popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for Ozgkdiw.exe (PID 2072, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Escalate_priviledges

  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: schtasks_Zero

  • cwBjAGgAdABhAHMAawBzAA== (schtasks)

Match: Generic_PWS_Memory_Zero

  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: vmdetect

  • MDA1MDU2 (005056)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

URLs found in process memory 
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/RenewT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/IssueT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/CancelT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/CancelT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/ValidateT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinalw
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/RenewT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/IssueT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/CancelT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validateq
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/ValidateT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RenewT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/ValidateT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal

Process memory dump for wininit.exe (PID 3012, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Escalate_priviledges

  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: schtasks_Zero

  • cwBjAGgAdABhAHMAawBzAA== (schtasks)

Match: Generic_PWS_Memory_Zero

  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: vmdetect

  • MDA1MDU2 (005056)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

URLs found in process memory 
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/RenewT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/IssueT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/CancelT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/CancelT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/ValidateT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinalw
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/RenewT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/IssueT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/CancelT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validateq
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew
    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/ValidateT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RenewT
    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/ValidateT
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal