Process Memory

Extracted/injected images (may contain unpacked executables)
Download #1

---

Yara signatures matches on process memory

Match: Network_Downloader

• VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
• dXJsbW9uLmRsbA== (urlmon.dll)

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__SetConsoleCtrl

• U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
• S0VSTkVMMzIuZGxs (KERNEL32.dll)
• SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
• T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

---

URLs found in process memory

    http://down.fuck-jp.ru/hh.exe
    http://api.fuck-jp.ru/run64.txt
    http://api.fuck-jp.ru/url64.txt
    
                                                

Extracted/injected images (may contain unpacked executables)
Download #1

---

Yara signatures matches on process memory

Match: Network_DNS

• V1MyXzMyLmRsbA== (WS2_32.dll)
• Z2V0YWRkcmluZm8= (getaddrinfo)
• Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)

Match: Network_TCP_Socket

• V1MyXzMyLmRsbA== (WS2_32.dll)
• V1NBQ2xlYW51cA== (WSACleanup)
• V1NBU29ja2V0 (WSASocket)
• V1NBU2VuZA== (WSASend)
• V1NBU3RhcnR1cA== (WSAStartup)
• Y29ubmVjdA== (connect)
• Y2xvc2Vzb2NrZXQ= (closesocket)
• c29ja2V0 (socket)
• c2VuZA== (send)

Match: Create_Service

• Q29udHJvbFNlcnZpY2U= (ControlService)
• Q3JlYXRlU2VydmljZQ== (CreateService)
• QURWQVBJMzIuZGxs (ADVAPI32.dll)
• U3RhcnRTZXJ2aWNl (StartService)
• UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)

Match: BitCoin

• T3BlbkNMLmRsbA== (OpenCL.dll)
• c3RyYXR1bQ== (stratum)

Match: Escalate_priviledges

• QURWQVBJMzIuZGxs (ADVAPI32.dll)
• QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)

Match: KeyLogger

• TWFwVmlydHVhbEtleQ== (MapVirtualKey)
• VVNFUjMyLmRsbA== (USER32.dll)
• dXNlcjMyLmRsbA== (user32.dll)

Match: Code_injection

• Q3JlYXRlVGhyZWFk (CreateThread)
• T3BlblByb2Nlc3M= (OpenProcess)
• TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
• VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__SetConsoleCtrl

• U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
• S0VSTkVMMzIuZGxs (KERNEL32.dll)
• SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
• T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
• a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

---

URLs found in process memory

    https://L
    https://xmrig.com/wizard
    https://xmrig.com/benchmark/%s
    https://xmrig.com/docs/algorithms
    https://H