Process Memory

Extracted/injected images (may contain unpacked executables)
Download #1

---

Yara signatures matches on process memory

Match: Network_DNS

• V1MyXzMyLmRsbA== (WS2_32.dll)
• Z2V0YWRkcmluZm8= (getaddrinfo)

Match: Network_TCP_Socket

• V1MyXzMyLmRsbA== (WS2_32.dll)
• V1NBU29ja2V0 (WSASocket)
• V1NBU2VuZA== (WSASend)
• Y29ubmVjdA== (connect)
• c29ja2V0 (socket)
• c2VuZA== (send)

Match: Escalate_priviledges

• QURWQVBJMzIuZGxs (ADVAPI32.dll)
• QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: vmdetect

• dm10b29scw== (vmtools)
• dm13YXJl (vmware)
• dmJveHNlcnZpY2U= (vboxservice)
• dmJveHRyYXk= (vboxtray)

Match: anti_dbg

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
• S0VSTkVMMzIuZGxs (KERNEL32.dll)
• SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)

Match: antisb_threatExpert

• ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: antivm_virtualbox

• dmJveHNlcnZpY2UuZXhl (vboxservice.exe)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: vmdetect_misc

• dm11c3J2Yw== (vmusrvc)
• dm13YXJl (vmware)
• dm1zcnZj (vmsrvc)
• dmJveHNlcnZpY2U= (vboxservice)
• dmJveHRyYXk= (vboxtray)
• eGVuc2VydmljZQ== (xenservice)

---

URLs found in process memory

    https://cerionetya.com/src
    https://github.com/libcala/whoami/issuescalled
    https://www.catcert.net/verarrel