Process Memory

Yara signatures matches on process memory

Match: Network_HTTP

• SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
• SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
• SW50ZXJuZXRDb25uZWN0 (InternetConnect)
• SW50ZXJuZXRPcGVu (InternetOpen)
• SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
• V0lOSU5FVC5kbGw= (WININET.dll)

Match: Str_Win32_Http_API

• SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
• SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: Str_Win32_Internet_API

• SW50ZXJuZXRDb25uZWN0 (InternetConnect)
• SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
• SW50ZXJuZXRPcGVu (InternetOpen)
• SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: ScreenShot

• Qml0Qmx0 (BitBlt)
• R2V0REM= (GetDC)
• VVNFUjMyLmRsbA== (USER32.dll)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: ThreadControl__Context

• U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vba

• dmJhRXhjZXB0SGFuZGxlcg== (vbaExceptHandler)

Match: Persistence

• U29mdHdhcmVcTWljcm9zb2Z0XEFjdGl2ZSBTZXR1cFxJbnN0YWxsZWQgQ29tcG9uZW50c1w= (Software\Microsoft\Active Setup\Installed Components\)

---