Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 19, 2023, 12:35 p.m.	Jan. 19, 2023, 12:48 p.m.

Size	882.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`2a4865151e02af3be15b37f8ac07dec5`
SHA256	`212fff7721e43dff7db6bd7a5df41d57dac21bbf9a9c7c952e5a4a11092761b7`
CRC32	`B347CD43`
ssdeep	`12288:OY67TI+4RcCD01BkNsNi0MBpIwz0WMWQdshDQ1xA3:Opk+4Rj01BkN3tphz0WMTmYK`
Yara	Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check NPKI_Zero - File included NPKI IsDLL - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z
2628
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z
  3056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?AddArrayString@JKDefragLib@@QEAAPEAPEA_WPEAPEA_WPEA_W@Z
2544
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?AddArrayString@JKDefragLib@@QEAAPEAPEA_WPEAPEA_WPEA_W@Z
  2508
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z
2720
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z
  1356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?DeleteItemTree@JKDefragLib@@QEAAXPEAUItemStruct@@@Z
2808
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?DeleteItemTree@JKDefragLib@@QEAAXPEAUItemStruct@@@Z
  2308
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?FragmentCount@JKDefragLib@@QEAAHPEAUItemStruct@@@Z
2900
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?FragmentCount@JKDefragLib@@QEAAHPEAUItemStruct@@@Z
  2584
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?GetItemLcn@JKDefragLib@@QEAA_KPEAUItemStruct@@@Z
2992
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?GetItemLcn@JKDefragLib@@QEAA_KPEAUItemStruct@@@Z
  2684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?GetLongPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z
2072
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?GetLongPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z
  2752
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?GetShortPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z
2192
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?GetShortPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z
  3024
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?IsFragmented@JKDefragLib@@QEAAHPEAUItemStruct@@_K1@Z
2532
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?IsFragmented@JKDefragLib@@QEAAHPEAUItemStruct@@_K1@Z
  604
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?MatchMask@JKDefragLib@@QEAAHPEA_W0@Z
2880
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?MatchMask@JKDefragLib@@QEAAHPEA_W0@Z
  2052
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?RunJkDefrag@JKDefragLib@@QEAAXPEA_WHHNPEAPEA_W1PEAH1@Z
2100
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?RunJkDefrag@JKDefragLib@@QEAAXPEA_WHHNPEAPEA_W1PEAH1@Z
  2488
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?ShowHex@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAE_K@Z
2800
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?ShowHex@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAE_K@Z
  2116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?SlowDown@JKDefragLib@@QEAAXPEAUDefragDataStruct@@@Z
2080
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?SlowDown@JKDefragLib@@QEAAXPEAUDefragDataStruct@@@Z
  2788
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?StopJkDefrag@JKDefragLib@@QEAAXPEAHH@Z
2760
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?StopJkDefrag@JKDefragLib@@QEAAXPEAHH@Z
  3196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?SystemErrorStr@JKDefragLib@@QEAAXKPEA_W_K@Z
2664
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?SystemErrorStr@JKDefragLib@@QEAAXKPEA_W_K@Z
  3352
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeBiggest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
3220
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeBiggest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
  3424
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeDetach@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z
3340
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeDetach@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z
  3596
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeFirst@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z
3588
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeFirst@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z
  3756
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeInsert@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z
3732
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeInsert@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z
  3952
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeNext@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
3872
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeNext@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
  3280
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeNextPrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z
4024
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeNextPrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z
  3544
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreePrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
3136
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreePrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
  3628
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
3320
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z
  3708
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?stristr@JKDefragLib@@QEAAPEADPEAD0@Z
3552
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?stristr@JKDefragLib@@QEAAPEADPEAD0@Z
  4020
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?stristrW@JKDefragLib@@QEAAPEA_WPEA_W0@Z
3900
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,?stristrW@JKDefragLib@@QEAAPEA_WPEA_W0@Z
  3112
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,DllRegisterServer
3188
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,DllRegisterServer
  3712
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SqgVvKHZbUCIyvj\VomzcJxJr.dll"
    3896
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dKRRwATC1r1pz.dll,
3508
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
110.232.117.186	Active	Moloch
149.28.143.92	Active	Moloch
169.60.181.70	Active	Moloch
182.162.143.56	Active	Moloch
187.63.160.88	Active	Moloch
91.187.140.35	Active	Moloch
94.23.45.86	Active	Moloch
95.217.221.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.28.143.92:443 -> 192.168.56.101:49227	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49231 -> 187.63.160.88:80	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 192.168.56.101:49223 -> 182.162.143.56:443	2404306	ET CNC Feodo Tracker Reported CnC Server group 7	A Network Trojan was detected
TCP 182.162.143.56:443 -> 192.168.56.101:49224	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 187.63.160.88:80 -> 192.168.56.101:49232	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 19, 2023, 12:36 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (27 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:35 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (17 events)

Time & API	Arguments	Status
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z+0x4c ?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z-0x468 dkrrwatc1r1pz+0x6ac8 @ 0x180006ac8 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 4c 89 a3 b0 01 00 00 41 8b fc 4c 89 a3 a8 01 00 exception.instruction: mov qword ptr [rbx + 0x1b0], r12 exception.exception_code: 0xc0000005 exception.symbol: ?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z+0x4c ?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z-0x468 dkrrwatc1r1pz+0x6ac8 exception.address: 0x180006ac8 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1047472 registers.r11: 100 registers.r8: 87 registers.r9: 100 registers.rdx: 30316860 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 38993984 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?DeleteItemTree@JKDefragLib@@QEAAXPEAUItemStruct@@@Z+0x19 ?FragmentCount@JKDefragLib@@QEAAHPEAUItemStruct@@@Z-0xef7 dkrrwatc1r1pz+0xadd9 @ 0x18000add9 ?DeleteItemTree@JKDefragLib@@QEAAXPEAUItemStruct@@@Z+0x27 ?FragmentCount@JKDefragLib@@QEAAHPEAUItemStruct@@@Z-0xee9 dkrrwatc1r1pz+0xade7 @ 0x18000ade7 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 52 08 48 85 d2 74 05 e8 d9 ff ff ff 48 8b exception.instruction: mov rdx, qword ptr [rdx + 8] exception.exception_code: 0xc0000005 exception.symbol: ?DeleteItemTree@JKDefragLib@@QEAAXPEAUItemStruct@@@Z+0x19 ?FragmentCount@JKDefragLib@@QEAAHPEAUItemStruct@@@Z-0xef7 dkrrwatc1r1pz+0xadd9 exception.address: 0x18000add9 registers.r14: 0 registers.r15: 0 registers.rcx: 590200 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1506592 registers.r11: 1505680 registers.r8: 3588498 registers.r9: 10 registers.rdx: 281470681743364 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 590200 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?GetItemLcn@JKDefragLib@@QEAA_KPEAUItemStruct@@@Z+0xb ?GetLongPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z-0x19 dkrrwatc1r1pz+0xc053 @ 0x18000c053 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 83 38 ff 75 0c 48 8b 40 10 48 85 c0 75 f1 33 exception.instruction: cmp qword ptr [rax], -1 exception.exception_code: 0xc0000005 exception.symbol: ?GetItemLcn@JKDefragLib@@QEAA_KPEAUItemStruct@@@Z+0xb ?GetLongPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z-0x19 dkrrwatc1r1pz+0xc053 exception.address: 0x18000c053 registers.r14: 0 registers.r15: 0 registers.rcx: 262434 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1834288 registers.r11: 1833376 registers.r8: 2867596 registers.r9: 10 registers.rdx: 4291166208 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 7959393399912669300 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?FragmentCount@JKDefragLib@@QEAAHPEAUItemStruct@@@Z+0xe ?GetItemLcn@JKDefragLib@@QEAA_KPEAUItemStruct@@@Z-0x36a dkrrwatc1r1pz+0xbcde @ 0x18000bcde rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 83 38 ff 74 17 48 85 c9 74 08 48 39 08 74 03 exception.instruction: cmp qword ptr [rax], -1 exception.exception_code: 0xc0000005 exception.symbol: ?FragmentCount@JKDefragLib@@QEAAHPEAUItemStruct@@@Z+0xe ?GetItemLcn@JKDefragLib@@QEAA_KPEAUItemStruct@@@Z-0x36a dkrrwatc1r1pz+0xbcde exception.address: 0x18000bcde registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1833904 registers.r11: 1832992 registers.r8: 0 registers.r9: 0 registers.rdx: 4291166208 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 7959393399912669300 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?stristrW@JKDefragLib@@QEAAPEA_WPEA_W0@Z+0x16b87 dkrrwatc1r1pz+0x2654b @ 0x18002654b ?GetLongPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z+0x30 ?GetShortPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z-0x88 dkrrwatc1r1pz+0xc09c @ 0x18000c09c rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: c5 ed 75 0a c5 fd d7 c1 85 c0 75 06 48 83 c2 20 exception.exception_code: 0xc0000005 exception.symbol: ?stristrW@JKDefragLib@@QEAAPEA_WPEA_W0@Z+0x16b87 dkrrwatc1r1pz+0x2654b exception.address: 0x18002654b registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1178160 registers.r11: 1177248 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: RtlReAllocateHeap+0x67 RtlExpandEnvironmentStrings-0x249 ntdll+0x33f87 @ 0x76d63f87 ?stristrW@JKDefragLib@@QEAAPEA_WPEA_W0@Z+0x51a03 dkrrwatc1r1pz+0x613c7 @ 0x1800613c7 ?AddArrayString@JKDefragLib@@QEAAPEAPEA_WPEAPEA_WPEA_W@Z+0x72 ?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z-0xa8e dkrrwatc1r1pz+0x5fee @ 0x180005fee rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 80 7f 0f 05 0f 84 19 19 04 00 f6 47 0f 3f 0f 84 exception.symbol: RtlReAllocateHeap+0x67 RtlExpandEnvironmentStrings-0x249 ntdll+0x33f87 exception.instruction: cmp byte ptr [rdi + 0xf], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 212871 exception.address: 0x76d63f87 registers.r14: 0 registers.r15: 0 registers.rcx: 2883584 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2160976 registers.r11: 2160064 registers.r8: 4291166208 registers.r9: 48 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2160328 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?stristrW@JKDefragLib@@QEAAPEA_WPEA_W0@Z+0x16b87 dkrrwatc1r1pz+0x2654b @ 0x18002654b ?GetShortPath@JKDefragLib@@QEAAPEA_WPEAUDefragDataStruct@@PEAUItemStruct@@@Z+0x30 ?IsFragmented@JKDefragLib@@QEAAHPEAUItemStruct@@_K1@Z-0x88 dkrrwatc1r1pz+0xc154 @ 0x18000c154 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: c5 ed 75 0a c5 fd d7 c1 85 c0 75 06 48 83 c2 20 exception.exception_code: 0xc0000005 exception.symbol: ?stristrW@JKDefragLib@@QEAAPEA_WPEA_W0@Z+0x16b87 dkrrwatc1r1pz+0x2654b exception.address: 0x18002654b registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1112512 registers.r11: 1111600 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?IsFragmented@JKDefragLib@@QEAAHPEAUItemStruct@@_K1@Z+0x1d ?MatchMask@JKDefragLib@@QEAAHPEA_W0@Z-0x97 dkrrwatc1r1pz+0xc1f9 @ 0x18000c1f9 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 11 48 83 fa ff 74 39 48 85 c0 74 27 48 3b exception.instruction: mov rdx, qword ptr [rcx] exception.exception_code: 0xc0000005 exception.symbol: ?IsFragmented@JKDefragLib@@QEAAHPEAUItemStruct@@_K1@Z+0x1d ?MatchMask@JKDefragLib@@QEAAHPEA_W0@Z-0x97 dkrrwatc1r1pz+0xc1f9 exception.address: 0x18000c1f9 registers.r14: 0 registers.r15: 0 registers.rcx: 7959393399912669300 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1964352 registers.r11: 0 registers.r8: 2146708 registers.r9: 10 registers.rdx: 4291166208 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?RunJkDefrag@JKDefragLib@@QEAAXPEA_WHHNPEAPEA_W1PEAH1@Z+0x8e ?ShowHex@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAE_K@Z-0xf86 dkrrwatc1r1pz+0xdd2e @ 0x18000dd2e rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 83 21 00 4d 85 ed 74 10 49 83 7d 00 00 74 09 4c exception.instruction: and dword ptr [rcx], 0 exception.exception_code: 0xc0000005 exception.symbol: ?RunJkDefrag@JKDefragLib@@QEAAXPEA_WHHNPEAPEA_W1PEAH1@Z+0x8e ?ShowHex@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAE_K@Z-0xf86 dkrrwatc1r1pz+0xdd2e exception.address: 0x18000dd2e registers.r14: 0 registers.r15: 0 registers.rcx: 8791759269770 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1834400 registers.r11: 100 registers.r8: 87 registers.r9: 100 registers.rdx: 30316860 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 40304704 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreeBiggest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeDetach@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z-0xf dkrrwatc1r1pz+0xf08d @ 0x18000f08d rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 40 10 48 85 c0 75 f4 48 8b c2 c3 cc cc 48 exception.instruction: mov rax, qword ptr [rax + 0x10] exception.exception_code: 0xc0000005 exception.symbol: ?TreeBiggest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeDetach@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z-0xf dkrrwatc1r1pz+0xf08d exception.address: 0x18000f08d registers.r14: 0 registers.r15: 0 registers.rcx: 66114 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1767920 registers.r11: 1767008 registers.r8: 3522966 registers.r9: 10 registers.rdx: 184 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 184 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreeDetach@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z+0xb2 ?TreeFirst@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z-0x7e dkrrwatc1r1pz+0xf14e @ 0x18000f14e rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 52 08 48 85 d2 75 f4 48 8b 01 48 85 c0 74 exception.instruction: mov rdx, qword ptr [rdx + 8] exception.exception_code: 0xc0000005 exception.symbol: ?TreeDetach@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z+0xb2 ?TreeFirst@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z-0x7e dkrrwatc1r1pz+0xf14e exception.address: 0x18000f14e registers.r14: 0 registers.r15: 0 registers.rcx: 3882650435585 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1702480 registers.r11: 1701568 registers.r8: 3457510 registers.r9: 4291166208 registers.rdx: 3882650435585 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 262144 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreeFirst@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z+0x2e ?TreeInsert@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z-0xe dkrrwatc1r1pz+0xf1fa @ 0x18000f1fa rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 49 10 48 85 c9 75 f4 48 8b c2 c3 cc 4c 8b exception.instruction: mov rcx, qword ptr [rcx + 0x10] exception.exception_code: 0xc0000005 exception.symbol: ?TreeFirst@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z+0x2e ?TreeInsert@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z-0xe dkrrwatc1r1pz+0xf1fa exception.address: 0x18000f1fa registers.r14: 0 registers.r15: 0 registers.rcx: 184 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1834592 registers.r11: 1833680 registers.r8: 3195284 registers.r9: 10 registers.rdx: 184 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreeInsert@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z+0x37 ?TreeNext@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z-0x17d dkrrwatc1r1pz+0xf23f @ 0x18000f23f rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 48 60 48 8b d0 eb 0a 48 83 39 ff 75 33 48 exception.instruction: mov rcx, qword ptr [rax + 0x60] exception.exception_code: 0xc0000005 exception.symbol: ?TreeInsert@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@@Z+0x37 ?TreeNext@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z-0x17d dkrrwatc1r1pz+0xf23f exception.address: 0x18000f23f registers.r14: 0 registers.r15: 0 registers.rcx: 1 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1833056 registers.r11: 0 registers.r8: 2671078 registers.r9: 4291166208 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 281500746579974 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreeNext@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeNextPrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z-0x2b dkrrwatc1r1pz+0xf3cd @ 0x18000f3cd rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 48 08 eb 07 48 8b c1 48 8b 49 08 48 85 c9 exception.instruction: mov rcx, qword ptr [rax + 8] exception.exception_code: 0xc0000005 exception.symbol: ?TreeNext@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeNextPrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@H@Z-0x2b dkrrwatc1r1pz+0xf3cd exception.address: 0x18000f3cd registers.r14: 0 registers.r15: 0 registers.rcx: 66294 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 916880 registers.r11: 915968 registers.r8: 2802064 registers.r9: 10 registers.rdx: 4291166208 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 184 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreePrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z-0x2b dkrrwatc1r1pz+0xf419 @ 0x18000f419 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 48 10 eb 07 48 8b c1 48 8b 49 10 48 85 c9 exception.instruction: mov rcx, qword ptr [rax + 0x10] exception.exception_code: 0xc0000005 exception.symbol: ?TreePrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z-0x2b dkrrwatc1r1pz+0xf419 exception.address: 0x18000f419 registers.r14: 0 registers.r15: 0 registers.rcx: 197382 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 917296 registers.r11: 916384 registers.r8: 1556906 registers.r9: 10 registers.rdx: 4291166208 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 281470681743364 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreePrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z-0x2b dkrrwatc1r1pz+0xf419 @ 0x18000f419 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 48 10 eb 07 48 8b c1 48 8b 49 10 48 85 c9 exception.instruction: mov rcx, qword ptr [rax + 0x10] exception.exception_code: 0xc0000005 exception.symbol: ?TreePrev@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z-0x2b dkrrwatc1r1pz+0xf419 exception.address: 0x18000f419 registers.r14: 0 registers.r15: 0 registers.rcx: 66296 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2488368 registers.r11: 2487456 registers.r8: 3654032 registers.r9: 10 registers.rdx: 4291166208 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 281470681743364 registers.r13: 0	1
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: ?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?stristr@JKDefragLib@@QEAAPEADPEAD0@Z-0x50f dkrrwatc1r1pz+0xf455 @ 0x18000f455 rundll32+0x2f42 @ 0xffc62f42 rundll32+0x3b7a @ 0xffc63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 40 08 48 85 c0 75 f4 48 8b c2 c3 cc cc 48 exception.instruction: mov rax, qword ptr [rax + 8] exception.exception_code: 0xc0000005 exception.symbol: ?TreeSmallest@JKDefragLib@@QEAAPEAUItemStruct@@PEAU2@@Z+0x11 ?stristr@JKDefragLib@@QEAAPEADPEAD0@Z-0x50f dkrrwatc1r1pz+0xf455 exception.address: 0x18000f455 registers.r14: 0 registers.r15: 0 registers.rcx: 66288 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2424432 registers.r11: 2423520 registers.r8: 3064232 registers.r9: 10 registers.rdx: 281470681743364 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 281470681743364 registers.r13: 0	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3056 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 1356 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 1356 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 1356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2308 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2684 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2584 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2752 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001da0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2508 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3024 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 604 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2488 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2052 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2116 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2788 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3196 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3352 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3424 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3596 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 3596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SqgVvKHZbUCIyvj\VomzcJxJr.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 89 events)

Time & API	Arguments	Status	Return
Process32FirstW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: System process_identifier: 4	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: services.exe process_identifier: 444	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: pw.exe process_identifier: 988	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: pw.exe process_identifier: 2320	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2544	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2808	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2900	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2992	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2072	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2192	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2308	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2508	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2532	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2584	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2684	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2752	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 3024	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 604	1	1
Process32NextW Jan. 19, 2023, 12:36 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2100	1	1

Expresses interest in specific running processes (2 events)

process	regsvr32.exe
process	rundll32.exe

Communicates with host for which no DNS query was performed (8 events)

host	110.232.117.186
host	149.28.143.92
host	169.60.181.70
host	182.162.143.56
host	187.63.160.88
host	91.187.140.35
host	94.23.45.86
host	95.217.221.146

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\SqgVvKHZbUCIyvj\VomzcJxJr.dll:Zone.Identifier

Generates some ICMP traffic

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Emotet.L!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen19.2733
MicroWorld-eScan	Trojan.GenericKDZ.93259
ClamAV	Win.Malware.Gbix-9976817-0
ALYac	Trojan.Agent.Emotet
Malwarebytes	Trojan.Emotet
Zillya	Trojan.Injuke.Win32.26507
K7AntiVirus	Trojan ( 0059a90c1 )
Alibaba	Trojan:Win64/Injuke.507353de
K7GW	Trojan ( 0059a90c1 )
CrowdStrike	win/malicious_confidence_100% (W)
VirIT	Trojan.Win64.Genus.BQP
Cyren	W64/S-8b4c5040!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Kryptik.DOE
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Injuke.fzpp
BitDefender	Trojan.GenericKDZ.93259
Avast	Win64:BotX-gen [Trj]
Tencent	Trojan.Win64.Kryptik.yw
Emsisoft	Trojan.GenericKDZ.93259 (B)
F-Secure	Trojan.TR/AD.Nekark.qwxzh
VIPRE	Trojan.GenericKDZ.93259
TrendMicro	TrojanSpy.Win64.EMOTET.YXDARZ
McAfee-GW-Edition	BehavesLike.Win64.Emotet.ch
FireEye	Trojan.GenericKDZ.93259
Sophos	Mal/Generic-S + Troj/Emotet-DCP
Jiangmin	Trojan.Injuke.qnq
Webroot	W32.Trojan.Emotet
Avira	TR/AD.Nekark.qwxzh
Antiy-AVL	Trojan/Win32.Injuke
Microsoft	Trojan:Win64/Emotet.EM!MTB
Gridinsoft	Malware.Win64.Emotet.bot
Arcabit	Trojan.Generic.D16C4B
ZoneAlarm	Trojan.Win32.Injuke.fzpp
GData	Trojan.GenericKDZ.93259
Google	Detected
AhnLab-V3	Trojan/Win.BotX-gen.R533097
McAfee	Artemis!2A4865151E02
MAX	malware (ai score=84)
VBA32	Trojan.Win64.Emotet
Cylance	Unsafe
TrendMicro-HouseCall	TrojanSpy.Win64.EMOTET.YXDARZ
Rising	Trojan.Cobalt!8.C4EF (TFE:6:eR2NJLMzZWQ)
Yandex	Trojan.Kryptik!p6jUxrGd0ww
Ikarus	Trojan.Win64.Crypt
MaxSecure	Trojan.Malware.192387666.susgen
Fortinet	W32/Emotet.PACA!tr
AVG	Win64:BotX-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	94.23.45.86:4143
dead_host	95.217.221.146:8080
dead_host	169.60.181.70:8080
dead_host	192.168.56.101:49234
dead_host	91.187.140.35:8080

dKRRwATC1r1pz

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All