procMemory | ZeroBOX

Process memory dump for EXCEL.EXE (PID 2704, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Network_TCP_Socket

V1MyXzMyLmRsbA== (WS2_32.dll)
V1NBQ2xlYW51cA== (WSACleanup)
V1NBU3RhcnR1cA== (WSAStartup)
Y29ubmVjdA== (connect)
Y2xvc2Vzb2NrZXQ= (closesocket)
c29ja2V0 (socket)
c2VuZA== (send)

Match: Network_DGA

Q1JZUFQzMi5kbGw= (CRYPT32.dll)
Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
QURWQVBJMzIuZGxs (ADVAPI32.dll)
R2V0U3lzdGVtVGltZQ== (GetSystemTime)
R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
SW50ZXJuZXRPcGVu (InternetOpen)
SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
V0lOSU5FVC5kbGw= (WININET.dll)
Y3J5cHQzMi5kbGw= (crypt32.dll)
Z2V0YWRkcmluZm8= (getaddrinfo)

Match: Str_Win32_Http_API

SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: ScreenShot

Qml0Qmx0 (BitBlt)
R0RJMzIuRExM (GDI32.DLL)
R0RJMzIuZGxs (GDI32.dll)
R2V0REM= (GetDC)
VVNFUjMyLkRMTA== (USER32.DLL)
VVNFUjMyLmRsbA== (USER32.dll)
Z2RpMzIuZGxs (gdi32.dll)
dXNlcjMyLmRsbA== (user32.dll)

Match: local_credential_Steal

Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: Generic_PWS_Memory_Zero

UEFTU1dPUkQ= (PASSWORD)
UGFzc3dvcmQ= (Password)
cGFzc3dvcmQ= (password)

Match: Network_HTTP

SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
SW50ZXJuZXRDb25uZWN0 (InternetConnect)
SW50ZXJuZXRPcGVu (InternetOpen)
SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
V0lOSU5FVC5kbGw= (WININET.dll)

Match: Network_DNS

U3lzdGVtLk5ldA== (System.Net)
V1MyXzMyLmRsbA== (WS2_32.dll)
Z2V0YWRkcmluZm8= (getaddrinfo)

Match: DebuggerCheck__QueryInfo

UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: ThreadControl__Context

U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: Check_Dlls

ZABiAGcAaABlAGwAcAAuAGQAbABsAA== (dbghelp.dll)
ZGJnaGVscC5kbGw= (dbghelp.dll)
cABzAHQAbwByAGUAYwAuAGQAbABsAA== (pstorec.dll)

Match: anti_dbg

S0VSTkVMMzIuRExM (KERNEL32.DLL)
S0VSTkVMMzIuZGxs (KERNEL32.dll)
S2VybmVsMzIuZGxs (Kernel32.dll)
SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: win_hook

Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
VVNFUjMyLkRMTA== (USER32.DLL)
VVNFUjMyLmRsbA== (USER32.dll)
VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
dXNlcjMyLmRsbA== (user32.dll)

Match: Str_Win32_Internet_API

SW50ZXJuZXRDb25uZWN0 (InternetConnect)
SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
SW50ZXJuZXRPcGVu (InternetOpen)
SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Network_FTP

RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
RnRwR2V0RmlsZQ== (FtpGetFile)
RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
RnRwT3BlbkZpbGU= (FtpOpenFile)
RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
V0lOSU5FVC5kbGw= (WININET.dll)

Match: KeyLogger

R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
R2V0S2V5U3RhdGU= (GetKeyState)
TWFwVmlydHVhbEtleQ== (MapVirtualKey)
VVNFUjMyLkRMTA== (USER32.DLL)
VVNFUjMyLmRsbA== (USER32.dll)
dXNlcjMyLmRsbA== (user32.dll)

URLs found in process memory

    http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet
    http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
    http://ocsp.verisign.com0
    http://schemas.openxmlformats.org/presentationml/2006/3/main
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/sharedStrings
    http://crl.verisign.com/tss-ca.crl0
    http://purl.org/dc/terms
    http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    http://schemas.xmlsoap.org/wsdl/mime/
    http://storage.msn.com/mydata/myspace/SpaceFolder/PhotoAlbums/My
    http://office.microsoft.com
    http://crl.verisign.com/ThawteTimestampingCA.crl0
    http://schemas.xmlsoap.org/wsdl/http/
    http://microsoft.com/wsdl/mime/textMatching/
    http://purl.org/dc/elements/1.1/
    http://schemas.xmlsoap.org/wsdl/soap/
    http://microsoft.com/webservices/SharePointPortalServer/BDCClientWS/Resolve
    http://www.blogger.com/feeds/default/blogs
    http://schemas.xmlsoap.org/soap/envelope/
    http://schemas.xmlsoap.org/wsdl/
    http://schemas.openxmlformats.org/officeDocument/2006/relationships
    http://schemas.openxmlformats.org/drawingml/2006/3/diagram
    http://schemas.xmlsoap.org/soap/encoding/
    http://purl.org/dc/elemenb
    http://schemas.openxmlformats.org/drawingml/2006/3/main
    http://schemas.openxmlformats.org/drawingml/2006/diagram
    http://schemas.openxmlformats.org/drawingml/2006/3/spreadsheetDrawing
    http://microsoft.com0
    http://schemas.openxmlformats.org/package/2006/relationships
    http://purl.org/dc/elements/1%
    http://microsoft.com/webservices/SharePointPortalServer/BDCClientWS/
    http://www.typepad.com/t/api
    https://storage.msn.com/storageservice/MetaWeblog.rpc
    http://schemas.openxmlformats.org/drawingml/2006/main
    http://purl.org/dc/dcmitype/
    http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles
    http://purl.org/dc/terms/
    http://schemas.openxmlformats.org/officeDocument/2006/extended-properties
    http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd