popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for jsc.exe (PID 1872, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

URLs found in process memory 
    https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Process memory dump for 360TS_Setup.exe (PID 3184, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Create_Service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)

Match: Network_TCP_Socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Y29ubmVjdA== (connect)
  • c29ja2V0 (socket)
  • c2VuZA== (send)

Match: Network_DGA

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)

Match: Str_Win32_Http_API

  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)

Match: Escalate_priviledges

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)

Match: Generic_PWS_Memory_Zero

  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

URLs found in process memory 
    http://s.symcb.com/universal-root.crl0
    http://crl.globalsign.com/root-r6.crl0G
    http://crl.globalsign.com/codesigningrootr45.crl0U
    http://ocsp.verisign.com0
    https://www.verisign.com/rpa
    http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    http://ns.adobe.com/xap/1.0/sType/ResourceRef
    http://ocsp2.globalsign.com/rootr606
    http://s1.symcb.com/pca3-g5.crl0
    http://www.symauth.com/cps0(
    http://ocsp.globalsign.com/ca/gstsacasha384g40C
    http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    http://s2.symcb.com0
    https://d.symcb.com/cps0%
    http://sv.symcb.com/sv.crl0a
    http://s.symcd.com06
    http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    http://crl.verisign.com/pca3-g5.crl04
    https://www.globalsign.com/repository/0
    http://logo.verisign.com/vslogo.gif04
    http://ns.adobe.com/xap/1.0/mm/
    http://crl.globalsign.net/root.crl0
    https://d.symcb.com/rpa0
    https://www.verisign.com/cps0
    http://sv.symcb.com/sv.crt0
    http://ocsp.globalsign.com/codesigningrootr450F
    http://sf.symcb.com/sf.crl0a
    http://ocsp2.globalsign.com/rootr306
    http://crl.globalsign.com/root-r3.crl0G
    http://www.360safe.com0
    https://www.globalsign.com/repository/03
    https://d.symcb.com/rpa0.
    http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    http://ns.adobe.com/xap/1.0/
    http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    http://www.symauth.com/rpa00
    http://sf.symcb.com/sf.crt0
    https://www.verisign.com/rpa0
    http://sv.symcd.com0
    http://secure.globalsign.com/cacert/gstimestampingg2.crt0
    http://www.openssl.org/support/faq.html
    http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    http://crl.globalsign.com/gs/gstimestampingg2.crl0T
    http://sf.symcd.com0
    http://ts-ocsp.ws.symantec.com0

Process memory dump for RegAsm.exe (PID 3228, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2

Yara signatures matches on process memory

Match: Network_TCP_Socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V3MyXzMyLmRsbA== (Ws2_32.dll)
  • Y29ubmVjdA== (connect)
  • c29ja2V0 (socket)
  • c2VuZA== (send)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)

Match: Network_DNS

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V3MyXzMyLmRsbA== (Ws2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)

Match: Code_injection

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

URLs found in process memory 
    http://www.winimage.com/zLibDll

Process memory dump for cmd.exe (PID 3504, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)