

Windows Analysis Report
1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Overview

General Information

Sample name: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll (renamed file extension from exe to dll)
Original sample name: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.exe
Analysis ID: 1540045
MD5: 59053c6d7d29cfc444403a0ae2b7fed7
SHA1: 4ce37670b0a1d631aa38c10a1ca1c63466e0f0ce
SHA256: 0d1121083c3605d2ba0524104251ff938c3a7360527978d8c8c2d8ca1f7d4946
Tags: base64-decoded, exe, user-abuse_ch

Detection

Detection: PureLog Stealer, zgRAT
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates a process in suspended mode (likely to inject code)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Yara signature match

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6476 cmdline: loaddll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6568 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6584 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 6604 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
          • rundll32.exe (PID: 6628 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
            • rundll32.exe (PID: 6648 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
              • rundll32.exe (PID: 6660 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                • rundll32.exe (PID: 6680 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                  • rundll32.exe (PID: 6716 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                    • rundll32.exe (PID: 6744 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                      • rundll32.exe (PID: 6760 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                        • rundll32.exe (PID: 6780 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                          • rundll32.exe (PID: 6796 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                            • rundll32.exe (PID: 6812 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                              • rundll32.exe (PID: 6828 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                • rundll32.exe (PID: 6844 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                  • rundll32.exe (PID: 6860 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                    • rundll32.exe (PID: 6876 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                      • rundll32.exe (PID: 6892 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                        • rundll32.exe (PID: 6908 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                          • rundll32.exe (PID: 6924 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                            • rundll32.exe (PID: 6940 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                              • rundll32.exe (PID: 6952 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                • rundll32.exe (PID: 6972 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                  • rundll32.exe (PID: 6988 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                    • rundll32.exe (PID: 7004 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                      • rundll32.exe (PID: 7020 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                        • rundll32.exe (PID: 7036 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                          • rundll32.exe (PID: 7052 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                            • rundll32.exe (PID: 7068 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                              • rundll32.exe (PID: 7084 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                • rundll32.exe (PID: 7100 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                  • rundll32.exe (PID: 7116 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                    • rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                      • rundll32.exe (PID: 7148 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                        • rundll32.exe (PID: 7164 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                          • rundll32.exe (PID: 6184 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                            • rundll32.exe (PID: 6176 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                              • rundll32.exe (PID: 5540 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                                • rundll32.exe (PID: 5852 cmdline: rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
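The tree above shows rundll32.exe re-launching itself with an unchanged command line 38 levels deep, which, together with the "Creates a process in suspended mode (likely to inject code)" signature, is the shape left behind by repeated suspended-process creation and injection. The script below is an added example and is not part of the Joe Sandbox report: it parses process-tree lines in the report's own format into parent/child relationships and reports chains in which every child has the same image and command line as its parent. The embedded tree is a trimmed copy of the one above (six of the 38 rundll32.exe instances) with the sample path shortened to sample.dll; the `min_len` threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a trimmed copy of the process tree in this report
# (six of the 38 nested rundll32.exe instances). The sample path is shortened to
# sample.dll; PIDs, command-line shapes and MD5s are the report's.
SAMPLE_TREE = r"""
  • System is w10x64
  • loaddll32.exe (PID: 6476 cmdline: loaddll32.exe "C:\Users\user\Desktop\sample.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6568 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6584 cmdline: rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 6604 cmdline: rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
          • rundll32.exe (PID: 6628 cmdline: rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
            • rundll32.exe (PID: 6648 cmdline: rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
              • rundll32.exe (PID: 6660 cmdline: rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                • rundll32.exe (PID: 6680 cmdline: rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
"""

# One bullet line of the Joe Sandbox process tree; the "System is ..." line has no PID and is skipped.
LINE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?) MD5: [0-9A-Fa-f]{32}\)\s*$"
)


@dataclass
class Proc:
    image: str
    pid: int
    cmdline: str
    depth: int
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_tree(text: str, indent_width: int = 2) -> List[Proc]:
    """Turn indentation into parent/child links: a line indented one step deeper than the
    previous one is a child of it; a line at an earlier depth pops back up the stack."""
    rows = [(len(m["indent"]), m) for m in map(LINE_RE.match, text.splitlines()) if m]
    if not rows:
        return []
    base = min(indent for indent, _ in rows)
    procs: List[Proc] = []
    stack: List[Proc] = []  # the path from the root to the current node
    for indent, m in rows:
        depth = (indent - base) // indent_width
        p = Proc(m["image"].lower(), int(m["pid"]), m["cmd"].strip(), depth)
        del stack[depth:]  # discard everything deeper than this node's parent
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def _same(a: Proc, b: Proc) -> bool:
    return a.image == b.image and a.cmdline == b.cmdline


def self_spawn_chains(procs: List[Proc], min_len: int = 3) -> List[List[Proc]]:
    """Chains in which each link is a child with the same image and command line as its
    parent. A LOLBin relaunching itself unchanged many times is the footprint of
    suspended-process creation followed by injection, not of normal rundll32 use."""
    chains: List[List[Proc]] = []
    for head in procs:
        if head.parent is not None and _same(head, head.parent):
            continue  # inside a chain, not its head
        chain, cur = [head], head
        while True:
            nxt = [c for c in cur.children if _same(c, cur)]
            if not nxt:
                break
            cur = nxt[0]  # follow the first identical child
            chain.append(cur)
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


def summarize(text: str, min_len: int = 3) -> List[Dict[str, object]]:
    """One record per detected chain: image, chain length, head PID and who spawned the head."""
    return [
        {"image": c[0].image, "length": len(c), "head_pid": c[0].pid,
         "spawned_by": c[0].parent.image if c[0].parent else None}
        for c in self_spawn_chains(parse_tree(text), min_len)
    ]


if __name__ == "__main__":
    for s in summarize(SAMPLE_TREE):
        print(f"{s['image']} relaunched itself {s['length']} deep "
              f"(head PID {s['head_pid']}, spawned by {s['spawned_by']})")
```

Run against the full tree from the report the chain length is 38; a threshold of two or three identical relaunches is already unusual for rundll32.exe, and the same logic applies unchanged to Sysmon event ID 1 data once ParentProcessId/ProcessId are used to build the links instead of indentation.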
Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware, such as AgentTesla. It also has an infostealer capability that targets browser data and cryptocurrency wallets. It usually spreads via USB drives or phishing e-mails with .zip/.lnk/.bat/.xlsx attachments and the like.
Attribution: No attribution
Blog post URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Yara Overview

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll
Rule: JoeSecurity_zgRAT_1
Description: Yara detected zgRAT
Author: Joe Security

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll
Rule: JoeSecurity_PureLogStealer
Description: Yara detected PureLog Stealer
Author: Joe Security

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll
Rule: MALWARE_Win_zgRAT
Description: Detects zgRAT
Author: ditekSHen
Matched strings (file offset: identifier: content):
  • 0x46dbb: $s1: file:///
  • 0x46d17: $s2: {11111-22222-10009-11112}
  • 0x46d4b: $s3: {11111-22222-50001-00000}
  • 0x43ea2: $s4: get_Module
  • 0x3e693: $s5: Reverse
  • 0x3f2f1: $s6: BlockCopy
  • 0x3e5c6: $s7: ReadByte
  • 0x46dcd: $s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Overview

System Summary

Matched Sigma rule (the "Sigma detected: Execute DLL with spoofed extension" entry in the signature list above)
Source: Process started
Author: Joe Security
Data:
  Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
  CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll"
  ParentImage: C:\Windows\System32\loaddll32.exe
  ParentProcessId: 6476
  ParentProcessName: loaddll32.exe
  ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
  ProcessId: 6568
  ProcessName: cmd.exe

      No Suricata rule has matched


AV Detection

Source: Submitted Sample  Integrated Neural Analysis Model: Matched 92.1% probability

Networking

Source: unknown  DNS traffic detected: query: 198.187.3.20.in-addr.arpa, reply code: Name error (3)
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic  DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

198.187.3.20.in-addr.arpa is the reverse (PTR) lookup name for 20.3.187.198; the NXDOMAIN reply only says that no PTR record exists for that address, not that the host is down, so it is the address rather than the name that is the indicator here.

      System Summary

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE  Matched rule: Detects zgRAT, Author: ditekSHen
Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll  Binary or memory string: OriginalFilename "Harmonical.exe" vs 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll
Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE  Matched rule: MALWARE_Win_zgRAT, author = ditekSHen, description = Detects zgRAT
Source: classification engine  Classification label: mal76.troj.evad.winDLL@81/0@1/0
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll  Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
Source: C:\Windows\System32\loaddll32.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1

Source: unknown  Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll"
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1  (37 identical entries, one per rundll32.exe → rundll32.exe link in the process tree)
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1  (37 identical entries, one per rundll32.exe → rundll32.exe link in the process tree)
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: unknown unknown
      Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1Jump to behavior

      Stealing of Sensitive Information

      Source: Yara match | File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE
      Source: Yara match | File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

      Remote Access Functionality

      Source: Yara match | File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE
      Source: Yara match | File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

      MITRE ATT&CK Matrix

      Tactic | Techniques
      Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses
      Resource Development | Acquire Infrastructure; Domains; DNS Server
      Initial Access | Valid Accounts; Default Accounts; Domain Accounts
      Execution | Windows Management Instrumentation; Scheduled Task/Job; At
      Persistence | 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
      Privilege Escalation | 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
      Defense Evasion | 1 Rundll32; 11 Process Injection; 1 DLL Side-Loading
      Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager
      Discovery | 1 System Information Discovery; Application Window Discovery; Query Registry
      Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
      Collection | Data from Local System; Data from Removable Media; Data from Network Shared Drive
      Command and Control | 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Steganography
      Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
      Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
      Behavior Graph

      Behavior Graph ID: 1540045
      Sample: 1729664770327f0644708d7db50...
      Startdate: 23/10/2024
      Architecture: WINDOWS
      Score: 76
      DNS/IP: 198.187.3.20.in-addr.arpa
      Signatures: Malicious sample detected (through community Yara rule); Yara detected PureLog Stealer; Yara detected zgRAT; 2 other signatures
      Process tree: loaddll32.exe started cmd.exe and conhost.exe; cmd.exe started rundll32.exe, which started a chain of seven further nested rundll32.exe processes (eight rundll32.exe in total, each started by the previous one)

      Source | Detection | Scanner | Label | Link
      1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll | 5% | ReversingLabs | |
      No Antivirus matches
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown
      No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1540045
        Start date and time:2024-10-23 11:26:15 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 54s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:42
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll
        (renamed file extension from exe to dll)
        Original Sample Name:1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.exe
        Detection:MAL
        Classification:mal76.troj.evad.winDLL@81/0@1/0
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Override analysis time to 240s for rundll32
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        • VT rate limit hit for: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll
        No simulations
        No context
        No created / dropped files found
        File type:PE Unknown PE signature 0xe00 (DLL) Intel 80386, for MS Windows
        Entropy (8bit):6.269939250415289
        TrID:
        • Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
        • Win32 Dynamic Link Library (generic) (1002004/3) 49.67%
        • Generic Win/DOS Executable (2004/3) 0.10%
        • DOS Executable Generic (2002/1) 0.10%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll
        File size:350'264 bytes
        MD5:59053c6d7d29cfc444403a0ae2b7fed7
        SHA1:4ce37670b0a1d631aa38c10a1ca1c63466e0f0ce
        SHA256:0d1121083c3605d2ba0524104251ff938c3a7360527978d8c8c2d8ca1f7d4946
        SHA512:6aeda0057ed033831f29587e9b35cf387a8729a55166cadf2a7ca31d1117582c0eece16b410a116703d7e3163cf7bf81f82bc5b1c7b5eaaead2293c441e9a385
        SSDEEP:6144:00szTcvva8vsxgLLsMSohG6PlHj1tONmTnnPPxRs3weHln8N9LFiPNIPrW:00svcvi8vEqG6NHj2zDU9xiPmr
        TLSH:3F743A16BB96DE93E39C0A37C0E198042B78E50FA553F74F9CCD23A16D13352B606DA6
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .N..................0..&...........E... ...`....@.. ....................................@.............................
        Icon Hash:7ae282899bbab082
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Oct 23, 2024 11:27:58.218353033 CEST | 53 | 60054 | 162.159.36.2 | 192.168.2.12
        Oct 23, 2024 11:27:58.831722975 CEST | 62818 | 53 | 192.168.2.12 | 1.1.1.1
        Oct 23, 2024 11:27:58.839670897 CEST | 53 | 62818 | 1.1.1.1 | 192.168.2.12

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Oct 23, 2024 11:27:58.831722975 CEST | 192.168.2.12 | 1.1.1.1 | 0xb8f6 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Oct 23, 2024 11:27:58.839670897 CEST | 1.1.1.1 | 192.168.2.12 | 0xb8f6 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


        Target ID:0
        Start time:05:27:22
        Start date:23/10/2024
        Path:C:\Windows\System32\loaddll32.exe
        Wow64 process (32bit):true
        Commandline:loaddll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll"
        Imagebase:0x610000
        File size:126'464 bytes
        MD5 hash:51E6071F9CBA48E79F10C84515AAE618
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:2
        Start time:05:27:22
        Start date:23/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff704000000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:3
        Start time:05:27:22
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x1f0000
        File size:236'544 bytes
        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:4
        Start time:05:27:22
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:5
        Start time:05:27:22
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:6
        Start time:05:27:23
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:7
        Start time:05:27:23
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:8
        Start time:05:27:23
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:9
        Start time:05:27:23
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:10
        Start time:05:27:23
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:11
        Start time:05:27:24
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:12
        Start time:05:27:24
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:13
        Start time:05:27:24
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:14
        Start time:05:27:24
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:15
        Start time:05:27:24
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:16
        Start time:05:27:24
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:17
        Start time:05:27:24
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:18
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:19
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:20
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:21
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:22
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:23
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:24
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:25
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:26
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:27
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:28
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:29
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:30
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:31
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:32
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:33
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:34
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:35
        Start time:05:27:25
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:36
        Start time:05:27:26
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:37
        Start time:05:27:26
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:38
        Start time:05:27:26
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:39
        Start time:05:27:26
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:40
        Start time:05:27:26
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:41
        Start time:05:27:26
        Start date:23/10/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
        Imagebase:0x8e0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        No disassembly