popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for 8194_1636301703_9028.exe (PID 2512, dump 1)

Yara signatures matches on process memory

Match: Win32_PWS_Loki_Zero

  • TQBhAHIAdABpAG4AIABQAHIAaQBrAHIAeQBsAA== (Martin Prikryl)

Match: Win_Trojan_agentTesla_Zero

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • QnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YQ== (BraveSoftware\Brave-Browser\User Data)
  • R2V0RW52aXJvbm1lbnRWYXJpYWJsZQ== (GetEnvironmentVariable)
  • RmlyZWZveFxwcm9maWxlcy5pbmk= (Firefox\profiles.ini)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: Code_injection

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: infoStealer_browser_Zero

  • QnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YQ== (BraveSoftware\Brave-Browser\User Data)
  • RmlyZWZveFxwcm9maWxlcy5pbmk= (Firefox\profiles.ini)