| Time & API |
Arguments |
Status |
Return |
Repeated |
1619685945.89025
CreateProcessInternalW
|
thread_identifier:
1940
thread_handle:
0x00000108
process_identifier:
1916
current_directory:
filepath:
C:\Windows\System32\notepad.exe
track:
1
command_line:
filepath_r:
C:\Windows\system32\notepad.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619685945.89025
NtAllocateVirtualMemory
|
process_identifier:
1916
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
process_handle:
0x00000100
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x000b0000
|
success
|
0 |
0
|
1619685945.89025
NtAllocateVirtualMemory
|
process_identifier:
1916
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
4
(PAGE_READWRITE)
process_handle:
0x00000100
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x000c0000
|
success
|
0 |
0
|
1619685945.89025
WriteProcessMemory
|
process_identifier:
1916
buffer:
Q¹0���d�@�@���@��$�$YÃVWR¾§ÆgNè���Yø�v��·
¿Zw��f;Ït
¿Nt��f;Ïu�Â�è�
Àt�ÎÁá�þÁï��Ï�¾:�Ï3ñBHué_Æ^ÃUìQQM�SVW
Ét;¸MZ��f9�u1A<�Át*8PE��u"@xeü��Áx�X$p @��ù�Ù�ñEø
Àu
3À_^[ÉÃM�Eü��ÑèOÿÿÿ;E�t
ÿEüEü;Eøràë×Eü�·�C��E�ëÊUìQSW3ÿWWj�Wj�h���@ÿu�ÿV�Øûÿu�3Àë&WWWS}üÿV0W}�EüPWÿu�SÿV�SÿV�3À9}ü�À_[ÉÃ
Ét�è���
Àt�3Éf�ÃUìì����Vð
äüÿÿP3ÀPPj�PÿVl
À�
���j\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUü
äüÿÿèÖ���U�èÎ���UðèÆ���ÿu�
ìþÿÿÿu�PÿVxÄ�
äüÿÿPÿV�
ìþÿÿPèÂ���@P
ìþÿÿP
äüÿÿPèîþÿÿÄ�^ÉÃUìì,���j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEú
Ôýÿÿè¬���UÜè÷���EÿPÆEÿ�è����PEÿP
ÔýÿÿPè?þÿÿÄ�ÉÃUìQeü�VðEüPÿu�èþ���YY
Àt�}ü�t�ÿuüPÿu�è�þÿÿÄ�
Àt�3À@ë�3À^ÉÃUìì����SVðÏ
øýÿÿè'���Èè(þÿÿ3ÛS
øýÿÿPÿV�WÿV�8]�u�Wÿu�Æè~ÿÿÿYYØë }��u5SWÿu�ÿ�WÿV(3ÛøÿÏ�Ãèªþÿÿû�u�9]�u�WÿV(È�PWÿV,3À@ë�3À^[ÉÃUìì�SVWèsüÿÿø
ÿ�"���h"�¿WèÌüÿÿØYY
Û�����j�h�0��h���j�ÿÓð
ö�ñ���h¼Û«½W~`^@èüÿÿh�Ò¼WF$èüÿÿh|QgjWF(èyüÿÿhë�IWF,èküÿÿhå©WF0è]üÿÿh¥°�(WF4èOüÿÿh�)�·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWF�è�üÿÿhÕOd"WF�è�üÿÿhy.ÃWF�èöûÿÿh±��÷WF�èèûÿÿheóW÷WF�èÚûÿÿh¯4PWF�èÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~
WF�èûÿÿhà=!6WFHèûÿÿh�h#W�èûÿÿFLhÍ��eWèûÿÿhÓ1ÆVWFPèvûÿÿh7�½WFTèhûÿÿh£-ã�WFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32�ÿÓø
ÿt"hÀåz°W~dè,ûÿÿhêêºWFlè�ûÿÿÄ�FpEøPÇEøuserfÇEü32ÆEþ�ÿV ø
ÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF|èÂúÿÿÄ ���Æë�3À_^[ÉÃUìì\Vu�W3ÿ;÷�î���Sè¤ýÿÿØ;ßu�Wÿ�D���éÕ�������EüPë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPF�EøE�9>tYÿ¶�����¶����QP¾����Ãè¾üÿÿ}�3ÿÄ�9>t1jDE¤WPè����j�EèWPèü���Ä�EèPE¤PWWj WWWWÿu�ÿS$9¾(���t�l���P,���Pÿu�Ãè½úÿÿÄ�9¾����t�ë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPÿuøÿS�WÿSD[_3À^ÉÂ��Uìì�SW3ÿWWj�Wj�h���ÿu�}øÿV�Øûÿu�3Àë>WSÿV�Eô;Çt+j�h�0��PWÿV@Eø;Çt�WMüQÿuô}üPSÿV�EüM��SÿV�Eø_[ÉÃ�·�f�f
Òt�Vð+ñÁ��·�f��f
Òuñ^ÃUìQQE�EüEü�E�EøEü;Eøt�EüM��Eü@EüëçE�ÉÃf8�Vðt Æ�f>�u÷+ò�·
f���f
Éuñ^ÃD$��@Éuù+D$�HÃ
Éu�3ÀÃf9�Át À�f8�u÷+ÁÑøÃ
Ét èÚÿÿÿ
Àt�DAþë fù\t
è��·�f
Éuï3ÀÃ
process_handle:
0x00000100
base_address:
0x000b0000
|
success
|
1 |
0
|
1619685945.89025
WriteProcessMemory
|
process_identifier:
1916
buffer:
����C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�8�3�f�3�5�f�7�8�4�8�1�2�c�6�9�5�7�5�c�2�9�b�a�d�4�a�9�7�f�f�1�2�.�e�x�e�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�R�o�a�m�i�n�g�\�a�p�p�d�a�t�a�\�h�h�s�y�r�b�s�.�e�x�e�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"�C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�8�3�f�3�5�f�7�8�4�8�1�2�c�6�9�5�7�5�c�2�9�b�a�d�4�a�9�7�f�f�1�2�.�e�x�e�"� �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
process_handle:
0x00000100
base_address:
0x000c0000
|
success
|
1 |
0
|
1619685946.266
CreateProcessInternalW
|
thread_identifier:
2632
thread_handle:
0x000000d0
process_identifier:
2712
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000000cc
inherit_handles:
0
|
success
|
1 |
0
|
1619698724.605999
CreateProcessInternalW
|
thread_identifier:
1912
thread_handle:
0x00000108
process_identifier:
2064
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619698724.605999
NtUnmapViewOfSection
|
process_identifier:
2064
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619698724.605999
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
2064
commit_size:
520192
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
520192
base_address:
0x00400000
|
success
|
0 |
0
|
1619698724.621999
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619698724.621999
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4708144
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
2064
|
success
|
0 |
0
|
1619698725.355999
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
2064
|
success
|
0 |
0
|
1619698725.371999
CreateProcessInternalW
|
thread_identifier:
2040
thread_handle:
0x0000010c
process_identifier:
284
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe" 2 2064 21699234
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619698752.261876
CreateProcessInternalW
|
thread_identifier:
3412
thread_handle:
0x000004d4
process_identifier:
3408
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000004d8
inherit_handles:
0
|
success
|
1 |
0
|
1619698752.497124
CreateProcessInternalW
|
thread_identifier:
3484
thread_handle:
0x00000108
process_identifier:
3480
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619698752.497124
NtUnmapViewOfSection
|
process_identifier:
3480
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619698752.497124
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3480
commit_size:
520192
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
520192
base_address:
0x00400000
|
success
|
0 |
0
|
1619698752.497124
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619698752.497124
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4708144
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3480
|
success
|
0 |
0
|
1619698752.590124
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
3480
|
success
|
0 |
0
|
1619698752.606124
CreateProcessInternalW
|
thread_identifier:
3544
thread_handle:
0x0000010c
process_identifier:
3540
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe" 2 3480 21726468
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619698754.933876
CreateProcessInternalW
|
thread_identifier:
3660
thread_handle:
0x00000150
process_identifier:
3656
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000154
inherit_handles:
0
|
success
|
1 |
0
|
1619698755.105999
CreateProcessInternalW
|
thread_identifier:
3732
thread_handle:
0x00000108
process_identifier:
3728
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619698755.105999
NtUnmapViewOfSection
|
process_identifier:
3728
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619698755.105999
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3728
commit_size:
520192
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
520192
base_address:
0x00400000
|
success
|
0 |
0
|
1619698755.121999
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619698755.121999
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4708144
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3728
|
success
|
0 |
0
|
1619698755.152999
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
3728
|
success
|
0 |
0
|
1619698755.152999
CreateProcessInternalW
|
thread_identifier:
3792
thread_handle:
0x0000010c
process_identifier:
3788
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe" 2 3728 21729031
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619698758.589751
CreateProcessInternalW
|
thread_identifier:
3908
thread_handle:
0x0000016c
process_identifier:
3904
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000170
inherit_handles:
0
|
success
|
1 |
0
|
1619698759.511876
CreateProcessInternalW
|
thread_identifier:
3984
thread_handle:
0x00000108
process_identifier:
3980
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619698759.511876
NtUnmapViewOfSection
|
process_identifier:
3980
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619698759.511876
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3980
commit_size:
520192
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
520192
base_address:
0x00400000
|
success
|
0 |
0
|
1619698759.511876
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619698759.511876
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4708144
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3980
|
success
|
0 |
0
|
1619698759.824876
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
3980
|
success
|
0 |
0
|
1619698759.824876
CreateProcessInternalW
|
thread_identifier:
4044
thread_handle:
0x0000010c
process_identifier:
4040
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe" 2 3980 21733703
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619698766.277626
CreateProcessInternalW
|
thread_identifier:
2604
thread_handle:
0x000001bc
process_identifier:
2960
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000001c0
inherit_handles:
0
|
success
|
1 |
0
|
1619698767.026062
CreateProcessInternalW
|
thread_identifier:
2448
thread_handle:
0x00000108
process_identifier:
2548
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619698767.026062
NtUnmapViewOfSection
|
process_identifier:
2548
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619698767.026062
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
2548
commit_size:
520192
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
520192
base_address:
0x00400000
|
success
|
0 |
0
|
1619698767.338062
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619698767.338062
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
4708144
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
2548
|
success
|
0 |
0
|
1619698767.432062
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
2548
|
success
|
0 |
0
|
1619698767.448062
CreateProcessInternalW
|
thread_identifier:
2576
thread_handle:
0x0000010c
process_identifier:
1344
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe" 2 2548 21741015
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619698774.535564
CreateProcessInternalW
|
thread_identifier:
3424
thread_handle:
0x000001d8
process_identifier:
3204
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000001dc
inherit_handles:
0
|
success
|
1 |
0
|
1619698775.956872
CreateProcessInternalW
|
thread_identifier:
3520
thread_handle:
0x00000108
process_identifier:
3528
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hhsyrbs.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619698775.956872
NtUnmapViewOfSection
|
process_identifier:
3528
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619698775.956872
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3528
commit_size:
520192
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
520192
base_address:
0x00400000
|
success
|
0 |
0
|
1619698776.441872
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|