Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 17, 2023, 7:51 a.m.	March 17, 2023, 7:52 a.m.

Size	645.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`6f262e779fc26d8dd89c942c744eecba`
SHA256	`0b8682fe1ee1d9a8ad485452179e9c8651c682660591077e0fb7077e89af81bd`
CRC32	`07DB70BD`
ssdeep	`12288:UF+tM6XshMhiEPV8dltumwktXEaUfRLN7ku4xAYuIbm6YvKKypnweFcqFXeN2wq:O/6XqMciFypnwscqReN2D`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet IsDLL - (no description) IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,ANJHrtqPyoZlLN
2560
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,ANJHrtqPyoZlLN
  908
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AdDIJNyjoaSeKitBSSfvfV
2644
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AdDIJNyjoaSeKitBSSfvfV
  2088
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AiQuYKFP
2736
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AiQuYKFP
  196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AjCvWu
2824
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AjCvWu
  2216
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AveAkeMGsAwFFAhoKdNXhIMFQ
2916
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,AveAkeMGsAwFFAhoKdNXhIMFQ
  2628
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,BFNfItOdrItDPYj
3012
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,BFNfItOdrItDPYj
  2676
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,BOhuBWDUsCWLiC
940
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,BOhuBWDUsCWLiC
  2776
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,BTMFzdgTuyWjiIBHnce
2460
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,BTMFzdgTuyWjiIBHnce
  1152
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,CXLyPNN
2612
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,CXLyPNN
  1728
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,CoPzTghLuoRCKv
3000
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,CoPzTghLuoRCKv
  2444
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,CzSCLOcblUEHZbXguBeBKvOsFr
2516
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,CzSCLOcblUEHZbXguBeBKvOsFr
  3004
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DGWnzoUQDuJFITIs
2860
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DGWnzoUQDuJFITIs
  2556
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DXFnrcWUukvqM
2168
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DXFnrcWUukvqM
  1120
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DllRegisterServer
2920
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DllRegisterServer
  3044
  - regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OAgjhKSULIBzUOCv\qeRLOgWoVARWAki.dll"
    3560
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DtuklXMCytMEOfG
2748
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DtuklXMCytMEOfG
  3016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DvvFQBN
2924
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,DvvFQBN
  2520
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EEFTMFWzodeDNgkOokBFbPUM
2864
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EEFTMFWzodeDNgkOokBFbPUM
  2852
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EZkpQfdxRULajOkDrGLHdLD
2784
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EZkpQfdxRULajOkDrGLHdLD
  2112
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EnFJoeQtlzsJDJiJBmbXoBTpwv
2828
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EnFJoeQtlzsJDJiJBmbXoBTpwv
  2100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EsKEcLa
3112
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EsKEcLa
  3240
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EtgJryXb
3232
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EtgJryXb
  3472
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EwUPpnOBjfPxH
3364
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EwUPpnOBjfPxH
  3532
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EztRXmoFVqjMSateN
3464
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,EztRXmoFVqjMSateN
  3692
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FASZSnNRTIVAAaGcgawnKQZyy
3636
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FASZSnNRTIVAAaGcgawnKQZyy
  3848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FGFyHfFIUhGbYBAZSYZbyICNUd
3776
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FGFyHfFIUhGbYBAZSYZbyICNUd
  3964
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FRjkVJXkyiheeOfN
3916
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FRjkVJXkyiheeOfN
  4064
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FYgbRxuhThTqi
4056
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FYgbRxuhThTqi
  3148
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FkEiXaMMKAdEpLTECJzhaViXI
3204
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,FkEiXaMMKAdEpLTECJzhaViXI
  3356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GFnuqsATNhcsPXZHiVOxZST
3432
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GFnuqsATNhcsPXZHiVOxZST
  3676
explorer.exe C:\Windows\Explorer.EXE
1452
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GQJmrAwSczpjroAXcGhyqBUdB
3604
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GQJmrAwSczpjroAXcGhyqBUdB
  3792
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GUBjDl
3804
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GUBjDl
  3640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GVoDrZwwflq
3468
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GVoDrZwwflq
  3284
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GWOPbRQrBekZviftyaAUwXmnh
2716
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,GWOPbRQrBekZviftyaAUwXmnh
  3168
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,HIQgMO
2120
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,HIQgMO
  3720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,HUraWDowXZUfxDa
3448
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,HUraWDowXZUfxDa
  3948
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,Hjkwbzu
2224
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,IVoyuTGXNLCke
3156
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,IfyOjidHbwvD
3620
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,IxFJaPJQRQSzqlajawLBTzlwKo
3668
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,JOLlxrVluAyNHIhUuvAYwypV
3780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,JXiDoHIIyrJjEYKuRb
3188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,JilnPOgZrXMjkwk
3852
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,JqWanxhQqUNu
3836
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,KCYGkqzzvPgjOGshmaWLW
3608
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,KEMrlPvHxelUlZ
2456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,KMaMkjqMkYYPMAAJPKLOehoPyY
4040
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,KVtfEbpbmPAlXPj
4192
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,KpXiawubnkzsXkEtjJO
4304
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,KydgpVnbUe
4416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,LZWxaAtECxaSGoAz
4516
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,LxlPnmCsAgDIkxMugK
4636
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,LyTteGzhZhP
4756
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,MEXTEnCNvZXJLhRKiTCyNPih
4860
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,MRJugro
4980
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,MdqrgqIfjHmjoZkNi
5100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,MgYMlGlGPQTRsI
4172
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,MopbjpmEaxOdYcIcIYZme
4372
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,NFxEbaQrvHYBkgyyc
4540
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,NItPsPAfBOUuIBno
4752
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,NyTYpQnIzVVNhlVibsSjFCZouP
4928
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,OaAXUXHduoOFLxnDhBJwzh
5064
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,OeHfob
3748
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,OsrEfsOyNaoWldUmRfDeFahCz
4376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,OtMYeClSBjKXnqKKcwvkpdT
4708
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,PTjntzhnCrFsOVRuqb
4848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,PVEOpmicZObotzmowwdn
5048
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,PYGtAnBuWCkXSFbfJoxh
4360
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,PcZbHHwxtObWwsAZucWAfp
4728
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,PovPoPHy
5008
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\My5PdKnB.dll,QQDxzrvZSfjOUIRPNLzseI
4784

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (34 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0
IsDebuggerPresent March 17, 2023, 7:44 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 17, 2023, 7:51 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BPEFHH

Allocates read-write-execute memory (usually to unpack itself) (50 out of 115 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 908 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2088 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 196 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2216 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2776 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2676 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2628 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1152 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1728 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2444 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3004 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2556 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1120 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 1120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3044 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2520 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2520 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3016 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 17, 2023, 7:44 a.m.	process_identifier: 2852 region_size: 172032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OAgjhKSULIBzUOCv\qeRLOgWoVARWAki.dll"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000124 process_name: rundll32.exe process_identifier: 2920	1	1
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000124 process_name: rundll32.exe process_identifier: 3044	1	1
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 3448	1	1
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 2224	1	1
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 3948	1	1
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 3156	1	1
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000148 process_name: rundll32.exe process_identifier: 3620	1	1
Process32NextW March 17, 2023, 7:44 a.m.	snapshot_handle: 0x0000000000000148 process_name: regsvr32.exe process_identifier: 3560	1	1

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Elastic	malicious (high confidence)
McAfee	Artemis!6F262E779FC2
K7AntiVirus	Trojan ( 0059b58d1 )
K7GW	Trojan ( 0059b58d1 )
CrowdStrike	win/malicious_confidence_100% (D)
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
McAfee-GW-Edition	BehavesLike.Win64.Generic.jc

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002b000', u'virtual_address': u'0x0007a000', u'entropy': 7.83165138668879, u'name': u'.rsrc', u'virtual_size': u'0x0002aee8'}

entropy

7.83165138669

description

A section with a high entropy has been found

entropy

0.266873545384

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (2 events)

process	regsvr32.exe
process	rundll32.exe

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\System32\OAgjhKSULIBzUOCv\qeRLOgWoVARWAki.dll:Zone.Identifier

My5PdKnB

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All