Process Memory

Yara signatures matches on process memory

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vba

• dmJhRXhjZXB0SGFuZGxlcg== (vbaExceptHandler)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
• a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

---

URLs found in process memory

    http://crl4.digicert.com/sha2-assured-ts.crl0
    http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
    http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    https://www.nuget.org/packages/Newtonsoft.Json.Bson
    http://ocsp.digicert.com0O
    http://ocsp.digicert.com0K
    http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
    http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
    https://www.newtonsoft.com/jsonschema
    http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
    http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    https://www.newtonsoft.com/json
    http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    http://ocsp.digicert.com0N
    http://ocsp.digicert.com0C
    http://crl3.digicert.com/sha2-assured-ts.crl02
    https://www.digicert.com/CPS0
    http://www.digicert.com/CPS0