Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 23, 2024, 9:04 a.m.	July 23, 2024, 9:05 a.m.

Size	1.3MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`eb29329de4937b34f218665da57bcef4`
SHA256	`4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a`
CRC32	`E81EA696`
ssdeep	`24576:gplQSK1oQplSdNkU4lH3cDyx+7LKSyUR5E:gpeZdpqEx3cWonnx`
PDB Path	D:\c++\Mal_Cookie_x64\x64\Release\mscorsvc.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ftp_command - ftp command infoStealer_browser_b_Zero - browser info stealer IsDLL - (no description) IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_ApplyPatches
612
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_ApplyPatches
  1592
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_ApplyPatchesCaseSensitive
2252
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_ApplyPatchesCaseSensitive
  504
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_FindPointerFromObjectTo
2388
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_FindPointerFromObjectTo
  1700
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_AddPatchToArray
3020
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_AddPatchToArray
  2124
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GenerateMergePatch
1620
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GenerateMergePatch
  2764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GenerateMergePatchCaseSensitive
2564
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GenerateMergePatchCaseSensitive
  2888
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GeneratePatches
2968
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GeneratePatches
  200
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GeneratePatchesCaseSensitive
1188
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GeneratePatchesCaseSensitive
  2528
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GetPointer
2136
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GetPointer
  2856
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GetPointerCaseSensitive
3040
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_GetPointerCaseSensitive
  2400
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_MergePatch
2412
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_MergePatch
  832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_MergePatchCaseSensitive
2800
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_MergePatchCaseSensitive
  2104
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_SortObject
1716
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_SortObject
  1300
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_SortObjectCaseSensitive
1596
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSONUtils_SortObjectCaseSensitive
  2796
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddArrayToObject
1692
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddArrayToObject
  3172
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddBoolToObject
3108
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddBoolToObject
  3244
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddFalseToObject
3308
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddFalseToObject
  3448
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemReferenceToArray
3420
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemReferenceToArray
  3584
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemReferenceToObject
3604
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemReferenceToObject
  3744
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemToArray
3732
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemToArray
  3936
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemToObject
3892
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemToObject
  4060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemToObjectCS
4032
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddItemToObjectCS
  3268
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddNullToObject
3260
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddNullToObject
  3524
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddNumberToObject
3440
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddNumberToObject
  3696
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddObjectToObject
3708
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddObjectToObject
  3800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddRawToObject
3972
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddRawToObject
  3336
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddStringToObject
3220
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddStringToObject
  2464
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddTrueToObject
3504
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_AddTrueToObject
  3956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_Compare
2496
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_Compare
  3392
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateArray
3808
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateArray
  3100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateArrayReference
4028
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateArrayReference
  3288
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateBool
3928
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateBool
  3776
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateDoubleArray
3120
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateDoubleArray
  4280
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateFalse
4272
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateFalse
  4380
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateFloatArray
4452
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateFloatArray
  4624
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateIntArray
4576
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateIntArray
  4768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateNull
4740
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateNull
  4912
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateNumber
4880
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateNumber
  5040
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateObject
5028
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateObject
  3472
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateObjectReference
4216
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateObjectReference
  4444
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateRaw
4464
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateRaw
  4656
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateString
4636
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateString
  4940
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateStringArray
4900
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateStringArray
  4188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateStringReference
5076
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateStringReference
  4540
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateTrue
4496
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_CreateTrue
  4720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_Delete
4736
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_Delete
  4196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DeleteItemFromArray
4320
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DeleteItemFromArray
  5456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DeleteItemFromObject
5480
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DeleteItemFromObject
  5696
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DeleteItemFromObjectCaseSensitive
5628
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DeleteItemFromObjectCaseSensitive
  5780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemFromArray
5804
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemFromArray
  5976
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemFromObject
5924
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemFromObject
  6060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemFromObjectCaseSensitive
6100
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemFromObjectCaseSensitive
  5548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemViaPointer
5512
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_DetachItemViaPointer
  5720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_Duplicate
5836
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_Duplicate
  6044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetArrayItem
5992
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetArrayItem
  5516
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetArraySize
5564
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetArraySize
  5552
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetErrorPtr
5996
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetErrorPtr
  5920
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetNumberValue
6120
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetNumberValue
  4552
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetObjectItem
6096
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetObjectItem
  5788
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetObjectItemCaseSensitive
5856
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetObjectItemCaseSensitive
  6116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetStringValue
6184
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_GetStringValue
  6376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_HasObjectItem
6292
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_HasObjectItem
  6472
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_InitHooks
6412
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_InitHooks
  6668
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_InsertItemInArray
6596
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_InsertItemInArray
  6768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsArray
6756
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsArray
  6972
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsBool
6924
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsBool
  7088
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsFalse
7080
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsFalse
  6136
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsInvalid
6280
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsInvalid
  6372
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsNull
6504
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsNull
  6712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsNumber
6608
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,cJSON_IsObject
6876

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\c++\Mal_Cookie_x64\x64\Release\mscorsvc.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 23, 2024, 8:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 23, 2024, 8:57 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:57 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:57 a.m.	process_identifier: 3244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:57 a.m.	process_identifier: 3392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:57 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:57 a.m.	process_identifier: 5780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:57 a.m.	process_identifier: 5516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:58 a.m.	process_identifier: 5920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 23, 2024, 8:58 a.m.	process_identifier: 6768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
ESET-NOD32	a variant of Win64/PSW.Agent.HR
Kaspersky	UDS:Trojan.Win32.Loader.jga
McAfeeD	ti!4AD9845E691D
Ikarus	Win32.Outbreak
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:Trojan.Win32.Loader.jga
SentinelOne	Static AI - Suspicious PE

mscorsvc.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All