popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for vbc.exe (PID 584, dump 1)

Yara signatures matches on process memory

Match: ScreenShot

  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Process memory dump for vbc.exe (PID 2260, dump 1)

Yara signatures matches on process memory

Match: infoStealer_emailClients_Zero

  • SW5jcmVkaU1haWxcSWRlbnRpdGllcw== (IncrediMail\Identities)
  • UXVhbGNvbW1cRXVkb3JhXENvbW1hbmRMaW5l (Qualcomm\Eudora\CommandLine)

Match: ScreenShot

  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • U29mdHdhcmVcTWljcm9zb2Z0XEludGVybmV0IEFjY291bnQgTWFuYWdlcg== (Software\Microsoft\Internet Account Manager)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

URLs found in process memory 
    http://www.nirsoft.net/

Process memory dump for 6789568764240821.exe (PID 2936, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Network_DNS

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • U3lzdGVtLk5ldA== (System.Net)

Match: Network_SMTP_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: Virtual_currency_Zero

  • Qml0Y29pbg== (Bitcoin)

Match: KeyLogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Code_injection

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: infoStealer_emailClients_Zero

  • SW5jcmVkaU1haWxcSWRlbnRpdGllcw== (IncrediMail\Identities)
  • UXVhbGNvbW1cRXVkb3JhXENvbW1hbmRMaW5l (Qualcomm\Eudora\CommandLine)

Match: ScreenShot

  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • U29mdHdhcmVcTWljcm9zb2Z0XEludGVybmV0IEFjY291bnQgTWFuYWdlcg== (Software\Microsoft\Internet Account Manager)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)

URLs found in process memory 
    http://www.usertrust.com1
    http://ocsp.comodoca.com0
    http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
    https://secure.comodo.net/CPS0A
    http://crl.usertrust.com/UTN-USERFirst-Object.crl05
    http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
    http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
    http://www.nirsoft.net/
    http://crl.usertrust.com/AddTrustExternalCARoot.crl05
    http://ocsp.usertrust.com0
    http://crt.comodoca.com/COMODOCodeSigningCA2.crt0