procMemory | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

procMemory | ZeroBOX

Process memory dump for FineC0de.exe (PID 2444, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2

Yara signatures matches on process memory

Match: Network_TCP_Socket

Y29ubmVjdA== (connect)
c29ja2V0 (socket)
d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Generic_PWS_Memory_Zero

UGFzc3dvcmQ= (Password)
cGFzc3dvcmQ= (password)

Match: Str_Win32_Http_API

SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: Network_Downloader

VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
VVJMRG93bmxvYWRUb0ZpbGVX (URLDownloadToFileW)
dXJsbW9uLmRsbA== (urlmon.dll)

Match: DebuggerCheck__GlobalFlags

TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
S0VSTkVMMzIuZGxs (KERNEL32.dll)
SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: ScreenShot

Qml0Qmx0 (BitBlt)
R2RpMzIuZGxs (Gdi32.dll)
R2V0REM= (GetDC)
dXNlcjMyLmRsbA== (user32.dll)