Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 18, 2024, 9:36 a.m.	June 18, 2024, 9:38 a.m.

Size	55.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`b60a81a659f6a8228c3e5df7f1c0819a`
SHA256	`0f4c555dc838ea3ba222b6d64e93be6400f5eccb6ae432a653fb5688eff719d5`
CRC32	`6084881B`
ssdeep	`1536:z4qguMDQRDG4S/GvGMZ4dvkAxcmgdSrna:z4qgbDQtG+Ydv/xcmgwrn`
PDB Path	C:\Users\Admin\Documents\Visual Studio 2008\Projects\dlll\x64\Release\dlll.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsDLL - (no description) IsPE64 - (no description) PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\arphaDump64.dll,GetArphaCrashReport
2548
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\arphaDump64.dll,GetArphaCrashReport
  2876
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\arphaDump64.dll,GetArphaUtils
2632
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\arphaDump64.dll,GetArphaUtils
  2956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\arphaDump64.dll,SetWindowLocalDump
2728
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\arphaDump64.dll,SetWindowLocalDump
  2920
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\arphaDump64.dll,
2816

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 18, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 18, 2024, 9:29 a.m.			0	0
IsDebuggerPresent June 18, 2024, 9:29 a.m.			0	0

pdb_path

C:\Users\Admin\Documents\Visual Studio 2008\Projects\dlll\x64\Release\dlll.pdb

Time & API	Arguments	Status
NtProtectVirtualMemory June 18, 2024, 9:29 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 18, 2024, 9:29 a.m.	process_identifier: 2920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 18, 2024, 9:29 a.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

arphaDump64.dll