Re: [Vol-users] zeusscan2

Michael; Interesting: $ python vol.py --plugins=contrib/plugins/malware zeusscan2 -f ~/Images/CA005040-HP8460/CA005040-HP8460-RAM.dd4.001 --profile=Win7SP1x86 -p 2928 Volatility Foundation Volatility Framework 2.3.1 [a05p8zz@W0147206 volatility-2.3.1]$ Ends relatively quickly with no output. Looking at 'strings' for the malfind output relate to this process, I see all of the things I have come to know and love about Zeus: 00008A40 tellerplus 00008A58 bancline 00008A6C fidelity 00008A80 micrsolv 00008A94 bankman 00008AA4 vantiv 00008AB4 episys 00008AC4 jack henry 00008ADC cruisenet 00008AF0 gplusmain 00008B04 launchpadshell.exe 00008B2C dirclt32.exe 00008B48 wtng.exe 00008B5C prologue.exe 00008B78 silverlake 00008B90 pcsws.exe 00008BA4 v48d0250s1 00008BBC fdmaster.exe 00008BD8 fastdoc And our FireEye infrastructure is screaming Zeus as well. Thoughts? -=[ Steve ]=- too much data into memory at once. Can you do the following for me, please: know Zeus injects explorer, so this will let us focus on just one process first) and send me the output (offlist is fine) vadinfo across all processes (just vol.py vadinfo > results.txt) and send me that instead.