Process Memory

Yara signatures matches on process memory

Match: Escalate_priviledges

• QURWQVBJMzIuZGxs (ADVAPI32.dll)
• QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
• YWR2YXBpMzIuZGxs (advapi32.dll)

Match: KeyLogger

• R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
• R2V0S2V5U3RhdGU= (GetKeyState)
• TWFwVmlydHVhbEtleQ== (MapVirtualKey)
• VVNFUjMyLmRsbA== (USER32.dll)
• dXNlcjMyLmRsbA== (user32.dll)

Match: ScreenShot

• Qml0Qmx0 (BitBlt)
• R0RJMzIuZGxs (GDI32.dll)
• R2V0REM= (GetDC)
• VVNFUjMyLmRsbA== (USER32.dll)
• dXNlcjMyLmRsbA== (user32.dll)

Match: Network_Downloader

• VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
• dXJsbW9uLmRsbA== (urlmon.dll)

Match: DebuggerCheck__QueryInfo

• UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

• U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: SEH__vba

• dmJhRXhjZXB0SGFuZGxlcg== (vbaExceptHandler)

Match: anti_dbg

• S0VSTkVMMzIuZGxs (KERNEL32.dll)
• T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
• a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_hook

• Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
• VVNFUjMyLmRsbA== (USER32.dll)
• VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
• dXNlcjMyLmRsbA== (user32.dll)

Match: Persistence

• U29mdHdhcmVcTWljcm9zb2Z0XEFjdGl2ZSBTZXR1cFxJbnN0YWxsZWQgQ29tcG9uZW50c1w= (Software\Microsoft\Active Setup\Installed Components\)

---