Process Memory

Extracted/injected images (may contain unpacked executables)
Download #1

---

Yara signatures matches on process memory

Match: Generic_PWS_Memory_Zero

• UGFzc3dvcmQ= (Password)
• cGFzc3dvcmQ= (password)

Match: RedLine_Stealer_m_Zero

• NDIzQUNBMDFBQzE3MEE1MDg2OUVDREVGNTcyQ0Q5Njk5NTU3NjcxOA== (423ACA01AC170A50869ECDEF572CD96995576718)
• ODkxQjU2QzRDMEM4ODdENkM0RDMyNzgwNzI5MTkyMTM4MDE5OUZDQw== (891B56C4C0C887D6C4D327807291921380199FCC)
• UABhAHIAcwBlAEQAaQBzAGMAbwByAGQAVABvAGsAZQBuAHMA (ParseDiscordTokens)
• UGFyc2VEaXNjb3JkVG9rZW5z (ParseDiscordTokens)
• Y2hyb21lS2V5 (chromeKey)
• cERpc3RhbmNlVG9Nb3ZlSGlnaA== (pDistanceToMoveHigh)

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
• a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

---