
Windows Analysis Report
17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll

Overview

General Information

Sample name: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll
(renamed file extension from exe to dll)
Original sample name: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.exe
Analysis ID: 1526394
MD5: f5062c56ca27f67f38a450377f091647
SHA1: d6d00f98da705220c668f57d17f4e1ffbe80ccd7
SHA256: d4d5ba9653ba3a4e273668992dfed87aa0d6a7b8b9e4d64ad145852e3b725793
Tags: base64-decoded, exe, user-abuse_ch

Detection

PureLog Stealer, zgRAT
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6004 cmdline: loaddll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6180 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3228 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 5512 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
          • rundll32.exe (PID: 6676 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
            • rundll32.exe (PID: 432 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
              • rundll32.exe (PID: 4308 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                • rundll32.exe (PID: 6460 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                  • rundll32.exe (PID: 5560 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                    • rundll32.exe (PID: 6036 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                      • rundll32.exe (PID: 1264 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                        • rundll32.exe (PID: 3092 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                          • rundll32.exe (PID: 3136 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                            • rundll32.exe (PID: 7188 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                              • rundll32.exe (PID: 7204 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                • rundll32.exe (PID: 7216 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                  • rundll32.exe (PID: 7236 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                    • rundll32.exe (PID: 7252 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                      • rundll32.exe (PID: 7268 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                        • rundll32.exe (PID: 7284 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                          • rundll32.exe (PID: 7300 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                            • rundll32.exe (PID: 7316 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                              • rundll32.exe (PID: 7332 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                • rundll32.exe (PID: 7348 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                  • rundll32.exe (PID: 7364 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                    • rundll32.exe (PID: 7380 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                      • rundll32.exe (PID: 7396 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                        • rundll32.exe (PID: 7412 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                          • rundll32.exe (PID: 7444 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                            • rundll32.exe (PID: 7460 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                              • rundll32.exe (PID: 7476 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                • rundll32.exe (PID: 7492 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                  • rundll32.exe (PID: 7508 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                    • rundll32.exe (PID: 7524 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                      • rundll32.exe (PID: 7540 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                        • rundll32.exe (PID: 7556 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                          • rundll32.exe (PID: 7572 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                            • rundll32.exe (PID: 7592 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                              • rundll32.exe (PID: 7632 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
                                                                                • rundll32.exe (PID: 7648 cmdline: rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer function which targets browser information and crypto wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll
  Rule: JoeSecurity_zgRAT_1; Description: Yara detected zgRAT; Author: Joe Security
  Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
  Rule: MALWARE_Win_zgRAT; Description: Detects zgRAT; Author: ditekSHen; Strings:
      • 0x9c951:$s1: file:///
      • 0x9c889:$s2: {11111-22222-10009-11112}
      • 0x9c8e1:$s3: {11111-22222-50001-00000}
      • 0x961ca:$s4: get_Module
      • 0x8fb34:$s5: Reverse
      • 0x909f2:$s6: BlockCopy
      • 0x8fa4f:$s7: ReadByte
      • 0x9c963:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Data Obfuscation

Source: Process started
Author: Joe Security
Data:
  Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
  CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll"
  ParentImage: C:\Windows\System32\loaddll32.exe
  ParentProcessId: 6004
  ParentProcessName: loaddll32.exe
  ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
  ProcessId: 6180
  ProcessName: cmd.exe

No Suricata rule has matched


AV Detection

Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll; Virustotal: Detection: 7%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 84.6% probability

System Summary

Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll, type: SAMPLE; Matched rule: Detects zgRAT; Author: ditekSHen
Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll; Binary or memory string: OriginalFilename Dispossess.exe vs 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll
Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll, type: SAMPLE; Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine; Classification label: mal84.troj.evad.winDLL@81/0@0/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll; Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll; Virustotal: Detection: 7%
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1 (this identical entry appears 37 times in the report, once for each rundll32.exe child spawned by rundll32.exe in the process tree above)
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
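The behaviour rows above show three things worth turning into a check: rundll32.exe repeatedly starting a fresh rundll32.exe with the same DLL and the ordinal entry point ",#1", one child the sandbox could not resolve ("unknown unknown"), and every rundll32.exe instance setting NOOPENFILEERRORBOX, the error-mode flag that suppresses the "file not found" dialog a failed DLL load would otherwise raise. The script below is an added example and not part of the Joe Sandbox report: it parses rows written in this report's flattened "Source: <image>Process created: <image> <cmdline>" layout (with or without the missing space) and flags those patterns. The rows it runs on are constructed to mirror the ones above; the DLL name in them is a placeholder, not the real sample name.

```python
"""Flag rundll32 self-spawn chains in Joe Sandbox-style behaviour rows.

Added example. SAMPLE_ROWS is constructed to mirror this report's
process-creation and process-information rows; the DLL path is a
placeholder, not the analysed sample.
"""
import ntpath
import re
from collections import Counter

SAMPLE_ROWS = r"""
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
"""

# The report runs the "Source" column straight into the next column, so the
# source image is matched lazily up to the literal column label.
CREATED_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Process created:\s*(?P<img>\S+)(?:\s+(?P<cmd>.*))?$")
INFOSET_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Process information set:\s*(?P<flag>\S+)")
# rundll32 invoked with an ordinal export (",#1") instead of a named entry point.
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+"?\s*,\s*#\d+', re.IGNORECASE)


def parse_rows(text):
    """Return (kind, source_image, created_image_or_flag, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:
            events.append(("created", m["src"], m["img"], m["cmd"] or ""))
            continue
        m = INFOSET_RE.match(line)
        if m:
            events.append(("infoset", m["src"], m["flag"], ""))
    return events


def basename(path):
    return ntpath.basename(path).lower()


def summarize(events):
    """Count parent->child edges, self-spawns, ordinal-export calls,
    unresolved children and SetErrorMode flags."""
    edges = [(basename(s), basename(c)) for k, s, c, _ in events if k == "created"]
    self_spawn = Counter(src for src, child in edges if src == child)
    ordinal_calls = sum(
        1 for k, _, c, cmd in events
        if k == "created" and basename(c) == "rundll32.exe" and ORDINAL_RE.search(cmd))
    unknown_children = sum(1 for _, child in edges if child == "unknown")
    error_mode = Counter(flag for k, _, flag, _ in events if k == "infoset")
    return {
        "edges": edges,
        "self_spawn": dict(self_spawn),
        "ordinal_export_calls": ordinal_calls,
        "unknown_children": unknown_children,
        "error_mode_flags": dict(error_mode),
    }


def verdict(summary):
    """Human-readable reasons, one per triggered pattern."""
    reasons = []
    for image, n in summary["self_spawn"].items():
        reasons.append(f"{image} spawned itself {n} time(s)")
    if summary["ordinal_export_calls"]:
        reasons.append("rundll32 called with an ordinal export (,#N) rather than a named entry point")
    if summary["unknown_children"]:
        reasons.append("child process the sandbox could not resolve")
    if summary["error_mode_flags"].get("NOOPENFILEERRORBOX"):
        reasons.append("NOOPENFILEERRORBOX set: file-open error dialogs suppressed")
    return reasons


if __name__ == "__main__":
    for reason in verdict(summarize(parse_rows(SAMPLE_ROWS))):
        print("-", reason)
```

Run it against the rows of a real report by pasting them in place of SAMPLE_ROWS; because the rows carry no PIDs, self-spawn is counted per edge rather than as a true tree depth, which is enough to see the chain the behaviour graph draws.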

Stealing of Sensitive Information

Source: Yara match, File source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll, type: SAMPLE
Source: Yara match, File source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll, type: SAMPLE

Remote Access Functionality

Source: Yara match, File source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll, type: SAMPLE
Source: Yara match, File source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll, type: SAMPLE
MITRE ATT&CK matrix (a number in front of a technique is the signature count shown in the matrix cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Rundll32; 11 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 System Information Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph ID: 1526394
Sample: 17280510090f1289c4b32d1e219...
Start date: 05/10/2024
Architecture: WINDOWS
Score: 84
Signatures on the root node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; 3 other signatures
Process tree (each rundll32.exe starts the next one):
loaddll32.exe
  cmd.exe
    rundll32.exe
      rundll32.exe
        rundll32.exe
          rundll32.exe
            rundll32.exe
              rundll32.exe
                rundll32.exe
                  rundll32.exe
  conhost.exe

Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll  Detection: 7%  Scanner: Virustotal
Source: 17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll  Detection: 3%  Scanner: ReversingLabs
      No Antivirus matches
      No contacted domains info
      No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1526394
      Start date and time:2024-10-05 15:01:08 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 6m 37s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll
      (renamed file extension from exe to dll)
      Original Sample Name:17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.exe
      Detection:MAL
      Classification:mal84.troj.evad.winDLL@81/0@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Override analysis time to 240s for rundll32
      • Exclude process from analysis (whitelisted): dllhost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
      No simulations
      No context
      No created / dropped files found
      File type:PE Unknown PE signature 0xe00 (DLL) Intel 80386, for MS Windows
      Entropy (8bit):5.835569671563695
      TrID:
      • Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
      • Win32 Dynamic Link Library (generic) (1002004/3) 49.67%
      • Generic Win/DOS Executable (2004/3) 0.10%
      • DOS Executable Generic (2002/1) 0.10%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll
      File size:806'960 bytes
      MD5:f5062c56ca27f67f38a450377f091647
      SHA1:d6d00f98da705220c668f57d17f4e1ffbe80ccd7
      SHA256:d4d5ba9653ba3a4e273668992dfed87aa0d6a7b8b9e4d64ad145852e3b725793
      SHA512:a4d8b23fea674e8b8e83c758def8840d4b153e86af6bc1a97e26bba3a66e72c84c6b7ef5fc1c7dc0009ad6963c061ebd93977978bd15b81ae8042ec66e4cac20
      SSDEEP:6144:CRPMOLLQ82x0WQFp3QQGaJkfndRWkoqPPshIADgwCl7qbUUPVjkccxgpQk+UmFiZ:CRP3Agg9OkrbWos+UKizZk1G
      TLSH:1605F72B7605CD23E19A0732C0A384641778DD86E613E74FFA8A3F6678333667489E57
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...sT$8.................0..f............... ........@.. .......................`............@.............................
      Icon Hash:7ae282899bbab082
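The file-information block above gives three header-level facts a practitioner will usually want to confirm independently: TrID classes the sample as a Win32 .NET Framework DLL, the content preview shows the "PE..L..." bytes (machine type 0x14c, Intel 80386), and the 8-bit entropy is reported as 5.8356. The following is an added example, not part of the Joe Sandbox report, that checks those properties without a third-party PE library: it walks the DOS, COFF and optional headers, tests for the CLR (COM descriptor) data directory that marks a .NET image, and computes 8-bit Shannon entropy. Because the sample itself is not reproduced on this page, the example runs on a constructed, headers-only PE32 image; build_minimal_pe and the RVA/size it writes into the CLR directory are assumptions made for the demonstration.

```python
"""Header-level PE checks matching the report's file-information fields.

Added example, independent of the sandbox. A minimal PE header walker
(no pefile dependency) reporting machine type, DLL flag, PE32/PE32+,
presence of the CLR header (.NET) and 8-bit Shannon entropy.
build_minimal_pe constructs a headers-only image for offline testing;
it is not the analysed sample.
"""
import math
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header slot


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same measure as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_summary(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> data directories."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _stamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:          # PE32: 16 directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:        # PE32+: 8-byte ImageBase and sizes push them to 112
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", image, dirs - 4)[0]   # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "entropy": round(shannon_entropy(image), 4),
    }


def describe(summary: dict) -> str:
    """One-line label in the spirit of the report's TrID / file-type rows."""
    arch = "PE32+" if summary["pe32plus"] else "PE32"
    kind = "DLL" if summary["is_dll"] else "EXE"
    runtime = ".NET" if summary["is_dotnet"] else "native"
    return f"{arch} {kind}, {runtime}, machine={summary['machine']:#x}"


def build_minimal_pe(dotnet: bool, dll: bool = True) -> bytes:
    """Constructed headers-only PE32 image (not loadable; test fixture only)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + 16 * 8                              # PE32 fixed part + 16 directories
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)     # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if dotnet:                                          # assumed RVA/size for the CLR header
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(dotnet=True)
    s = pe_summary(data)
    print(describe(s), "entropy", s["entropy"])
```

Pass a real file path as the first argument to run the same checks on a sample; a .NET assembly shows a non-zero CLR directory even when, as here, it is shipped under a renamed extension and loaded through rundll32.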
      No network behavior found


      Target ID:0
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll"
      Imagebase:0x290000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:1
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6d64d0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:2
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x790000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:3
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:4
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:5
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:6
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:7
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:8
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:9
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:10
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:11
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:13
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:14
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:15
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:16
      Start time:09:02:01
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:17
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:18
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:19
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:20
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:21
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:22
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:23
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:24
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:25
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:26
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:27
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:28
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:29
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:30
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:31
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:32
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:33
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:34
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:35
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:36
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:37
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:38
      Start time:09:02:02
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:39
      Start time:09:02:03
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:40
      Start time:09:02:03
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:41
      Start time:09:02:03
      Start date:05/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\17280510090f1289c4b32d1e219d22219124bf268c1b127a93455268343197d422433249d7443.dat-decoded.dll",#1
      Imagebase:0x450000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:false

      No disassembly