procMemory | ZeroBOX

Process memory dump for TiWorker.exe (PID 2632, dump 1)

Yara signatures matches on process memory

Match: Network_TCP_Socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Y29ubmVjdA== (connect)
  • c2VuZA== (send)

Match: Generic_PWS_Memory_Zero

  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: Network_DNS

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: Win32_PWS_Loki_m_Zero

  • JQBzAFwARgBhAHIAIABNAGEAbgBhAGcAZQByAFwAUAByAG8AZgBpAGwAZQBcAFAAbAB1AGcAaQBuAHMARABhAHQAYQBcADQAMgBFADQAQQBFAEIAMQAtAEEAMgAzADAALQA0ADQARgA0AC0AQgAzADMAQwAtAEYAMQA5ADUAQgBCADYANQA0ADkAMwAxAC4AZABiAA== (%s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db)
  • JQBzAFwARgBpAGwAZQBaAGkAbABsAGEAXAByAGUAYwBlAG4AdABzAGUAcgB2AGUAcgBzAC4AeABtAGwA (%s\FileZilla\recentservers.xml)
  • JQBzAFwATgBFAFQARwBBAFQARQAgAFQAZQBjAGgAbgBvAGwAbwBnAGkAZQBzAFwAQgBsAGEAYwBrAEgAYQB3AGsAXABQAHIAbwBmAGkAbABlAHMAXAAlAHMA (%s\NETGATE Technologies\BlackHawk\Profiles\%s)
  • JQBzAFwAUABvAHMAdABiAG8AeABcAFAAcgBvAGYAaQBsAGUAcwBcACUAcwA= (%s\Postbox\Profiles\%s)
  • JQBzAFwAVwBpAG4ARgB0AHAAIABDAGwAaQBlAG4AdABcAEYAYQB2AG8AcgBpAHQAZQBzAC4AZABhAHQA (%s\WinFtp Client\Favorites.dat)
  • JQBzAFwAbwBaAG8AbgBlADMARABcAE0AeQBGAFQAUABcAG0AeQBmAHQAcAAuAGkAbgBpAA== (%s\oZone3D\MyFTP\myftp.ini)
  • KgBTAGkAdABlAHMALgBkAGEAdAA= (*Sites.dat)
  • KgBxAHUAaQBjAGsALgBkAGEAdAA= (*quick.dat)
  • RgBpAGwAZQBaAGkAbABsAGEAXABGAGkAbABlAHoAaQBsAGwAYQAuAHgAbQBsAA== (FileZilla\Filezilla.xml)
  • RgBpAGwAZQBaAGkAbABsAGEAXABmAGkAbABlAHoAaQBsAGwAYQAuAHgAbQBsAA== (FileZilla\filezilla.xml)
  • TQBhAHIAdABpAG4AIABQAHIAaQBrAHIAeQBsAA== (Martin Prikryl)
  • U0VMRUNUIGVuY3J5cHRlZFVzZXJuYW1lLCBlbmNyeXB0ZWRQYXNzd29yZCwgZm9ybVN1Ym1pdFVSTCwgaG9zdG5hbWUgRlJPTSBtb3pfbG9naW5z (SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins)
  • UAB1AFQAVABZAFwAUwBlAHMAcwBpAG8AbgBzAA== (PuTTY\Sessions)
  • cwBDAHIAeQBwAHQAMwAyAC4AZABsAGwA (sCrypt32.dll)
  • dABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAEkAbgB0AGUAbABsAGkARgBvAHIAbQBzAFwAUwB0AG8AcgBhAGcAZQAyAA== (tSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2)


URLs found in process memory
    http://www.ibsensoftware.com/