procMemory | ZeroBOX

Process memory dump for rrrem.exe (PID 2620, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Network_TCP_Socket

V1MyXzMyLmRsbA== (WS2_32.dll)
Y29ubmVjdA== (connect)
c29ja2V0 (socket)
c2VuZA== (send)

Match: Create_Service

Q29udHJvbFNlcnZpY2U= (ControlService)
Q3JlYXRlU2VydmljZQ== (CreateService)
QURWQVBJMzIuZGxs (ADVAPI32.dll)
U3RhcnRTZXJ2aWNl (StartService)
UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)

Match: Sniff_Audio

V0lOTU0uZGxs (WINMM.dll)
d2F2ZUluQ2xvc2U= (waveInClose)
d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
d2F2ZUluT3Blbg== (waveInOpen)
d2F2ZUluU3RhcnQ= (waveInStart)

Match: Chrome_User_Data_Check_Zero

Q2hyb21lXFVzZXIgRGF0YVxEZWZhdWx0XExvZ2luIERhdGE= (Chrome\User Data\Default\Login Data)
XEdvb2dsZVxDaHJvbWVcVXNlciBEYXRhXA== (\Google\Chrome\User Data\)
XEdvb2dsZVxDaHJvbWVcVXNlciBEYXRhXERlZmF1bHRcQ29va2llcw== (\Google\Chrome\User Data\Default\Cookies)

Match: Escalate_priviledges

QURWQVBJMzIuZGxs (ADVAPI32.dll)
QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)

Match: KeyLogger

R2V0S2V5U3RhdGU= (GetKeyState)
VVNFUjMyLmRsbA== (USER32.dll)
VXNlcjMyLmRsbA== (User32.dll)

Match: Win_Trojan_agentTesla_Zero

Q3JlYXRlVGhyZWFk (CreateThread)
T3BlblByb2Nlc3M= (OpenProcess)
TG9jYWxcR29vZ2xlXENocm9tZVxVc2VyIERhdGE= (Local\Google\Chrome\User Data)
V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: Code_injection

Q3JlYXRlVGhyZWFk (CreateThread)
T3BlblByb2Nlc3M= (OpenProcess)
TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: infoStealer_browser_Zero

TG9jYWxcR29vZ2xlXENocm9tZVxVc2VyIERhdGE= (Local\Google\Chrome\User Data)

Match: Network_Downloader

VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
dXJsbW9uLmRsbA== (urlmon.dll)

Match: DebuggerCheck__GlobalFlags

TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
S0VSTkVMMzIuZGxs (KERNEL32.dll)
S2VybmVsMzIuZGxs (Kernel32.dll)
SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
VVNFUjMyLmRsbA== (USER32.dll)
VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
VXNlcjMyLmRsbA== (User32.dll)

URLs found in process memory

    http://crl4.digicert.com/sha2-assured-ts.crl0
    http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
    http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    https://www.nuget.org/packages/Newtonsoft.Json.Bson
    http://ocsp.digicert.com0O
    http://ocsp.digicert.com0K
    http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
    http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
    https://www.newtonsoft.com/jsonschema
    http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
    http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    https://www.newtonsoft.com/json
    http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    http://ocsp.digicert.com0N
    http://ocsp.digicert.com0C
    http://crl3.digicert.com/sha2-assured-ts.crl02
    https://www.digicert.com/CPS0
    http://www.digicert.com/CPS0