procMemory | ZeroBOX

Process memory dump for None (PID 2128, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1


YARA signature matches on process memory

Match: Network_TCP_Socket

  • V3MyXzMyLmRsbA== (Ws2_32.dll)
  • Y29ubmVjdA== (connect)
  • c29ja2V0 (socket)
  • c2VuZA== (send)

Match: Escalate_priviledges

  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • U2VEZWJ1Z1ByaXZpbGVnZQ== (SeDebugPrivilege)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: schtasks_Zero

  • cwBjAGgAdABhAHMAawBzAA== (schtasks)

Match: Generic_PWS_Memory_Zero

  • UEFTU1dPUkQ= (PASSWORD)
  • UGFzc3dvcmQ= (Password)
  • cGFzc3dvcmQ= (password)

Match: Sniff_Audio

  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: Network_DNS

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • U3lzdGVtLk5ldA== (System.Net)
  • V3MyXzMyLmRsbA== (Ws2_32.dll)

Match: Code_injection

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: WMI_VM_Detect

  • UABhAHIAYQBsAGwAZQBsAA== (Parallel)
  • UGFyYWxsZWw= (Parallel)
  • UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAFcAaQBuADMAMgBfAFYAaQBkAGUAbwBDAG8AbgB0AHIAbwBsAGwAZQByAA== (SELECT * FROM Win32_VideoController)
  • cwBlAGwAZQBjAHQAIAAqACAAZgByAG8AbQAgAFcAaQBuADMAMgBfAFYAaQBkAGUAbwBDAG8AbgB0AHIAbwBsAGwAZQByAA== (select * from Win32_VideoController)

Match: anti_dbg

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_antivirus

  • RGlzYWJsZUFudGlTcHl3YXJl (DisableAntiSpyware)
  • U09GVFdBUkVcUG9saWNpZXNcTWljcm9zb2Z0XFdpbmRvd3MgRGVmZW5kZXI= (SOFTWARE\Policies\Microsoft\Windows Defender)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: KeyLogger

  • R2V0S2V5U3RhdGU= (GetKeyState)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: RAT_WebCam

  • Y2FwQ3JlYXRlQ2FwdHVyZVdpbmRvdw== (capCreateCaptureWindow)
  • YXZpY2FwMzIuZGxs (avicap32.dll)

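The base64 tokens listed under each match are the raw bytes the rule hit, which is why some of them (`cwBjAGgAdABhAHMAawBzAA==` for schtasks, the two Win32_VideoController queries, one of the two Parallel entries) decode with a NUL after every character: the rules look for their strings in both ASCII and wide (UTF-16LE) form, and a .NET image (note the System.Net hit and the newtonsoft.com URL) stores its string literals as UTF-16. The Python below is an added example, not ZeroBOX's rule set and not code from the StormKitty repository. It re-implements that ascii/wide string-set matching over a memory buffer constructed inline (not the real dump), using a subset of the strings this report shows per rule as assumed rule bodies, and round-trips the report's base64 rendering so the tokens above can be decoded and reproduced.

```python
"""Ascii/wide string-set scan over a process-memory image, in the style of the
YARA hits above. Added example: rule bodies are assumptions built from the
report's own matched strings, not ZeroBOX's real rules."""
import base64
import re

# Rule name -> strings to look for. Assumption: a subset of what the report
# lists for each rule; the real rule files are not on the page.
RULES = {
    "Network_TCP_Socket": ["Ws2_32.dll", "connect", "socket", "send"],
    "Escalate_priviledges": ["AdjustTokenPrivileges", "SeDebugPrivilege",
                             "advapi32.dll"],
    "schtasks_Zero": ["schtasks"],
    "WMI_VM_Detect": ["Parallel", "SELECT * FROM Win32_VideoController"],
    "Code_injection": ["CreateThread", "OpenProcess", "NtWriteVirtualMemory",
                       "WriteProcessMemory", "VirtualAllocEx"],
}


def encodings(s: str) -> dict:
    """YARA 'ascii wide' semantics: the raw bytes and the UTF-16LE form."""
    return {"ascii": s.encode("ascii"), "wide": s.encode("utf-16-le")}


def scan(memory: bytes) -> dict:
    """Return {rule: [(offset, form, string), ...]} for every string that hits.
    A rule appears only if at least one of its strings is present; a real
    rule's condition may be stricter (e.g. require N of its strings)."""
    hits = {}
    for rule, strings in RULES.items():
        found = []
        for s in strings:
            for form, needle in encodings(s).items():
                for m in re.finditer(re.escape(needle), memory):
                    found.append((m.start(), form, s))
        if found:
            hits[rule] = sorted(found)
    return hits


def report_token(string: str, form: str) -> str:
    """The report's rendering: base64 of the bytes that matched."""
    return base64.b64encode(encodings(string)[form]).decode()


def decode_token(token: str) -> str:
    """Invert report_token. If every odd byte is NUL the match was a wide
    string, so decode it as UTF-16LE instead of ASCII."""
    raw = base64.b64decode(token)
    if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    return raw.decode("ascii")


# Constructed memory image standing in for the dump (not real data): an
# import-table fragment in ASCII, then .NET-style UTF-16LE literals, with
# filler between them.
SAMPLE = (
    b"\x00" * 16
    + b"Ws2_32.dll\x00connect\x00socket\x00send\x00"
    + b"\xcc" * 8
    + "schtasks".encode("utf-16-le")
    + b"\x00" * 4
    + "SELECT * FROM Win32_VideoController".encode("utf-16-le")
    + b"AdjustTokenPrivileges\x00"
)

if __name__ == "__main__":
    for rule, found in scan(SAMPLE).items():
        print(f"Match: {rule}")
        for off, form, s in found:
            print(f"  {off:#06x} {form:5} {report_token(s, form)} ({s})")
```

Two caveats when reading the matches this way. First, a string hit is evidence of capability, not of behaviour: `waveIn*`, `capCreateCaptureWindow` or `SetThreadContext` in a dump say the code can reach those APIs, and the sandbox's behavioural log is what confirms whether it did. Second, scanning only the dump's flat bytes, as above, misses strings the sample builds at runtime or keeps encrypted until use; the report's "Extracted/injected images" download exists for that case, because an unpacked image often carries the plaintext strings the packed file did not.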

URLs found in process memory
    https://github.com/LimerBoy/StormKitty
    http://www.newtonsoft.com/jsonschema