Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 26, 2021, 8:31 a.m.	Aug. 26, 2021, 8:36 a.m.

Size	742.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`27ee757d743631d49dcb3c6d7c90dfbe`
SHA256	`dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028`
CRC32	`2712A197`
ssdeep	`12288:vFtHRwMpWIIyKj9X1WxQ3jC0CJVYT+R0ws8YAX2ujF5JjFWVJq2O:vFtxwR9uwvQYYds/+TJ581O`
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

bill.exe "C:\Users\test22\AppData\Local\Temp\bill.exe"
544

Name	Response	Post-Analysis Lookup
nt6sqq.sn.files.1drv.com	CNAME odc-sn-files-geo.onedrive.akadns.net CNAME sn-files.fe.1drv.com CNAME sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net A 13.107.42.12 CNAME odc-sn-files-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net	13.107.42.12
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49165 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=onedrive.com	50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb
TLSv1 192.168.56.102:49166 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e
TLSv1 192.168.56.102:49167 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21131&authkey=AF_kkRi5NlE5DPw
request	GET https://nt6sqq.sn.files.1drv.com/y4mNVtGZzPYcR78EMlHGKNeHHQWKO_LnuQ1sDFBUs6Lj3A1RV9mR-XMaYq1uifSmbA5tl-PXhY-ytxbNy2KAAQ0BtrjOZPq4M9x-1FXOOgwySy0ztqS2CymrSFH8vBcnyeTC4Q-miXdvWUEuIF1YDSxr5FOCbL6s1gQplbX3KYtkLd_ijTY273zj85pzJPECKcJxDwW8qGCF7CeAamESQdJfw/Zgwpegsteovovkqiegedbinxprysexl?download&psid=1
request	GET https://nt6sqq.sn.files.1drv.com/y4mpp6wUwjjYpF4pJniIr2AqktLZQdVZPN-jgBBWBFh7P-N2J5U63HcpYSm4fKhAjnjkwoMYxNRz-4o9ZMAfl5d6jYdkP8kofLXfZ4ETyf86DYdlpvPQt1q8sXKXeD8AOON52ygaix7bOyQsYQLDW8IwcAGNctzDhNEOYScupe6bvC5WkYHiIsb1aUO4cU49ZgLxOd9GoFlIFka1neO_ecypA/Zgwpegsteovovkqiegedbinxprysexl?download&psid=1

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 544 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10411000 process_handle: 0xffffffff	1	0	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 59fd5a048c0f1a032d2068178d60f3f3139ba258

Allocates execute permission to another process indicative of possible code injection (50 out of 498 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 out of 134 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 544 created a remote thread in non-child process 2096
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1040 process_identifier: 2096 function_address: 0x001e0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000100	1	264	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1196 process_identifier: 2096 function_address: 0x00360000 flags: 0 stack_size: 0 parameter: 0x00350000 process_handle: 0x00000100	1	264	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 180 process_identifier: 2096 function_address: 0x00220000 flags: 0 stack_size: 0 parameter: 0x00210000 process_handle: 0x00000100	1	260	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2132 process_identifier: 2096 function_address: 0x00260000 flags: 0 stack_size: 0 parameter: 0x00250000 process_handle: 0x00000100	1	268	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1660 process_identifier: 2096 function_address: 0x002a0000 flags: 0 stack_size: 0 parameter: 0x00290000 process_handle: 0x00000100	1	272	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 896 process_identifier: 2096 function_address: 0x002e0000 flags: 0 stack_size: 0 parameter: 0x002d0000 process_handle: 0x00000100	1	276	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 672 process_identifier: 2096 function_address: 0x00320000 flags: 0 stack_size: 0 parameter: 0x00310000 process_handle: 0x00000100	1	280	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1744 process_identifier: 2096 function_address: 0x003a0000 flags: 0 stack_size: 0 parameter: 0x00390000 process_handle: 0x00000100	1	284	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 3068 process_identifier: 2096 function_address: 0x003e0000 flags: 0 stack_size: 0 parameter: 0x003d0000 process_handle: 0x00000100	1	288	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2140 process_identifier: 2096 function_address: 0x004e0000 flags: 0 stack_size: 0 parameter: 0x004d0000 process_handle: 0x00000100	1	292	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2744 process_identifier: 2096 function_address: 0x00520000 flags: 0 stack_size: 0 parameter: 0x00510000 process_handle: 0x00000100	1	296	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1460 process_identifier: 2096 function_address: 0x00560000 flags: 0 stack_size: 0 parameter: 0x00550000 process_handle: 0x00000100	1	300	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2104 process_identifier: 2096 function_address: 0x005a0000 flags: 0 stack_size: 0 parameter: 0x00590000 process_handle: 0x00000100	1	304	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1220 process_identifier: 2096 function_address: 0x00650000 flags: 0 stack_size: 0 parameter: 0x00640000 process_handle: 0x00000100	1	308	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2524 process_identifier: 2096 function_address: 0x00690000 flags: 0 stack_size: 0 parameter: 0x00680000 process_handle: 0x00000100	1	312	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2752 process_identifier: 2096 function_address: 0x006e0000 flags: 0 stack_size: 0 parameter: 0x006d0000 process_handle: 0x00000100	1	316	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1260 process_identifier: 2096 function_address: 0x00720000 flags: 0 stack_size: 0 parameter: 0x00710000 process_handle: 0x00000100	1	320	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2420 process_identifier: 2096 function_address: 0x00760000 flags: 0 stack_size: 0 parameter: 0x00750000 process_handle: 0x00000100	1	324	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 656 process_identifier: 2096 function_address: 0x02040000 flags: 0 stack_size: 0 parameter: 0x02030000 process_handle: 0x00000100	1	328	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 572 process_identifier: 2096 function_address: 0x02080000 flags: 0 stack_size: 0 parameter: 0x02070000 process_handle: 0x00000100	1	332	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1148 process_identifier: 2096 function_address: 0x020c0000 flags: 0 stack_size: 0 parameter: 0x020b0000 process_handle: 0x00000100	1	336	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1772 process_identifier: 2096 function_address: 0x02100000 flags: 0 stack_size: 0 parameter: 0x020f0000 process_handle: 0x00000100	1	340	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1628 process_identifier: 2096 function_address: 0x02140000 flags: 0 stack_size: 0 parameter: 0x02130000 process_handle: 0x00000100	1	344	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1636 process_identifier: 2096 function_address: 0x02190000 flags: 0 stack_size: 0 parameter: 0x02180000 process_handle: 0x00000100	1	348	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1164 process_identifier: 2096 function_address: 0x021d0000 flags: 0 stack_size: 0 parameter: 0x021c0000 process_handle: 0x00000100	1	352	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1796 process_identifier: 2096 function_address: 0x02210000 flags: 0 stack_size: 0 parameter: 0x02200000 process_handle: 0x00000100	1	356	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 684 process_identifier: 2096 function_address: 0x02250000 flags: 0 stack_size: 0 parameter: 0x02240000 process_handle: 0x00000100	1	360	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1644 process_identifier: 2096 function_address: 0x02290000 flags: 0 stack_size: 0 parameter: 0x02280000 process_handle: 0x00000100	1	364	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2916 process_identifier: 2096 function_address: 0x022d0000 flags: 0 stack_size: 0 parameter: 0x022c0000 process_handle: 0x00000100	1	368	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2248 process_identifier: 2096 function_address: 0x02310000 flags: 0 stack_size: 0 parameter: 0x02300000 process_handle: 0x00000100	1	372	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 932 process_identifier: 2096 function_address: 0x02350000 flags: 0 stack_size: 0 parameter: 0x02340000 process_handle: 0x00000100	1	376	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1808 process_identifier: 2096 function_address: 0x02390000 flags: 0 stack_size: 0 parameter: 0x02380000 process_handle: 0x00000100	1	380	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2492 process_identifier: 2096 function_address: 0x023d0000 flags: 0 stack_size: 0 parameter: 0x023c0000 process_handle: 0x00000100	1	384	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2344 process_identifier: 2096 function_address: 0x02410000 flags: 0 stack_size: 0 parameter: 0x02400000 process_handle: 0x00000100	1	388	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1612 process_identifier: 2096 function_address: 0x02450000 flags: 0 stack_size: 0 parameter: 0x02440000 process_handle: 0x00000100	1	392	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1080 process_identifier: 2096 function_address: 0x02490000 flags: 0 stack_size: 0 parameter: 0x02480000 process_handle: 0x00000100	1	396	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2880 process_identifier: 2096 function_address: 0x024d0000 flags: 0 stack_size: 0 parameter: 0x024c0000 process_handle: 0x00000100	1	400	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2816 process_identifier: 2096 function_address: 0x02510000 flags: 0 stack_size: 0 parameter: 0x02500000 process_handle: 0x00000100	1	404	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2208 process_identifier: 2096 function_address: 0x02550000 flags: 0 stack_size: 0 parameter: 0x02540000 process_handle: 0x00000100	1	408	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2828 process_identifier: 2096 function_address: 0x02590000 flags: 0 stack_size: 0 parameter: 0x02580000 process_handle: 0x00000100	1	412	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2860 process_identifier: 2096 function_address: 0x025d0000 flags: 0 stack_size: 0 parameter: 0x025c0000 process_handle: 0x00000100	1	416	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2864 process_identifier: 2096 function_address: 0x02610000 flags: 0 stack_size: 0 parameter: 0x02600000 process_handle: 0x00000100	1	420	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 972 process_identifier: 2096 function_address: 0x02650000 flags: 0 stack_size: 0 parameter: 0x02640000 process_handle: 0x00000100	1	424	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2848 process_identifier: 2096 function_address: 0x02690000 flags: 0 stack_size: 0 parameter: 0x02680000 process_handle: 0x00000100	1	428	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 2792 process_identifier: 2096 function_address: 0x026d0000 flags: 0 stack_size: 0 parameter: 0x026c0000 process_handle: 0x00000100	1	432	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1088 process_identifier: 2096 function_address: 0x026e0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000100	1	436	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1376 process_identifier: 2096 function_address: 0x02860000 flags: 0 stack_size: 0 parameter: 0x02850000 process_handle: 0x00000100	1	436	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1312 process_identifier: 2096 function_address: 0x02720000 flags: 0 stack_size: 0 parameter: 0x02710000 process_handle: 0x00000100	1	440	0
CreateRemoteThread Aug. 26, 2021, 8:31 a.m.	thread_identifier: 1108 process_identifier: 2096 function_address: 0x02760000 flags: 0 stack_size: 0 parameter: 0x02750000 process_handle: 0x00000100	1	444	0

Manipulates memory of a non-child process indicative of process injection (50 out of 499 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 544 manipulating memory of non-child process 2096
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0
NtAllocateVirtualMemory Aug. 26, 2021, 8:31 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0	0

Potential code injection by writing to the memory of another process (50 out of 498 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 544 injected into non-child 2096
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: hÿhÿ×I¤vÕ³wkernel32.dllÿþ(ý¾t®tXýÉ®tÐý~<ýla®tQy®t/Ðý~Xý:®t6;´tèýmØ¯t°ý°ýÿÿÿÿþþ¶>@C%@øýp%@ÀýÀðÜÀÄðÜøýE6FM6F,þüD@ base_address: 0x001e0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: DeleteCriticalSection base_address: 0x00330000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00340000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v43 base_address: 0x00350000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00360000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: LeaveCriticalSection base_address: 0x001f0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00200000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v base_address: 0x00210000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00220000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: EnterCriticalSection base_address: 0x00230000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00240000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v$# base_address: 0x00250000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00260000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: InitializeCriticalSection base_address: 0x00270000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00280000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v(' base_address: 0x00290000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x002a0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: VirtualFree base_address: 0x002b0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x002c0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v,+ base_address: 0x002d0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x002e0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: VirtualAlloc base_address: 0x002f0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00300000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v0/ base_address: 0x00310000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00320000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: LocalFree base_address: 0x00370000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00380000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v87 base_address: 0x00390000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x003a0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: LocalAlloc base_address: 0x003b0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x003c0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤v<; base_address: 0x003d0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x003e0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: GetTickCount base_address: 0x003f0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x004c0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤vL? base_address: 0x004d0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x004e0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: QueryPerformanceCounter base_address: 0x004f0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00500000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤vPO base_address: 0x00510000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00520000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: GetVersion base_address: 0x00530000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00540000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤vTS base_address: 0x00550000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x00560000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: GetCurrentThreadId base_address: 0x00570000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: kernel32.dll base_address: 0x00580000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: Õ³w"¤vE¤vXW base_address: 0x00590000 process_identifier: 2096 process_handle: 0x00000100	1	1	0
WriteProcessMemory Aug. 26, 2021, 8:31 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh0?FhD?Fè)(úÿPè3(úÿEèhT?FhD?Fè(úÿPè(úÿEähd?FhD?Fèù'úÿPè(úÿEàþu}ðëÎ×ÃèÏûÿÿEðUüÃè*ûÿÿEìjjMàº<>FÃèèûÿÿØÛtjÿSèò(úÿEôPSèp'úÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄìSEüEüEøE@ü¤EôëUEø@èÑèEìEøÀEðUìJÒr0BEðföÅðtE@ô]øfáÿ·ÉÁMIøEðJuÑEðEøEø+Eü;Eôr [å]Ã base_address: 0x005a0000 process_identifier: 2096 process_handle: 0x00000100	1	1	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.27ee757d743631d4
Cylance	Unsafe
BitDefenderTheta	Gen:NN.ZelphiF.34104.UGW@amxrxlci
ESET-NOD32	a variant of Win32/Injector.EPZM
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Diple.gen
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
SentinelOne	Static AI - Suspicious PE
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Diple.gen
Cynet	Malicious (score: 100)
VBA32	BScope.TrojanSpy.Noon
Malwarebytes	Malware.AI.4097121984
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.300983.susgen

bill.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All