popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for AppLaunch.exe (PID 2676, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Generic_PWS_Memory_Zero

  • UGFzc3dvcmQ= (Password)

Match: RedLine_Stealer_m_Zero

  • Q2hyb21lR2V0Um9hbWluZ05hbWU= (ChromeGetRoamingName)
  • U2NhblBhc3N3b3Jkcw== (ScanPasswords)
  • Y2hyb21lS2V5 (chromeKey)
  • Z2V0X2VuY3J5cHRlZF9rZXk= (get_encrypted_key)
  • bG9naW5QYWlycw== (loginPairs)
  • c2V0X2VuY3J5cHRlZF9rZXk= (set_encrypted_key)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

URLs found in process memory 
    http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
    http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
    http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    http://www.microsoft.com/pkiops/docs/primarycps.htm0
    http://www.microsoft.com/PKI/docs/CPS/default.htm0
    http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
    http://www.microsoft.com0
    http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a