popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for None (PID 1908, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: network_tcp_listen

  • U3lzdGVtLk5ldA== (System.Net)
  • YmluZA== (bind)
  • bGlzdGVu (listen)

Match: win_files_operation

  • RmluZENsb3Nl (FindClose)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Process memory dump for ini.exe (PID 2200, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2

Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: network_tcp_listen

  • U3lzdGVtLk5ldA== (System.Net)
  • YmluZA== (bind)
  • bGlzdGVu (listen)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: keylogger

  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: win_files_operation

  • RmluZENsb3Nl (FindClose)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Process memory dump for ini.exe (PID 2200, dump 2)

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2

Yara signatures matches on process memory

Match: infoStealer_emailClients_Zero

  • QWVyb2ZveFxGb3htYWls (Aerofox\Foxmail)
  • Rm94bWFpbFxtYWls (Foxmail\mail)
  • SW5jcmVkaU1haWxcSWRlbnRpdGllcw== (IncrediMail\Identities)
  • T3BlcmEgTWFpbFxPcGVyYSBNYWlsXHdhbmQuZGF0 (Opera Mail\Opera Mail\wand.dat)
  • U29mdHdhcmVcUmltQXJ0c1xCMlxTZXR0aW5ncw== (Software\RimArts\B2\Settings)
  • UHJvZmlsZXNcT3V0bG9vaw== (Profiles\Outlook)
  • UXVhbGNvbW1cRXVkb3JhXENvbW1hbmRMaW5l (Qualcomm\Eudora\CommandLine)

Match: inject_thread

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_udp_sock

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • VWRwQ2xpZW50 (UdpClient)
  • c2VuZHRv (sendto)
  • c3lzdGVtLm5ldA== (system.net)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • QWNjZXB0RXg= (AcceptEx)
  • QWNjZXB0VGNwQ2xpZW50 (AcceptTcpClient)
  • R2V0QWNjZXB0RXhTb2NrYWRkcnM= (GetAcceptExSockaddrs)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQWNjZXB0 (WSAAccept)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • VGNwTGlzdGVuZXI= (TcpListener)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • c3lzdGVtLm5ldA== (system.net)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: network_p2p_win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_tcp_socket

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RE5TQVBJLmRsbA== (DNSAPI.dll)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQXN5bmNHZXRIb3N0QnlOYW1l (WSAAsyncGetHostByName)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: dyndns

  • U09GVFdBUkVcVml0YWx3ZXJrc1xEVUM= (SOFTWARE\Vitalwerks\DUC)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: sniff_audio

  • V0lOTU0uZGxs (WINMM.dll)
  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: cred_ff

  • a2V5My5kYg== (key3.db)
  • c2lnbm9ucy5zcWxpdGU= (signons.sqlite)
  • c2lnbm9uczMudHh0 (signons3.txt)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_file

  • ZGVza3RvcC5pbmk= (desktop.ini)

Match: spreading_share

  • TmV0U2hhcmVFbnVt (NetShareEnum)
  • TmV0U2hhcmVHZXRJbmZv (NetShareGetInfo)
  • bmV0YXBpMzIuZGxs (netapi32.dll)

Match: rat_vnc

  • dWx0cmF2bmMuaW5p (ultravnc.ini)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • TW92ZUZpbGVFeEE= (MoveFileExA)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: infoStealer_ftpClients_Zero

  • Q29yZUZUUFxzaXRlcy5pZHg= (CoreFTP\sites.idx)
  • RlRQIE5hdmlnYXRvclxGdHBsaXN0LnR4dA== (FTP Navigator\Ftplist.txt)
  • RlRQR2V0dGVyXHNlcnZlcnMueG1s (FTPGetter\servers.xml)
  • RlRQV2FyZVxDT1JFRlRQXFNpdGVz (FTPWare\COREFTP\Sites)
  • RmlsZVppbGxhXHJlY2VudHNlcnZlcnMueG1s (FileZilla\recentservers.xml)
  • Rmxhc2hGWFBcM3F1aWNrLmRhdA== (FlashFXP\3quick.dat)
  • SXBzd2l0Y2hcV1NfRlRQXFNpdGVzXHdzX2Z0cC5pbmk= (Ipswitch\WS_FTP\Sites\ws_ftp.ini)
  • U09GVFdBUkVcXE1hcnRpbiBQcmlrcnlsXFxXaW5TQ1AgMlxcU2Vzc2lvbnM= (SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions)
  • U21hcnRGVFBcQ2xpZW50IDIuMFxGYXZvcml0ZXNcUXVpY2sgQ29ubmVjdFwqLnhtbA== (SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml)
  • Y2Z0cFxGdHBsaXN0LnR4dA== (cftp\Ftplist.txt)

Match: Win_Trojan_agentTesla_Zero

  • Q29jQ29jXEJyb3dzZXJcVXNlciBEYXRh (CocCoc\Browser\User Data)
  • Q29tb2RvXERyYWdvblxVc2VyIERhdGE= (Comodo\Dragon\User Data)
  • Q29vd29uXENvb3dvblxVc2VyIERhdGE= (Coowon\Coowon\User Data)
  • Q29yZUZUUFxzaXRlcy5pZHg= (CoreFTP\sites.idx)
  • Q2F0YWxpbmFHcm91cFxDaXRyaW9cVXNlciBEYXRh (CatalinaGroup\Citrio\User Data)
  • Q2VudEJyb3dzZXJcVXNlciBEYXRh (CentBrowser\User Data)
  • Q2hlZG90XFVzZXIgRGF0YQ== (Chedot\User Data)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • QW1pZ29cVXNlciBEYXRh (Amigo\User Data)
  • QWVyb2ZveFxGb3htYWls (Aerofox\Foxmail)
  • QnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YQ== (BraveSoftware\Brave-Browser\User Data)
  • R2V0RW52aXJvbm1lbnRWYXJpYWJsZQ== (GetEnvironmentVariable)
  • RWxlbWVudHMgQnJvd3NlclxVc2VyIERhdGE= (Elements Browser\User Data)
  • RXBpYyBQcml2YWN5IEJyb3dzZXJcVXNlciBEYXRh (Epic Privacy Browser\User Data)
  • RlRQIE5hdmlnYXRvclxGdHBsaXN0LnR4dA== (FTP Navigator\Ftplist.txt)
  • RlRQR2V0dGVyXHNlcnZlcnMueG1s (FTPGetter\servers.xml)
  • RlRQV2FyZVxDT1JFRlRQXFNpdGVz (FTPWare\COREFTP\Sites)
  • Rm94bWFpbFxtYWls (Foxmail\mail)
  • RmlsZVppbGxhXHJlY2VudHNlcnZlcnMueG1s (FileZilla\recentservers.xml)
  • Rmxhc2hGWFBcM3F1aWNrLmRhdA== (FlashFXP\3quick.dat)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • S29tZXRhXFVzZXIgRGF0YQ== (Kometa\User Data)
  • SW5jcmVkaU1haWxcSWRlbnRpdGllcw== (IncrediMail\Identities)
  • SXBzd2l0Y2hcV1NfRlRQXFNpdGVzXHdzX2Z0cC5pbmk= (Ipswitch\WS_FTP\Sites\ws_ftp.ini)
  • SXJpZGl1bVxVc2VyIERhdGE= (Iridium\User Data)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • T3BlcmEgTWFpbFxPcGVyYSBNYWlsXHdhbmQuZGF0 (Opera Mail\Opera Mail\wand.dat)
  • T3BlcmEgU29mdHdhcmVcT3BlcmEgU3RhYmxl (Opera Software\Opera Stable)
  • T3JiaXR1bVxVc2VyIERhdGE= (Orbitum\User Data)
  • U09GVFdBUkVcXE1hcnRpbiBQcmlrcnlsXFxXaW5TQ1AgMlxcU2Vzc2lvbnM= (SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions)
  • U210cENsaWVudA== (SmtpClient)
  • U21hcnRGVFBcQ2xpZW50IDIuMFxGYXZvcml0ZXNcUXVpY2sgQ29ubmVjdFwqLnhtbA== (SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml)
  • U29mdHdhcmVcUmltQXJ0c1xCMlxTZXR0aW5ncw== (Software\RimArts\B2\Settings)
  • U2xlaXBuaXI1XHNldHRpbmdcbW9kdWxlc1xDaHJvbWl1bVZpZXdlcg== (Sleipnir5\setting\modules\ChromiumViewer)
  • U3B1dG5pa1xTcHV0bmlrXFVzZXIgRGF0YQ== (Sputnik\Sputnik\User Data)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)
  • UHJvZmlsZXNcT3V0bG9vaw== (Profiles\Outlook)
  • UUlQIFN1cmZcVXNlciBEYXRh (QIP Surf\User Data)
  • UXVhbGNvbW1cRXVkb3JhXENvbW1hbmRMaW5l (Qualcomm\Eudora\CommandLine)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VG9yY2hcVXNlciBEYXRh (Torch\User Data)
  • VGVuY2VudFxRUUJyb3dzZXJcVXNlciBEYXRh (Tencent\QQBrowser\User Data)
  • Vml2YWxkaVxVc2VyIERhdGE= (Vivaldi\User Data)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)
  • WWFuZGV4XFlhbmRleEJyb3dzZXJcVXNlciBEYXRh (Yandex\YandexBrowser\User Data)
  • XDdTdGFyXFVzZXIgRGF0YQ== (\7Star\User Data)
  • Y2Z0cFxGdHBsaXN0LnR4dA== (cftp\Ftplist.txt)
  • bGllYmFvXFVzZXIgRGF0YQ== (liebao\User Data)
  • dUNvek1lZGlhXFVyYW5cVXNlciBEYXRh (uCozMedia\Uran\User Data)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: infoStealer_browser_Zero

  • Q29jQ29jXEJyb3dzZXJcVXNlciBEYXRh (CocCoc\Browser\User Data)
  • Q29tb2RvXERyYWdvblxVc2VyIERhdGE= (Comodo\Dragon\User Data)
  • Q29vd29uXENvb3dvblxVc2VyIERhdGE= (Coowon\Coowon\User Data)
  • Q2F0YWxpbmFHcm91cFxDaXRyaW9cVXNlciBEYXRh (CatalinaGroup\Citrio\User Data)
  • Q2VudEJyb3dzZXJcVXNlciBEYXRh (CentBrowser\User Data)
  • Q2hlZG90XFVzZXIgRGF0YQ== (Chedot\User Data)
  • QW1pZ29cVXNlciBEYXRh (Amigo\User Data)
  • QnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YQ== (BraveSoftware\Brave-Browser\User Data)
  • RWxlbWVudHMgQnJvd3NlclxVc2VyIERhdGE= (Elements Browser\User Data)
  • RXBpYyBQcml2YWN5IEJyb3dzZXJcVXNlciBEYXRh (Epic Privacy Browser\User Data)
  • S29tZXRhXFVzZXIgRGF0YQ== (Kometa\User Data)
  • SXJpZGl1bVxVc2VyIERhdGE= (Iridium\User Data)
  • T3BlcmEgU29mdHdhcmVcT3BlcmEgU3RhYmxl (Opera Software\Opera Stable)
  • T3JiaXR1bVxVc2VyIERhdGE= (Orbitum\User Data)
  • U2xlaXBuaXI1XHNldHRpbmdcbW9kdWxlc1xDaHJvbWl1bVZpZXdlcg== (Sleipnir5\setting\modules\ChromiumViewer)
  • U3B1dG5pa1xTcHV0bmlrXFVzZXIgRGF0YQ== (Sputnik\Sputnik\User Data)
  • UUlQIFN1cmZcVXNlciBEYXRh (QIP Surf\User Data)
  • VG9yY2hcVXNlciBEYXRh (Torch\User Data)
  • VGVuY2VudFxRUUJyb3dzZXJcVXNlciBEYXRh (Tencent\QQBrowser\User Data)
  • Vml2YWxkaVxVc2VyIERhdGE= (Vivaldi\User Data)
  • WWFuZGV4XFlhbmRleEJyb3dzZXJcVXNlciBEYXRh (Yandex\YandexBrowser\User Data)
  • XDdTdGFyXFVzZXIgRGF0YQ== (\7Star\User Data)
  • bGllYmFvXFVzZXIgRGF0YQ== (liebao\User Data)
  • dUNvek1lZGlhXFVyYW5cVXNlciBEYXRh (uCozMedia\Uran\User Data)

Match: Chrome_User_Data_Check_Zero

  • XEdvb2dsZVxDaHJvbWVcVXNlciBEYXRhXA== (\Google\Chrome\User Data\)

Match: infoStealer_DownloadManagement_Zero

  • akRvd25sb2FkZXJcY29uZmlnXGRhdGFiYXNlLnNjcmlwdA== (jDownloader\config\database.script)

URLs found in process memory 
    http://WrqCET.com
    http://go2.microsoft.com/fwlink/?LinkId=131738
    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hash%%torpass%https://www.theonionrouter.com/dist.torproject.org/torbrowser/
    http://127.0.0.1
    https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocumentdocument---------------------------x
    http://beta.visualstudio.net/net/sdk/feedback.asp
    http://DynDns.comDynDNS

Process memory dump for ini.exe (PID 2416, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_udp_sock

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • VWRwQ2xpZW50 (UdpClient)
  • c2VuZHRv (sendto)
  • c3lzdGVtLm5ldA== (system.net)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • QWNjZXB0RXg= (AcceptEx)
  • QWNjZXB0VGNwQ2xpZW50 (AcceptTcpClient)
  • R2V0QWNjZXB0RXhTb2NrYWRkcnM= (GetAcceptExSockaddrs)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQWNjZXB0 (WSAAccept)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • VGNwTGlzdGVuZXI= (TcpListener)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • c3lzdGVtLm5ldA== (system.net)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: network_p2p_win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_tcp_socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: sniff_audio

  • V0lOTU0uZGxs (WINMM.dll)
  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_file

  • ZGVza3RvcC5pbmk= (desktop.ini)

Match: spreading_share

  • TmV0U2hhcmVFbnVt (NetShareEnum)
  • TmV0U2hhcmVHZXRJbmZv (NetShareGetInfo)
  • bmV0YXBpMzIuZGxs (netapi32.dll)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • TW92ZUZpbGVFeEE= (MoveFileExA)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • UwBiAGkAZQBEAGwAbAAuAGQAbABsAA== (SbieDll.dll)
  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: Check_Qemu_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • SABhAHIAZAB3AGEAcgBlAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (Hardware\Description\System)
  • UQBFAE0AVQA= (QEMU)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)

Match: Check_Qemu_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SURFTlRJRklFUg== (IDENTIFIER)
  • SWRlbnRpZmllcg== (Identifier)
  • UQBFAE0AVQA= (QEMU)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)

Match: Check_VBox_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • SABhAHIAZAB3AGEAcgBlAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (Hardware\Description\System)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)
  • VgBCAE8AWAA= (VBOX)
  • dgBiAG8AeAA= (vbox)
  • dkJvWA== (vBoX)

Match: Check_VBox_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SURFTlRJRklFUg== (IDENTIFIER)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBCAE8AWAA= (VBOX)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)
  • dgBiAG8AeAA= (vbox)
  • dkJvWA== (vBoX)

Match: Check_VBox_Guest_Additions

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)

Match: Check_VBox_VideoDrivers

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • SABhAHIAZAB3AGEAcgBlAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (Hardware\Description\System)
  • VgBJAFIAVABVAEEATABCAE8AWAA= (VIRTUALBOX)
  • VgBpAGQAZQBvAEIAaQBvAHMAVgBlAHIAcwBpAG8AbgA= (VideoBiosVersion)
  • VgBpAHIAdAB1AGEAbABCAG8AeAA= (VirtualBox)

Match: Check_VMWare_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SURFTlRJRklFUg== (IDENTIFIER)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBNAFcAQQBSAEUA (VMWARE)
  • VgBNAHcAYQByAGUA (VMware)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)
  • dgBtAHcAYQByAGUA (vmware)

Match: Check_VmTools

  • UwBPAEYAVABXAEEAUgBFAFwAVgBNAHcAYQByAGUALAAgAEkAbgBjAC4AXABWAE0AdwBhAHIAZQAgAFQAbwBvAGwAcwA= (SOFTWARE\VMware, Inc.\VMware Tools)

Match: WMI_VM_Detect

  • UABhAHIAYQBsAGwAZQBsAA== (Parallel)
  • UEFSQUxMRUw= (PARALLEL)
  • UGFyYWxsZWw= (Parallel)
  • UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAFcAaQBuADMAMgBfAFYAaQBkAGUAbwBDAG8AbgB0AHIAbwBsAGwAZQByAA== (SELECT * FROM Win32_VideoController)
  • VgBNACAAQQBkAGQAaQB0AGkAbwBuAHMAIABTADMAIABUAHIAaQBvADMAMgAvADYANAA= (VM Additions S3 Trio32/64)
  • VgBNAHcAYQByAGUAIABTAFYARwBBACAASQBJAA== (VMware SVGA II)
  • VgBpAHIAdAB1AGEAbABCAG8AeAAgAEcAcgBhAHAAaABpAGMAcwAgAEEAZABhAHAAdABlAHIA (VirtualBox Graphics Adapter)
  • cABhAHIAYQBsAGwAZQBsAA== (parallel)
  • cGFyYWxsZWw= (parallel)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: vmdetect_misc

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)
  • UwBZAFMAVABFAE0AXABDAG8AbgB0AHIAbwBsAFMAZQB0ADAAMAAxAFwAUwBlAHIAdgBpAGMAZQBzAFwARABpAHMAawBcAEUAbgB1AG0A (SYSTEM\ControlSet001\Services\Disk\Enum)
  • dgBtAHcAYQByAGUA (vmware)
  • dwBpAG4AZQBfAGcAZQB0AF8AdQBuAGkAeABfAGYAaQBsAGUAXwBuAGEAbQBlAA== (wine_get_unix_file_name)

URLs found in process memory 
    http://go2.microsoft.com/fwlink/?LinkId=131738
    http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
    http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
    http://microsoft.com0
    http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    http://www.microsoft.com/pkiops/docs/primarycps.htm0
    http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    http://beta.visualstudio.net/net/sdk/feedback.asp
    http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
    http://www.microsoft.com/PKI/docs/CPS/default.htm0
    http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    http://ns.adobe.com/xap/1.0/
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a

Process memory dump for ini.exe (PID 2416, dump 2)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_udp_sock

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • VWRwQ2xpZW50 (UdpClient)
  • c2VuZHRv (sendto)
  • c3lzdGVtLm5ldA== (system.net)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • QWNjZXB0RXg= (AcceptEx)
  • QWNjZXB0VGNwQ2xpZW50 (AcceptTcpClient)
  • R2V0QWNjZXB0RXhTb2NrYWRkcnM= (GetAcceptExSockaddrs)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQWNjZXB0 (WSAAccept)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • VGNwTGlzdGVuZXI= (TcpListener)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • c3lzdGVtLm5ldA== (system.net)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: network_p2p_win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_tcp_socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: sniff_audio

  • V0lOTU0uZGxs (WINMM.dll)
  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_file

  • ZGVza3RvcC5pbmk= (desktop.ini)

Match: spreading_share

  • TmV0U2hhcmVFbnVt (NetShareEnum)
  • TmV0U2hhcmVHZXRJbmZv (NetShareGetInfo)
  • bmV0YXBpMzIuZGxs (netapi32.dll)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • TW92ZUZpbGVFeEE= (MoveFileExA)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • UwBiAGkAZQBEAGwAbAAuAGQAbABsAA== (SbieDll.dll)
  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: Check_Qemu_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • SABhAHIAZAB3AGEAcgBlAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (Hardware\Description\System)
  • UQBFAE0AVQA= (QEMU)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)

Match: Check_Qemu_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SURFTlRJRklFUg== (IDENTIFIER)
  • SWRlbnRpZmllcg== (Identifier)
  • UQBFAE0AVQA= (QEMU)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)

Match: Check_VBox_Description

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • SABhAHIAZAB3AGEAcgBlAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (Hardware\Description\System)
  • UwB5AHMAdABlAG0AQgBpAG8AcwBWAGUAcgBzAGkAbwBuAA== (SystemBiosVersion)
  • VgBCAE8AWAA= (VBOX)
  • dgBiAG8AeAA= (vbox)
  • dkJvWA== (vBoX)

Match: Check_VBox_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SURFTlRJRklFUg== (IDENTIFIER)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBCAE8AWAA= (VBOX)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)
  • dgBiAG8AeAA= (vbox)
  • dkJvWA== (vBoX)

Match: Check_VBox_Guest_Additions

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)

Match: Check_VBox_VideoDrivers

  • SABBAFIARABXAEEAUgBFAFwARABFAFMAQwBSAEkAUABUAEkATwBOAFwAUwB5AHMAdABlAG0A (HARDWARE\DESCRIPTION\System)
  • SABBAFIARABXAEEAUgBFAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (HARDWARE\Description\System)
  • SABhAHIAZAB3AGEAcgBlAFwARABlAHMAYwByAGkAcAB0AGkAbwBuAFwAUwB5AHMAdABlAG0A (Hardware\Description\System)
  • VgBJAFIAVABVAEEATABCAE8AWAA= (VIRTUALBOX)
  • VgBpAGQAZQBvAEIAaQBvAHMAVgBlAHIAcwBpAG8AbgA= (VideoBiosVersion)
  • VgBpAHIAdAB1AGEAbABCAG8AeAA= (VirtualBox)

Match: Check_VMWare_DeviceMap

  • SABBAFIARABXAEEAUgBFAFwARABFAFYASQBDAEUATQBBAFAAXABTAGMAcwBpAFwAUwBjAHMAaQAgAFAAbwByAHQAIAAwAFwAUwBjAHMAaQAgAEIAdQBzACAAMABcAFQAYQByAGcAZQB0ACAASQBkACAAMABcAEwAbwBnAGkAYwBhAGwAIABVAG4AaQB0ACAASQBkACAAMAA= (HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0)
  • SQBEAEUATgBUAEkARgBJAEUAUgA= (IDENTIFIER)
  • SQBkAGUAbgB0AGkAZgBpAGUAcgA= (Identifier)
  • SURFTlRJRklFUg== (IDENTIFIER)
  • SWRlbnRpZmllcg== (Identifier)
  • VgBNAFcAQQBSAEUA (VMWARE)
  • VgBNAHcAYQByAGUA (VMware)
  • aQBkAGUAbgB0AGkAZgBpAGUAcgA= (identifier)
  • aWRlbnRpZmllcg== (identifier)
  • dgBtAHcAYQByAGUA (vmware)

Match: Check_VmTools

  • UwBPAEYAVABXAEEAUgBFAFwAVgBNAHcAYQByAGUALAAgAEkAbgBjAC4AXABWAE0AdwBhAHIAZQAgAFQAbwBvAGwAcwA= (SOFTWARE\VMware, Inc.\VMware Tools)

Match: WMI_VM_Detect

  • UABhAHIAYQBsAGwAZQBsAA== (Parallel)
  • UEFSQUxMRUw= (PARALLEL)
  • UGFyYWxsZWw= (Parallel)
  • UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAFcAaQBuADMAMgBfAFYAaQBkAGUAbwBDAG8AbgB0AHIAbwBsAGwAZQByAA== (SELECT * FROM Win32_VideoController)
  • VgBNACAAQQBkAGQAaQB0AGkAbwBuAHMAIABTADMAIABUAHIAaQBvADMAMgAvADYANAA= (VM Additions S3 Trio32/64)
  • VgBNAHcAYQByAGUAIABTAFYARwBBACAASQBJAA== (VMware SVGA II)
  • VgBpAHIAdAB1AGEAbABCAG8AeAAgAEcAcgBhAHAAaABpAGMAcwAgAEEAZABhAHAAdABlAHIA (VirtualBox Graphics Adapter)
  • cABhAHIAYQBsAGwAZQBsAA== (parallel)
  • cGFyYWxsZWw= (parallel)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: vmdetect_misc

  • UwBPAEYAVABXAEEAUgBFAFwATwByAGEAYwBsAGUAXABWAGkAcgB0AHUAYQBsAEIAbwB4ACAARwB1AGUAcwB0ACAAQQBkAGQAaQB0AGkAbwBuAHMA (SOFTWARE\Oracle\VirtualBox Guest Additions)
  • UwBZAFMAVABFAE0AXABDAG8AbgB0AHIAbwBsAFMAZQB0ADAAMAAxAFwAUwBlAHIAdgBpAGMAZQBzAFwARABpAHMAawBcAEUAbgB1AG0A (SYSTEM\ControlSet001\Services\Disk\Enum)
  • dgBtAHcAYQByAGUA (vmware)
  • dwBpAG4AZQBfAGcAZQB0AF8AdQBuAGkAeABfAGYAaQBsAGUAXwBuAGEAbQBlAA== (wine_get_unix_file_name)

URLs found in process memory 
    http://go2.microsoft.com/fwlink/?LinkId=131738
    http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
    http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
    http://microsoft.com0
    http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    http://www.microsoft.com/pkiops/docs/primarycps.htm0
    http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    http://beta.visualstudio.net/net/sdk/feedback.asp
    http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
    http://www.microsoft.com/PKI/docs/CPS/default.htm0
    http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    http://ns.adobe.com/xap/1.0/
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a