popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for file.txt (PID 2608, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: screenshot

  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)

Match: keylogger

  • R2V0S2V5U3RhdGU= (GetKeyState)
  • VVNFUjMyLmRsbA== (USER32.dll)

Match: win_registry

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)

Match: win_token

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Process memory dump for file.txt (PID 3028, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: network_tcp_listen

  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NPQ0szMi5ETEw= (WSOCK32.DLL)
  • YmluZA== (bind)
  • bGlzdGVu (listen)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • V0lOSU5FVC5ETEw= (WININET.DLL)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • VVJMTU9OLkRMTA== (URLMON.DLL)

Match: network_tcp_socket

  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NPQ0szMi5ETEw= (WSOCK32.DLL)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)

Match: network_dns

  • V1NPQ0szMi5ETEw= (WSOCK32.DLL)
  • Z2V0YWRkcmluZm8= (getaddrinfo)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuRExM (GDI32.DLL)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • RmluZENsb3Nl (FindClose)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)

Match: Str_Win32_Winsock2_Library

  • V1NPQ0szMi5ETEw= (WSOCK32.DLL)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5ETEw= (WININET.DLL)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)