Process Memory

Yara signatures matches on process memory

Match: network_tcp_listen

• V1MyXzMyLmRsbA== (WS2_32.dll)
• YmluZA== (bind)
• bGlzdGVu (listen)

Match: network_dns

• V1MyXzMyLmRsbA== (WS2_32.dll)
• Z2V0YWRkcmluZm8= (getaddrinfo)

Match: win_files_operation

• RmluZENsb3Nl (FindClose)
• S0VSTkVMMzIuZGxs (KERNEL32.dll)
• UmVhZEZpbGU= (ReadFile)
• V3JpdGVGaWxl (WriteFile)

Match: Str_Win32_Winsock2_Library

• V1MyXzMyLmRsbA== (WS2_32.dll)

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
• S0VSTkVMMzIuZGxs (KERNEL32.dll)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: Win32_PWS_Loki_Zero

• U0VMRUNUIGVuY3J5cHRlZFVzZXJuYW1lLCBlbmNyeXB0ZWRQYXNzd29yZCwgZm9ybVN1Ym1pdFVSTCwgaG9zdG5hbWUgRlJPTSBtb3pfbG9naW5z (SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins)

---

URLs found in process memory

    http://www.ibsensoftware.com/