Summary | ZeroBOX

mimilib.dll

Tags: Malicious Packer, PE32, PE File, DLL

Category: FILE
Machine: s1_win7_x6403_us
Started: July 20, 2024, 7:59 p.m.
Completed: July 20, 2024, 8:01 p.m.

Size: 31.0KB
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5: 46e598798bdde4c72e796edcf2317b52
SHA256: e60c210687e79347d06f9a144ee84417ba9ac4c1f303720f2fe4509734d670d6
CRC32: 2BEE9497
ssdeep: 384:ZPqreMGv6SqMDjuPRjL9sapJcos+uOiZESsQDygQ2Unn7PAss3sWqWyXO4hMnAl3:lrEdpJLFiq3GO7bs3sdEFyQejil0Tn
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsDLL - (no description)
  • IsPE32 - (no description)

Network

DNS (Name, Response, Post-Analysis Lookup): no hosts contacted.
IP (Address, Status, Action): no hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent   (no arguments)   0 0
(logged 19 times during the run, every entry with the same values)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
rundll32+0x137d @ 0x17137d
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c7 02 01 00 00 00 8b 08 56 57 8d 59 1c c7 45 1c
exception.instruction: mov dword ptr [edx], 1
exception.exception_code: 0xc0000005
exception.symbol: DhcpNewPktHook+0x14 DnsPluginInitialize-0x6a mimilib+0x1130
exception.address: 0x74501130
registers.esp: 1177520
registers.edi: 0
registers.eax: 262184
registers.ebp: 1177532
registers.edx: 0
registers.ebx: 0
registers.esi: 262184
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559
RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639
RtlUlonglongByteSwap+0xd17b RtlFreeOemString-0x1475f ntdll+0x8a56b @ 0x7792a56b
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x33587 @ 0x778d3587
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x33472 @ 0x778d3472
GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x755a3e88
rundll32+0x1355 @ 0x171355
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff
exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653
exception.instruction: jmp 0x7796e667
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 845395
exception.address: 0x7796e653
registers.esp: 783460
registers.edi: 5022272
registers.eax: 783476
registers.ebp: 783580
registers.edx: 0
registers.ebx: 0
registers.esi: 4784128
registers.ecx: 2147483647
1 0 0

__exception__

stacktrace:
rundll32+0x137d @ 0x17137d
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 0f b7 83 b8 00 00 00 56 50 8b 45 0c 8d 48 1c 51
exception.instruction: movzx eax, word ptr [ebx + 0xb8]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x28 DllGetClassObject-0x484 mimilib+0x13a9
exception.address: 0x745013a9
registers.esp: 1834268
registers.edi: 1992042848
registers.eax: 1992042848
registers.ebp: 1834280
registers.edx: 2130566017
registers.ebx: 1
registers.esi: 524640
registers.ecx: 1951421828
1 0 0

__exception__

stacktrace:
rundll32+0x137d @ 0x17137d
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 0f b7 83 b8 00 00 00 56 50 8b 45 0c 8d 48 1c 51
exception.instruction: movzx eax, word ptr [ebx + 0xb8]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x28 DllGetClassObject-0x484 mimilib+0x13a9
exception.address: 0x745013a9
registers.esp: 1833184
registers.edi: 1992042848
registers.eax: 1992042848
registers.ebp: 1833196
registers.edx: 2130566017
registers.ebx: 1
registers.esi: 262500
registers.ecx: 1951421828
1 0 0

__exception__

stacktrace:
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 83 20 00 33 c0 5f c2 20 00 8b 44 24 04 48 74 18
exception.instruction: and dword ptr [eax], 0
exception.exception_code: 0xc0000005
exception.symbol: NPLogonNotify+0x61 NPGetCaps-0x9 mimilib+0x1295
exception.address: 0x74501295
registers.esp: 3341836
registers.edi: 1992042848
registers.eax: 0
registers.ebp: 3341956
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 131434
registers.ecx: 1991458255
1 0 0

__exception__

stacktrace:
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c7 00 00 00 01 00 8b 44 24 0c c7 00 20 84 50 74
exception.instruction: mov dword ptr [eax], 0x10000
exception.exception_code: 0xc0000005
exception.symbol: SpLsaModeInitialize+0x4 Msv1_0SubAuthenticationFilter-0x1f mimilib+0x1362
exception.address: 0x74501362
registers.esp: 2883016
registers.edi: 0
registers.eax: 1507328
registers.ebp: 2883132
registers.edx: 9
registers.ebx: 0
registers.esi: 131438
registers.ecx: 0
1 0 0

__exception__

stacktrace:
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x3ba1
registers.esp: 653156
registers.edi: 1951434820
registers.eax: 41530
registers.ebp: 653292
registers.edx: 9
registers.ebx: 0
registers.esi: 65954
registers.ecx: 0
1 0 0

__exception__

stacktrace:
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 2750280
registers.edi: 0
registers.eax: 66050
registers.ebp: 2750404
registers.edx: 9
registers.ebx: 0
registers.esi: 66050
registers.ecx: 0
1 0 0

__exception__

stacktrace:
rundll32+0x137d @ 0x17137d
rundll32+0x1326 @ 0x171326
rundll32+0x1901 @ 0x171901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 3143984
registers.edi: 0
registers.eax: 4294960296
registers.ebp: 3144088
registers.edx: 9
registers.ebx: 1951420864
registers.esi: 0
registers.ecx: 2399
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory: 50 calls across 17 process identifiers. Every call carries the same arguments except process_identifier and base_address:

  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff (the current-process pseudo-handle, so each process changes its own pages)
  Status / Return / Repeated for every call: 1 0 0

Each process touches the same three pages, in the same order. Taking mimilib's load base as 0x74500000 (from exception.symbol mimilib+0x1130 at 0x74501130 above), 0x74505000 lies inside the mimilib image while 0x74490000 and 0x74461000 lie below its base, outside it.

process_identifier   base_address
1372   0x74505000, 0x74490000, 0x74461000
2148   0x74505000, 0x74490000, 0x74461000
2232   0x74505000, 0x74490000, 0x74461000
2332   0x74505000, 0x74490000, 0x74461000
2428   0x74505000, 0x74490000, 0x74461000
2520   0x74505000, 0x74490000, 0x74461000
2616   0x74505000, 0x74490000, 0x74461000
2708   0x74505000, 0x74490000, 0x74461000
2800   0x74505000, 0x74490000, 0x74461000
2892   0x74505000, 0x74490000, 0x74461000
2980   0x74505000, 0x74490000, 0x74461000
1076   0x74505000, 0x74490000, 0x74461000
2224   0x74505000, 0x74490000, 0x74461000
2360   0x74505000, 0x74490000, 0x74461000
2532   0x74505000, 0x74490000, 0x74461000
2692   0x74505000, 0x74490000, 0x74461000
2968   0x74505000, 0x74490000
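The exception records and the NtProtectVirtualMemory records above are the two behaviours in this report worth scripting a check for. The block below is an added example, not code from ZeroBOX, Cuckoo or the mimikatz project: it parses the report's record layout (an API name, then key: value lines, then a status triple), lists which PIDs granted PAGE_EXECUTE_READWRITE (the value 64) and whether the page lies inside mimilib's image, and lists the faults whose symbol resolves into mimilib. The base 0x74500000 follows from `mimilib+0x1130 @ 0x74501130`; the mapped size 0x8000 is an assumption (the file is 31.0KB on disk, the in-memory size is not in the report), and SAMPLE_LOG is constructed from entries on this page with unused fields dropped.

```python
"""Summarise ZeroBOX/Cuckoo-style behaviour records: RWX page-protection
changes and faults raised inside the loaded DLL's own exports.
Added example; not ZeroBOX, Cuckoo or mimikatz code."""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40      # Win32 protection constant, shown as "64" in the report
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_HEAP_CORRUPTION = 0xC0000374

# Base derived from "mimilib+0x1130 @ 0x74501130"; size is an assumption.
MIMILIB_BASE = 0x74500000
MIMILIB_SIZE = 0x8000

# Constructed sample: records copied from the report, unused fields removed.
SAMPLE_LOG = """\
NtProtectVirtualMemory

process_identifier: 1372
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74505000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1372
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74490000
process_handle: 0xffffffff
1 0 0

__exception__

stacktrace:
rundll32+0x137d @ 0x17137d
rundll32+0x1326 @ 0x171326

exception.instruction: mov dword ptr [edx], 1
exception.exception_code: 0xc0000005
exception.symbol: DhcpNewPktHook+0x14 DnsPluginInitialize-0x6a mimilib+0x1130
exception.address: 0x74501130
registers.edx: 0
1 0 0

__exception__

exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.address: 0x7796e653
1 0 0
"""

KV_RE = re.compile(r"^([\w.]+):\s*(.*)$")   # "key: value" (value may be empty)
NAME_RE = re.compile(r"^[A-Za-z_]\w*$")     # API name or __exception__


def parse_records(text):
    """Return one dict per record; stack frames and status triples are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
        elif NAME_RE.match(line):
            current = {"api": line}
            records.append(current)
    return records


def rwx_changes(records, module_base=MIMILIB_BASE, module_size=MIMILIB_SIZE):
    """Per PID: (base_address, inside_module) for each call granting RWX."""
    hits = defaultdict(list)
    for r in records:
        if r.get("api") != "NtProtectVirtualMemory":
            continue
        prot = int(r["protection"].split()[0])   # "64 (PAGE_EXECUTE_READWRITE)" -> 64
        if prot != PAGE_EXECUTE_READWRITE:
            continue
        base = int(r["base_address"], 16)
        inside = module_base <= base < module_base + module_size
        hits[int(r["process_identifier"])].append((base, inside))
    return dict(hits)


def faulting_exports(records, module="mimilib"):
    """(export name, exception code, address) for faults whose symbol is in `module`."""
    out = []
    for r in records:
        if r.get("api") != "__exception__":
            continue
        sym = r.get("exception.symbol", "")
        if module + "+" not in sym:
            continue
        export = sym.split("+", 1)[0]   # "DhcpNewPktHook+0x14 ..." -> "DhcpNewPktHook"
        out.append((export, int(r["exception.exception_code"], 16),
                    int(r["exception.address"], 16)))
    return out


def describe(code):
    return {STATUS_ACCESS_VIOLATION: "access violation",
            STATUS_HEAP_CORRUPTION: "heap corruption"}.get(code, hex(code))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for pid, pages in rwx_changes(recs).items():
        for base, inside in pages:
            print(f"pid {pid}: RWX at {base:#x} ({'inside' if inside else 'outside'} mimilib)")
    for export, code, addr in faulting_exports(recs):
        print(f"{export} faulted at {addr:#x}: {describe(code)}")
```

Reading the full report through this lens: every fault that resolves into mimilib (DhcpNewPktHook, Msv1_0SubAuthenticationFilter, NPLogonNotify, SpLsaModeInitialize) sits directly on rundll32 frames and dereferences a zero or near-zero register, which is what rundll32 produces when it calls an export whose real parameter list differs from the (HWND, HINSTANCE, LPSTR, int) convention rundll32 assumes. Those crashes describe the harness, not the sample's payload; the RWX change on the page inside mimilib's image is the record to correlate with the DLL's own sections.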
Antivirus results (engine, detection name)

Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh HTool-Mimikatz
ALYac Trojan.GenericKD.72711626
Cylance Unsafe
VIPRE Trojan.GenericKD.72711626
Sangfor HackTool.Win64.Mimikatz.uwccg
K7AntiVirus Riskware ( 005368931 )
BitDefender Trojan.GenericKD.72711626
K7GW Riskware ( 005368931 )
Arcabit Trojan.Generic.D4557DCA
VirIT Trojan.Win32.Genus.RUJ
Symantec Hacktool.Mimikatz
ESET-NOD32 a variant of Win32/RiskWare.Mimikatz.J
McAfee HTool-Mimikatz
Avast Win32:MalwareX-gen [Trj]
ClamAV Win.Tool.Mimikatz-10030748-0
Kaspersky HEUR:Trojan.Win32.Mimikatz.gen
Alibaba Trojan:Win32/Mimikatz.4b1
NANO-Antivirus Trojan.Win32.Mimikatz.jritks
MicroWorld-eScan Trojan.GenericKD.72711626
Rising HackTool.Mimikatz!1.B3A7 (CLASSIC)
Emsisoft Trojan.GenericKD.72711626 (B)
F-Secure Trojan.TR/AD.Mimikatz.olrti
DrWeb Tool.PassView.1958
Zillya Tool.Mimikatz.Win32.1997
TrendMicro HackTool.Win32.Mimikatz.CNGF
McAfeeD ti!E60C210687E7
FireEye Generic.mg.46e598798bdde4c7
Sophos ATK/Apteryx-Gen
Ikarus HackTool.Mimikatz
Jiangmin Trojan.PSW.Mimikatz.cvz
Webroot W32.Hacktool.Gen
Google Detected
Avira TR/AD.Mimikatz.olrti
MAX malware (ai score=100)
Antiy-AVL Trojan[PSW]/Win32.Mimikatz
Kingsoft malware.kb.a.797
Gridinsoft Risk.Win32.Mimikatz.tr
Xcitium Malware@#289lhzuorpj06
Microsoft HackTool:Win64/Mikatz!dha
ViRobot HackTool.S.Mimikatz.31744
ZoneAlarm HEUR:Trojan.Win32.Mimikatz.gen
GData Trojan.GenericKD.72711626
Varist W32/Mimikatz.A.gen!Eldorado
AhnLab-V3 Trojan/Win.Mimikatz.R453144
BitDefenderTheta Gen:NN.ZedlaF.36810.bu8@aC9ojzni
TACHYON Trojan/W32.Mimikatz.31744
DeepInstinct MALICIOUS