procMemory | ZeroBOX

Process memory dump for MSBuild.exe (PID 2804, dump 1)

Extracted/injected images (may contain unpacked executables)

Yara signature matches on process memory

Match: Client_SW_User_Data_Stealer

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • R2V0RW52aXJvbm1lbnRWYXJpYWJsZQ== (GetEnvironmentVariable)
  • RmlsZVppbGxhXHJlY2VudHNlcnZlcnMueG1s (FileZilla\recentservers.xml)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: infoStealer_ftpClients_Zero

  • RmlsZVppbGxhXHJlY2VudHNlcnZlcnMueG1s (FileZilla\recentservers.xml)

Match: Network_TCP_Socket

  • V1NPQ0szMi5kbGw= (WSOCK32.dll)
  • Y29ubmVjdA== (connect)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: Generic_PWS_Memory_Zero

  • UEFTU1dPUkQ= (PASSWORD)
  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)
  • cmVjZW50c2VydmVycy54bWw= (recentservers.xml)

Match: Network_HTTP

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • V0lOSU5FVC5ETEw= (WININET.DLL)

Match: Network_DNS

  • V1NPQ0szMi5kbGw= (WSOCK32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Code_injection

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Win32_PWS_Loki_m_Zero

  • TWFydGluIFByaWtyeWw= (Martin Prikryl)


URLs found in process memory