In local memory movement scenarios, for example, when a loader places a payload into memory for execution, antimalware can detect malicious activity at the moment the payload bytes are written into the newly allocated executable memory region. Attackers may try to evade such detection by avoiding direct writes to new memory region and instead relying on other, legitimate Windows APIs …