Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 21, 2021, 9:54 a.m.	May 21, 2021, 9:56 a.m.

Size	541.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`d2fe28f11e61c88847055640d0d92b41`
SHA256	`b706c4069b014fee3dc18079519e77c9f75e8fc2736264866119a4c0a7bc06c3`
CRC32	`3FDAFAAC`
ssdeep	`12288:n7jCgJ8TDXqANCvmA6vdot2lY4ieYHcftQ:nPFSDFNCvmAyot7/Hy`
PDB Path	c:\must\book speed\kee1\Read\Once.pdb
Yara	IsDLL - (no description) PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\img.dll,DllRegisterServer
2208
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\img.dll,DllUnregisterServer
7748
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\img.dll,Doubleboy
7232
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\img.dll,Drivetube
8800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\img.dll,
5332

Name	Response	Post-Analysis Lookup
chat.veminiare.com	A 35.247.240.15	35.247.240.15
app.buboleinov.com
chat.billionady.com	A 35.247.240.15	35.247.240.15
app3.maintorna.com	A 35.247.240.15	35.247.240.15

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
35.247.240.15	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name:		0
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name:		0
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:55 a.m.	computer_name:		0
GetComputerNameW May 21, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:55 a.m.	computer_name:		0
GetComputerNameW May 21, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name:		0
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name:		0
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 21, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 21, 2021, 9:54 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 event)

pdb_path

c:\must\book speed\kee1\Read\Once.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 21, 2021, 9:54 a.m.		1	1	0

Performs some HTTP requests (7 events)

request	GET http://chat.veminiare.com/SWKRRoakONjHS/sJUvOXim/_2B9jP62X8_2FGlg4YDjd4d/qcmm7f7ClO/0z_2FBik6zsFUb_2B/mdQuBGZWJbZi/6xjwfL8HuMz/d_2FSpDSI_2BKI/JPFoCEypL2oX91Q4Ez8Ol/_2BbhoEWQeeBD5YI/8AKl5Z_2B2W818y/o2LGNPqkk0KZ7SqM_2/BMAI5eaIh/c2V1xT0MggHgb9EHebVm/6sBZ5NPXZp1FD_2B_2F/pWANEdjwYpo0P5KQDdAFKl/yUhTzhrbU_2BJ/rWTYGgor/1sg9sd85Eu4uYyHnSJDXAaK/pZxdrYlOCF/U5EegqM25eDBrssZ7s5/E3
request	GET http://chat.veminiare.com/XG7VMRXz6CIgQVN/FIntP9vcoEkPSFVbFS/fYS8e36TX/47lcuBGwy_2Fxx2vh551/lqWwG1U_2B_2B1jEskE/JXiowlyiqpwwViroADLTPB/X_2BWBHu8SYGn/eSBJSBRB/dF6BXDtumGC6qp3_2F77amm/xs_2BDlWuF/q_2BNO2mypx9x4I9I/Mf_2F_2BfEaM/dYEJV1IL6pP/veKpGWZ2qUuoLp/mkzQV4lPTU3MkaBkfEekk/35JqCIhlF2V6Q7CU/SlWE6mIgUZzrKTB/N1180MRdubkJqxJUKJ/yEKzRhHUc/jdp_2F6QzI8g8n2qM0o0/er4YGuEd4WrXPgZbwDl/HH_2BVJA9/DSh4
request	GET http://chat.billionady.com/6UJSnOoZaJnsH/_2FnSXfG/ln0aL5nX3zhg1UG0FK3qlut/6LZhHclyKd/I_2BKVhzQWMWrcGcT/ZTTdNTGlVi9S/I_2BAWt0RO9/er8HPcbpFhwm36/a1eGThTcirHujHLF1hMPY/2MVDtK4kSPDf6x73/kBOc3g9jxsxeT0e/L10KY1NatyOr4ZwtIc/K_2Fvjy1Q/srpejgSg7907lJY9reM9/9Qw_2Fjk1albXSiy4oJ/LgPFE2YVHTdPp_2FZsD8Cg/DFD_2BLO9r8Wh/t0A12sbi/Qajd6psuZy588mTQqbWqV2t/4O2zvkug11/4OSQHCtMtxkP1M2U5/58GKm53yW2ph/c23
request	GET http://chat.billionady.com/_2BajllG2W5QT7c_2BZ752/OUUsE0PdrCWti/u9hmphDr/_2F9VYvDpC09PqHzWQ_2FgV/MgOXJ_2BYm/vglQH6ZyKvTwcWC2l/9KkU02SFeC5O/8WYERoLeYTH/YXQmDuxxY7zygt/d5870sTfet2nG0xBg_2FD/l4lJZP2MJLjZmoGm/X_2Fqttce3zZyDw/zj6OUwPJSioOxqH_2F/X7tf_2ByV/RoBMC3jlcSkCJpfAFTXJ/J8J_2FU1gKyYAT49hXl/mKoGzzXRNmwQYbWjXJ42lM/PNnC61le0aduH/ZboUDnEv/R1TvWtf_2Bseqg4Yhb_2Fbs/TDEkt6dBpq/Bnv8PCQuC/dX1RYbcMw_2/BP
request	GET http://app3.maintorna.com/DOnp8FFIHxzkzO_2BI6as/Fk0cpZuJStBv_2Bf/7dz0Pm9_2FDrH_2/BzURhMGfKY7dgLun5s/iJYbzM_2F/OpXZ4LNbk_2Fg61I1stG/_2BebEv8Xkqy5n2biLH/11_2Bgm6kPAWWd2iIKpjRo/G4rSkBS3HoKhG/EYgrqAFJ/AL6M1PWxcCpetsvV1oiFf_2/BohAk_2FI9/F_2BEUu9lzeyW1whp/ZaCzXxb5vf_2/FOoMXHLhCrL/WImY_2FOZAtGK_/2BqWFJtD6Wmlrct1tJIXo/Od830PThv_2FVsVX/ZdVQms7bduFf4f_/2BtVaKPpdHSao2OHbP/E2qA5owZL/iyO_2FtU3PTxS9YRT_2F/mva4jJSu/N
request	GET http://app3.maintorna.com/8D1iapHyZLACTh/rcVgyTqKzXA6LpliF4YXu/XzM08QA0f3i7z2Ji/5n2Aq_2F0nnzvZE/fgvsm6sx70duziYeT2/m1YbOFs_2/BnZ3Nsio6pU1esvY2GaB/072K4jXWAaNHHzJBgKQ/cjz9OMjQ8jFdM66FM0X5PH/8sMCLzWI9KYKG/P9401_2B/4_2BUA4sQyYHR1erUXLu0MR/4bIIrt07vu/dFa8mj1HDypiDob48/HZYMjtUwOtXJ/8gnN_2Be1Gg/8xeLB6A3hV4xD1/yCLUivcQ_2FPo_2Bm4FLg/ULbhusSZkHt7XUYu/9_2BZcHorbO0foO/nV27I1E4VlAowLRgeiZl/xm
request	GET http://chat.veminiare.com/lN4ZajfSnftzc7Dl/Zr0OE4FzP7c3zQB/jGkKqDLiYl_2FSgzkC/IsLtY5lOe/_2BINzYKsAYitV_2B6iY/_2F_2FO_2FOWTH4Lh5x/d7vtLNqHW83WIFHjo5ZqI6/bLVkD1v5Lpzxf/OkXnFjV9/kb3Qz61muiBunA_2BK_2BYp/xlKBbqYPKl/gKaNm2lkuGFA8P9JV/vYzvXLsNzSOI/em46rn0AL6j/jjz0pVdMfHPnpB/pekEVSPzfDDI8Yp_2FLSs/kgNdJBlnC_2Fv_2B/TPjSEeUbuWIEYoS/5ZCcazyYNbMYmcL5av/sa6JqQioU/5CLBEaoucjWJ4hu5ys4V/t_2FAeecmj0FnLw44/c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 141 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x64b1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e4c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72961000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x64b68000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72071000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x64b1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 7748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72121000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 196 seconds, actually delayed analysis time by 196 seconds

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

FireEye	Generic.mg.d2fe28f11e61c888
BitDefenderTheta	Gen:NN.ZedlaF.34690.Hu4@aSig!ici
Avast	Win32:Malware-gen
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
VBA32	BScope.TrojanBanker.Gozi
eGambit	Unsafe.AI_Score_88%
AVG	Win32:Malware-gen

img.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All