Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 31, 2021, 11 a.m.	Aug. 31, 2021, 11:07 a.m.

Size	684.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aca08c69a22e6f4f07cb44a74e7b9dac`
SHA256	`8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85`
CRC32	`FD98E1DF`
ssdeep	`12288:9bSAuiSYEczIDyTFiPKu5mHNoMyqcLHazX:9bS78z7PuCqHqRD`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
3024

Name	Response	Post-Analysis Lookup
www.poorwhitetrashlivesmatter.net	CNAME poorwhitetrashlivesmatter.net A 34.102.136.180	34.102.136.180
www.aquarius-twins.com	A 194.230.72.206	194.230.72.206
www.o-distribs.com	CNAME ns0.anthtech.net A 62.4.7.10	62.4.7.10
www.listenstech.com	CNAME HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com A 3.223.115.185	3.223.115.185
www.empirerack.com	A 156.237.251.107	156.237.251.107
www.805thaifood.com	CNAME 805thaifood.com A 182.50.132.242	182.50.132.242
www.safeandsoundyachtservices.com	CNAME safeandsoundyachtservices.com A 34.102.136.180	34.102.136.180
www.betsysobiech.com
aceddq.bn.files.1drv.com	CNAME odc-bn-files-geo.onedrive.akadns.net CNAME bn-files.fe.1drv.com CNAME odc-bn-files-brs.onedrive.akadns.net A 13.107.42.12 CNAME bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net CNAME l-0003.l-msedge.net	13.107.42.12
www.tasteofourneighborhood.com	CNAME tasteofourneighborhood.com A 34.102.136.180	34.102.136.180
www.polaritelibrairie.com	CNAME polaritelibrairie.com A 34.102.136.180	34.102.136.180
www.enovexcorp.com	A 172.67.134.229 A 104.21.6.147	104.21.6.147
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13
www.manufacturedinjapan.com	A 183.181.81.33	183.181.81.33
www.redcountrypodcast.com	A 34.102.136.180 CNAME redcountrypodcast.com	34.102.136.180
www.workabhaile.com	A 209.99.40.222	209.99.40.222

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
156.237.251.107	Active	Moloch
164.124.101.2	Active	Moloch
172.67.134.229	Active	Moloch
182.50.132.242	Active	Moloch
183.181.81.33	Active	Moloch
194.230.72.206	Active	Moloch
209.99.40.222	Active	Moloch
3.223.115.185	Active	Moloch
34.102.136.180	Active	Moloch
62.4.7.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 194.230.72.206:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 194.230.72.206:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 194.230.72.206:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 182.50.132.242:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 182.50.132.242:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 182.50.132.242:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 183.181.81.33:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 183.181.81.33:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 183.181.81.33:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 209.99.40.222:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 172.67.134.229:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 209.99.40.222:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 172.67.134.229:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 209.99.40.222:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 172.67.134.229:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 156.237.251.107:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 156.237.251.107:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 156.237.251.107:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 3.223.115.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 3.223.115.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 3.223.115.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 62.4.7.10:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 62.4.7.10:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 62.4.7.10:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49201 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=onedrive.com	50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb
TLSv1 192.168.56.101:49203 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e
TLSv1 192.168.56.101:49202 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.o-distribs.com/ecuu/?uTuD=2fFFpbMyLUJzYlZhDT8vOGOwgFBPZS+/I9qabDuA36nCGLx7k9QeIlc/dOLT21aoTTouS1Gs&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.safeandsoundyachtservices.com/ecuu/?uTuD=Ze9u3c+JrkZMLd1iq8wEeNDhA8GBJvow2hjXqHEmaYUNXZ6LBYmY4Z/ain7TyThB0L5b8kMi&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.aquarius-twins.com/ecuu/?uTuD=i70bI06xK+671wXcZeZFUnUbIG41m3pyCPaR/31xF3WgPXN1BCrK4K5oBTRoN80eF7TYmcNc&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.redcountrypodcast.com/ecuu/?uTuD=C0rihD2hGnnRrpjswzT7uhuHD8PfbnuKKC7ou16TN5COtT4jGgPjFjduvIv/h6aCIOoNM/lg&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.workabhaile.com/ecuu/?uTuD=psKvWxiJggpO43FMpV003tzUv9VXMXoP5rDQMzIOVpzQQ6MlN6hUAQTlmRRdHO4IMuWhrhTy&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.listenstech.com/ecuu/?uTuD=kZQ2xSRRrPRSBp5jFhnjX1FSIADBjElgtC+7SfW5nxGr1YavPckfOpnPtRZoEBHlAahsqtq3&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.polaritelibrairie.com/ecuu/?uTuD=9V37CvjOwlD+G2cZgvNSMh0FDLzSpLIOzW7Ku/j/E3/FrLtCEhUpqK2rSLRqtlK3cTc9cFsZ&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.poorwhitetrashlivesmatter.net/ecuu/?uTuD=Pl7Wo/Sc18YTVh4ZfRYn9GaIW3hmPNugWLqq+bwHPa7GGyOQcNaR6G/8c/+q5jU1tNJ+hTp8&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.805thaifood.com/ecuu/?uTuD=hUTHBcYuod6wePbk0fg23NzqxmOoeRrbfmFgVJWVpfKHZh9llzJ0TA90NFAjaWRAYOQ0Eh2G&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tasteofourneighborhood.com/ecuu/?uTuD=2bt83kpOuVtEIWyxUzi5DXhitRFjdhq2G+J/5YNEy7Qmu4jdCi+MNXaEKclGMLIx7+ZhZc0n&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.enovexcorp.com/ecuu/?uTuD=bpzCTk/qdCIwipMedq6J/wQgKeK6uVGVcgTnCs1o93acAvo7q59x5CsOod7vCsrr9woKgHPq&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.empirerack.com/ecuu/?uTuD=GEQTnerqhYYOZeP3k5oh8uqumDp4pVGJvED355C55gboS73ReFUlDy35EJLcN622X6ywqSXw&Kj9ht=AVPd7xKPhhkxdz5p
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.manufacturedinjapan.com/ecuu/?uTuD=cm4EhB+xSusT2ZEgdpayhNT4zIjmvrOEKqQy1IzKW+qeT4TFPzigSNFvZaza7qmlNOHW0cnS&Kj9ht=AVPd7xKPhhkxdz5p

Performs some HTTP requests (29 events)

request	POST http://www.o-distribs.com/ecuu/
request	GET http://www.o-distribs.com/ecuu/?uTuD=2fFFpbMyLUJzYlZhDT8vOGOwgFBPZS+/I9qabDuA36nCGLx7k9QeIlc/dOLT21aoTTouS1Gs&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.safeandsoundyachtservices.com/ecuu/
request	GET http://www.safeandsoundyachtservices.com/ecuu/?uTuD=Ze9u3c+JrkZMLd1iq8wEeNDhA8GBJvow2hjXqHEmaYUNXZ6LBYmY4Z/ain7TyThB0L5b8kMi&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.aquarius-twins.com/ecuu/
request	GET http://www.aquarius-twins.com/ecuu/?uTuD=i70bI06xK+671wXcZeZFUnUbIG41m3pyCPaR/31xF3WgPXN1BCrK4K5oBTRoN80eF7TYmcNc&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.redcountrypodcast.com/ecuu/
request	GET http://www.redcountrypodcast.com/ecuu/?uTuD=C0rihD2hGnnRrpjswzT7uhuHD8PfbnuKKC7ou16TN5COtT4jGgPjFjduvIv/h6aCIOoNM/lg&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.workabhaile.com/ecuu/
request	GET http://www.workabhaile.com/ecuu/?uTuD=psKvWxiJggpO43FMpV003tzUv9VXMXoP5rDQMzIOVpzQQ6MlN6hUAQTlmRRdHO4IMuWhrhTy&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.listenstech.com/ecuu/
request	GET http://www.listenstech.com/ecuu/?uTuD=kZQ2xSRRrPRSBp5jFhnjX1FSIADBjElgtC+7SfW5nxGr1YavPckfOpnPtRZoEBHlAahsqtq3&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.polaritelibrairie.com/ecuu/
request	GET http://www.polaritelibrairie.com/ecuu/?uTuD=9V37CvjOwlD+G2cZgvNSMh0FDLzSpLIOzW7Ku/j/E3/FrLtCEhUpqK2rSLRqtlK3cTc9cFsZ&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.poorwhitetrashlivesmatter.net/ecuu/
request	GET http://www.poorwhitetrashlivesmatter.net/ecuu/?uTuD=Pl7Wo/Sc18YTVh4ZfRYn9GaIW3hmPNugWLqq+bwHPa7GGyOQcNaR6G/8c/+q5jU1tNJ+hTp8&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.805thaifood.com/ecuu/
request	GET http://www.805thaifood.com/ecuu/?uTuD=hUTHBcYuod6wePbk0fg23NzqxmOoeRrbfmFgVJWVpfKHZh9llzJ0TA90NFAjaWRAYOQ0Eh2G&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.tasteofourneighborhood.com/ecuu/
request	GET http://www.tasteofourneighborhood.com/ecuu/?uTuD=2bt83kpOuVtEIWyxUzi5DXhitRFjdhq2G+J/5YNEy7Qmu4jdCi+MNXaEKclGMLIx7+ZhZc0n&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.enovexcorp.com/ecuu/
request	GET http://www.enovexcorp.com/ecuu/?uTuD=bpzCTk/qdCIwipMedq6J/wQgKeK6uVGVcgTnCs1o93acAvo7q59x5CsOod7vCsrr9woKgHPq&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.empirerack.com/ecuu/
request	GET http://www.empirerack.com/ecuu/?uTuD=GEQTnerqhYYOZeP3k5oh8uqumDp4pVGJvED355C55gboS73ReFUlDy35EJLcN622X6ywqSXw&Kj9ht=AVPd7xKPhhkxdz5p
request	POST http://www.manufacturedinjapan.com/ecuu/
request	GET http://www.manufacturedinjapan.com/ecuu/?uTuD=cm4EhB+xSusT2ZEgdpayhNT4zIjmvrOEKqQy1IzKW+qeT4TFPzigSNFvZaza7qmlNOHW0cnS&Kj9ht=AVPd7xKPhhkxdz5p
request	GET https://onedrive.live.com/download?cid=D020578D515FAC65&resid=D020578D515FAC65%21111&authkey=AP6lzi_AotrWkq8
request	GET https://aceddq.bn.files.1drv.com/y4mmFuLrAmiQhwfiUX_9q9QkYs5bdmG7KRDr6ypX2gbItT1YDleYPEezFf9YGdUc9RoGpprgEYOf1PWKbcCYE6yO6x-iBBL3_2wsh8Em8fejrqpmtT9AbJj_kB-ykvyAre0Oz-9t5XOgmvYDpSytJYC5F7yj1YPgkcRA_y1K7e8We0sXJIPUZjpuM3fHrJA4ZfsWuX2n5pd2KqRsrHirYt5qQ/Zbgpobuadnduobcthrjxqnwjcfbhjre?download&psid=1
request	GET https://aceddq.bn.files.1drv.com/y4mnpzWq6nzESCeTlyX6547ecopygeoPVjTDPAiQ9qtDwqKns_kP9pal2sQV_WuqgOO1zDsyHgp0sFy8YUdVjz71GDq104jzsUljyKtvmHCmfkbdVcy0zDBruyz9JD3tzOgvgfADgk_UjNKTo5sKr19jQOwO3cmSXkqy9mipCj5i6pi8Ku67RZxJ81TTfPg2Ot43h_6RY8Ap802urbBvPCs2w/Zbgpobuadnduobcthrjxqnwjcfbhjre?download&psid=1

Sends data using the HTTP POST Method (13 events)

request	POST http://www.o-distribs.com/ecuu/
request	POST http://www.safeandsoundyachtservices.com/ecuu/
request	POST http://www.aquarius-twins.com/ecuu/
request	POST http://www.redcountrypodcast.com/ecuu/
request	POST http://www.workabhaile.com/ecuu/
request	POST http://www.listenstech.com/ecuu/
request	POST http://www.polaritelibrairie.com/ecuu/
request	POST http://www.poorwhitetrashlivesmatter.net/ecuu/
request	POST http://www.805thaifood.com/ecuu/
request	POST http://www.tasteofourneighborhood.com/ecuu/
request	POST http://www.enovexcorp.com/ecuu/
request	POST http://www.empirerack.com/ecuu/
request	POST http://www.manufacturedinjapan.com/ecuu/

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 3024 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 81920 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10411000 process_handle: 0xffffffff	1	0	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fc1682070ab6ece2a5980883ef46d8f5da1a10d2

Allocates execute permission to another process indicative of possible code injection (50 out of 498 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 out of 134 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 created a remote thread in non-child process 2264
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2256 process_identifier: 2264 function_address: 0x001e0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x000000f0	1	248	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1332 process_identifier: 2264 function_address: 0x00360000 flags: 0 stack_size: 0 parameter: 0x00350000 process_handle: 0x000000f0	1	248	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1536 process_identifier: 2264 function_address: 0x00220000 flags: 0 stack_size: 0 parameter: 0x00210000 process_handle: 0x000000f0	1	244	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 584 process_identifier: 2264 function_address: 0x00260000 flags: 0 stack_size: 0 parameter: 0x00250000 process_handle: 0x000000f0	1	252	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1396 process_identifier: 2264 function_address: 0x002a0000 flags: 0 stack_size: 0 parameter: 0x00290000 process_handle: 0x000000f0	1	256	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 288 process_identifier: 2264 function_address: 0x002e0000 flags: 0 stack_size: 0 parameter: 0x002d0000 process_handle: 0x000000f0	1	260	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2084 process_identifier: 2264 function_address: 0x00320000 flags: 0 stack_size: 0 parameter: 0x00310000 process_handle: 0x000000f0	1	264	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2744 process_identifier: 2264 function_address: 0x003a0000 flags: 0 stack_size: 0 parameter: 0x00390000 process_handle: 0x000000f0	1	268	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2624 process_identifier: 2264 function_address: 0x003e0000 flags: 0 stack_size: 0 parameter: 0x003d0000 process_handle: 0x000000f0	1	272	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1456 process_identifier: 2264 function_address: 0x00530000 flags: 0 stack_size: 0 parameter: 0x00520000 process_handle: 0x000000f0	1	276	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2936 process_identifier: 2264 function_address: 0x00570000 flags: 0 stack_size: 0 parameter: 0x00560000 process_handle: 0x000000f0	1	280	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 804 process_identifier: 2264 function_address: 0x005b0000 flags: 0 stack_size: 0 parameter: 0x005a0000 process_handle: 0x000000f0	1	284	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2364 process_identifier: 2264 function_address: 0x005f0000 flags: 0 stack_size: 0 parameter: 0x005e0000 process_handle: 0x000000f0	1	288	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1460 process_identifier: 2264 function_address: 0x00720000 flags: 0 stack_size: 0 parameter: 0x00710000 process_handle: 0x000000f0	1	292	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 596 process_identifier: 2264 function_address: 0x00760000 flags: 0 stack_size: 0 parameter: 0x00750000 process_handle: 0x000000f0	1	296	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2988 process_identifier: 2264 function_address: 0x00a30000 flags: 0 stack_size: 0 parameter: 0x00a20000 process_handle: 0x000000f0	1	300	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2164 process_identifier: 2264 function_address: 0x02010000 flags: 0 stack_size: 0 parameter: 0x02000000 process_handle: 0x000000f0	1	304	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 492 process_identifier: 2264 function_address: 0x02050000 flags: 0 stack_size: 0 parameter: 0x02040000 process_handle: 0x000000f0	1	308	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1976 process_identifier: 2264 function_address: 0x02090000 flags: 0 stack_size: 0 parameter: 0x02080000 process_handle: 0x000000f0	1	312	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 556 process_identifier: 2264 function_address: 0x020d0000 flags: 0 stack_size: 0 parameter: 0x020c0000 process_handle: 0x000000f0	1	316	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2044 process_identifier: 2264 function_address: 0x02110000 flags: 0 stack_size: 0 parameter: 0x02100000 process_handle: 0x000000f0	1	320	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2760 process_identifier: 2264 function_address: 0x02150000 flags: 0 stack_size: 0 parameter: 0x02140000 process_handle: 0x000000f0	1	324	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 656 process_identifier: 2264 function_address: 0x02190000 flags: 0 stack_size: 0 parameter: 0x02180000 process_handle: 0x000000f0	1	328	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1452 process_identifier: 2264 function_address: 0x021e0000 flags: 0 stack_size: 0 parameter: 0x021d0000 process_handle: 0x000000f0	1	332	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2720 process_identifier: 2264 function_address: 0x02220000 flags: 0 stack_size: 0 parameter: 0x02210000 process_handle: 0x000000f0	1	336	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1812 process_identifier: 2264 function_address: 0x02260000 flags: 0 stack_size: 0 parameter: 0x02250000 process_handle: 0x000000f0	1	340	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2856 process_identifier: 2264 function_address: 0x022a0000 flags: 0 stack_size: 0 parameter: 0x02290000 process_handle: 0x000000f0	1	344	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 668 process_identifier: 2264 function_address: 0x022e0000 flags: 0 stack_size: 0 parameter: 0x022d0000 process_handle: 0x000000f0	1	348	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1048 process_identifier: 2264 function_address: 0x02320000 flags: 0 stack_size: 0 parameter: 0x02310000 process_handle: 0x000000f0	1	352	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2664 process_identifier: 2264 function_address: 0x02360000 flags: 0 stack_size: 0 parameter: 0x02350000 process_handle: 0x000000f0	1	356	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2932 process_identifier: 2264 function_address: 0x023a0000 flags: 0 stack_size: 0 parameter: 0x02390000 process_handle: 0x000000f0	1	360	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2532 process_identifier: 2264 function_address: 0x023e0000 flags: 0 stack_size: 0 parameter: 0x023d0000 process_handle: 0x000000f0	1	364	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2112 process_identifier: 2264 function_address: 0x02420000 flags: 0 stack_size: 0 parameter: 0x02410000 process_handle: 0x000000f0	1	368	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2324 process_identifier: 2264 function_address: 0x02460000 flags: 0 stack_size: 0 parameter: 0x02450000 process_handle: 0x000000f0	1	372	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2772 process_identifier: 2264 function_address: 0x024a0000 flags: 0 stack_size: 0 parameter: 0x02490000 process_handle: 0x000000f0	1	376	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2696 process_identifier: 2264 function_address: 0x024e0000 flags: 0 stack_size: 0 parameter: 0x024d0000 process_handle: 0x000000f0	1	380	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2572 process_identifier: 2264 function_address: 0x02520000 flags: 0 stack_size: 0 parameter: 0x02510000 process_handle: 0x000000f0	1	384	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2092 process_identifier: 2264 function_address: 0x02560000 flags: 0 stack_size: 0 parameter: 0x02550000 process_handle: 0x000000f0	1	388	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1808 process_identifier: 2264 function_address: 0x025a0000 flags: 0 stack_size: 0 parameter: 0x02590000 process_handle: 0x000000f0	1	392	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2408 process_identifier: 2264 function_address: 0x025e0000 flags: 0 stack_size: 0 parameter: 0x025d0000 process_handle: 0x000000f0	1	396	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1120 process_identifier: 2264 function_address: 0x02620000 flags: 0 stack_size: 0 parameter: 0x02610000 process_handle: 0x000000f0	1	400	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 3028 process_identifier: 2264 function_address: 0x02660000 flags: 0 stack_size: 0 parameter: 0x02650000 process_handle: 0x000000f0	1	404	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2672 process_identifier: 2264 function_address: 0x026a0000 flags: 0 stack_size: 0 parameter: 0x02690000 process_handle: 0x000000f0	1	408	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1632 process_identifier: 2264 function_address: 0x026e0000 flags: 0 stack_size: 0 parameter: 0x026d0000 process_handle: 0x000000f0	1	412	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2840 process_identifier: 2264 function_address: 0x02720000 flags: 0 stack_size: 0 parameter: 0x02710000 process_handle: 0x000000f0	1	416	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1940 process_identifier: 2264 function_address: 0x02730000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x000000f0	1	420	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2660 process_identifier: 2264 function_address: 0x02760000 flags: 0 stack_size: 0 parameter: 0x02750000 process_handle: 0x000000f0	1	420	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 1760 process_identifier: 2264 function_address: 0x027a0000 flags: 0 stack_size: 0 parameter: 0x02790000 process_handle: 0x000000f0	1	424	0
CreateRemoteThread Aug. 31, 2021, 10:57 a.m.	thread_identifier: 2908 process_identifier: 2264 function_address: 0x027e0000 flags: 0 stack_size: 0 parameter: 0x027d0000 process_handle: 0x000000f0	1	428	0

Manipulates memory of a non-child process indicative of process injection (50 out of 499 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 manipulating memory of non-child process 2264
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0
NtAllocateVirtualMemory Aug. 31, 2021, 10:57 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0

Potential code injection by writing to the memory of another process (50 out of 498 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 injected into non-child 2264
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: hÿhÿ×IsuÕ?wkernel32.dllÿÿÿÿþ(ý¾t½r XýÉ½rÐý~<ýla½rQy½r.Ðý~Xý:½r6;ÃrèýmØ¾r°ý°ýÿÿÿÿþþr?@S%@ôý%@¼ýH¨VÐÀL¨VlþôýGEGElþ(þ¸E@ base_address: 0x001e0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: DeleteCriticalSection base_address: 0x00330000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00340000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu43 base_address: 0x00350000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x00360000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: LeaveCriticalSection base_address: 0x001f0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00200000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu base_address: 0x00210000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x00220000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: EnterCriticalSection base_address: 0x00230000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00240000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu$# base_address: 0x00250000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x00260000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: InitializeCriticalSection base_address: 0x00270000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00280000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu(' base_address: 0x00290000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x002a0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: VirtualFree base_address: 0x002b0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x002c0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu,+ base_address: 0x002d0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x002e0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: VirtualAlloc base_address: 0x002f0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00300000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu0/ base_address: 0x00310000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x00320000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: LocalFree base_address: 0x00370000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00380000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu87 base_address: 0x00390000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x003a0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: LocalAlloc base_address: 0x003b0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x003c0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu<; base_address: 0x003d0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x003e0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: GetTickCount base_address: 0x003f0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00510000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsuQ? base_address: 0x00520000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x00530000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: QueryPerformanceCounter base_address: 0x00540000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00550000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsuUT base_address: 0x00560000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x00570000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: GetVersion base_address: 0x00580000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x00590000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsuYX base_address: 0x005a0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x005b0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: GetCurrentThreadId base_address: 0x005c0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: kernel32.dll base_address: 0x005d0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: Õ?w"suEsu]\ base_address: 0x005e0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0
WriteProcessMemory Aug. 31, 2021, 10:57 a.m.	buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂUìÄàSVWùUüØu3ÀEøhKEh(KEèûÿPèûÿEèh8KEh(KEèýûÿPèÿûÿEähHKEh(KEèåûÿPèçûÿEàþu}ðëÎ×ÃèóöÿÿEðUüÃèªþÿÿEìjjMàºJEÃè¬úÿÿØÛtjÿSèÏûÿEôPSèUûÿEôEøEø_^[å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadUìÄØSVW3ÒUØUÜUàEü]ô}ÇÜ3ÀUhÚLEdÿ0d EüEøéEø@UBôEèEäPEpðÆè>ûÿPEàUèèÒúúÿMàEÆZèðúÿÿÀu1Uèè¬ûÿÿEÜUèèúúÿUÜE@ðèÏüÿÿEøxuEø@UBôéEøUBôësèkúÿÿÀtjáÿÿUèèáýÿÿEìë9UBôÀEðEØUðèúúÿEØèÔúúÿPMðUèè¦ýÿÿEìUì8uEøEøxÚþÿÿ3ÀZYYdháLEEØºèë÷úÿÃ base_address: 0x005f0000 process_identifier: 2264 process_handle: 0x000000f0	1	1	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Heur3.LPT.QGW@aK80jZiib
FireEye	Generic.mg.aca08c69a22e6f4f
ALYac	Gen:Trojan.Heur3.LPT.QGW@aK80jZiib
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
BitDefenderTheta	AI:Packer.C0BF90BD18
Cyren	W32/Delf_Troj.BX.gen!Eldorado
Symantec	Packed.Generic.516
ESET-NOD32	a variant of Win32/DllInject.KF potentially unsafe
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.NetWiredRC.gen
BitDefender	Gen:Trojan.Heur3.LPT.QGW@aK80jZiib
Ad-Aware	Gen:Trojan.Heur3.LPT.QGW@aK80jZiib
Emsisoft	Gen:Trojan.Heur3.LPT.QGW@aK80jZiib (B)
Avira	HEUR/AGEN.1141657
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Trojan.Heur3.LPT.QGW@aK80jZiib
Cynet	Malicious (score: 100)
MAX	malware (ai score=80)
VBA32	BScope.TrojanSpy.Noon
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/GenKryptik.FIVH!tr
Cybereason	malicious.9a22e6
Panda	Trj/GdSda.A

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All