Process Memory

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2

---

Yara signatures matches on process memory

Match: network_tcp_listen

• U3lzdGVtLk5ldA== (System.Net)
• YmluZA== (bind)
• bGlzdGVu (listen)

Match: network_smtp_dotNet

• U210cENsaWVudA== (SmtpClient)
• U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: keylogger

• TWFwVmlydHVhbEtleQ== (MapVirtualKey)
• VXNlcjMyLmRsbA== (User32.dll)
• dXNlcjMyLmRsbA== (user32.dll)

Match: DebuggerCheck__GlobalFlags

• TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

• RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: SEH__vectored

• QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
• UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: disable_dep

• TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
• WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

• Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
• VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
• VXNlcjMyLmRsbA== (User32.dll)
• dXNlcjMyLmRsbA== (user32.dll)

---