NtResumeThread
|
thread_handle:
0x00000188
suspend_count:
1
process_identifier:
2332
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
2228
thread_handle:
0x000002c8
process_identifier:
2852
current_directory:
C:\Users\test22\AppData\Local\Temp
filepath:
C:\Windows\System32\cmd.exe
track:
1
command_line:
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h
filepath_r:
C:\Windows\System32\cmd.exe
stack_pivoted:
0
creation_flags:
67634192
(CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles:
0
process_handle:
0x000002d0
|
1
|
1 |
0
|
CreateProcessInternalW
|
thread_identifier:
1444
thread_handle:
0x000002c8
process_identifier:
1304
current_directory:
C:\Users\test22\AppData\Local\Temp
filepath:
C:\Windows\System32\cmd.exe
track:
1
command_line:
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
filepath_r:
C:\Windows\System32\cmd.exe
stack_pivoted:
0
creation_flags:
67634192
(CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles:
0
process_handle:
0x000002bc
|
1
|
1 |
0
|
CreateProcessInternalW
|
thread_identifier:
2364
thread_handle:
0x00000280
process_identifier:
1892
current_directory:
filepath:
track:
1
command_line:
notepad
filepath_r:
stack_pivoted:
0
creation_flags:
134217728
(CREATE_NO_WINDOW)
inherit_handles:
0
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000b0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
kernel32.dll
base_address:
0x000b0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000c0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
user32.dll
base_address:
0x000c0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000d0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
Sleep
base_address:
0x000d0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000e0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
MessageBoxA
base_address:
0x000e0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000f0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
ExitThread
base_address:
0x000f0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x00100000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
DeleteFileA
base_address:
0x00100000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x00110000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
GetLastError
base_address:
0x00110000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x00120000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
TerminateProcess
base_address:
0x00120000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x00130000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
CloseHandle
base_address:
0x00130000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x00140000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
OpenProcess
base_address:
0x00140000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x00150000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
GetExitCodeProcess
base_address:
0x00150000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x001a0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
C:\Users\test22\AppData\Local\Temp\Lady.exe
base_address:
0x001a0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x001b0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
×Isu"suF@ Õ?wDTsuÀsuØtususuMtu
d
base_address:
0x001b0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
1892
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x001c0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x00000290
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
UìSVW]C4PC,PÿPÿSCC8PC0PÿPÿSCC<PC,PÿPÿSCC@PC,PÿPÿSCCDPC,PÿPÿSCCHPC,PÿPÿSCCTPC,PÿPÿSC CLPC,PÿPÿSC$CPPC,PÿPÿSC(ëÿSøthô ÿSC\PÿSÀtåCXPj jÿS$ð
ötWVÿS(WVÿSVÿS j ÿS_^[] ÀUìÄ@ÿÿÿSV3ÉMôUøEüEüè.
ùÿEøè&
ùÿu3ÀUhFRG dÿ0d
Pÿÿÿ3ɺD è+ëøÿÇ
PÿÿÿD Ç
|ÿÿÿ fÇE
@ÿÿÿP
PÿÿÿPj j h j j j EüèÔ ùÿPj è)ùÿ@ÿÿÿEüèNRùÿÀu
Eüº\RG èùÿEøè5RùÿÀu
Uø3Àèï¡ùÿEôUøèxùÿºdRG ÃèüüÿÿF,ºtRG ÃèíüÿÿF0ºRG ÃèÞüÿÿF4ºRG ÃèÏüÿÿF8ºRG ÃèÀüÿÿF<º RG Ãè±üÿÿF@º¬RG Ãè¢üÿÿFDº¼RG ÃèüÿÿFHºÐRG ÃèüÿÿFTºÜRG ÃèuüÿÿFLºèRG ÃèfüÿÿFPEôèßùÿÐÃèRüÿÿF\
HÿÿÿFXhüRG hSG èç)ùÿPèé)ùÿhSG hSG èÐ)ùÿPèÒ)ùÿFhRG hSG è¸)ùÿPèº)ùÿFhRG hSG è )ùÿPè¢)ùÿFhRG hSG è)ùÿPè)ùÿFh RG hSG èp)ùÿPèr)ùÿFh¬RG hSG èX)ùÿPèZ)ùÿFh¼RG hSG è@)ùÿPèB)ùÿFhÐRG hSG è()ùÿPè*)ùÿF hÜRG hSG è)ùÿPè)ùÿF$hèRG hSG èø(ùÿPèú(ùÿF(j`j κNG Ãèõûÿÿ3ÀZYYdhMRG Eôº èùÿÃ
base_address:
0x001c0000
process_identifier:
1892
process_handle:
0x00000290
|
1
|
1 |
0
|
CreateProcessInternalW
|
thread_identifier:
2824
thread_handle:
0x00000434
process_identifier:
844
current_directory:
C:\Users\test22\AppData\Local\Temp
filepath:
C:\Windows\System32\WinDefender\smarctscreen.exe
track:
1
command_line:
"C:\Windows\system32\WinDefender\smarctscreen.exe"
filepath_r:
C:\Windows\system32\WinDefender\smarctscreen.exe
stack_pivoted:
0
creation_flags:
67634192
(CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles:
0
process_handle:
0x00000440
|
1
|
1 |
0
|
CreateProcessInternalW
|
thread_identifier:
2672
thread_handle:
0x00000084
process_identifier:
3028
current_directory:
C:\Users\test22\AppData\Local\Temp
filepath:
C:\Windows\System32\attrib.exe
track:
1
command_line:
attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h
filepath_r:
C:\Windows\system32\attrib.exe
stack_pivoted:
0
creation_flags:
524288
(EXTENDED_STARTUPINFO_PRESENT)
inherit_handles:
1
process_handle:
0x00000088
|
1
|
1 |
0
|
CreateProcessInternalW
|
thread_identifier:
2772
thread_handle:
0x00000084
process_identifier:
1632
current_directory:
C:\Users\test22\AppData\Local\Temp
filepath:
C:\Windows\System32\attrib.exe
track:
1
command_line:
attrib "C:\Users\test22\AppData\Local\Temp" +s +h
filepath_r:
C:\Windows\system32\attrib.exe
stack_pivoted:
0
creation_flags:
524288
(EXTENDED_STARTUPINFO_PRESENT)
inherit_handles:
1
process_handle:
0x00000088
|
1
|
1 |
0
|
NtResumeThread
|
thread_handle:
0x0000014c
suspend_count:
1
process_identifier:
1892
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x0000018c
suspend_count:
1
process_identifier:
844
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
2316
thread_handle:
0x000001c8
process_identifier:
2480
current_directory:
filepath:
track:
1
command_line:
notepad
filepath_r:
stack_pivoted:
0
creation_flags:
134217728
(CREATE_NO_WINDOW)
inherit_handles:
0
process_handle:
0x000001cc
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
2480
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000b0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x000001cc
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
kernel32.dll
base_address:
0x000b0000
process_identifier:
2480
process_handle:
0x000001cc
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
2480
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000c0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x000001cc
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
user32.dll
base_address:
0x000c0000
process_identifier:
2480
process_handle:
0x000001cc
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
2480
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000d0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x000001cc
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
Sleep
base_address:
0x000d0000
process_identifier:
2480
process_handle:
0x000001cc
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
2480
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000e0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x000001cc
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
MessageBoxA
base_address:
0x000e0000
process_identifier:
2480
process_handle:
0x000001cc
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
2480
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x000f0000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x000001cc
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
CreateProcessA
base_address:
0x000f0000
process_identifier:
2480
process_handle:
0x000001cc
|
1
|
1 |
0
|
NtAllocateVirtualMemory
|
process_identifier:
2480
region_size:
4096
stack_dep_bypass:
0
stack_pivoted:
0
heap_dep_bypass:
0
protection:
64
(PAGE_EXECUTE_READWRITE)
base_address:
0x00100000
allocation_type:
12288
(MEM_COMMIT|MEM_RESERVE)
process_handle:
0x000001cc
|
1
|
0 |
0
|
WriteProcessMemory
|
buffer:
GetLastError
base_address:
0x00100000
process_identifier:
2480
process_handle:
0x000001cc
|
1
|
1 |
0
|