popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for WINWORD.EXE (PID 1016, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_tcp_listen

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • V0lOSU5FVC5ETEw= (WININET.DLL)
  • V0lOSU5FVC5kbGw= (WININET.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • V0lOSU5FVC5ETEw= (WININET.DLL)
  • V0lOSU5FVC5kbGw= (WININET.dll)

Match: network_tcp_socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)

Match: network_dns

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5ETEw= (WININET.DLL)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)

Match: escalate_priv

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuRExM (GDI32.DLL)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_file

  • ZGVza3RvcC5pbmk= (desktop.ini)

Match: rat_rdp

  • RW5hYmxlQWRtaW5UU1JlbW90ZQ== (EnableAdminTSRemote)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLmRsbA== (WS2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5ETEw= (WININET.DLL)
  • V0lOSU5FVC5kbGw= (WININET.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: anti_dbg

  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)

URLs found in process memory 
    http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
    http://schemas.openx
    http://purl.org/dc/elements/1.1/
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable
    http://ocsp.verisign.com0
    http://schemas.openxmlformats.org/package/2006/content-types
    http://schemas.xmlsoap.org/wsdl/soap/
    http://schemas.openxmlformats.org/presentationml/2006/3/main
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/image
    http://purl.org/dc/terms
    http://schemas.openxmlformats.org/officeDocument/2006/math
    http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/header
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings
    http://storage.msn.com/mydata/myspace/SpaceFolder/PhotoAlbums/My
    http://office.microsoft.com
    http://crl.verisign.com/ThawteTimestampingCA.crl0
    http://schemas.xmlsoap.org/wsdl/http/
    http://microsoft.com/wsdl/mime/textMatching/
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/footnotes
    http://schemas.xmlsoap.org/wsdl/mime/
    http://microsoft.com/webservices/SharePointPortalServer/BDCClientWS/Resolve
    http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    http://schemas.openxmlformats.org/wordprocessingml/2006/main
    http://www.microsoft.com0
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject
    http://schemas.xmlsoap.org/wsdl/
    http://schemas.xmlsoap.org/soap/envelope/
    http://schemas.openxmlformats.org/officeDocument/2006/relationships
    http://schemas.openxmlformats.org/drawingml/2006/3/diagram
    http://sc
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme
    http://schemas.xmlsoap.org/soap/encoding/
    http://crl.verisign.com/tss-ca.crl0
    http://schemas.openxmlformats.org/drawingml/2006/3/main
    http://purl.org/dc/elements/1.
    http://schemas.openxmlformats.org/drawingml/2006/3/spreadsheetDrawing
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/endnotes
    http://microsoft.com0
    http://schemas.openxmlformats.org/package/2006/relationships
    http://microsoft.com/webservices/SharePointPortalServer/BDCClientWS/
    http://www.typepad.com/t/api
    https://storage.msn.com/storageservice/MetaWeblog.rpc
    http://schemas.openxmlformats.org/drawingml/2006/main
    http://purl.org/dc/dcmitype/
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles
    http://purl.org/dc/terms/
    http://schemas.open
    http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    http://p
    http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    http://www.blogger.com/feeds/default/blogs