Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 21, 2025, 1:14 p.m.	April 21, 2025, 1:28 p.m.

Size	48.1KB
Type	PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5	`63a94cc1e3803c3811e496e60baabb8f`
SHA256	`3b984765a97640c3dec2b78d4562216be7f446254095b00dc08f4174f1e59cab`
CRC32	`CDD6D771`
ssdeep	`768:wsdDjdgqUQv+EAZJimW8ahsNekFkTn5bmsnsFfZ9kleUveejil0g9dASRy3iPmbz:dU+LuaaQkFkTn5b7sFhWSejil5TRs7X`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) IsDLL - (no description) Malicious_Packer_Zero - Malicious Packer Generic_Malware_Zero - Generic Malware

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DhcpServerCalloutEntry
2144
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DhcpServerCalloutEntry
  2492
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DllCanUnloadNow
2236
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DllCanUnloadNow
  2544
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DhcpNewPktHook
1712
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DhcpNewPktHook
  2612
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DllGetClassObject
2328
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DllGetClassObject
  2720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DnsPluginCleanup
2420
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DnsPluginCleanup
  2660
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DnsPluginInitialize
2596
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DnsPluginInitialize
  2924
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DnsPluginQuery
2836
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,DnsPluginQuery
  2076
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,ExtensionApiVersion
3016
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,ExtensionApiVersion
  2324
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,InitializeChangeNotify
2108
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,InitializeChangeNotify
  2412
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,Msv1_0SubAuthenticationFilter
2348
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,Msv1_0SubAuthenticationFilter
  2768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,Msv1_0SubAuthenticationRoutine
2672
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,Msv1_0SubAuthenticationRoutine
  2548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,NPGetCaps
2852
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,NPGetCaps
  2168
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,NPLogonNotify
3060
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,NPLogonNotify
  2364
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,PasswordChangeNotify
2292
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,PasswordChangeNotify
  2892
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,SpLsaModeInitialize
2320
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,SpLsaModeInitialize
  2288
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,WinDbgExtensionDllInit
2176
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,WinDbgExtensionDllInit
  2608
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,coffee
2860
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,coffee
  2360
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,mimikatz
3056
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,mimikatz
  3160
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,startW
3076
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,startW
  3312
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmslib.dll,
3228

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (19 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:07 p.m.			0	0

One or more processes crashed (9 events)

Time & API	Arguments	Status
__exception__ April 21, 2025, 1:06 p.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x7772157b RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7771413d LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582 rundll32+0x3023 @ 0xffdc3023 rundll32+0x3b7a @ 0xffdc3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 0 registers.r15: 0 registers.rcx: 2354944 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2358416 registers.r11: 646 registers.r8: 1448128801053502734 registers.r9: 746826336 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2002618128 registers.r13: 0	1
__exception__ April 21, 2025, 1:06 p.m.	stacktrace: DhcpNewPktHook+0x34 DnsPluginQuery-0x90 mmslib+0x1220 @ 0x7fef5ee1220 rundll32+0x2f42 @ 0xffdc2f42 rundll32+0x3b7a @ 0xffdc3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 66 45 8b 41 1c 4b 8d 0c 52 48 8d 05 68 55 00 00 exception.instruction: mov r8w, word ptr [r9 + 0x1c] exception.exception_code: 0xc0000005 exception.symbol: DhcpNewPktHook+0x34 DnsPluginQuery-0x90 mmslib+0x1220 exception.address: 0x7fef5ee1220 registers.r14: 0 registers.r15: 0 registers.rcx: 196648 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2751152 registers.r11: 0 registers.r8: 3719544 registers.r9: 223338299399 registers.rdx: 2750736 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 196648 registers.r13: 0	1
__exception__ April 21, 2025, 1:07 p.m.	stacktrace: Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mmslib+0x15a5 @ 0x7fef5ee15a5 rundll32+0x2f42 @ 0xffdc2f42 rundll32+0x3b7a @ 0xffdc3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 0f b7 8b 30 01 00 00 44 8b 8b 14 01 00 00 4c 8d exception.instruction: movzx ecx, word ptr [rbx + 0x130] exception.exception_code: 0xc0000005 exception.symbol: Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mmslib+0x15a5 exception.address: 0x7fef5ee15a5 registers.r14: 0 registers.r15: 0 registers.rcx: 3997392 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1703520 registers.r11: 514 registers.r8: 8791771916416 registers.r9: 1701200 registers.rdx: 3 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 8791771917072 registers.r13: 0	1
__exception__ April 21, 2025, 1:07 p.m.	stacktrace: Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mmslib+0x15a5 @ 0x7fef5ee15a5 rundll32+0x2f42 @ 0xffdc2f42 rundll32+0x3b7a @ 0xffdc3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 0f b7 8b 30 01 00 00 44 8b 8b 14 01 00 00 4c 8d exception.instruction: movzx ecx, word ptr [rbx + 0x130] exception.exception_code: 0xc0000005 exception.symbol: Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mmslib+0x15a5 exception.address: 0x7fef5ee15a5 registers.r14: 0 registers.r15: 0 registers.rcx: 1965776 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1834224 registers.r11: 514 registers.r8: 8791771916416 registers.r9: 1831904 registers.rdx: 3 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 8791771917072 registers.r13: 0	1
__exception__ April 21, 2025, 1:07 p.m.	stacktrace: RtlIsTextUnicode+0xd0 RtlNumberGenericTableElements-0x340 ntdll+0x20440 @ 0x776e0440 IsTextUnicode+0xa LsaOpenPolicy-0x416 advapi32+0x2072a @ 0x7fefe8f072a mimikatz+0x19f3 mmslib+0x4b97 @ 0x7fef5ee4b97 NPLogonNotify+0x72 NPGetCaps-0x3e mmslib+0x1412 @ 0x7fef5ee1412 rundll32+0x2f42 @ 0xffdc2f42 rundll32+0x3b7a @ 0xffdc3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 41 0f b7 0a 83 f9 21 0f 8c 03 02 00 00 81 f9 00 exception.symbol: RtlIsTextUnicode+0xd0 RtlNumberGenericTableElements-0x340 ntdll+0x20440 exception.instruction: movzx ecx, word ptr [r10] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 132160 exception.address: 0x776e0440 registers.r14: 0 registers.r15: 0 registers.rcx: 57 registers.rsi: 0 registers.r10: 130825403236352 registers.rbx: 0 registers.rsp: 2162032 registers.r11: 0 registers.r8: 2161416 registers.r9: 0 registers.rdx: 115 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 256 registers.r13: 0	1
__exception__ April 21, 2025, 1:07 p.m.	stacktrace: SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 mmslib+0x155b @ 0x7fef5ee155b rundll32+0x2f42 @ 0xffdc2f42 rundll32+0x3b7a @ 0xffdc3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: c7 02 00 00 01 00 49 89 00 41 c7 01 01 00 00 00 exception.instruction: mov dword ptr [rdx], 0x10000 exception.exception_code: 0xc0000005 exception.symbol: SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 mmslib+0x155b exception.address: 0x7fef5ee155b registers.r14: 0 registers.r15: 0 registers.rcx: 65944 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2357664 registers.r11: 2356752 registers.r8: 770466 registers.r9: 10 registers.rdx: 4292608000 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 8791629141264 registers.r13: 0	1
__exception__ April 21, 2025, 1:07 p.m.	stacktrace: WinDbgExtensionDllInit+0x34 coffee-0x8 mmslib+0x318c @ 0x7fef5ee318c rundll32+0x2f42 @ 0xffdc2f42 rundll32+0x3b7a @ 0xffdc3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 ff 25 b5 6a 00 00 cc 48 8d 0d 15 43 00 00 48 exception.instruction: jmp qword ptr [rip + 0x6ab5] exception.exception_code: 0xc0000005 exception.symbol: WinDbgExtensionDllInit+0x34 coffee-0x8 mmslib+0x318c exception.address: 0x7fef5ee318c registers.r14: 0 registers.r15: 0 registers.rcx: 8791629132192 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1374320 registers.r11: 8791629143104 registers.r8: 0 registers.r9: 0 registers.rdx: 49576 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 8791629143104 registers.r13: 0	1
__exception__ April 21, 2025, 1:07 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 8791629132976 registers.rsi: 0 registers.r10: 0 registers.rbx: 66110 registers.rsp: 2488248 registers.r11: 2487888 registers.r8: 3260760 registers.r9: 10 registers.rdx: 4292608000 registers.r12: 10 registers.rbp: 3260656 registers.rdi: -1 registers.rax: 66110 registers.r13: 0	1
__exception__ April 21, 2025, 1:07 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 8791629133072 registers.rsi: 0 registers.r10: 0 registers.rbx: 8791629128432 registers.rsp: 1177640 registers.r11: 1177552 registers.r8: 7000 registers.r9: 10 registers.rdx: 4292608000 registers.r12: 10 registers.rbp: 2998512 registers.rdi: -1 registers.rax: 58536 registers.r13: 0	1

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Cynet	Malicious (score: 99)
CAT-QuickHeal	HackTool.Mimikatz.S33893077
Skyhigh	HTool-Mimikatz
ALYac	Gen:Variant.Mimikatz.10
VIPRE	Gen:Variant.Mimikatz.10
Sangfor	HackTool.Win64.Mimikatz.uwccg
BitDefender	Gen:Variant.Mimikatz.10
K7GW	Hacktool ( 0043c1591 )
K7AntiVirus	Hacktool ( 0043c1591 )
Arcabit	Trojan.Mimikatz.10
VirIT	Trojan.Win64.MimiK.BBD
Symantec	Hacktool.Mimikatz
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Riskware.Mimikatz.U
APEX	Malicious
Avast	Win64:MalwareX-gen [Misc]
ClamAV	Win.Tool.Mimikatz-10030748-0
Kaspersky	HEUR:Trojan.Win32.Mimikatz.gen
MicroWorld-eScan	Gen:Variant.Mimikatz.10
Rising	HackTool.Mimikatz!1.B3A7 (CLASSIC)
Emsisoft	Gen:Variant.Mimikatz.10 (B)
F-Secure	Trojan.TR/AD.Mimikatz.zbqnj
DrWeb	Tool.Mimikatz.1198
Zillya	Tool.Mimikatz.Win64.2153
TrendMicro	HKTL_MIMIKATZ64
McAfeeD	ti!3B984765A976
CTX	dll.unknown.mimikatz
Sophos	ATK/Apteryx-Gen
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.PSW.Mimikatz.cqg
Webroot	W32.Hacktool.Gen
Google	Detected
Avira	TR/AD.Mimikatz.zbqnj
Antiy-AVL	Trojan[PSW]/Win64.Mimikatz
Gridinsoft	Virtool.Win64.Mimikatz.dd!n
Microsoft	HackTool:Win64/Mikatz!dha
ZoneAlarm	ATK/Apteryx-Gen
GData	Win32.Riskware.Mimikatz.C
Varist	W64/Mimikatz.N
AhnLab-V3	Trojan/Win.Mimikatz.R451356
McAfee	HTool-Mimikatz
DeepInstinct	MALICIOUS
Malwarebytes	Mimikatz.Spyware.Stealer.DDS
Ikarus	HackTool.Mimikatz
Panda	Trj/GdSda.A
TrendMicro-HouseCall	HKTL_MIMIKATZ64
Tencent	Trojan.Win64.Mimikatz.a
Yandex	Riskware.Mimikatz!5N98LJ61WxY
huorong	HackTool/Mimikatz.j
Fortinet	Riskware/Mimikatz

mmslib.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All