Process Memory

Extracted/injected images (may contain unpacked executables)
Download #1

---

Yara signatures matches on process memory

Match: schtasks_Zero

• cwBjAGgAdABhAHMAawBzAA== (schtasks)

Match: Generic_Malware_Zero_m

• InVdajBW ("u]j0V)
• LwBDACAALwBjAHIAZQBhAHQAZQAgAC8ARgAgAC8AcwBjACAAbQBpAG4AdQB0AGUAIAAvAG0AbwAgADEAIAAvAHQAbgAgACIA (/C /create /F /sc minute /mo 1 /tn ")
• MCAwJjAuMDMwOjBDMEgwUTBWMF4wYzBrMHAweTB+MA== (0 0&0.030:0C0H0Q0V0^0c0k0p0y0~0)
• MSMxKTEvMTQxOjFAMUUxSzFRMVYxXTFiMWkxbjF0MXox (1#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z1)
• MiEzNDNRM2EzcTN2Mw== (2!343Q3a3q3v3)
• QQB6AHUAcgBlAC0AVQBwAGQAYQB0AGUALQBUAGEAcwBrAA== (Azure-Update-Task)
• akRfZjk+ (jD_f9>)
• amNZamJb (jcYjb[)
• bnVSZjle (nuRf9^)

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
• S0VSTkVMMzIuZGxs (KERNEL32.dll)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

---