Windows Analysis Report
1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

Overview

General Information

Sample name: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll
(renamed file extension from exe to dll)
Original sample name: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.exe
Analysis ID: 1540042
MD5: b98ecc977f2602af55f78808b1293d48
SHA1: 10c249dcef4f9cd4f36a214becde3472adf46067
SHA256: 40bf87872eaf3562e22310d5f270486a69786a37a358f618c30768c2613e169f
Tags: base64-decoded, exe, user-abuse_ch
Infos:

Detection

Stealc
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7140 cmdline: loaddll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4204 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7080 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 6532 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
          • rundll32.exe (PID: 5268 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
            • rundll32.exe (PID: 280 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
              • rundll32.exe (PID: 4120 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                • rundll32.exe (PID: 6880 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                  • rundll32.exe (PID: 3336 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                    • rundll32.exe (PID: 1636 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                      • rundll32.exe (PID: 4844 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                        • rundll32.exe (PID: 4080 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                          • rundll32.exe (PID: 4248 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                            • rundll32.exe (PID: 5512 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                              • rundll32.exe (PID: 6424 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                • rundll32.exe (PID: 3988 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                  • rundll32.exe (PID: 6284 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                    • rundll32.exe (PID: 364 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                      • rundll32.exe (PID: 5492 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                        • rundll32.exe (PID: 2656 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                          • rundll32.exe (PID: 3560 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                            • rundll32.exe (PID: 4572 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                              • rundll32.exe (PID: 2532 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                • rundll32.exe (PID: 5144 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                  • rundll32.exe (PID: 4612 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                    • rundll32.exe (PID: 6872 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                      • rundll32.exe (PID: 4956 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                        • rundll32.exe (PID: 3492 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                          • rundll32.exe (PID: 5716 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                            • rundll32.exe (PID: 7188 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                              • rundll32.exe (PID: 7200 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                • rundll32.exe (PID: 7232 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                  • rundll32.exe (PID: 7252 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                    • rundll32.exe (PID: 7268 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                      • rundll32.exe (PID: 7284 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                        • rundll32.exe (PID: 7300 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                          • rundll32.exe (PID: 7316 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                            • rundll32.exe (PID: 7332 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                              • rundll32.exe (PID: 7348 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                                • rundll32.exe (PID: 7364 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
No configs have been found
Source | Rule | Description | Author | Strings
1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

      Data Obfuscation

      Source: Process started, Author: Joe Security: Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 7140, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1, ProcessId: 4204, ProcessName: cmd.exe
      No Suricata rule has matched

      AV Detection

      Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll | Avira: detected
      Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll | ReversingLabs: Detection: 13%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 89.0% probability
      Source: classification engine | Classification label: mal84.troj.evad.winDLL@81/0@0/0
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll"
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: unknown unknown
      Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1

      Stealing of Sensitive Information

      Source: Yara match | File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE

      Remote Access Functionality

      Source: Yara match | File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
      [Behavior graph] Behavior Graph ID: 1540042; Sample: 1729664783b8112cf86eae0b1f4...; Startdate: 23/10/2024; Architecture: WINDOWS; Score: 84
      Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Stealc; 3 other signatures
      Process chain: loaddll32.exe started cmd.exe and conhost.exe; cmd.exe started rundll32.exe; each rundll32.exe started a further rundll32.exe (8 rundll32.exe nodes shown)

      Source | Detection | Scanner | Label | Link
      1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll | 13% | ReversingLabs | |
      1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll | 100% | Avira | TR/Crypt.XPACK.Gen |
      No Antivirus matches
      No contacted domains info
      No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1540042
      Start date and time:2024-10-23 11:26:10 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 7m 28s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:42
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll
      (renamed file extension from exe to dll)
      Original Sample Name:1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.exe
      Detection:MAL
      Classification:mal84.troj.evad.winDLL@81/0@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Override analysis time to 240s for rundll32
      • Exclude process from analysis (whitelisted): dllhost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed, report is missing behavior information
      • VT rate limit hit for: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll
      No simulations
      No context
      No created / dropped files found
      File type:PE Unknown PE signature 0x200 (DLL) Intel 80386, for MS Windows
      Entropy (8bit):6.4698025376000645
      TrID:
      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
      • Generic Win/DOS Executable (2004/3) 0.20%
      • DOS Executable Generic (2002/1) 0.20%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll
      File size:199'482 bytes
      MD5:b98ecc977f2602af55f78808b1293d48
      SHA1:10c249dcef4f9cd4f36a214becde3472adf46067
      SHA256:40bf87872eaf3562e22310d5f270486a69786a37a358f618c30768c2613e169f
      SHA512:24c4f99e083531c888beaa693a8b6e28a00b5a7a68c42c68bf631bc0178f52b3d3c61195c9fa570102e8e7103a31d9332ee8081e3d390a5b15f9cd40f8c71a28
      SSDEEP:3072:M2Loe1l74znQNwuLtmvhWtSW04I1hnq9/yVwT/1Z9NaJ4W:M2sgN4zQqmmJfWA1Jqkg/79N04
      TLSH:A7144B30E5034019F4A349FE5A9E5F9AEC996D620320C0D363DB5BAC16F14F5B8B4E6B
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L.... .N..f........
      Icon Hash:7ae282899bbab082
      No network behavior found

      Target ID:0
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll"
      Imagebase:0x1a0000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:1
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff70f010000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:2
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0xc50000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:3
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:4
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:6
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:7
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:8
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:9
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:10
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:11
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:12
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:13
      Start time:05:27:15
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:14
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:15
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:16
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:17
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:18
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:19
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:20
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:21
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:22
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:23
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:24
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:25
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:26
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:27
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:28
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:29
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:30
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:31
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:32
      Start time:05:27:16
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:33
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:34
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:35
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:36
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:37
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:38
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:39
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:40
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:41
      Start time:05:27:17
      Start date:23/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
      Imagebase:0x350000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      No disassembly