| Time & API |
Arguments |
Status |
Return |
Repeated |
1619912873.1875
CreateProcessInternalW
|
thread_identifier:
284
thread_handle:
0x00000120
process_identifier:
3064
current_directory:
filepath:
C:\Windows\System32\notepad.exe
track:
1
command_line:
filepath_r:
C:\Windows\system32\notepad.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000118
inherit_handles:
0
|
success
|
1 |
0
|
1619912873.1875
NtAllocateVirtualMemory
|
process_identifier:
3064
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
process_handle:
0x00000118
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x000b0000
|
success
|
0 |
0
|
1619912873.1875
NtAllocateVirtualMemory
|
process_identifier:
3064
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
4
(PAGE_READWRITE)
process_handle:
0x00000118
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x000c0000
|
success
|
0 |
0
|
1619912873.1875
WriteProcessMemory
|
process_identifier:
3064
buffer:
Q¹0���d�@�@���@��$�$YÃVWR¾§ÆgNè���Yø�v��·
¿Zw��f;Ït
¿Nt��f;Ïu�Â�è�
Àt�ÎÁá�þÁï��Ï�¾:�Ï3ñBHué_Æ^ÃUìQQM�SVW
Ét;¸MZ��f9�u1A<�Át*8PE��u"@xeü��Áx�X$p @��ù�Ù�ñEø
Àu
3À_^[ÉÃM�Eü��ÑèOÿÿÿ;E�t
ÿEüEü;Eøràë×Eü�·�C��E�ëÊUìQSW3ÿWWj�Wj�h���@ÿu�ÿV�Øûÿu�3Àë&WWWS}üÿV0W}�EüPWÿu�SÿV�SÿV�3À9}ü�À_[ÉÃ
Ét�è���
Àt�3Éf�ÃUìì����Vð
äüÿÿP3ÀPPj�PÿVl
À�
���j\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUü
äüÿÿèÖ���U�èÎ���UðèÆ���ÿu�
ìþÿÿÿu�PÿVxÄ�
äüÿÿPÿV�
ìþÿÿPèÂ���@P
ìþÿÿP
äüÿÿPèîþÿÿÄ�^ÉÃUìì,���j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEú
Ôýÿÿè¬���UÜè÷���EÿPÆEÿ�è����PEÿP
ÔýÿÿPè?þÿÿÄ�ÉÃUìQeü�VðEüPÿu�èþ���YY
Àt�}ü�t�ÿuüPÿu�è�þÿÿÄ�
Àt�3À@ë�3À^ÉÃUìì����SVðÏ
øýÿÿè'���Èè(þÿÿ3ÛS
øýÿÿPÿV�WÿV�8]�u�Wÿu�Æè~ÿÿÿYYØë }��u5SWÿu�ÿ�WÿV(3ÛøÿÏ�Ãèªþÿÿû�u�9]�u�WÿV(È�PWÿV,3À@ë�3À^[ÉÃUìì�SVWèsüÿÿø
ÿ�"���h"�¿WèÌüÿÿØYY
Û�����j�h�0��h���j�ÿÓð
ö�ñ���h¼Û«½W~`^@èüÿÿh�Ò¼WF$èüÿÿh|QgjWF(èyüÿÿhë�IWF,èküÿÿhå©WF0è]üÿÿh¥°�(WF4èOüÿÿh�)�·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWF�è�üÿÿhÕOd"WF�è�üÿÿhy.ÃWF�èöûÿÿh±��÷WF�èèûÿÿheóW÷WF�èÚûÿÿh¯4PWF�èÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~
WF�èûÿÿhà=!6WFHèûÿÿh�h#W�èûÿÿFLhÍ��eWèûÿÿhÓ1ÆVWFPèvûÿÿh7�½WFTèhûÿÿh£-ã�WFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32�ÿÓø
ÿt"hÀåz°W~dè,ûÿÿhêêºWFlè�ûÿÿÄ�FpEøPÇEøuserfÇEü32ÆEþ�ÿV ø
ÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF|èÂúÿÿÄ ���Æë�3À_^[ÉÃUìì\Vu�W3ÿ;÷�î���Sè¤ýÿÿØ;ßu�Wÿ�D���éÕ�������EüPë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPF�EøE�9>tYÿ¶�����¶����QP¾����Ãè¾üÿÿ}�3ÿÄ�9>t1jDE¤WPè����j�EèWPèü���Ä�EèPE¤PWWj WWWWÿu�ÿS$9¾(���t�l���P,���Pÿu�Ãè½úÿÿÄ�9¾����t�ë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPÿuøÿS�WÿSD[_3À^ÉÂ��Uìì�SW3ÿWWj�Wj�h���ÿu�}øÿV�Øûÿu�3Àë>WSÿV�Eô;Çt+j�h�0��PWÿV@Eø;Çt�WMüQÿuô}üPSÿV�EüM��SÿV�Eø_[ÉÃ�·�f�f
Òt�Vð+ñÁ��·�f��f
Òuñ^ÃUìQQE�EüEü�E�EøEü;Eøt�EüM��Eü@EüëçE�ÉÃf8�Vðt Æ�f>�u÷+ò�·
f���f
Éuñ^ÃD$��@Éuù+D$�HÃ
Éu�3ÀÃf9�Át À�f8�u÷+ÁÑøÃ
Ét èÚÿÿÿ
Àt�DAþë fù\t
è��·�f
Éuï3ÀÃ
process_handle:
0x00000118
base_address:
0x000b0000
|
success
|
1 |
0
|
1619912873.1875
WriteProcessMemory
|
process_identifier:
3064
buffer:
����C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�6�e�2�1�7�0�e�8�6�6�c�5�2�d�5�7�f�8�7�3�1�d�5�b�9�7�0�0�0�1�1�.�e�x�e�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�R�o�a�m�i�n�g�\�a�p�p�d�a�t�a�\�h�d�g�f�h�j�e�u�.�e�x�e�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"�C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�c�6�e�2�1�7�0�e�8�6�6�c�5�2�d�5�7�f�8�7�3�1�d�5�b�9�7�0�0�0�1�1�.�e�x�e�"� �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������w�e�b�����������������������������������������������������������SEt ztxp = creatEOBJeCt("WscriPT.shell")
ztxP.run """%ls""", 0, False����������������������������������������������������������������������������������������������������������������������������������
process_handle:
0x00000118
base_address:
0x000c0000
|
success
|
1 |
0
|
1619912873.53125
CreateProcessInternalW
|
thread_identifier:
2656
thread_handle:
0x000000d0
process_identifier:
1208
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000000cc
inherit_handles:
0
|
success
|
1 |
0
|
1619912873.75075
CreateProcessInternalW
|
thread_identifier:
2428
thread_handle:
0x00000120
process_identifier:
3036
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000118
inherit_handles:
0
|
success
|
1 |
0
|
1619912873.75075
NtUnmapViewOfSection
|
process_identifier:
3036
region_size:
4096
process_handle:
0x00000118
base_address:
0x00400000
|
success
|
0 |
0
|
1619912873.75075
NtMapViewOfSection
|
section_handle:
0x00000128
process_identifier:
3036
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000118
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619912873.78175
NtGetContextThread
|
thread_handle:
0x00000120
|
success
|
0 |
0
|
1619912873.78175
NtSetContextThread
|
thread_handle:
0x00000120
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503936
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3036
|
success
|
0 |
0
|
1619912875.65675
NtResumeThread
|
thread_handle:
0x00000120
suspend_count:
1
process_identifier:
3036
|
success
|
0 |
0
|
1619912875.67175
CreateProcessInternalW
|
thread_identifier:
2032
thread_handle:
0x00000124
process_identifier:
196
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe" 2 3036 13312906
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000134
inherit_handles:
0
|
success
|
1 |
0
|
1619912895.078375
CreateProcessInternalW
|
thread_identifier:
3284
thread_handle:
0x000003d4
process_identifier:
3280
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000003d8
inherit_handles:
0
|
success
|
1 |
0
|
1619912895.34375
CreateProcessInternalW
|
thread_identifier:
3356
thread_handle:
0x00000120
process_identifier:
3352
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000118
inherit_handles:
0
|
success
|
1 |
0
|
1619912895.34375
NtUnmapViewOfSection
|
process_identifier:
3352
region_size:
4096
process_handle:
0x00000118
base_address:
0x00400000
|
success
|
0 |
0
|
1619912895.34375
NtMapViewOfSection
|
section_handle:
0x00000128
process_identifier:
3352
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000118
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619912895.37575
NtGetContextThread
|
thread_handle:
0x00000120
|
success
|
0 |
0
|
1619912895.37575
NtSetContextThread
|
thread_handle:
0x00000120
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503936
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3352
|
success
|
0 |
0
|
1619912895.43775
NtResumeThread
|
thread_handle:
0x00000120
suspend_count:
1
process_identifier:
3352
|
success
|
0 |
0
|
1619912895.45375
CreateProcessInternalW
|
thread_identifier:
3416
thread_handle:
0x00000124
process_identifier:
3412
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe" 2 3352 13332687
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000134
inherit_handles:
0
|
success
|
1 |
0
|
1619912899.468625
CreateProcessInternalW
|
thread_identifier:
3520
thread_handle:
0x000001a4
process_identifier:
3516
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000001a8
inherit_handles:
0
|
success
|
1 |
0
|
1619912899.703875
CreateProcessInternalW
|
thread_identifier:
3592
thread_handle:
0x00000120
process_identifier:
3588
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000118
inherit_handles:
0
|
success
|
1 |
0
|
1619912899.703875
NtUnmapViewOfSection
|
process_identifier:
3588
region_size:
4096
process_handle:
0x00000118
base_address:
0x00400000
|
success
|
0 |
0
|
1619912899.718875
NtMapViewOfSection
|
section_handle:
0x00000128
process_identifier:
3588
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000118
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619912899.734875
NtGetContextThread
|
thread_handle:
0x00000120
|
success
|
0 |
0
|
1619912899.734875
NtSetContextThread
|
thread_handle:
0x00000120
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503936
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3588
|
success
|
0 |
0
|
1619912901.453875
NtResumeThread
|
thread_handle:
0x00000120
suspend_count:
1
process_identifier:
3588
|
success
|
0 |
0
|
1619912901.468875
CreateProcessInternalW
|
thread_identifier:
3660
thread_handle:
0x00000124
process_identifier:
3656
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe" 2 3588 13338703
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000134
inherit_handles:
0
|
success
|
1 |
0
|
1619912901.85925
CreateProcessInternalW
|
thread_identifier:
3764
thread_handle:
0x00000120
process_identifier:
3760
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000124
inherit_handles:
0
|
success
|
1 |
0
|
1619912902.1095
CreateProcessInternalW
|
thread_identifier:
3836
thread_handle:
0x00000120
process_identifier:
3832
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000118
inherit_handles:
0
|
success
|
1 |
0
|
1619912902.1095
NtUnmapViewOfSection
|
process_identifier:
3832
region_size:
4096
process_handle:
0x00000118
base_address:
0x00400000
|
success
|
0 |
0
|
1619912902.1095
NtMapViewOfSection
|
section_handle:
0x00000128
process_identifier:
3832
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000118
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619912902.1255
NtGetContextThread
|
thread_handle:
0x00000120
|
success
|
0 |
0
|
1619912902.1405
NtSetContextThread
|
thread_handle:
0x00000120
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503936
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3832
|
success
|
0 |
0
|
1619912902.1565
NtResumeThread
|
thread_handle:
0x00000120
suspend_count:
1
process_identifier:
3832
|
success
|
0 |
0
|
1619912902.1715
CreateProcessInternalW
|
thread_identifier:
3896
thread_handle:
0x00000124
process_identifier:
3892
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe" 2 3832 13339406
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000134
inherit_handles:
0
|
success
|
1 |
0
|
1619912903.031375
CreateProcessInternalW
|
thread_identifier:
4000
thread_handle:
0x00000130
process_identifier:
3996
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000134
inherit_handles:
0
|
success
|
1 |
0
|
1619912903.281375
CreateProcessInternalW
|
thread_identifier:
4072
thread_handle:
0x00000120
process_identifier:
4068
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000118
inherit_handles:
0
|
success
|
1 |
0
|
1619912903.281375
NtUnmapViewOfSection
|
process_identifier:
4068
region_size:
4096
process_handle:
0x00000118
base_address:
0x00400000
|
success
|
0 |
0
|
1619912903.281375
NtMapViewOfSection
|
section_handle:
0x00000128
process_identifier:
4068
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000118
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619912903.390375
NtGetContextThread
|
thread_handle:
0x00000120
|
success
|
0 |
0
|
1619912903.390375
NtSetContextThread
|
thread_handle:
0x00000120
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503936
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
4068
|
success
|
0 |
0
|
1619912903.546375
NtResumeThread
|
thread_handle:
0x00000120
suspend_count:
1
process_identifier:
4068
|
success
|
0 |
0
|
1619912903.578375
CreateProcessInternalW
|
thread_identifier:
1868
thread_handle:
0x00000124
process_identifier:
1824
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe" 2 4068 13340796
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000134
inherit_handles:
0
|
success
|
1 |
0
|
1619912904.796625
CreateProcessInternalW
|
thread_identifier:
2948
thread_handle:
0x0000013c
process_identifier:
3140
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000140
inherit_handles:
0
|
success
|
1 |
0
|
1619912905.031375
CreateProcessInternalW
|
thread_identifier:
2656
thread_handle:
0x00000120
process_identifier:
2952
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdgfhjeu.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000118
inherit_handles:
0
|
success
|
1 |
0
|
1619912905.031375
NtUnmapViewOfSection
|
process_identifier:
2952
region_size:
4096
process_handle:
0x00000118
base_address:
0x00400000
|
success
|
0 |
0
|
1619912905.031375
NtMapViewOfSection
|
section_handle:
0x00000128
process_identifier:
2952
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000118
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619912905.234375
NtGetContextThread
|
thread_handle:
0x00000120
|
success
|
0 |
0
|