popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for cmd.exe (PID 1932, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Create_Service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: Network_TCP_Socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Network_DGA

  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Escalate_priviledges

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: Generic_PWS_Memory_Zero

  • UEFTU1dPUkQ= (PASSWORD)
  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: Sniff_Audio

  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: Network_HTTP

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Network_DNS

  • RG5zUXVlcnk= (DnsQuery)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Code_injection

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cABzAHQAbwByAGUAYwAuAGQAbABsAA== (pstorec.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_Downloader

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • VVJMRG93bmxvYWRUb0ZpbGVX (URLDownloadToFileW)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Network_FTP

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: KeyLogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_P2P_Win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Process memory dump for cmd.exe (PID 2076, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Create_Service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: Network_TCP_Socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Network_DGA

  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Escalate_priviledges

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: Generic_PWS_Memory_Zero

  • UEFTU1dPUkQ= (PASSWORD)
  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: Sniff_Audio

  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: Network_HTTP

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Network_DNS

  • RG5zUXVlcnk= (DnsQuery)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Code_injection

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_Downloader

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • VVJMRG93bmxvYWRUb0ZpbGVX (URLDownloadToFileW)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Network_FTP

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: KeyLogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_P2P_Win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Process memory dump for cmd.exe (PID 2076, dump 2)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Create_Service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: Network_TCP_Socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Network_DGA

  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Escalate_priviledges

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: Generic_PWS_Memory_Zero

  • UEFTU1dPUkQ= (PASSWORD)
  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: Sniff_Audio

  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: Network_HTTP

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Network_DNS

  • RG5zUXVlcnk= (DnsQuery)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Code_injection

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_Downloader

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • VVJMRG93bmxvYWRUb0ZpbGVX (URLDownloadToFileW)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Network_FTP

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: KeyLogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_P2P_Win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Process memory dump for java.exe (PID 2844, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Create_Service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: Network_TCP_Socket

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NPQ0szMi5kbGw= (WSOCK32.dll)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Network_DGA

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Escalate_priviledges

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: Generic_PWS_Memory_Zero

  • UEFTU1dPUkQ= (PASSWORD)
  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: Sniff_Audio

  • V0lOTU0uZGxs (WINMM.dll)
  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: Network_HTTP

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Network_DNS

  • RE5TQVBJLmRsbA== (DNSAPI.dll)
  • RG5zUXVlcnk= (DnsQuery)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQXN5bmNHZXRIb3N0QnlOYW1l (WSAAsyncGetHostByName)
  • V1NPQ0szMi5kbGw= (WSOCK32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Code_injection

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • REJHSEVMUC5ETEw= (DBGHELP.DLL)
  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • REJHSEVMUC5ETEw= (DBGHELP.DLL)
  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_Downloader

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • VVJMRG93bmxvYWRUb0ZpbGVX (URLDownloadToFileW)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Persistence

  • U29mdHdhcmVcTWljcm9zb2Z0XEFjdGl2ZSBTZXR1cFxJbnN0YWxsZWQgQ29tcG9uZW50c1w= (Software\Microsoft\Active Setup\Installed Components\)

Match: Network_FTP

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: KeyLogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: Network_P2P_Win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

URLs found in process memory 
    http://commons.apache.org/lang/
    http://nekohtml.sourceforge.net/index.html
    http://bugreport.java.com/bugreport/crash.jsp
    http://www.apache.org/licenses/LICENSE-2.0
    http://commons.apache.org/cli/
    http://www.joda.org/joda-time/
    http://www.github.com/3breadt/dd-plist
    https://github.com/gradle/gradle/issues/2293t
    http://www.oracle.com/hotspot/jvm/vm/compiler/id
    http://xml.apache.org/commons/
    http://bndtools.org/
    http://www.apache.org/licenses/LICENSE-2.0.txt
    http://www.gradle.org
    https://dl.google.com/dl/android/maven2/
    http://commons.apache.org/proper/commons-codec/
    http://xerces.apache.org/xerces2-j/
    http://www.oracle.com/hotspot/jvm/
    http://commons.apache.org/collections/
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6325169.
    http://jatl.google.com
    https://repo.maven.apache.org/maven2/
    http://openjdk.java.net/jeps/220).
    http://www.saxproject.org/
    https://docs.gradle.org/%s/userguide/%s.html
    http://ant.apache.org/ivy/
    https://www.apache.org/licenses/LICENSE-2.0.txt
    http://bugreport.sun.com/bugreport/
    https://github.com/bndtools/bnd
    https://docs.gradle.org/%s/dsl/%s.html
    http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
    http://apache.org/licenses/LICENSE-2.0
    http://www.mozilla.org/rhino
    http://xml.apache.org/
    http://opensource.org/licenses/mit
    http://github.com/FasterXML/jackson
    https://github.com/google/gson
    http://www.beanshell.org/
    http://bnd.bndtools.org/
    http://www.oracle.com/hotspot/jvm/java/monitor/address
    https://github.com/FasterXML/jackson-core
    http://commons.apache.org/io/
    http://www.apache.org/
    http://asm.ow2.org
    https://gradle.com/scans/help/gradle-incompatible-plugin-version
    https://gradle.com/scans/help/gradle-cli
    https://help.gradle.org
    http://www.google.com/
    http://www.slf4j.org/codes.htmln
    http://www.slf4j.org/codes.html
    http://www.oracle.com/technetwork/java/javaseproducts/
    https://plugins.gradle.org/m2
    http://java.oracle.com/
    http://www.oracle.com/hotspot/jvm/vm/gc/id
    http://www.w3c.org/DOM/
    http://commons.apache.org/proper/commons-compress/