popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for ctfmon.exe (PID 2192, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Network_TCP_Socket

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3NvY2szMi5kbGw= (wsock32.dll)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Escalate_priviledges

  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: Generic_PWS_Memory_Zero

  • UEFTU1dPUkQ= (PASSWORD)
  • UGFzc3dvcmQ= (Password)

Match: network_smtp_raw

  • TUFJTCBGUk9NOg== (MAIL FROM:)
  • UkNQVCBUTzo= (RCPT TO:)

Match: Network_SSL

  • SWRTU0xPcGVuU1NM (IdSSLOpenSSL)
  • bGliZWF5MzIuZGxs (libeay32.dll)
  • c3NsZWF5MzIuZGxs (ssleay32.dll)

Match: Network_DNS

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1NBQXN5bmNHZXRIb3N0QnlOYW1l (WSAAsyncGetHostByName)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d3NvY2szMi5kbGw= (wsock32.dll)

Match: Network_DynDns

  • LmFmcmFpZC5vcmc= (.afraid.org)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Persistence

  • U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu (SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  • U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu (Software\Microsoft\Windows\CurrentVersion\Run)

Match: KeyLogger

  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

URLs found in process memory 
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    http://freedns.afraid.org/api/?action=getdyndns
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll
    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk
    http://xred.site50.net/syn/SUpdate.ini
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk
    http://xred.site50.net/syn/Synaptics.rar