popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for RegAsm.exe (PID 2860, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Create_Service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)

Match: Client_SW_User_Data_Stealer

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TG9jYWxcR29vZ2xlXENocm9tZVxVc2VyIERhdGE= (Local\Google\Chrome\User Data)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)

Match: Win_Backdoor_RemcosRAT

  • RmlyZWZveCBTdG9yZWRMb2dpbnMgbm90IGZvdW5k (Firefox StoredLogins not found)
  • TVo= (MZ)
  • UmVtY29zIHY= (Remcos v)

Match: Network_TCP_Socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Y29ubmVjdA== (connect)
  • c29ja2V0 (socket)
  • c2VuZA== (send)

Match: infoStealer_browser_Zero

  • TG9jYWxcR29vZ2xlXENocm9tZVxVc2VyIERhdGE= (Local\Google\Chrome\User Data)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)

Match: Escalate_priviledges

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)

Match: Chrome_User_Data_Check_Zero

  • Q2hyb21lXFVzZXIgRGF0YVxEZWZhdWx0XExvZ2luIERhdGE= (Chrome\User Data\Default\Login Data)
  • XEdvb2dsZVxDaHJvbWVcVXNlciBEYXRhXA== (\Google\Chrome\User Data\)
  • XEdvb2dsZVxDaHJvbWVcVXNlciBEYXRhXERlZmF1bHRcQ29va2llcw== (\Google\Chrome\User Data\Default\Cookies)

Match: Generic_PWS_Memory_Zero

  • TG9naW4gRGF0YQ== (Login Data)

Match: Sniff_Audio

  • V0lOTU0uZGxs (WINMM.dll)
  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)

Match: Network_DNS

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)

Match: Network_Downloader

  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • VVJMRG93bmxvYWRUb0ZpbGVX (URLDownloadToFileW)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: KeyLogger

  • R2V0S2V5U3RhdGU= (GetKeyState)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)