Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 12, 2021, 2:34 p.m.	May 12, 2021, 2:37 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c71735c5ec39ab472178ab89a3ee7d35`
SHA256	`2338fcb4421c49d3f357db82478b5ab01429e2bb4bb59e0feb2331ce53863b2a`
CRC32	`330E93EB`
ssdeep	`1536:lCaA0srYlsINTaAqrVJ57kzIao1xjYq5uSHlgnp0fTArjlhIwMl5UdQW0QVRXy+n:bz0QnjTabQAWQA+G`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Eredel_Stealer_Extended_IN_Zero - Win Eredel Stealer Extended

r1o.exe "C:\Users\test22\AppData\Local\Temp\r1o.exe"
1108
- AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2240
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\r1o.exe" -Force
  2948
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  2088
  - timeout.exe timeout 1
    2084

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 12, 2021, 2:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2021, 2:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2021, 2:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2021, 2:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 12, 2021, 2:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2021, 2:35 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2021, 2:34 p.m.			0	0
IsDebuggerPresent May 12, 2021, 2:34 p.m.			0	0
IsDebuggerPresent May 12, 2021, 2:35 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\r1o. console_handle: 0x00000053	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW May 12, 2021, 2:35 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2021, 2:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a412f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a41230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a41230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a01a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039fd68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a0aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 2:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2021, 2:34 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 165 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:34 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04331000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04333000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04334000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04335000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d7b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d7b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\r1o.exe" -Force
cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\r1o.exe" -Force

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 12, 2021, 2:34 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe	1	1
ShellExecuteExW May 12, 2021, 2:35 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\r1o.exe" -Force filepath: powershell	1	1
ShellExecuteExW May 12, 2021, 2:35 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW May 12, 2021, 2:34 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 2812	1	1
Process32NextW May 12, 2021, 2:34 p.m.	snapshot_handle: 0x00000108 process_name: taskhost.exe process_identifier: 2576	1	1
Process32NextW May 12, 2021, 2:34 p.m.	snapshot_handle: 0x00000108 process_name: r1o.exe process_identifier: 1108	1	1
Process32NextW May 12, 2021, 2:34 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 2240	1	1
Process32NextW May 12, 2021, 2:34 p.m.	snapshot_handle: 0x00000108 process_name: TrustedInstaller.exe process_identifier: 1332	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 12, 2021, 2:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 12, 2021, 2:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 12, 2021, 2:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Terminates another process (50 out of 12294 events)

Time & API	Arguments	Status
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000480
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000480	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1120 process_handle: 0x00000488
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1120 process_handle: 0x00000488	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1760 process_handle: 0x00000490
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1760 process_handle: 0x00000490	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 260 process_handle: 0x00000498
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 260 process_handle: 0x00000498	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1368 process_handle: 0x000004a0
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1368 process_handle: 0x000004a0	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1568 process_handle: 0x000004a8
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1568 process_handle: 0x000004a8	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1940 process_handle: 0x000004b0
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1940 process_handle: 0x000004b0	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x000004b8
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x000004b8	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1420 process_handle: 0x000004c0
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1420 process_handle: 0x000004c0	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2252 process_handle: 0x000004c8
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2252 process_handle: 0x000004c8	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2072 process_handle: 0x000004d0
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2072 process_handle: 0x000004d0	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1808 process_handle: 0x000004d8
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1808 process_handle: 0x000004d8	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1460 process_handle: 0x000004e0
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1460 process_handle: 0x000004e0	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1768 process_handle: 0x000004e8
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1768 process_handle: 0x000004e8	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 192 process_handle: 0x000004f0
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 192 process_handle: 0x000004f0	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 872 process_handle: 0x000004f8
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 872 process_handle: 0x000004f8	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2236 process_handle: 0x00000500
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2236 process_handle: 0x00000500	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1188 process_handle: 0x00000508
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1188 process_handle: 0x00000508	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2036 process_handle: 0x00000510
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2036 process_handle: 0x00000510	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2324 process_handle: 0x00000518
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2324 process_handle: 0x00000518	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1080 process_handle: 0x00000520
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1080 process_handle: 0x00000520	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2832 process_handle: 0x00000528
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2832 process_handle: 0x00000528	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2548 process_handle: 0x00000530
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2548 process_handle: 0x00000530	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2056 process_handle: 0x00000538
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 2056 process_handle: 0x00000538	1
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1048 process_handle: 0x00000540
NtTerminateProcess May 12, 2021, 2:35 p.m.	status_code: 0xffffffff process_identifier: 1048 process_handle: 0x00000540	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

Allocates execute permission to another process indicative of possible code injection (50 out of 6147 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2760 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000478	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1120 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000047c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1760 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000484	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 260 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000048c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1368 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1568 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000049c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1940 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2288 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004ac	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1420 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2252 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004bc	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2072 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004c4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1808 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004cc	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1460 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004d4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1768 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 192 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 872 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004ec	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2236 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004f4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1188 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004fc	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2036 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000504	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2324 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000050c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1080 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000514	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2832 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000051c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2548 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000524	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2056 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000052c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1048 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000534	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2644 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000053c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 656 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000544	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3104 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000054c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3140 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000554	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3176 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000055c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3212 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000564	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3248 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000056c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3284 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000574	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3320 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000057c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3356 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000584	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3392 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000058c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3428 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000594	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3464 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000059c	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3500 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005a4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3536 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ac	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3572 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005b4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3608 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005bc	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3644 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005c4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3680 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005cc	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3716 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005d4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3752 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005dc	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3788 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005e4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3824 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ec	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3860 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005f4	3221225496
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 3896 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005fc	3221225496

Manipulates memory of a non-child process indicative of process injection (50 out of 12294 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1108 manipulating memory of non-child process 2760
Process injection	Process 1108 manipulating memory of non-child process 1120
Process injection	Process 1108 manipulating memory of non-child process 1760
Process injection	Process 1108 manipulating memory of non-child process 260
Process injection	Process 1108 manipulating memory of non-child process 1368
Process injection	Process 1108 manipulating memory of non-child process 1568
Process injection	Process 1108 manipulating memory of non-child process 1940
Process injection	Process 1108 manipulating memory of non-child process 2288
Process injection	Process 1108 manipulating memory of non-child process 1420
Process injection	Process 1108 manipulating memory of non-child process 2252
Process injection	Process 1108 manipulating memory of non-child process 2072
Process injection	Process 1108 manipulating memory of non-child process 1808
Process injection	Process 1108 manipulating memory of non-child process 1460
Process injection	Process 1108 manipulating memory of non-child process 1768
Process injection	Process 1108 manipulating memory of non-child process 192
Process injection	Process 1108 manipulating memory of non-child process 872
Process injection	Process 1108 manipulating memory of non-child process 2236
Process injection	Process 1108 manipulating memory of non-child process 1188
Process injection	Process 1108 manipulating memory of non-child process 2036
Process injection	Process 1108 manipulating memory of non-child process 2324
Process injection	Process 1108 manipulating memory of non-child process 1080
Process injection	Process 1108 manipulating memory of non-child process 2832
Process injection	Process 1108 manipulating memory of non-child process 2548
Process injection	Process 1108 manipulating memory of non-child process 2056
Process injection	Process 1108 manipulating memory of non-child process 1048
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2760 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000478	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1120 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000047c	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1760 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000484	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 260 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000048c	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1368 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1568 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000049c	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1940 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2288 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004ac	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1420 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2252 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004bc	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2072 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004c4	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1808 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004cc	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1460 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004d4	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1768 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 192 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e4	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 872 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004ec	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2236 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004f4	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1188 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004fc	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2036 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000504	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2324 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000050c	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1080 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000514	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2832 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000051c	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2548 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000524	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2056 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000052c	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1048 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000534	3221225496	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
Sangfor	Suspicious.MSIL.Kryptik.AAVI
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Kryptik.ECN.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AAVI
APEX	Malicious
Kaspersky	UDS:Trojan.MSIL.PowerShell.gen
Alibaba	Trojan:MSIL/Kryptik.5c7d9a11
Rising	Trojan.Kryptik!8.8 (CLOUD)
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.c71735c5ec39ab47
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/Remcos.ZN!MTB
GData	MSIL.Trojan-Stealer.NetSteal.PJJS2V
Cynet	Malicious (score: 100)
McAfee	Artemis!C71735C5EC39
Yandex	Trojan.Agent!jemwtb+HDpM
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZemsilF.34688.9o2@airNkBmi
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.757e37
Avast	Win32:PWSX-gen [Trj]

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

Executed a process and injected code into it, probably while unpacking (50 out of 18463 events)

Time & API	Arguments	Status	Return
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1108	1	0
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1108	1	0
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 1108	1	0
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 1108	1	0
NtGetContextThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1108	1	0
NtGetContextThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1108	1	0
NtGetContextThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1108	1	0
NtResumeThread May 12, 2021, 2:34 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 1108	1	0
CreateProcessInternalW May 12, 2021, 2:34 p.m.	thread_identifier: 2244 thread_handle: 0x000003f0 process_identifier: 2240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath_r: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f8	1	1
NtResumeThread May 12, 2021, 2:35 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 1108	1	0
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 1908 thread_handle: 0x00000434 process_identifier: 2948 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\r1o.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000448	1	1
NtResumeThread May 12, 2021, 2:35 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 1108	1	0
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 1896 thread_handle: 0x00000450 process_identifier: 2088 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000468	1	1
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 2856 thread_handle: 0x00000474 process_identifier: 2760 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000478	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x00000474	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2760 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000478		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 3028 thread_handle: 0x00000480 process_identifier: 1120 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000047c	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x00000480	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1120 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000047c		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 1572 thread_handle: 0x00000488 process_identifier: 1760 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000484	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x00000488	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1760 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000484		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 2560 thread_handle: 0x00000490 process_identifier: 260 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000048c	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x00000490	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 260 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000048c		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 2472 thread_handle: 0x00000498 process_identifier: 1368 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000494	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x00000498	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1368 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 1032 thread_handle: 0x000004a0 process_identifier: 1568 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000049c	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x000004a0	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1568 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000049c		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 1296 thread_handle: 0x000004a8 process_identifier: 1940 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004a4	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x000004a8	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1940 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 2936 thread_handle: 0x000004b0 process_identifier: 2288 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004ac	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x000004b0	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2288 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004ac		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 240 thread_handle: 0x000004b8 process_identifier: 1420 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004b4	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x000004b8	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 1420 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 2244 thread_handle: 0x000004c0 process_identifier: 2252 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004bc	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x000004c0	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2252 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004bc		3221225496
CreateProcessInternalW May 12, 2021, 2:35 p.m.	thread_identifier: 1896 thread_handle: 0x000004c8 process_identifier: 2072 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r1o.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\r1o.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004c4	1	1
NtGetContextThread May 12, 2021, 2:35 p.m.	thread_handle: 0x000004c8	1	0
NtAllocateVirtualMemory May 12, 2021, 2:35 p.m.	process_identifier: 2072 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004c4		3221225496

r1o.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All