Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 12, 2023, 8:56 a.m.	June 12, 2023, 9 a.m.

Size	297.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`91479a5bad88f0f0cfd0e9adb5c995e1`
SHA256	`93c3b4b783572c8191350d41f57ba4d9fff1568604ed193c7a71736f671e8ab6`
CRC32	`0F50E8D3`
ssdeep	`6144:HtEkenhntp+bTjbtyIdi/MJcTBwq4FtwbqNFzJSTBKbybpbublt4uYbG:HqkenZr+bDdIVwq4JzJSTQx`
PDB Path	C:\Users\è°·å \Desktop\2022è¿ç¨ç®¡çgfi\cangku\WinOsClientProject\x64\Release\ä¸çº¿æ¨¡å.pdb
Yara	UPX_Zero - UPX packed file IsDLL - (no description) Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,GetInstallDetailsPayload
2552
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,GetInstallDetailsPayload
  2960
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,SignalChromeElf
2636
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,SignalChromeElf
  3016
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,SignalChromeElf
    2436
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,Version
2728
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,Version
  2088
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,load
2816
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,load
  1484
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,load
    2508
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,load
      2668
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,load
        2760
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,run
2912
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,run
  152
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\output_64.dll,
744

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.208.236.70	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0
IsDebuggerPresent June 12, 2023, 8:56 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\è°·å \Desktop\2022è¿ç¨ç®¡çgfi\cangku\WinOsClientProject\x64\Release\ä¸çº¿æ¨¡å.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2023, 8:57 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ June 12, 2023, 8:56 a.m.	stacktrace: 0x1c01204 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1c01204 registers.r14: 1 registers.r15: 6 registers.rcx: 48 registers.rsi: 0 registers.r10: 0 registers.rbx: 32042884 registers.rsp: 42925192 registers.r11: 42925968 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092858960 registers.r12: 1 registers.rbp: 42925312 registers.rdi: 32042960 registers.rax: 29364736 registers.r13: 0	1
__exception__ June 12, 2023, 8:56 a.m.	stacktrace: 0x551204 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x551204 registers.r14: 1 registers.r15: 6 registers.rcx: 48 registers.rsi: 0 registers.r10: 0 registers.rbx: 31254420 registers.rsp: 45480888 registers.r11: 45481664 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092858960 registers.r12: 1 registers.rbp: 45481008 registers.rdi: 31254496 registers.rax: 5575168 registers.r13: 0	1
__exception__ June 12, 2023, 8:56 a.m.	stacktrace: 0x551204 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x551204 registers.r14: 1 registers.r15: 6 registers.rcx: 48 registers.rsi: 0 registers.r10: 0 registers.rbx: 31909780 registers.rsp: 47053128 registers.r11: 47053904 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092858960 registers.r12: 1 registers.rbp: 47053248 registers.rdi: 31909856 registers.rax: 5575168 registers.r13: 0	1
__exception__ June 12, 2023, 8:56 a.m.	stacktrace: 0x1c01204 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 0xfffffa8000000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1c01204 registers.r14: 1 registers.r15: 6 registers.rcx: 48 registers.rsi: 0 registers.r10: 0 registers.rbx: 30336916 registers.rsp: 47708200 registers.r11: 47708976 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092863056 registers.r12: 1 registers.rbp: 47708320 registers.rdi: 30336992 registers.rax: 29364736 registers.r13: 0	1

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 2960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 1484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2023, 8:56 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 590 seconds, actually delayed analysis time by 590 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 12, 2023, 8:57 a.m.	total_number_of_free_bytes: 13324292096 free_bytes_available: 13324292096 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 12, 2023, 8:57 a.m.	total_number_of_free_bytes: 13324292096 free_bytes_available: 13324292096 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 12, 2023, 8:57 a.m.	total_number_of_free_bytes: 13324292096 free_bytes_available: 13324292096 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: pw.exe process_identifier: 2320	1	1
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: taskhost.exe process_identifier: 2372	1	1
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2552	1	1
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2912	1	1
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2960	1	1
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 152	1	1
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2436	1	1
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 108 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002a4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002c8 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0
Process32NextW June 12, 2023, 8:57 a.m.	snapshot_handle: 0x00000000000002e4 process_name: rundll32.exe process_identifier: 2760		0	0

Communicates with host for which no DNS query was performed (1 event)

host

91.208.236.70

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

91.208.236.70:6000

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

MicroWorld-eScan	Gen:Variant.Ulise.404777
ALYac	Gen:Variant.Ulise.404777
Malwarebytes	Malware.AI.4097583061
VIPRE	Gen:Variant.Ulise.404777
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (D)
Arcabit	Trojan.Ulise.D62D29
Cyren	W64/Agent.GAP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Spy.Agent.EE
Cynet	Malicious (score: 100)
ClamAV	Win.Malware.Barys-10002228-0
Kaspersky	HEUR:Trojan-Spy.Win64.AntiAV.gen
BitDefender	Gen:Variant.Ulise.404777
Avast	Win64:TrojanX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bdd3bd
Emsisoft	Gen:Variant.Ulise.404777 (B)
Zillya	Trojan.Agent.Win64.24920
FireEye	Gen:Variant.Ulise.404777
MAX	malware (ai score=83)
Antiy-AVL	Trojan[Spy]/Win64.AntiAV
Microsoft	Trojan:Script/Phonzy.A!ml
ZoneAlarm	HEUR:Trojan-Spy.Win64.AntiAV.gen
GData	Gen:Variant.Ulise.404777
Google	Detected
AhnLab-V3	Trojan/Win.Backdoor.R563961
McAfee	GenericRXAA-AA!91479A5BAD88
Rising	Backdoor.Farfli!1.DE41 (CLASSIC)
Yandex	TrojanSpy.Agent!x5bE/mVN39A
Ikarus	Trojan.Win64.Spy
MaxSecure	Trojan.Malware.186401462.susgen
AVG	Win64:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

output_64.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All