procMemory | ZeroBOX

Process memory dump for tj85xg1cs.exe (PID 532, dump 1)

Extracted/injected images (may contain unpacked executables)


Yara signature matches on process memory

Match: Network_DNS

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)


Process memory dump for ujunkwerex.exe (PID 2488, dump 1)

Extracted/injected images (may contain unpacked executables)


Yara signature matches on process memory

Match: Network_DNS

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)


Process memory dump for tj85xg1cs.exe (PID 5572, dump 1)

Extracted/injected images (may contain unpacked executables)


Yara signature matches on process memory

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Qemu_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • UQBFAE0AVQA= (QEMU)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)

Match: Check_Qemu_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SWRlbnRpZmllcg== (Identifier)
  • UQBFAE0AVQA= (QEMU)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)

Match: Check_VBox_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)
  • VgBCAE8AWAA= (VBOX)
  • VgBCAG8AeAA= (VBox)

Match: Check_VBox_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBCAE8AWAA= (VBOX)
  • VgBCAG8AeAA= (VBox)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)

Match: Check_VBox_Guest_Additions

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)

Match: Check_VBox_VideoDrivers

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • VgBJAFIAVABVAEEATABCAE8AWAA= (VIRTUALBOX)
  • VgBpAGQAZQBvAEIAaQBvAHMAVgBlAHIAcwBpAG8AbgA= (VideoBiosVersion)
  • VgBpAHIAdAB1AGEAbABCAG8AeAA= (VirtualBox)

Match: Check_VMWare_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBNAFcAQQBSAEUA (VMWARE)
  • VgBNAHcAYQByAGUA (VMware)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)
  • dgBtAHcAYQByAGUA (vmware)

Match: Check_VmTools

  • UwBPAEYAVABXAEEAUgBFAFwAVgBNAHcAYQByAGUALAAgAEkAbgBjAC4AXABWAE0AdwBhAHIAZQAgAFQAbwBvAGwAcwA= (SOFTWARE\VMware, Inc.\VMware Tools)

Match: WMI_VM_Detect

  • UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAFcAaQBuADMAMgBfAFYAaQBkAGUAbwBDAG8AbgB0AHIAbwBsAGwAZQByAA== (SELECT * FROM Win32_VideoController)
  • VgBNACAAQQBkAGQAaQB0AGkAbwBuAHMAIABTADMAIABUAHIAaQBvADMAMgAvADYANAA= (VM Additions S3 Trio32/64)
  • VgBNAHcAYQByAGUAIABTAFYARwBBACAASQBJAA== (VMware SVGA II)
  • VgBpAHIAdAB1AGEAbABCAG8AeAAgAEcAcgBhAHAAaABpAGMAcwAgAEEAZABhAHAAdABlAHIA (VirtualBox Graphics Adapter)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: vmdetect_misc

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)
  • UwBZAFMAVABFAE0AXABDAG8AbgB0AHIAbwBsAFMAZQB0ADAAMAAxAFwAUwBlAHIAdgBpAGMAZQBzAFwARABpAHMAawBcAEUAbgB1AG0A (SYSTEM\ControlSet001\Services\Disk\Enum)
  • VgBCAG8AeABNAG8AdQBzAGUA (VBoxMouse)
  • aABnAGYAcwAuAHMAeQBzAA== (hgfs.sys)
  • dgBtAG0AbwB1AHMAZQA= (vmmouse)
  • dgBtAG0AbwB1AHMAZQAuAHMAeQBzAA== (vmmouse.sys)
  • dgBtAGgAZwBmAHMALgBzAHkAcwA= (vmhgfs.sys)
  • dgBtAHcAYQByAGUA (vmware)
  • dwBpAG4AZQBfAGcAZQB0AF8AdQBuAGkAeABfAGYAaQBsAGUAXwBuAGEAbQBlAA== (wine_get_unix_file_name)


Process memory dump for ujunkwerex.exe (PID 7204, dump 1)

Extracted/injected images (may contain unpacked executables)


Yara signature matches on process memory

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Qemu_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • UQBFAE0AVQA= (QEMU)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)

Match: Check_Qemu_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SWRlbnRpZmllcg== (Identifier)
  • UQBFAE0AVQA= (QEMU)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)

Match: Check_VBox_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)
  • VgBCAE8AWAA= (VBOX)
  • VgBCAG8AeAA= (VBox)

Match: Check_VBox_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBCAE8AWAA= (VBOX)
  • VgBCAG8AeAA= (VBox)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)

Match: Check_VBox_Guest_Additions

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)

Match: Check_VBox_VideoDrivers

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • VgBJAFIAVABVAEEATABCAE8AWAA= (VIRTUALBOX)
  • VgBpAGQAZQBvAEIAaQBvAHMAVgBlAHIAcwBpAG8AbgA= (VideoBiosVersion)
  • VgBpAHIAdAB1AGEAbABCAG8AeAA= (VirtualBox)

Match: Check_VMWare_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBNAFcAQQBSAEUA (VMWARE)
  • VgBNAHcAYQByAGUA (VMware)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)
  • dgBtAHcAYQByAGUA (vmware)

Match: Check_VmTools

  • UwBPAEYAVABXAEEAUgBFAFwAVgBNAHcAYQByAGUALAAgAEkAbgBjAC4AXABWAE0AdwBhAHIAZQAgAFQAbwBvAGwAcwA= (SOFTWARE\VMware, Inc.\VMware Tools)

Match: WMI_VM_Detect

  • UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAFcAaQBuADMAMgBfAFYAaQBkAGUAbwBDAG8AbgB0AHIAbwBsAGwAZQByAA== (SELECT * FROM Win32_VideoController)
  • VgBNACAAQQBkAGQAaQB0AGkAbwBuAHMAIABTADMAIABUAHIAaQBvADMAMgAvADYANAA= (VM Additions S3 Trio32/64)
  • VgBNAHcAYQByAGUAIABTAFYARwBBACAASQBJAA== (VMware SVGA II)
  • VgBpAHIAdAB1AGEAbABCAG8AeAAgAEcAcgBhAHAAaABpAGMAcwAgAEEAZABhAHAAdABlAHIA (VirtualBox Graphics Adapter)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: vmdetect_misc

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)
  • UwBZAFMAVABFAE0AXABDAG8AbgB0AHIAbwBsAFMAZQB0ADAAMAAxAFwAUwBlAHIAdgBpAGMAZQBzAFwARABpAHMAawBcAEUAbgB1AG0A (SYSTEM\ControlSet001\Services\Disk\Enum)
  • VgBCAG8AeABNAG8AdQBzAGUA (VBoxMouse)
  • aABnAGYAcwAuAHMAeQBzAA== (hgfs.sys)
  • dgBtAG0AbwB1AHMAZQA= (vmmouse)
  • dgBtAG0AbwB1AHMAZQAuAHMAeQBzAA== (vmmouse.sys)
  • dgBtAGgAZwBmAHMALgBzAHkAcwA= (vmhgfs.sys)
  • dgBtAHcAYQByAGUA (vmware)
  • dwBpAG4AZQBfAGcAZQB0AF8AdQBuAGkAeABfAGYAaQBsAGUAXwBuAGEAbQBlAA== (wine_get_unix_file_name)