    17 UDP        127.0.0.1       2013-02-25 01:32:26 UTC+0000
0x89aa8530   1120   2130     6 TCP        0.0.0.0         2013-02-25 18:12:13 UTC+0000
0x89644e98   1176   1038    17 UDP        0.0.0.0         2013-02-20 21:53:27 UTC+0000
0x897a4200      4    139     6 TCP        172.16.158.137  2013-02-25 01:32:26 UTC+0000
0x897afe98    688   4500    17 UDP        0.0.0.0         2013-02-20 21:52:42 UTC+0000
0x89bcc548   1120   1855     6 TCP        0.0.0.0         2013-02-25 05:16:28 UTC+0000
0x89b02c08      4    445    17 UDP        0.0.0.0         2013-02-20 21:52:20 UTC+0000

The TCP sockets on local ports 1852-1856 and 2130 are the six connections above: PID 1120 opened them between 05:06:47 and 18:12:13 on 2013-02-25, the last one four minutes before the image was taken (18:16:01 UTC per imageinfo). The rest are the listeners an XP box is expected to have: 135 on the RPC svchost (972), 445/139/137/138 on System, 500/4500 on lsass.exe (688), 1900 SSDP on svchost 1216, 1026 on alg.exe (588), 123 NTP on svchost 1120.

. . .

hivelist - Print list of registry hives.

In [13]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem hivelist

Volatile Systems Volatility Framework 2.3_alpha
Virtual    Physical   Name
---------- ---------- ----
0xe1eeeb60 0x14902b60 \Device\HarddiskVolume1\Documents and Settings\test\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1f1d008 0x16215008 \Device\HarddiskVolume1\Documents and Settings\test\NTUSER.DAT
0xe19a57c8 0x121777c8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe199c008 0x121eb008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1980008 0x11d68008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1974b60 0x11cd8b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1635b60 0x0fde0b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1603758 0x0f8d9758 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe162ab60 0x0fe1bb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe16176c8 0x0f8e46c8 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13e2b60 0x0a720b60 [no name]
0xe1035b60 0x0a370b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x0a36a008 [no name]

The virtual offsets of SAM (0xe162ab60) and system (0xe1035b60) from this table are what hashdump needs next.

. . .
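The join between the connections and sockets cells that the notes above do by hand, written as Python over the captured text. This is an added example for this page, not the notebook's own code; the two sample tables are constructed from the rows shown above, and `PSLIST_NAMES` is a hand-built PID-to-name map that in the notebook would be derived from the pslist capture.

```python
"""Group Volatility 2.3 connections by (pid, remote endpoint) and date them from sockets
(added example, not notebook code)."""
import re
from collections import defaultdict

CONN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)")
SOCK_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)")

# Constructed samples: the connections cell and the TCP rows of the sockets cell above.
CONNECTIONS_SAMPLE = """Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x888e3e70 172.16.158.137:1853       172.16.158.144:4444       1120
0x88559e70 172.16.158.137:1854       172.16.158.144:4444       1120
0x88570e70 172.16.158.137:2130       172.16.158.144:4444       1120
0x88f3c008 172.16.158.137:1855       172.16.158.144:4444       1120
0x89681dd8 172.16.158.137:1852       172.16.158.144:4444       1120
0x89afea68 172.16.158.137:1856       172.16.158.144:4444       1120
"""
SOCKETS_SAMPLE = """Volatile Systems Volatility Framework 2.3_alpha
Offset(V)     PID   Port Proto Protocol   Address         Create Time
---------- ------ ------ ----- ---------- --------------- ----------------------------
0x89b963c8   1120   1852     6 TCP        0.0.0.0         2013-02-25 05:06:47 UTC+0000
0x889fe008   1120   1856     6 TCP        0.0.0.0         2013-02-25 05:17:07 UTC+0000
0x89b027e0      4    445     6 TCP        0.0.0.0         2013-02-20 21:52:20 UTC+0000
0x89b047e8   1120   1853     6 TCP        0.0.0.0         2013-02-25 05:14:29 UTC+0000
0x88667008   1120   1854     6 TCP        0.0.0.0         2013-02-25 05:15:35 UTC+0000
0x89551420    588   1026     6 TCP        127.0.0.1       2013-02-20 21:52:50 UTC+0000
0x89aa8530   1120   2130     6 TCP        0.0.0.0         2013-02-25 18:12:13 UTC+0000
0x89bcc548   1120   1855     6 TCP        0.0.0.0         2013-02-25 05:16:28 UTC+0000
"""
PSLIST_NAMES = {4: "System", 588: "alg.exe", 1120: "svchost.exe"}   # constructed subset of pslist


def parse_connections(text):
    """[(pid, local_ip, local_port, remote_ip, remote_port)] from `connections` output."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            _, lip, lport, rip, rport, pid = m.groups()
            out.append((int(pid), lip, int(lport), rip, int(rport)))
    return out


def parse_sockets(text):
    """{(pid, local_port): create_time} for the TCP rows of `sockets` output."""
    out = {}
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if m and m.group(5) == "TCP":
            out[(int(m.group(2)), int(m.group(3)))] = m.group(7)
    return out


def endpoint_summary(conn_text, sock_text, names):
    """One record per (pid, remote endpoint): how many connections, which local ports,
    and the earliest/latest socket creation time among them."""
    groups = defaultdict(list)
    for pid, _lip, lport, rip, rport in parse_connections(conn_text):
        groups[(pid, rip, rport)].append(lport)
    socks = parse_sockets(sock_text)
    summary = []
    for (pid, rip, rport), lports in sorted(groups.items()):
        times = sorted(socks[(pid, lp)] for lp in lports if (pid, lp) in socks)
        summary.append({"pid": pid, "name": names.get(pid, "?"), "remote": f"{rip}:{rport}",
                        "connections": len(lports), "local_ports": sorted(lports),
                        "first_seen": times[0] if times else None,
                        "last_seen": times[-1] if times else None})
    return summary


def suspicious(summary, min_connections=3):
    """A service-host PID holding several connections to one remote endpoint is the
    pattern to escalate (dlllist / malfind on that PID)."""
    return [s for s in summary if s["connections"] >= min_connections]


if __name__ == "__main__":
    for s in suspicious(endpoint_summary(CONNECTIONS_SAMPLE, SOCKETS_SAMPLE, PSLIST_NAMES)):
        print(s)
```

The socket creation times are the only timestamps the XP `connections` table lacks, which is why the two outputs are worth joining: with them, the six connections from PID 1120 turn from a snapshot into a thirteen-hour timeline.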
hashdump - Dumps passwords hashes (LM/NTLM) from memory

In [14]: # -s = SAM hive offset    (\WINDOWS\system32\config\SAM, 0xe162ab60 in hivelist)
         # -y = SYSTEM hive offset (\WINDOWS\system32\config\system, 0xe1035b60 in hivelist)
         !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem --profile=WinXPSP2x86 hashdump -s 0xe162ab60 -y

(In Volatility's hashdump, -s takes the SAM hive offset and -y the SYSTEM hive offset; the value after -y is cut off at the page margin.)

Volatile Systems Volatility Framework 2.3_alpha
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:8216fa8b2aa3ec2c8814e5cdb59313e7:e85590fb00de5f6acb4bf7594cebd405:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:3057d580746918bfdeca3698360d8db7:::
test:1004:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::

Administrator and Guest carry the blank-password constants (LM aad3b435b51404eeaad3b435b51404ee, NT 31d6cfe0d16ae931b73c59d7e0c089c0); SUPPORT_388945a0 has the blank LM value but a real NT hash, which is how XP stores a password longer than 14 characters; and test carries the LM/NT pair of the password "password" (e52cac67419a9a224a3b108f3fa6cb6d / 8846f7eaee8fb117ad06bdd830b7586c).

. . .
  • 8. 3/6/13 IPython Notebook . . Getting help I [5: !yhn/ets/oesc/oaiiyvlp - n 1] pto pnetfrnisvltlt/o.y h Vltl SsesVltlt Faeok23apa oaie ytm oaiiy rmwr ._lh Uae Vltlt -Ammr frnisaayi pafr. sg: oaiiy eoy oesc nlss ltom Otos pin: -,-hl h -ep ls alaalbeotosadterdfutvle. it l vial pin n hi eal aus Dfutvle myb sti tecniuainfl eal aus a e e n h ofgrto ie (ecvltltr) /t/oaiiyc -cn-ie/ot.oaiiyc -offl=ro/vltltr Ue bsdcniuainfl sr ae ofgrto ie -,-dbg d -eu Dbgvltlt eu oaiiy -puisPUIS -lgn=LGN Adtoa pui drcoist ue(oo sprtd diinl lgn ietre o s cln eaae) -if -no Pitifrainaotalrgsee ojcs rn nomto bu l eitrd bet -ccedrcoy/ot.ah/oaiiy -ah-ietr=ro/ccevltlt Drcoyweecceflsaesoe ietr hr ah ie r trd -cce -ah Ueccig s ahn -t=Z -zT St tetmzn frdslyn tmsap es h ieoe o ipaig ietms - FLNM,-flnm=IEAE f IEAE -ieaeFLNM Flnm t uewe oeiga iae ieae o s hn pnn n mg -poieWnPPx6 -rfl=iXS28 Nm o tepoiet la ae f h rfl o od - LCTO,-lcto=OAIN l OAIN -oainLCTO . . . sessions - List details on _MM_SESSION_SPACE (user logon sessions) I [7: !yhn/ets/oesc/oaiiyvlp - /otDstpmmmmupmmssin n 1] pto pnetfrnisvltlt/o.y f ro/eko/e/edm.e esos Vltl SsesVltlt Faeok23apa oaie ytm oaiiy rmwr ._lh ************************* ************************* SsinV:bdc0 I:0Poess 2 eso() ac00 D rcse: 9 Pgdoltr:b000 Pgdoln b3ff aePoSat c000 aePoEd cfff Poes 68crsee21-22 2:22 UC00 rcs: 0 ss.x 030-0 15:2 T+00 Poes 62wnoo.x 21-22 2:22 UC00 rcs: 3 ilgnee 030-0 15:2 T+00 Poes 66srie.x 21-22 2:22 UC00 rcs: 7 evcsee 030-0 15:2 T+00 Poes 68lasee21-22 2:22 UC00 rcs: 8 ss.x 030-0 15:2 T+00 Poes 86vatl.x 21-22 2:22 UC00 rcs: 9 mchpee 030-0 15:2 T+00 Poes 98scotee21-22 2:22 UC00 rcs: 0 vhs.x 030-0 15:2 T+00 Poes 92scotee21-22 2:22 UC00 rcs: 7 vhs.x 030-0 15:2 T+00 Poes 12 scotee21-22 2:22 UC00 rcs: 10 vhs.x 030-0 15:2 T+00 Poes 17 scotee21-22 2:22 UC00 rcs: 16 vhs.x 030-0 15:2 T+00 Poes 11 scotee21-22 2:22 UC00 rcs: 26 vhs.x 030-0 15:3 T+00 Poes 14 solvee21-22 2:22 UC00 rcs: 58 pos.x 030-0 15:4 T+00 Poes 18 scotee21-22 2:24 UC00 rcs: 64 vhs.x 
030-0 15:1 T+00 Poes 14 vtos.x 21-22 2:24 UC00 rcs: 88 moldee 030-0 15:1 T+00 Poes 42TAtCnSce21-22 2:24 UC00 rcs: 5 Puoonv. 030-0 15:9 T+00 Poes 58agee21-22 2:25 UC00 rcs: 8 l.x 030-0 15:0 T+00 Poes 21 epoe.x 21-22 2:30 UC00 rcs: 02 xlrree 030-0 15:0 T+00 Poes 88rnl3.x 21-22 2:30 UC00 rcs: 0 udl2ee 030-0 15:1 T+00 Poes 62vtos.x 21-22 2:30 UC00 rcs: 9 moldee 030-0 15:1 T+00 Poes 13 TAtCnete21-22 2:30 UC00 rcs: 02 Puoonc. 030-0 15:1 T+00 Poes 16 wctyee21-22 2:30 UC00 rcs: 18 snf.x 030-0 15:2 T+00127.0.0.1:8888/7a585fcf-831c-4a52-9467-8058650e65b8/print 8/14
  • 9. 3/6/13 IPython Notebook Poes 22 wactee21-22 2:34 UC00 rcs: 54 uul.x 030-0 15:9 T+00 Poes 19 crm.x 21-22 2:21 UC00 rcs: 76 hoeee 030-0 20:2 T+00 Poes 10 crm.x 21-22 2:21 UC00 rcs: 74 hoeee 030-0 20:3 T+00 Poes 18 crm.x 21-22 2:84 UC00 rcs: 40 hoeee 030-0 21:9 T+00 Poes 10 crm.x 21-22 2:55 UC00 rcs: 38 hoeee 030-0 23:7 T+00 Poes 18 crm.x 21-22 2:73 UC00 rcs: 78 hoeee 030-0 23:8 T+00 Poes 28 cdee21-22 0:92 UC00 rcs: 34 m.x 030-5 51:4 T+00 Poes 86crm.x 21-22 0:30 UC00 rcs: 5 hoeee 030-5 73:5 T+00 Poes 36 FKIae.x 21-22 1:53 UC00 rcs: 18 T mgree 030-5 81:7 T+00 Iae 0881b,Adesb800,Nm:wn2.y mg: x9e78 drs f000 ae i3kss Iae 08939,Adesb910,Nm:dgss mg: x9250 drs fc00 ae x.y Iae 08abb,Adesb930,Nm:vxf.l mg: x9b38 drs fd00 ae m_bdl Iae 08545,Adesbf00,Nm:AMDDL mg: x93a8 drs fa00 ae TF.L Iae 0b709,Adesc566,Nm: mg: xff0c drs 0de0 ae . . . Manipulating data into python data structures I [9: dt =!yhn/ets/oesc/oaiiyvlp - ~Dstpmmmmupmmpls n 1] aa pto pnetfrnisvltlt/o.y f /eko/e/edm.e sit dt aa Ot1] [Vltl SsesVltlt Faeok23apa, u[9: oaie ytm oaiiy rmwr ._lh fstV Nm Ofe() ae PD PI I PD Td hs Hd ns Ss Ww4Sat es o6 tr Ei xt , --------------- --- --- --- ---- --- --- --------------- -------- ----- ---------- --- --- --- ---- --- --- --------------- -------- ------- -------, x9780Sse 08c33 ytm 4 0 56 37--- 2 --- 0 , x9900ss.x 087b2 msee 34 8 4 3 2 --- 1 --- 021-22 2:22 UC00 030-0 15:0 T+00 , x9828crsee 087e3 ss.x 68 0 34 8 12 48 4 0 021-22 2:22 UC00 030-0 15:2 T+00 , x9860wnoo.x 087e6 ilgnee 62 3 34 8 19 55 6 0 021-22 2:22 UC00 030-0 15:2 T+00 , x9360srie.x 08651 evcsee 66 7 62 3 16 23 8 0 021-22 2:22 UC00 030-0 15:2 T+00 , x9f80lasee 08a08 ss.x 68 8 62 3 19 31 4 0 021-22 2:22 UC00 030-0 15:2 T+00 , x9a68vatl.x 0870e mchpee 86 9 66 7 1 24 0 021-22 2:22 UC00 030-0 15:2 T+00 , x9538scotee 08b48 vhs.x 98 0 66 7 17 17 9 0 021-22 2:22 UC00 030-0 15:2 T+00 , x9fa8scotee 08647 vhs.x 92 7 66 7 9 26 7 0 021-22 2:22 UC00 030-0 15:2 T+00 , x90d0scotee 08b4a vhs.x 12 10 66 7 61 18 53 0 021-22 2:22 
UC00 030-0 15:2 T+00 , x9058scotee 08b27 vhs.x 17 16 66 7 5 87 0 021-22 2:22 UC00 030-0 15:2 T+00 , x9e40scotee 08b06 vhs.x 11 26 66 7 15 24 1 0 021-22 2:22 UC00 030-0 15:3 T+00 , x9c68solvee 08b91 pos.x 14 58 66 7 10 17 2 0 021-22 2:22 UC00 030-0 15:4 T+00 , x9f90scotee 086c8 vhs.x 18 64 66 7 6 89 0 021-22 2:24 UC00 030-0 15:1 T+00 , x9390vtos.x 086e8 moldee 14 88 66 7 7 20 7 0 021-22 2:24 UC00 030-0 15:1 T+00 , x9400TAtCnSce 08842 Puoonv. 42 5 66 7 5 11 0 0 021-22 2:24 UC00 030-0 15:9 T+00 , x9f60agee 089de l.x 58 8 66 7 6 16 0 0 021-22 2:25 UC00 030-0 15:0 T+00 , x95d0epoe.x 0863a xlrree 21 02 16 80 13 42 9 0 021-22 2:30 UC00 030-0 15:0 T+00 , x95d0rnl3.x 08bea udl2ee 88 21 0 02 5 75 0 021-22 2:30 UC00 030-0 15:1 T+00 , x99c0vtos.x 087a2 moldee 62 21 9 02 6 22 4 0 021-22 2:30 UC00 030-0 15:1 T+00127.0.0.1:8888/7a585fcf-831c-4a52-9467-8058650e65b8/print 9/14
  • 10. (pslist output continued from the previous slide; the remaining rows are too garbled in this transcript to recover in full: TPAutoConnect.exe, wscntfy.exe, wuauclt.exe, five chrome.exe instances, cmd.exe, a further chrome.exe and FTK Imager.exe, with start times on 2013-02-20 and 2013-02-25)

. . .

Looking at all the strings in the memory dump

In [21]: text_strings = !strings /root/Desktop/mem/memdump.mem

In [22]: text_strings[0:10]

Out[22]: [msvcrt.dll, GDI32.dll, KERNEL32.dll, USER32.dll, ADVAPI32.dll, ole32.dll, SHLWAPI.dll, SHDOCVW.dll, msls31.dll, __dllonexit]

. . .

Created a small grep function to look for "Visited:"

  • 11.

In [26]: def grepy(search_term, text_strings):
             temp_list = []
             for item in text_strings:
                 if search_term in item:
                     temp_list.append(item)
             return temp_list

         grepy("Visited: test@", text_strings)

Out[26]: [wVisited: test@hcp://system/compact/compatmode.htm,
 Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches,
 Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite,
 Visited: test@http://www.accessdata.com/downloads.html,
 Visited: test@http://www.forensicswiki.org/wiki/FTK_Imager,
 Visited: test@http://www.securitynewsportal.com/itsecurity/index.html?title=FTK_Imager_Lite_2.6.1,
 Visited: test@about:blank,
 Visited: test@https://www.google.com/intl/en/chrome/browser/thankyou.html,
 Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=chrome,
 Visited: test@http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346,
 Visited: test@https://www.google.com/intl/en/chrome,
 Visited: test@file:///C:/Documents%20and%20Settings/test/Desktop/winpmem-1.3.1.zip,
 Visited: test@about:Home,
 Visited: test@res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm,
 Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=mozilla,
 Visited: test@https://code.google.com/p/volatility/downloads/detail?name=winpmem-1.3.1.zip,
 Visited: test@http://docs.python.org/faq/windows,
 Visited: test@https://volatility.googlecode.com/files/winpmem-1.3.1.zip,
 Visited: test@http://autosearch.msn.com/response.asp?MT=python+windows+xp&srch=3&prov=&utf8,
 Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=python+windows+xp,
 Visited: test@http://docs.python.org/2/faq/windows,
 Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=volatility+3+tech+preview+windows,
 Visited: test@http://www.securitynewsportal.com/securityblogs/article.php?title=FTK_Imager_Lite_2.6.1,
 Visited: test@http://code.google.com/p/volatility/wiki/VolatilityRoadmap,
 Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages,
 Visited: test@https://dl.google.com/tag/s/appguid%3D... (long Chrome installer tag URL; the rest is unrecoverable from the transcript),
 ... (the remainder of Out[26] repeats entries from this list, plus two occurrences of wVisited: test@about:blank)]

. . .
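The `grepy` cell above is a plain substring match over every line of `strings` output, which leaves the analyst to read the URLs by eye. The block below is an added example (my code, not from the notebook or from Volatility) that parses the same index.dat "Visited: user@url" records into structured fields, tolerates the stray leading byte seen in the `wVisited:` hit, groups the URLs by scheme and host, and pulls the `q=` terms out of search-engine URLs. It runs under Python 3 on a constructed list of strings-output lines that imitates the notebook's output; the sample lines, user names and the hypothetical `admin` user are mine.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample of `strings` output lines (not the page's real dump).
SAMPLE_STRINGS = [
    "msvcrt.dll",
    "Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches",
    "wVisited: test@hcp://system/compact/compatmode.htm",       # stray leading byte
    "Visited: test@file:///C:/Documents%20and%20Settings/test/Desktop/winpmem-1.3.1.zip",
    "Visited: test@about:blank",
    "Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite",
    "Visited: admin@https://volatility.googlecode.com/files/winpmem-1.3.1.zip",  # hypothetical user
    "Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches",
    "__dllonexit",
]

# index.dat history records look like "Visited: <user>@<url>"; search, don't anchor,
# so junk bytes that precede the record in the raw dump do not hide it.
VISITED_RE = re.compile(r"Visited: (?P<user>[^@\s]+)@(?P<url>\S+)")


def grep_visited(lines, user=None):
    """Return (user, url) pairs for every 'Visited:' record, optionally for one user."""
    hits = []
    for line in lines:
        m = VISITED_RE.search(line)
        if not m:
            continue
        if user is not None and m.group("user") != user:
            continue
        hits.append((m.group("user"), m.group("url")))
    return hits


def summarize_urls(records):
    """Group URLs by scheme and host: scheme -> Counter(host -> count).
    file:, about: and similar records have no host and are bucketed as '(no host)'."""
    summary = {}
    for _user, url in records:
        parts = urlsplit(url)
        host = parts.netloc or "(no host)"
        summary.setdefault(parts.scheme, Counter())[host] += 1
    return summary


def search_terms(records):
    """Extract the q= parameter from search-engine URLs; it states intent directly."""
    terms = []
    for _user, url in records:
        terms.extend(parse_qs(urlsplit(url).query).get("q", []))
    return terms


if __name__ == "__main__":
    recs = grep_visited(SAMPLE_STRINGS)
    for scheme, hosts in summarize_urls(recs).items():
        print(scheme, dict(hosts))
    print("search terms:", search_terms(recs))
```

The notebook itself runs Volatility 2.3 under Python 2; this helper only consumes the captured text, so it runs wherever the `strings` listing is saved.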
Searching for data in sockets

In [23]: sockets_list = !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets

In [25]: for item in sockets_list[3:]:
             item = item.split()
             if "172.16.181.73" in item:
                 print item[5], item[6], item[7]

172.16.181.73 2013-02-25 01:32:26
172.16.181.73 2013-02-25 01:32:26
172.16.181.73 2013-02-25 01:32:26
172.16.181.73 2013-02-25 01:32:26
172.16.181.73 2013-02-25 01:32:26

  • 12.

In [26]: sockets_list

Out[26]: [Volatile Systems Volatility Framework 2.3_alpha,
 Offset(V) PID Port Proto Protocol Address Create Time,
 ---------- ----- ----- ------ --------- --------------- -----------,
 ... (28 socket rows; those recoverable from the garbled transcript are PID 4 with 137/UDP, 138/UDP and 139/TCP on 172.16.181.73 and 445/TCP and 445/UDP on 0.0.0.0, PID 1120 with 123/UDP on 172.16.181.73 and 127.0.0.1, PID 688 with 500/UDP and a port 0 proto 255 Reserved entry on 0.0.0.0, and PID 1216 with 1900/UDP on 172.16.181.73 and 127.0.0.1; the five 172.16.181.73 rows are the ones printed by In [25] above)]

. . .

Malfind plugin

In [27]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem malfind

Volatile Systems Volatility Framework 2.3_alpha
Process: csrss.exe Pid: 608 Address: 0x7f6f0000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

(hex dump of the first 64 bytes at 0x7f6f0000 omitted; it is not recoverable from the transcript)

0x7f6f0000 c8000000         ENTER 0x0, 0x0
0x7f6f0004 9c               PUSHF
0x7f6f0005 0100             ADD [EAX], EAX
0x7f6f0007 00ff             ADD BH, BH
0x7f6f0009 ee               OUT DX, AL
0x7f6f000a ff               DB 0xff
0x7f6f000b ee               OUT DX, AL
0x7f6f000c 087000           OR [EAX+0x0], DH
0x7f6f000f 0008             ADD [EAX], CL
0x7f6f0011 0000             ADD [EAX], AL
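The In [25] cell above filters the `sockets` table with `item.split()` and fixed column indexes, which works but leaves every other question (which process owns which port, what is outside the expected baseline) to the reader. The block below is an added example (my code, not the notebook's or Volatility's) that parses the Volatility 2.3 `sockets` text layout into records, re-joins the three-field create time, filters by address the way the notebook does, maps ports per PID, and flags sockets outside a known-good baseline. The table is a constructed sample laid out like the notebook's output: the offsets, the PID 1310 row on port 8888 and the baseline set are assumptions, not values from the dump.

```python
from collections import defaultdict

# Constructed sample in the Volatility 2.3 `sockets` output layout (not the page's real dump).
SAMPLE_SOCKETS = """\
Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  PID   Port  Proto  Protocol  Address         Create Time
---------- ----- ----- ------ --------- --------------- -----------
0x89ba6c38     4   137     17 UDP       172.16.181.73   2013-02-25 01:32:26 UTC+0000
0x8912be18     4   138     17 UDP       172.16.181.73   2013-02-25 01:32:26 UTC+0000
0x8947a220     4   139      6 TCP       172.16.181.73   2013-02-25 01:32:26 UTC+0000
0x8907b320     4   445      6 TCP       0.0.0.0         2013-02-20 21:52:20 UTC+0000
0x89de08e9  1120   123     17 UDP       172.16.181.73   2013-02-25 01:32:26 UTC+0000
0x8880c8c0  1120   123     17 UDP       127.0.0.1       2013-02-25 01:32:26 UTC+0000
0x89980a80   688   500     17 UDP       0.0.0.0         2013-02-20 21:52:24 UTC+0000
0x89685920   688     0    255 Reserved  0.0.0.0         2013-02-20 21:52:24 UTC+0000
0x8afd0d7c  1216  1900     17 UDP       172.16.181.73   2013-02-25 01:32:26 UTC+0000
0x8a9a5083  1310  8888      6 TCP       0.0.0.0         2013-02-25 18:12:13 UTC+0000
"""


def parse_sockets(text):
    """Turn the text table into dicts. The banner, header and dashed rule are skipped
    because they do not start with a 0x offset; each row is split on whitespace and
    the create time (date, time, zone) is re-joined from fields 6..8."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith("0x"):
            continue
        rows.append({
            "offset": int(fields[0], 16),
            "pid": int(fields[1]),
            "port": int(fields[2]),
            "proto": int(fields[3]),
            "protocol": fields[4],
            "address": fields[5],
            "created": " ".join(fields[6:9]),
        })
    return rows


def sockets_for_address(rows, address):
    """Same filter as the notebook cell, on parsed records instead of raw tokens."""
    return [r for r in rows if r["address"] == address]


def ports_by_pid(rows):
    """PID -> sorted list of (protocol, port), so each process's footprint is visible."""
    out = defaultdict(set)
    for r in rows:
        out[r["pid"]].add((r["protocol"], r["port"]))
    return {pid: sorted(s) for pid, s in out.items()}


def unexpected_listeners(rows, baseline):
    """Rows whose (protocol, port) is absent from a known-good baseline set.
    The baseline is supplied by the analyst; the one used in the test is an assumption."""
    return [r for r in rows if (r["protocol"], r["port"]) not in baseline]


if __name__ == "__main__":
    rows = parse_sockets(SAMPLE_SOCKETS)
    for r in sockets_for_address(rows, "172.16.181.73"):
        print(r["address"], r["created"])
    print(ports_by_pid(rows))
```

Parsing on the 0x prefix rather than on `sockets_list[3:]` also survives a different banner length, which is what breaks the fixed-offset slice when a warning line is printed before the table.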
  • 13.

0x7f6f0013 0000             ADD [EAX], AL

. . .

Extracting dlls for process ID 1120

In [51]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem dlldump -p 1120 --dump-dir /root/Desktop/asdf

Volatile Systems Volatility Framework 2.3_alpha
Process(V) Name        Module Base Module Name  Result
---------- ----------- ----------- ------------ ------
(every row is for svchost.exe, PID 1120, with Result "OK: module.1120.<offset>.<base>.dll"; the module names recoverable from the transcript, in order, are svchost.exe, ntdll.dll, certcli.dll, WMI.dll, SHLWAPI.dll, Secur32.dll, VERSION.dll, xpsp2res.dll, comctl32.dll, mswsock.dll, WSOCK32.dll, NETRAP.dll, wbemcomn.dll, TAPI32.dll, WLDAP32.dll, POWRPROF.dll, netman.dll and WINSPOOL.DRV)

. . .

Extracting executables from memory

In [52]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem procexedump --dump-dir /root/Desktop/asdf

Volatile Systems Volatility Framework 2.3_alpha
Process(V) ImageBase  Name        Result
---------- ---------- ----------- ------
(one row per process, each with Result "OK: executable.<pid>.exe" unless noted: System (Error: PEB at 0x0 is paged), smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, vmacthlp.exe, five svchost.exe instances including PID 1120, spoolsv.exe,

  • 14.

svchost.exe, vmtoolsd.exe, TPAutoConnSvc.exe, alg.exe, explorer.exe, rundll32.exe, vmtoolsd.exe, TPAutoConnect.exe, wscntfy.exe, wuauclt.exe, five chrome.exe instances, cmd.exe (Error: ImageBaseAddress at 0x4ad00000 is paged), chrome.exe and FTK Imager.exe)

. . .

netstat -an history found in cmd.exe sessions

In [28]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem consoles

Volatile Systems Volatility Framework 2.3_alpha
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e230b CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
Title: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
AttachedProcess: TPAutoConnect. Pid: 1032 Handle: 0x5f8
----
CommandHistory: 0xf986f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5f8
----
Screen 0x4ea20b X:80 Y:25
Dump:
ThinPrint AutoConnect component, Copyright (c) 1999-2012 Cortado AG, 8.8.734.1
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e680d CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
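The `consoles` output above is a sequence of console blocks separated by a line of asterisks, each with key/value lines, one or more CommandHistory sections and a screen dump; the notebook's heading says the cmd.exe history contained `netstat -an`, but the transcript ends before that console is shown. The block below is an added example (my code, not the notebook's or Volatility's) that parses this layout into one record per console, attributes each command to the application that owns the history, and returns the commands typed into a given program. The sample text is constructed: the first console copies the values visible on the page, while the second console (cmd.exe, PID 1716, handle 0x618, its commands and addresses) is invented to show the `Cmd #N @ 0x...: text` lines that Volatility prints for a populated history.

```python
import re

# Constructed sample in the layout of Volatility 2.3 `consoles` output (not the page's dump).
# The second console and all of its values are assumed for the example.
SAMPLE_CONSOLES = r"""Volatile Systems Volatility Framework 2.3_alpha
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e230b CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
Title: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
AttachedProcess: TPAutoConnect. Pid: 1032 Handle: 0x5f8
----
CommandHistory: 0xf986f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5f8
----
Screen 0x4ea20b X:80 Y:25
Dump:
ThinPrint AutoConnect component, Copyright (c) 1999-2012 Cortado AG, 8.8.734.1
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e680d CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: C:\WINDOWS\system32\cmd.exe
Title: C:\WINDOWS\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1716 Handle: 0x618
----
CommandHistory: 0x4e6ea8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x618
Cmd #0 @ 0x4e7390: netstat -an
Cmd #1 @ 0x4e73c0: ipconfig /all
----
Screen 0x4e9a90 X:80 Y:300
Dump:
Microsoft Windows XP [Version 5.1.2600]
"""

CONSOLE_RE = re.compile(r"^ConsoleProcess: (\S+) Pid: (\d+)$")
ATTACHED_RE = re.compile(r"^AttachedProcess: (.+?) Pid: (\d+) Handle: (0x[0-9a-fA-F]+)$")
HISTORY_RE = re.compile(r"^CommandHistory: (0x[0-9a-fA-F]+) Application: (\S+)")
CMD_RE = re.compile(r"^Cmd #(\d+) @ (0x[0-9a-fA-F]+): (.*)$")


def parse_consoles(text):
    """One dict per console: csrss_pid, title, attached [(name, pid)],
    commands [(application, index, text)] and the screen dump lines after 'Dump:'."""
    consoles, cur, app, in_dump = [], None, None, False
    for line in text.splitlines():
        if line and set(line) == {"*"}:            # separator starts a new console
            if cur is not None and "csrss_pid" in cur:
                consoles.append(cur)
            cur, app, in_dump = {"attached": [], "commands": [], "screen": []}, None, False
            continue
        if cur is None:                            # banner before the first console
            continue
        if in_dump:                                # everything after Dump: is screen text
            cur["screen"].append(line)
        elif line == "Dump:":
            in_dump = True
        elif (m := CONSOLE_RE.match(line)):
            cur["csrss_pid"] = int(m.group(2))
        elif line.startswith("Title: "):
            cur["title"] = line[len("Title: "):]
        elif (m := ATTACHED_RE.match(line)):
            cur["attached"].append((m.group(1), int(m.group(2))))
        elif (m := HISTORY_RE.match(line)):
            app = m.group(2)                       # owner of the Cmd lines that follow
        elif (m := CMD_RE.match(line)):
            cur["commands"].append((app, int(m.group(1)), m.group(3)))
    if cur is not None and "csrss_pid" in cur:
        consoles.append(cur)
    return consoles


def commands_for(consoles, application):
    """All commands typed into histories owned by `application`, in recorded order."""
    return [t for c in consoles for a, _i, t in c["commands"] if a == application]


if __name__ == "__main__":
    for c in parse_consoles(SAMPLE_CONSOLES):
        print(c.get("title"), c["attached"], [t for _a, _i, t in c["commands"]])
```

Keeping the owning application with each command matters when several processes share a console (the page's first console shows TPAutoConnect attached to a TPAutoConnSvc window): the history belongs to the program that ran, not to the window title.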