Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 6, 2025, 12:18 p.m.	March 6, 2025, 12:20 p.m.

Size	338.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`66e8096b9b061550314a82654ce0fabd`
SHA256	`c43507b6f2c2cb033d3f55229b20adfde9cda4dfb93dc3db45556847638ec7f8`
CRC32	`8E207FB4`
ssdeep	`6144:3FfBi5Kr4x+r+XvG2EsNXgLMBVyynN+XxE0uYeEfdAOIHpTIy:xI5Kr4x+r4vGDstgL0VFNj0uYe24/`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsDLL - (no description) IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoA
2576
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoByHandle
2660
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoExA
2752
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoExW
2840
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoSizeA
2936
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoSizeExA
3028
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoSizeExW
1404
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoSizeW
2176
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,GetFileVersionInfoW
2356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerFindFileA
2520
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerFindFileW
2672
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerInstallFileA
2832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerInstallFileW
2968
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerLanguageNameA
2076
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerLanguageNameW
2196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerQueryValueA
2396
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,VerQueryValueW
2468
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\VERSION_2.DLL,
2852

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0
IsDebuggerPresent March 6, 2025, 12:18 p.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 78 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 1404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 1404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 1404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 1404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 1404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736ae000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 6, 2025, 12:18 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x00055060

size

0x000003c0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Dropper.fh
ALYac	Trojan.Agent.177346A
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.V4em
CrowdStrike	win/malicious_confidence_90% (W)
Elastic	malicious (high confidence)
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	Trojan.Win32.DllHijack.sjl
Alibaba	Trojan:Win32/DllHijack.ce653ea2
F-Secure	Trojan.TR/AVI.PredThief.xurmv
DrWeb	Trojan.Siggen30.26889
McAfeeD	ti!C43507B6F2C2
Google	Detected
Avira	TR/AVI.PredThief.xurmv
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	Win32.Trojan.DllHijack.sjl
ViRobot	Trojan.Win.S.Agent.346112
GData	Win32.Trojan.Agent.XEGT42
AhnLab-V3	Downloader/Win.Agent.R684503
McAfee	Artemis!66E8096B9B06
DeepInstinct	MALICIOUS
Ikarus	Trojan-Spy.PredThief
Fortinet	Malicious_Behavior.SB
AVG	Win32:MalwareX-gen [Trj]

VERSION_2.DLL

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All