How can I see network log history of a specific executable (malware in this case)

2

2

I've detected that my Windows 10 PC has been infected with qorigjsr.exe malware. I'm pretty sure it was after I inserted my less computer-savvy friend's USB stick into my PC. I deleted it immediately, but when I checked "App History" in Task Manager it seems like it was running for 7 seconds and had network usage of 8.9MB.


So my question is - how can I see more details of this network usage, e.g. when it was running, how much of that usage was upload and how much download, and where exactly it went (IP)?

BTW: Have you had any experience with this malware? Do you maybe know what exactly it does?

Dominik Serafin

Posted 2017-01-20T10:16:21.660

Reputation: 121

2

You can't retroactively view that data. As it is a random name that doesn't really identify the malware itself, you would have to have a closer look, possibly uploading it to a service like VirusTotal if your own AV didn't report any more information about it.

– Seth – 2017-01-20T10:19:09.667

@Seth thanks for the reply - but what do you mean by "retroactively view that data"? – Dominik Serafin – 2017-01-20T10:25:40.243

There is no default recording of such information, and as the program already ran and did its thing, you can't retroactively view that data because it doesn't really exist. What you could do is identify the actual malware (if you still have that exe file) in order to get a grasp on what it actually did. It's likely that it tried to download a payload in order to gain further rights or to do some form of damage (e.g. ransomware). – Seth – 2017-01-20T10:31:33.727

Answers

0

While it is too late to find out about the network communication that has occurred in the past, you can certainly take action to make sure you log the connection should it happen in the future. And my experience with malware tells me it will happen in the future.

Your problem, i.e. detecting and terminating network connections made by malicious software, is exactly what gave birth to a genre of computer software called the Personal Firewall.

If you install a personal firewall like Comodo Internet Security (freemium), GlassWire (freemium), ZoneAlarm (freemium) or ESET Internet Security (commercial), you gain the ability to view and control not just this particular malware, but any and every program that tries to establish a connection from your computer to the world outside. Network-connecting malware becomes a problem of the past.

Now, some people might come here and tell you that you can do all this with Windows itself. That would be partly true: what these third-party apps give you is comfort and an unprecedented degree of control.

user477799

Posted 2017-01-20T10:16:21.660

Reputation:

Nice, but this doesn't actually answer the question. – DavidPostill – 2017-01-20T12:27:26.267

@DavidPostill The question is "How can I see network log history of a specific executable"? The answer is: "The aforementioned apps allow you to do so". – None – 2017-01-20T13:09:17.803

Well, the free version of Comodo doesn't log network traffic. – DavidPostill – 2017-01-20T13:13:10.740

@DavidPostill Yes, it does. To do so, you must open Advanced Settings, Firewall, Application Rules and modify the rules so that their checkbox "Log as firewall event if this rule is fired" is checked. It is possible to do this in bulk by editing Global Rules. – None – 2017-01-20T13:16:22.150

So? That still doesn't allow the OP to "retroactively view the data". – DavidPostill – 2017-01-20T13:17:50.653

@DavidPostill This is an answer website, not a magic website. He needs a time machine. However, reading his question, I concluded that the OP needs insight instead of a time machine. Those security apps give him insight. Plus, we are preserving our answers for the future generations. It is best to be practical instead of pedantic. – None – 2017-01-20T13:21:09.160

That's all very well, but your answer doesn't answer the question, so your answer is of no use to anybody. – DavidPostill – 2017-01-20T13:35:58.657

@DavidPostill Then flag it as "Not an answer", I dare you. Of course, my answer is faithful to the purpose of this site. – None – 2017-01-20T13:42:02.683

Why are you so hostile? It seems like a simple task to improve this answer: if the author is asking "can I determine the network usage a process was using without logging being enabled", the answer to that specific question is of course simply "no, it isn't possible". Flagging this answer as "not an answer" wouldn't be the correct procedure; David knows that. That does not change the fact that this answer, in its current form, does not answer the author's question. – Ramhound – 2017-01-20T15:58:30.907

0

Perhaps this batch script, which displays the DNS cache, can give you more information:

@echo off
rem Dump the DNS client resolver cache to a file and open it in the default editor
ipconfig /DisplayDNS > CacheDNS.txt
Start "" CacheDNS.txt

Hackoo

Posted 2017-01-20T10:16:21.660

Reputation: 589
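Reading the raw dump by eye gets tedious, so here is an added example (not part of Hackoo's script) that parses `ipconfig /displaydns` text into structured entries, including negative ("Name does not exist.") entries and names that resolve through a CNAME to an address. The sample text is constructed for the example, not captured from the poster's machine.

```python
import re
# Constructed sample of `ipconfig /displaydns` output (not captured from the poster's
# PC): an A record, a CNAME plus its target's A record, and a negative (NXDOMAIN) entry.
SAMPLE = """\
    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    A (Host) Record . . . : 93.184.216.34

    www.example.net
    ----------------------------------------
    Record Name . . . . . : www.example.net
    CNAME Record  . . . . : example.net
    Record Name . . . . . : example.net
    A (Host) Record . . . : 198.51.100.7

    missing.invalid
    ----------------------------------------
    Name does not exist.
"""
# "Label . . . : value" lines; the label is words/parentheses padded out with dots.
FIELD = re.compile(r"^\s+([A-Za-z()]+(?: [A-Za-z()]+)*)[ .]*:\s*(.*)$")
DATA_LABELS = {"A (Host) Record": "A", "AAAA Record": "AAAA", "CNAME Record": "CNAME", "PTR Record": "PTR"}

def parse_displaydns(text):
    """Return [{"name", "records": [{"name", "type", "data"}], "negative"}, ...]."""
    entries, current, previous = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:  # separator: the line above it is the queried name
            current = {"name": previous, "records": [], "negative": False}
            entries.append(current)
        elif current is not None and line == "Name does not exist.":
            current["negative"] = True  # negative answers are cached too
        elif current is not None and (m := FIELD.match(raw)):
            label, value = m.group(1), m.group(2).strip()
            if label == "Record Name":  # one entry may hold several records
                current["records"].append({"name": value, "type": None, "data": None})
            elif label in DATA_LABELS and current["records"]:
                current["records"][-1].update(type=DATA_LABELS[label], data=value)
        previous = line
    return entries

def resolved_addresses(entries):
    """Map each queried name to the IPs the resolver returned; negative entries are skipped."""
    return {e["name"]: [r["data"] for r in e["records"] if r["type"] in ("A", "AAAA")]
            for e in entries if not e["negative"]}
```

Keep in mind that this cache only holds names resolved recently (entries expire with their TTL and are lost on reboot or `ipconfig /flushdns`) and records nothing about which process asked for them, so it can at best hint at where the executable connected, not prove it.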