Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 22, 2024, 2:24 p.m.	July 22, 2024, 2:25 p.m.

Size	12.1MB
Type	PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5	`ad49cc932660b3b8ce1460da383b814b`
SHA256	`e1d835e3af9f0cfcc79043be39b8451062c96b7d10e9c88158dc3e426f51264e`
CRC32	`EB1F0A26`
ssdeep	`196608:Iv0RLExL3w8Hsid3Cf0miLii5pJiCIw4kVLu:oPA8Hl3Cf0BzbrS`
Yara	PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE64 - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_GCC_specific_handler
3044
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_GCC_specific_handler
  2116
  - cmd.exe C:\Windows\system32\cmd.exe /c
    1188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_DeleteException
156
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_DeleteException
  1220
  - cmd.exe C:\Windows\system32\cmd.exe /c
    296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_Backtrace
2184
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_Backtrace
  1020
  - cmd.exe C:\Windows\system32\cmd.exe /c
    1648
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_FindEnclosingFunction
2376
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_FindEnclosingFunction
  1832
  - cmd.exe C:\Windows\system32\cmd.exe /c
    1780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_ForcedUnwind
1604
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_ForcedUnwind
  1600
  - cmd.exe C:\Windows\system32\cmd.exe /c
    2724
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetCFA
1728
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetCFA
  3004
  - cmd.exe C:\Windows\system32\cmd.exe /c
    1184
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetDataRelBase
2852
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetDataRelBase
  2108
  - cmd.exe C:\Windows\system32\cmd.exe /c
    1564
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetGR
2208
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetGR
  3028
  - cmd.exe C:\Windows\system32\cmd.exe /c
    2560
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetIP
2508
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetIP
  2400
  - cmd.exe C:\Windows\system32\cmd.exe /c
    2756
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetIPInfo
1112
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetIPInfo
  1704
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3180
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetLanguageSpecificData
2928
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetLanguageSpecificData
  2384
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetRegionStart
2276
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetRegionStart
  3212
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3688
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetTextRelBase
3104
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_GetTextRelBase
  3408
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3660
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_RaiseException
3384
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_RaiseException
  3552
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_Resume
3604
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_Resume
  3832
  - cmd.exe C:\Windows\system32\cmd.exe /c
    2144
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_Resume_or_Rethrow
3916
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_Resume_or_Rethrow
  3076
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3652
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_SetGR
4064
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_SetGR
  3440
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_SetIP
3364
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_Unwind_SetIP
  3516
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3300
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZN9
3184
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZN9
  4052
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,gnu_cxx11char_traitsIcE2eqERKcS3
4016
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,gnu_cxx11char_traitsIcE2eqERKcS3
  2016
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
3584
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZN9
3136
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZN9
  3140
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3480
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,gnu_cxx11char_traitsIcE6lengthEPKc
3624
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,gnu_cxx11char_traitsIcE6lengthEPKc
  4156
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4388
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt11char_traitsIcE6lengthEPKc
4112
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt11char_traitsIcE6lengthEPKc
  4332
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4672
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt15
4316
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt15
  4552
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4752
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,new_allocatorIcED2Ev
4544
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,new_allocatorIcED2Ev
  4696
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5000
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt7
4736
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt7
  4940
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5112
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_Alloc_hiderD1Ev
4932
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_Alloc_hiderD1Ev
  4276
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4540
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt7
4252
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt7
  4476
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4980
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tag
4584
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tag
  4820
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4136
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt7
4904
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZNSt7
  3352
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4608
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1IS3_EEPKcRKS3
4972
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1IS3_EEPKcRKS3
  4648
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
4872
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZSt12
4860
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZSt12
  4788
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5032
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,str_concatINSt7
4720
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,str_concatINSt7
  2448
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4144
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEEEET_PKNS6_10value_typeENS6_9size_typeES9_SA_RKNS6_14allocator_typeE
4116
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEEEET_PKNS6_10value_typeENS6_9size_typeES9_SA_RKNS6_14allocator_typeE
  2440
  - cmd.exe C:\Windows\system32\cmd.exe /c
    4408
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZSt23
4480
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZSt23
  4808
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5368
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,is_constant_evaluatedv
4224
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,is_constant_evaluatedv
  5300
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5476
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZStplIcSt11char_traitsIcESaIcEENSt7
5276
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_ZStplIcSt11char_traitsIcESaIcEENSt7
  5536
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5748
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIT_T0_T1_EERKS8_PKS5
5556
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIT_T0_T1_EERKS8_PKS5
  5796
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5332
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
5780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZZNSt7
5236
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZZNSt7
  5760
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5396
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardC1EPS4
5608
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardC1EPS4
  180
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5616
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
5244
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZZNSt7
5848
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,ZZNSt7
  5336
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5528
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev
5644
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev
  5512
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6160
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
5672
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,emutls_get_address
5220
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,emutls_get_address
  6352
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6540
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
6320
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,emutls_register_common
6492
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,emutls_register_common
  6672
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6912
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
6640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,pth_gpointer_locked
6788
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,pth_gpointer_locked
  6980
  - cmd.exe C:\Windows\system32\cmd.exe /c
    5820
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
6972
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,pthread_clock_nanosleep
7156
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,pthread_clock_nanosleep
  6268
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6420
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
6220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,pthread_shallcancel
6436
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,pthread_shallcancel
  6724
  - cmd.exe C:\Windows\system32\cmd.exe /c
    7064
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,
6448
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,xl_f
6872
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,xl_f
  5724
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6524
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_cleanup_dest
7000
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_cleanup_dest
  6380
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6572
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_get_state
4852
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_get_state
  6652
  - cmd.exe C:\Windows\system32\cmd.exe /c
    7116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_invoke_cancel
6936
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_invoke_cancel
  7112
  - cmd.exe C:\Windows\system32\cmd.exe /c
    3068
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_key_dest
6916
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_key_dest
  6544
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6300
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_rel_time_in_ms
6488
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_rel_time_in_ms
  7060
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_set_state
7132
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_set_state
  7040
  - cmd.exe C:\Windows\system32\cmd.exe /c
    6224
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_setnobreak
7096
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_setnobreak
  6368
  - cmd.exe C:\Windows\system32\cmd.exe /c
    7416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_time_in_ms
6272
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_time_in_ms
  7328
  - cmd.exe C:\Windows\system32\cmd.exe /c
    7564
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_time_in_ms_from_timespec
7260
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_time_in_ms_from_timespec
  7428
  - cmd.exe C:\Windows\system32\cmd.exe /c
    7788
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_tryjoin
7508
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_tryjoin
  7780
  - cmd.exe C:\Windows\system32\cmd.exe /c
    8016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_wait_for_multiple_objects
7712
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_wait_for_multiple_objects
  7960
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,_pthread_wait_for_single_object
7908
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\win.txt.exe.dll,cond_print
8136

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (28 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:24 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:25 p.m.			0	0
IsDebuggerPresent July 22, 2024, 2:25 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2024, 2:24 p.m.		1	1	0

One or more processes crashed (15 events)

Time & API	Arguments	Status
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: 0x201bc _Unwind_Backtrace+0x114 __emutls_get_address-0xfc win+0xc524 @ 0x7fef2aac524 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 00 00 00 00 1f 5e 51 4a 0b a9 67 32 b9 39 67 3a exception.instruction: add byte ptr [rax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x201bc registers.r14: 0 registers.r15: 0 registers.rcx: 2094192 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2096400 registers.r11: 2094128 registers.r8: 8791575259008 registers.r9: 0 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: MCOperand_CreateImm0+0x3c X86_getInstruction-0x40 @ 0x74823ba0 cs_strdup+0x1ad decodeInstruction-0xde6 @ 0x74828233 decodeInstruction+0x61 SHA1Reset-0xe96 @ 0x7482907a X86_getInstruction+0xd2 printSrcIdx8-0x2478 @ 0x74823cb2 cs_disasm_ex+0x138 cs_free-0x437 @ 0x74822f1b disasm+0x6b hook_create_stub-0x8d @ 0x747f4530 log_exception+0x3fe log_action-0x39c @ 0x747f38d1 New_ntdll_RtlDispatchException+0x12e New_ntdll_RtlRemoveVectoredContinueHandler-0x59 @ 0x74816dcb KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x772e1278 0xffffffffffffffff rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 42 8a 04 00 88 02 31 c0 c3 57 56 48 81 ec d8 00 exception.symbol: MCOperand_CreateImm0+0x3c X86_getInstruction-0x40 exception.instruction: mov al, byte ptr [rax + r8] exception.module: monitor-x64.dll exception.exception_code: 0xc0000005 exception.offset: 211872 exception.address: 0x74823ba0 registers.r14: 0 registers.r15: 0 registers.rcx: 907624 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 917104 registers.r11: 514 registers.r8: 0 registers.r9: -1 registers.rdx: 907466 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: -1 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _GCC_specific_handler+0x100 _Unwind_RaiseException-0x120 win+0xc190 @ 0x7fef2aac190 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 49 8b 41 28 48 8b 51 38 48 89 90 88 00 00 00 eb exception.instruction: mov rax, qword ptr [r9 + 0x28] exception.exception_code: 0xc0000005 exception.symbol: _GCC_specific_handler+0x100 _Unwind_RaiseException-0x120 win+0xc190 exception.address: 0x7fef2aac190 registers.r14: 0 registers.r15: 0 registers.rcx: 131474 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2752272 registers.r11: 2751360 registers.r8: 4637120 registers.r9: 10 registers.rdx: 1857525731 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 222589634 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _Unwind_ForcedUnwind+0x4 _Unwind_DeleteException-0x2c win+0xc3c4 @ 0x7fef2aac3c4 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 0f 11 41 28 48 c7 41 38 00 00 00 00 48 89 51 10 exception.exception_code: 0xc0000005 exception.symbol: _Unwind_ForcedUnwind+0x4 _Unwind_DeleteException-0x2c win+0xc3c4 exception.address: 0x7fef2aac3c4 registers.r14: 0 registers.r15: 0 registers.rcx: 131564 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1113424 registers.r11: 1112512 registers.r8: 2736558 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 131564 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _ZZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev+0x2fd0 _pthread_key_dest-0x32370 win+0xb6940 @ 0x7fef2b56940 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 0f 0b 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: _ZZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev+0x2fd0 _pthread_key_dest-0x32370 win+0xb6940 exception.address: 0x7fef2b56940 registers.r14: 0 registers.r15: 0 registers.rcx: 393702 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2685664 registers.r11: 2684752 registers.r8: 1294752 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 393702 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _Unwind_GetIP+0x10 _Unwind_SetIP-0x10 win+0xc000 @ 0x7fef2aac000 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 8b 41 08 c7 02 00 00 00 00 c3 0f 1f 44 00 00 exception.instruction: mov rax, qword ptr [rcx + 8] exception.exception_code: 0xc0000005 exception.symbol: _Unwind_GetIP+0x10 _Unwind_SetIP-0x10 win+0xc000 exception.address: 0x7fef2aac000 registers.r14: 0 registers.r15: 0 registers.rcx: 4653450 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2686592 registers.r11: 2685680 registers.r8: 4440488 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 4653450 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _Unwind_GetLanguageSpecificData+0x4 _Unwind_GetRegionStart-0xc win+0xc024 @ 0x7fef2aac024 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 8b 40 38 c3 0f 1f 80 00 00 00 00 48 8b 51 20 exception.instruction: mov rax, qword ptr [rax + 0x38] exception.exception_code: 0xc0000005 exception.symbol: _Unwind_GetLanguageSpecificData+0x4 _Unwind_GetRegionStart-0xc win+0xc024 exception.address: 0x7fef2aac024 registers.r14: 0 registers.r15: 0 registers.rcx: 328158 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2489536 registers.r11: 2488624 registers.r8: 3981812 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _Unwind_GetRegionStart+0x4 _Unwind_FindEnclosingFunction-0xc win+0xc034 @ 0x7fef2aac034 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 8b 42 10 8b 00 48 03 42 08 c3 90 48 83 ec 38 exception.instruction: mov rax, qword ptr [rdx + 0x10] exception.exception_code: 0xc0000005 exception.symbol: _Unwind_GetRegionStart+0x4 _Unwind_FindEnclosingFunction-0xc win+0xc034 exception.address: 0x7fef2aac034 registers.r14: 0 registers.r15: 0 registers.rcx: 131698 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1507152 registers.r11: 1506240 registers.r8: 2212290 registers.r9: 10 registers.rdx: -4159074255876653056 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 131698 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _Unwind_GetTextRelBase+0x4 _GCC_specific_handler-0xc win+0xc084 @ 0x7fef2aac084 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 8b 40 08 c3 0f 1f 80 00 00 00 00 41 55 41 54 exception.instruction: mov rax, qword ptr [rax + 8] exception.exception_code: 0xc0000005 exception.symbol: _Unwind_GetTextRelBase+0x4 _GCC_specific_handler-0xc win+0xc084 exception.address: 0x7fef2aac084 registers.r14: 0 registers.r15: 0 registers.rcx: 131646 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2489856 registers.r11: 2488944 registers.r8: 4374978 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 68315903 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _Unwind_RaiseException+0x1a _Unwind_Resume-0x26 win+0xc2ca @ 0x7fef2aac2ca rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 0f 11 41 10 0f 11 41 20 0f 11 41 30 b9 43 43 47 exception.exception_code: 0xc0000005 exception.symbol: _Unwind_RaiseException+0x1a _Unwind_Resume-0x26 win+0xc2ca exception.address: 0x7fef2aac2ca registers.r14: 0 registers.r15: 0 registers.rcx: 131662 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2096672 registers.r11: 2095760 registers.r8: 1 registers.r9: 2096128 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 131662 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: RtlRaiseStatus+0x18 RtlInitializeContext-0x78 ntdll+0xcd7d8 @ 0x7735d7d8 RtlIsDosDeviceName_U+0x15adc NtdllDialogWndProc_A-0x18c90 ntdll+0x6f55c @ 0x772ff55c RtlUnwindEx+0x1e GetUserDefaultUILanguage-0x12 kernel32+0x32dae @ 0x771a2dae _Unwind_Resume+0xa2 _Unwind_Resume_or_Rethrow-0xe win+0xc392 @ 0x7fef2aac392 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 8b 84 24 b8 01 00 00 33 d2 48 89 54 24 28 89 exception.symbol: RtlRaiseStatus+0x18 RtlInitializeContext-0x78 ntdll+0xcd7d8 exception.instruction: mov rax, qword ptr [rsp + 0x1b8] exception.module: ntdll.dll exception.exception_code: 0xc0000028 exception.offset: 841688 exception.address: 0x7735d7d8 registers.r14: 0 registers.r15: 0 registers.rcx: 2483584 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2488848 registers.r11: 2487280 registers.r8: 0 registers.r9: 8791766663168 registers.rdx: 8791767395640 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 4 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d _Unwind_GetGR-0x3f win+0xbf61 @ 0x7fef2aabf61 _Unwind_Resume_or_Rethrow+0x17 _Unwind_ForcedUnwind-0x9 win+0xc3b7 @ 0x7fef2aac3b7 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x22474343 exception.offset: 42141 exception.address: 0x7fefda5a49d registers.r14: 0 registers.r15: 0 registers.rcx: 1699680 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1702096 registers.r11: 1701296 registers.r8: 0 registers.r9: 0 registers.rdx: 208 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1998879728 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _ZZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev+0x2fd2 _pthread_key_dest-0x3236e win+0xb6942 @ 0x7fef2b56942 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90 0f 0b exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: _ZZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev+0x2fd2 _pthread_key_dest-0x3236e win+0xb6942 exception.address: 0x7fef2b56942 registers.r14: 0 registers.r15: 0 registers.rcx: 66352 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1309344 registers.r11: 1308432 registers.r8: 3457440 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 66352 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _Unwind_GetIPInfo+0x10 _Unwind_GetLanguageSpecificData-0x10 win+0xc010 @ 0x7fef2aac010 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 89 51 08 c3 66 66 2e 0f 1f 84 00 00 00 00 00 exception.instruction: mov qword ptr [rcx + 8], rdx exception.exception_code: 0xc0000005 exception.symbol: _Unwind_GetIPInfo+0x10 _Unwind_GetLanguageSpecificData-0x10 win+0xc010 exception.address: 0x7fef2aac010 registers.r14: 0 registers.r15: 0 registers.rcx: 131832 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161344 registers.r11: 2160432 registers.r8: 3522976 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 131832 registers.r13: 0	1
__exception__ July 22, 2024, 2:24 p.m.	stacktrace: _ZZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev+0x35340 __xl_f-0x4390 win+0xe8cb0 @ 0x7fef2b88cb0 rundll32+0x2f42 @ 0xfff42f42 rundll32+0x3b7a @ 0xfff43b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: add byte ptr [rax], al exception.exception_code: 0xc0000005 exception.symbol: _ZZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tagEN6_GuardD1Ev+0x35340 __xl_f-0x4390 win+0xe8cb0 exception.address: 0x7fef2b88cb0 registers.r14: 0 registers.r15: 0 registers.rcx: 132474 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 982272 registers.r11: 981360 registers.r8: 2998696 registers.r9: 10 registers.rdx: 4294180864 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 132474 registers.r13: 0	1

Allocates read-write-execute memory (usually to unpack itself) (31 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 1020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 1220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 1832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 1600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 2400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 3516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 2016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 4332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 4276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 4788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 6268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 6380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 6652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 7112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 6544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 7060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:24 p.m.	process_identifier: 7040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:25 p.m.	process_identifier: 6368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 22, 2024, 2:25 p.m.	process_identifier: 7328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Kaspersky	UDS:DangerousObject.Multi.Generic
McAfeeD	ti!E1D835E3AF9F

win.txt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All