You are right on the signature being content related, but it's probably both, i.e. a malleable profile (as another commenter suggests) to add more plausibility to a fronted endpoint. This would make sense as outer connection AND content would match potentially.
Thanks @mubix. Ported this snippet to C# and added the process MainModule location - good for identifying potential custom software which could be easily reversed on a red team 👏 gist.github.com/dtmsecurity/…
Super simple function, but super powerful Get-CSharpProcess -> gist.github.com/mubix/153615…
Just looks at running processes and tells you which ones are written in C#