| Time & API |
Arguments |
Status |
Return |
Repeated |
1619948414.288784
CreateProcessInternalW
|
thread_identifier:
2340
thread_handle:
0x00000108
process_identifier:
2456
current_directory:
filepath:
C:\Windows\System32\notepad.exe
track:
1
command_line:
filepath_r:
C:\Windows\system32\notepad.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619948414.288784
NtAllocateVirtualMemory
|
process_identifier:
2456
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
process_handle:
0x00000100
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x000f0000
|
success
|
0 |
0
|
1619948414.288784
NtAllocateVirtualMemory
|
process_identifier:
2456
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
4
(PAGE_READWRITE)
process_handle:
0x00000100
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
base_address:
0x00100000
|
success
|
0 |
0
|
1619948414.288784
WriteProcessMemory
|
process_identifier:
2456
buffer:
Q¹0���d�@�@���@��$�$YÃVWR¾§ÆgNè���Yø�v��·
¿Zw��f;Ït
¿Nt��f;Ïu�Â�è�
Àt�ÎÁá�þÁï��Ï�¾:�Ï3ñBHué_Æ^ÃUìQQM�SVW
Ét;¸MZ��f9�u1A<�Át*8PE��u"@xeü��Áx�X$p @��ù�Ù�ñEø
Àu
3À_^[ÉÃM�Eü��ÑèOÿÿÿ;E�t
ÿEüEü;Eøràë×Eü�·�C��E�ëÊUìQSW3ÿWWj�Wj�h���@ÿu�ÿV�Øûÿu�3Àë&WWWS}üÿV0W}�EüPWÿu�SÿV�SÿV�3À9}ü�À_[ÉÃ
Ét�è���
Àt�3Éf�ÃUìì����Vð
äüÿÿP3ÀPPj�PÿVl
À�
���j\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUü
äüÿÿèÖ���U�èÎ���UðèÆ���ÿu�
ìþÿÿÿu�PÿVxÄ�
äüÿÿPÿV�
ìþÿÿPèÂ���@P
ìþÿÿP
äüÿÿPèîþÿÿÄ�^ÉÃUìì,���j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEú
Ôýÿÿè¬���UÜè÷���EÿPÆEÿ�è����PEÿP
ÔýÿÿPè?þÿÿÄ�ÉÃUìQeü�VðEüPÿu�èþ���YY
Àt�}ü�t�ÿuüPÿu�è�þÿÿÄ�
Àt�3À@ë�3À^ÉÃUìì����SVðÏ
øýÿÿè'���Èè(þÿÿ3ÛS
øýÿÿPÿV�WÿV�8]�u�Wÿu�Æè~ÿÿÿYYØë }��u5SWÿu�ÿ�WÿV(3ÛøÿÏ�Ãèªþÿÿû�u�9]�u�WÿV(È�PWÿV,3À@ë�3À^[ÉÃUìì�SVWèsüÿÿø
ÿ�"���h"�¿WèÌüÿÿØYY
Û�����j�h�0��h���j�ÿÓð
ö�ñ���h¼Û«½W~`^@èüÿÿh�Ò¼WF$èüÿÿh|QgjWF(èyüÿÿhë�IWF,èküÿÿhå©WF0è]üÿÿh¥°�(WF4èOüÿÿh�)�·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWF�è�üÿÿhÕOd"WF�è�üÿÿhy.ÃWF�èöûÿÿh±��÷WF�èèûÿÿheóW÷WF�èÚûÿÿh¯4PWF�èÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~
WF�èûÿÿhà=!6WFHèûÿÿh�h#W�èûÿÿFLhÍ��eWèûÿÿhÓ1ÆVWFPèvûÿÿh7�½WFTèhûÿÿh£-ã�WFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32�ÿÓø
ÿt"hÀåz°W~dè,ûÿÿhêêºWFlè�ûÿÿÄ�FpEøPÇEøuserfÇEü32ÆEþ�ÿV ø
ÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF|èÂúÿÿÄ ���Æë�3À_^[ÉÃUìì\Vu�W3ÿ;÷�î���Sè¤ýÿÿØ;ßu�Wÿ�D���éÕ�������EüPë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPF�EøE�9>tYÿ¶�����¶����QP¾����Ãè¾üÿÿ}�3ÿÄ�9>t1jDE¤WPè����j�EèWPèü���Ä�EèPE¤PWWj WWWWÿu�ÿS$9¾(���t�l���P,���Pÿu�Ãè½úÿÿÄ�9¾����t�ë�j2ÿSPÿuüWWÿSL
ÀuïjdÿSPÿuøÿS�WÿSD[_3À^ÉÂ��Uìì�SW3ÿWWj�Wj�h���ÿu�}øÿV�Øûÿu�3Àë>WSÿV�Eô;Çt+j�h�0��PWÿV@Eø;Çt�WMüQÿuô}üPSÿV�EüM��SÿV�Eø_[ÉÃ�·�f�f
Òt�Vð+ñÁ��·�f��f
Òuñ^ÃUìQQE�EüEü�E�EøEü;Eøt�EüM��Eü@EüëçE�ÉÃf8�Vðt Æ�f>�u÷+ò�·
f���f
Éuñ^ÃD$��@Éuù+D$�HÃ
Éu�3ÀÃf9�Át À�f8�u÷+ÁÑøÃ
Ét èÚÿÿÿ
Àt�DAþë fù\t
è��·�f
Éuï3ÀÃ
process_handle:
0x00000100
base_address:
0x000f0000
|
success
|
1 |
0
|
1619948414.288784
WriteProcessMemory
|
process_identifier:
2456
buffer:
����C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�d�b�a�b�d�b�9�9�f�f�e�1�9�f�2�e�e�9�5�7�c�4�c�5�6�6�e�0�6�b�f�e�.�e�x�e�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�R�o�a�m�i�n�g�\�a�p�p�d�a�t�a�\�s�h�d�y�u�f�m�j�.�e�x�e�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"�C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�.�O�s�k�a�r�-�P�C�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�d�b�a�b�d�b�9�9�f�f�e�1�9�f�2�e�e�9�5�7�c�4�c�5�6�6�e�0�6�b�f�e�.�e�x�e�"� �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������w�e�b�����������������������������������������������������������set MQbk = creaTeoBJecT("wscrIPT.sheLl")
MqBk.ruN """%ls""", 0, False����������������������������������������������������������������������������������������������������������������������������������
process_handle:
0x00000100
base_address:
0x00100000
|
success
|
1 |
0
|
1619963594.532
CreateProcessInternalW
|
thread_identifier:
1060
thread_handle:
0x000000d0
process_identifier:
944
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000000cc
inherit_handles:
0
|
success
|
1 |
0
|
1619963595.000502
CreateProcessInternalW
|
thread_identifier:
340
thread_handle:
0x00000108
process_identifier:
2316
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619963595.000502
NtUnmapViewOfSection
|
process_identifier:
2316
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619963595.000502
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
2316
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619963595.062502
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619963595.062502
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503072
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
2316
|
success
|
0 |
0
|
1619963595.406502
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
2316
|
success
|
0 |
0
|
1619963595.609502
CreateProcessInternalW
|
thread_identifier:
2900
thread_handle:
0x0000010c
process_identifier:
2260
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe" 2 2316 6088984
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619963603.188
CreateProcessInternalW
|
thread_identifier:
3228
thread_handle:
0x000001a0
process_identifier:
3224
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x000001a4
inherit_handles:
0
|
success
|
1 |
0
|
1619963604.641125
CreateProcessInternalW
|
thread_identifier:
3304
thread_handle:
0x00000108
process_identifier:
3300
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619963604.641125
NtUnmapViewOfSection
|
process_identifier:
3300
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619963604.673125
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3300
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619963604.813125
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619963604.813125
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503072
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3300
|
success
|
0 |
0
|
1619963605.188125
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
3300
|
success
|
0 |
0
|
1619963605.266125
CreateProcessInternalW
|
thread_identifier:
3368
thread_handle:
0x0000010c
process_identifier:
3364
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe" 2 3300 6098765
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619963607.875375
CreateProcessInternalW
|
thread_identifier:
3488
thread_handle:
0x0000012c
process_identifier:
3484
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000130
inherit_handles:
0
|
success
|
1 |
0
|
1619963609.2655
CreateProcessInternalW
|
thread_identifier:
3568
thread_handle:
0x00000108
process_identifier:
3564
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619963609.2655
NtUnmapViewOfSection
|
process_identifier:
3564
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619963609.2975
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3564
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619963609.3905
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619963609.3905
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503072
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3564
|
success
|
0 |
0
|
1619963609.9685
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
3564
|
success
|
0 |
0
|
1619963610.1565
CreateProcessInternalW
|
thread_identifier:
3632
thread_handle:
0x0000010c
process_identifier:
3628
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe" 2 3564 6103546
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619963613.204125
CreateProcessInternalW
|
thread_identifier:
3740
thread_handle:
0x00000128
process_identifier:
3736
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000012c
inherit_handles:
0
|
success
|
1 |
0
|
1619963614.343625
CreateProcessInternalW
|
thread_identifier:
3820
thread_handle:
0x00000108
process_identifier:
3816
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619963614.343625
NtUnmapViewOfSection
|
process_identifier:
3816
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619963614.359625
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3816
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619963614.406625
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619963614.406625
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503072
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
3816
|
success
|
0 |
0
|
1619963614.843625
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
3816
|
success
|
0 |
0
|
1619963615.797625
CreateProcessInternalW
|
thread_identifier:
3880
thread_handle:
0x0000010c
process_identifier:
3876
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe" 2 3816 6108421
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619963620.640375
CreateProcessInternalW
|
thread_identifier:
4004
thread_handle:
0x0000014c
process_identifier:
4000
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x00000150
inherit_handles:
0
|
success
|
1 |
0
|
1619963621.828875
CreateProcessInternalW
|
thread_identifier:
4076
thread_handle:
0x00000108
process_identifier:
4072
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619963621.828875
NtUnmapViewOfSection
|
process_identifier:
4072
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619963621.843875
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
4072
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619963621.937875
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|
1619963621.937875
NtSetContextThread
|
thread_handle:
0x00000108
registers.eip:
0
registers.esp:
0
registers.edi:
0
registers.eax:
5503072
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
process_identifier:
4072
|
success
|
0 |
0
|
1619963622.562875
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
4072
|
success
|
0 |
0
|
1619963622.765875
CreateProcessInternalW
|
thread_identifier:
3084
thread_handle:
0x0000010c
process_identifier:
3080
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe" 2 4072 6116156
filepath_r:
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000011c
inherit_handles:
0
|
success
|
1 |
0
|
1619963630.390502
CreateProcessInternalW
|
thread_identifier:
1868
thread_handle:
0x00000188
process_identifier:
3152
current_directory:
filepath:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
track:
1
command_line:
filepath_r:
C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe
stack_pivoted:
0
creation_flags:
32
(NORMAL_PRIORITY_CLASS)
process_handle:
0x0000018c
inherit_handles:
0
|
success
|
1 |
0
|
1619963631.26625
CreateProcessInternalW
|
thread_identifier:
3400
thread_handle:
0x00000108
process_identifier:
3404
current_directory:
filepath:
track:
1
command_line:
"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\shdyufmj.exe"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
process_handle:
0x00000100
inherit_handles:
0
|
success
|
1 |
0
|
1619963631.26625
NtUnmapViewOfSection
|
process_identifier:
3404
region_size:
4096
process_handle:
0x00000100
base_address:
0x00400000
|
success
|
0 |
0
|
1619963631.28225
NtMapViewOfSection
|
section_handle:
0x00000110
process_identifier:
3404
commit_size:
1314816
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
process_handle:
0x00000100
allocation_type:
0
()
section_offset:
0
view_size:
1314816
base_address:
0x00400000
|
success
|
0 |
0
|
1619963631.40725
NtGetContextThread
|
thread_handle:
0x00000108
|
success
|
0 |
0
|