Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 17, 2023, 8:12 p.m.	March 17, 2023, 8:13 p.m.

Size	561.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`c901c8089c5e017f8e9b4b15c8ef154f`
SHA256	`fd79e8fa5e3801101a1305b6aba7a5e7fdc852ed9036d6d9a5210be414a5cc5a`
CRC32	`B6229C5F`
ssdeep	`12288:chQZR06Fy1F5YqSDZ9ma2aCStos1F3uD2Hescq2mc:jT08y1F5YqSDZ9ma21Str3cTX`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,APgLpQbnGOFg
2160
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,APgLpQbnGOFg
  2436
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AaVQghYMoDvlcIkoDhwOzm
2252
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AaVQghYMoDvlcIkoDhwOzm
  2500
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AFxNCNDhpJUjLGSUBdyJAlirW
1516
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AFxNCNDhpJUjLGSUBdyJAlirW
  2556
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AbGiqsZapYXQEJBQNrWj
2356
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AbGiqsZapYXQEJBQNrWj
  2700
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AcIMOdUMWKfNaHjlQaJhaKDTvv
2536
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AcIMOdUMWKfNaHjlQaJhaKDTvv
  2780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AjmdNJiPaRsRtAqadcjQnlCAvv
2680
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AjmdNJiPaRsRtAqadcjQnlCAvv
  2916
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AmhroJJBvgsvk
2860
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,AmhroJJBvgsvk
  3052
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BdxxRGs
3008
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BdxxRGs
  1884
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BgAFcJi
2140
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BgAFcJi
  2532
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BlIVCeEMUhTYUniUkHlJscB
2312
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BlIVCeEMUhTYUniUkHlJscB
  2800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BleGyOkIaepldUi
2568
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BleGyOkIaepldUi
  2956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BoepXZDDjhOrSbcuQncJB
2908
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BoepXZDDjhOrSbcuQncJB
  2116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BpzeaEnGa
2988
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BpzeaEnGa
  2380
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BwCjRp
2284
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,BwCjRp
  2932
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CFIstcx
2464
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CFIstcx
  2924
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CJsqCnAMpj
2792
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CJsqCnAMpj
  2172
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CNPpdSVcuSzviIZhvCWSTfhZ
2796
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CNPpdSVcuSzviIZhvCWSTfhZ
  1540
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,COOXnQoQSaTGSpWIAaSzo
2616
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,COOXnQoQSaTGSpWIAaSzo
  2992
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CSUruSgGDFRVUvVHcTu
2904
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CSUruSgGDFRVUvVHcTu
  2712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CTCQAClHYzuiPWfwqyQYV
2428
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CTCQAClHYzuiPWfwqyQYV
  660
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CeHgsCxOuoDTDrP
3048
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CeHgsCxOuoDTDrP
  1280
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CpbkGyHjPVYKKbevwuabtfos
2552
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,CpbkGyHjPVYKKbevwuabtfos
  2512
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DIczDdVVlD
840
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DIczDdVVlD
  2720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DXtcAMkZFB
2376
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DXtcAMkZFB
  3156
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DahoeOjCy
2104
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DahoeOjCy
  3284
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DdmfNyLzGBEZdhjuVaLnGLAC
3220
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DdmfNyLzGBEZdhjuVaLnGLAC
  3504
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DllRegisterServer
3352
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,DllRegisterServer
  3640
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KiDvwXijhmlT\pVqWysWfxs.dll"
    4688
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EDirxlezljynQMb
3452
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EDirxlezljynQMb
  3732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EJrkYuGqWKJxcbkEWFxWuj
3584
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EJrkYuGqWKJxcbkEWFxWuj
  3764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EOCBExEDvmpuiTSdISaFTJpbnD
3724
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EOCBExEDvmpuiTSdISaFTJpbnD
  3952
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,ERdHSxbrluXBmlg
3904
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,ERdHSxbrluXBmlg
  3108
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EWqRXzEYZJPwDvIiOC
4040
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EWqRXzEYZJPwDvIiOC
  3236
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EbquiojgkxAH
3144
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EbquiojgkxAH
  3680
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EjCrzK
3340
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,EjCrzK
  3576
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,FSJZHjqXtVCcouB
3160
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,FSJZHjqXtVCcouB
  3852
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,FmgnZSs
3776
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,FmgnZSs
  1172
  - explorer.exe C:\Windows\Explorer.EXE
    1236
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,FwGMzFvmlRhqfdgYj
3968
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,FwGMzFvmlRhqfdgYj
  3348
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GEakZdngEgkQEMUw
800
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GEakZdngEgkQEMUw
  3424
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GNoduqRICMxxYLScjzRR
3628
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GNoduqRICMxxYLScjzRR
  3820
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GIucseXHMrRrXPFeKw
3304
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GIucseXHMrRrXPFeKw
  3996
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GTdkEFQtZIyifVPtMw
3892
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GTdkEFQtZIyifVPtMw
  3616
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GUUIOYFVBkCRKKGPM
3276
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GUUIOYFVBkCRKKGPM
  3924
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GabGyY
3496
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GabGyY
  3976
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GlmIPNFEUxGfzccoGbGvt
3932
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GlmIPNFEUxGfzccoGbGvt
  3836
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GqxGeRkjCFW
3544
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GqxGeRkjCFW
  4016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GrnXAG
3392
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GrnXAG
  3464
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GsRUyGCvRhXYbBNdoXgMoD
3208
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GsRUyGCvRhXYbBNdoXgMoD
  3956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GyQSbTrVGUQXgOfZOvlwGGJOZ
2264
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,GyQSbTrVGUQXgOfZOvlwGGJOZ
  4104
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HCaLEQxCPhokiggZc
1932
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HCaLEQxCPhokiggZc
  4224
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HETlXz
3552
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HETlXz
  4324
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HRQNzHLCNHYjXY
4256
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HRQNzHLCNHYjXY
  4528
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HbOXELXYC
4408
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,HbOXELXYC
  4640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,ISKZiApGwwqfPxyvDE
4508
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,ISKZiApGwwqfPxyvDE
  4804
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,IcSKMpKalYoTBtNC
4664
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,IcSKMpKalYoTBtNC
  4916
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,IprhqRmUjfLjdAvaVSyh
4772
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,IprhqRmUjfLjdAvaVSyh
  4956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,IsZFDjJYWWGraQqQsCIojuoPI
4908
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,IsZFDjJYWWGraQqQsCIojuoPI
  4120
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,ItCdjvWTgdRQjqKEojXISZB
5092
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,JEVIhwFBZItxqXVhyUDXDtvW
4204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,JEhcfsFJLI
4372
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,JhsVgkWwuNGjkVJBv
4496
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,JiXLWADK
4712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,JkvQVFXLk
4456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,JqTVuEmdOv
4792
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,JuvMSMMEvEF
4312
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,KDwYBJCicCZzRoOZ
4748
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,KLAfQsdsaKGHSrQOYTMpVzgK
3500
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,KSnZqpvzTNl
4176
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,KWfbJvRFrOV
4404
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,KcugiBMUcgjkCqc
948
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trxV9376.dll,KidKIFrYdPHAre
4264

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 55 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:12 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0
IsDebuggerPresent March 17, 2023, 8:13 p.m.			0	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TZU

Allocates read-write-execute memory (usually to unpack itself) (50 out of 130 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2436 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2500 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2556 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2700 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2780 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2916 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 3052 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 1884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 1884 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2532 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2800 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2956 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2116 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2380 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2924 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2924 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2932 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2172 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 1540 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2992 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2992 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2712 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 660 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 1280 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2512 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 2720 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 3156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 3156 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 3284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 8:12 p.m.	process_identifier: 3284 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KiDvwXijhmlT\pVqWysWfxs.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000118 process_name: mobsync.exe process_identifier: 1668	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000118 process_name: cmd.exe process_identifier: 1880	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000118 process_name: conhost.exe process_identifier: 1932	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000118 process_name: pw.exe process_identifier: 2068	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000118 process_name: rundll32.exe process_identifier: 3352	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000118 process_name: rundll32.exe process_identifier: 3640	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 4908	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 5092	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 4120	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 4204	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 4372	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 4496	1	1
Process32NextW March 17, 2023, 8:13 p.m.	snapshot_handle: 0x0000000000000148 process_name: regsvr32.exe process_identifier: 4688	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002b200', u'virtual_address': u'0x00065000', u'entropy': 7.772240674390569, u'name': u'.rsrc', u'virtual_size': u'0x0002b060'}

entropy

7.77224067439

description

A section with a high entropy has been found

entropy

0.307760927743

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (2 events)

process	regsvr32.exe
process	rundll32.exe

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Elastic	malicious (high confidence)
McAfee	Artemis!C901C8089C5E
K7AntiVirus	Trojan ( 0059b58d1 )
K7GW	Trojan ( 0059b58d1 )
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware [Misc]
McAfee-GW-Edition	Artemis!Trojan
Microsoft	Trojan:Win64/Emotet.PAV!MTB
Rising	Trojan.Emotet!8.B95 (CLOUD)
MaxSecure	Trojan.Malware.121218.susgen
AVG	FileRepMalware [Misc]

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\KiDvwXijhmlT\pVqWysWfxs.dll:Zone.Identifier

trxV9376

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All