Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
71e0000.dll.exe

Overview

General Information

Sample Name:71e0000.dll.exe (renamed file extension from exe to dll)
Analysis ID:745704
MD5:4a97461216c8a905f374ebb4f9d5423c
SHA1:972bcb9401faa74c1b66a1929b6cfa20ce26aa70
SHA256:1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4
Tags:exegozi
Infos:

Detection

Ursnif
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Sample execution stops while process was sleeping (likely an evasion)
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5860 cmdline: loaddll64.exe "C:\Users\user\Desktop\71e0000.dll.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3888 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5248 cmdline: rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5304 cmdline: rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
{"RSA Public Key": "jl3OiSb2v7y37ljQ6Wyz+Y0CvgAX1wFCqMlzAxRsCG3qD38OzQczLWVjurYCsuEoUrl862ftBKgvFoKN2O0DO0LqpRtmlsgOuzLD56JaGSas/UPLMKPbURKpIJgaL7ETLvP66TG2+zWMzBRZ7A24/MXB1WNzVNE0si2igwojjBo9fwDkFL3VT9TnNAgv+mBjGnq6Z5YtDYf3juf/MEplSZ/w+pUV8pXx6VwaPRCHkcRQFkWTkyqTFCyG0ijsCptq9SoAusD8YObw3vaWSG6mwDIl5khfkR7ehBXnjLRF7OGKhsvOMK6pennTL4SO4NkROI5bkIr4DQio9UB4D6qLyZm5Af/z5Lcc2vflZnbtV04=", "c2_domain": ["telemetry.skype.com", "pushkin-kotero.ru", "ballya99.ru", "tympedyrra66kos2.ru", "svoona8vdia88.ru", "okpoker009291.ru", "sandinsd7x6e.ru", "p4elauus.ru", "kraskinaayd7imus.ru", "dukatto03lo.ru", "leikocitoosih9racker.ru", "simenshina88a8.ru"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "2Egw4N9I7z6IN0of", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "15072022", "SetWaitableTimer_value": "1"}
SourceRuleDescriptionAuthorStrings
71e0000.dll.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 71e0000.dll.dllAvira: detected
    Source: 71e0000.dll.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "jl3OiSb2v7y37ljQ6Wyz+Y0CvgAX1wFCqMlzAxRsCG3qD38OzQczLWVjurYCsuEoUrl862ftBKgvFoKN2O0DO0LqpRtmlsgOuzLD56JaGSas/UPLMKPbURKpIJgaL7ETLvP66TG2+zWMzBRZ7A24/MXB1WNzVNE0si2igwojjBo9fwDkFL3VT9TnNAgv+mBjGnq6Z5YtDYf3juf/MEplSZ/w+pUV8pXx6VwaPRCHkcRQFkWTkyqTFCyG0ijsCptq9SoAusD8YObw3vaWSG6mwDIl5khfkR7ehBXnjLRF7OGKhsvOMK6pennTL4SO4NkROI5bkIr4DQio9UB4D6qLyZm5Af/z5Lcc2vflZnbtV04=", "c2_domain": ["telemetry.skype.com", "pushkin-kotero.ru", "ballya99.ru", "tympedyrra66kos2.ru", "svoona8vdia88.ru", "okpoker009291.ru", "sandinsd7x6e.ru", "p4elauus.ru", "kraskinaayd7imus.ru", "dukatto03lo.ru", "leikocitoosih9racker.ru", "simenshina88a8.ru"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "2Egw4N9I7z6IN0of", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "15072022", "SetWaitableTimer_value": "1"}

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: Yara matchFile source: 71e0000.dll.dll, type: SAMPLE

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: 71e0000.dll.dll, type: SAMPLE
    Source: 71e0000.dll.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dllJump to behavior
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dllJump to behavior
    Source: 71e0000.dll.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: classification engineClassification label: mal56.troj.winDLL@8/0@0/0
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1
    Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\71e0000.dll.dll"
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1Jump to behavior
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1Jump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: 71e0000.dll.dllStatic PE information: Image base 0x180000000 > 0x60000000

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: Yara matchFile source: 71e0000.dll.dll, type: SAMPLE
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1Jump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 71e0000.dll.dll, type: SAMPLE

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: 71e0000.dll.dll, type: SAMPLE
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1
    DLL Side-Loading
    11
    Process Injection
    1
    Virtualization/Sandbox Evasion
    OS Credential Dumping1
    Security Software Discovery
    Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Rundll32
    LSASS Memory1
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
    Process Injection
    Security Account Manager1
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    DLL Side-Loading
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 745704 Sample: 71e0000.dll.exe Startdate: 14/11/2022 Architecture: WINDOWS Score: 56 17 Antivirus / Scanner detection for submitted sample 2->17 19 Yara detected  Ursnif 2->19 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        13 rundll32.exe 7->13         started        process5 15 rundll32.exe 9->15         started       

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    71e0000.dll.dll100%AviraHEUR/AGEN.1245293
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox Version:36.0.0 Rainbow Opal
    Analysis ID:745704
    Start date and time:2022-11-14 16:52:14 +01:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 7s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:71e0000.dll.exe (renamed file extension from exe to dll)
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:19
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal56.troj.winDLL@8/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Override analysis time to 240s for rundll32
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 23.35.236.109
    • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
    • Not all processes where analyzed, report is missing behavior information
    No simulations
    No context
    No context
    No context
    No context
    No context
    No created / dropped files found
    File type:MS-DOS executable PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Entropy (8bit):6.418533812763107
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 84.94%
    • Win64 Executable (generic) (12005/4) 10.00%
    • DOS Executable Borland Pascal 7.0x (2037/25) 1.70%
    • Generic Win/DOS Executable (2004/3) 1.67%
    • DOS Executable Generic (2002/1) 1.67%
    File name:71e0000.dll.dll
    File size:233472
    MD5:4a97461216c8a905f374ebb4f9d5423c
    SHA1:972bcb9401faa74c1b66a1929b6cfa20ce26aa70
    SHA256:1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4
    SHA512:3f240bc9cca4a0d04df27e5fdfb6f10de64ab6b77402699c0a065e836145c475f7821fd9fed0e54c79f7fcc074fb2206b3703aaa45a5d75eecdcccddc34f28a0
    SSDEEP:3072:1lfGqwJTeTEom3lIkR2SCD6q9KgyItk78mV0dfgxT/cqApw5VgCK5hcjw9xJFoc:1lDosEPR66q9KgylInd6oqApD5BnFoc
    TLSH:4D346D5AA3E50995ED6BD5B6CD53D227EBF234492B24C30F53B0CAA66F17362B21C301
    File Content Preview:MZ..............................................................................................................................................................................................................................................PE..d.....%c...
    Icon Hash:74f0e4ecccdce0e4
    Entrypoint:0x18000ada0
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x180000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
    DLL Characteristics:
    Time Stamp:0x632596F2 [Sat Sep 17 09:44:18 2022 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:2
    File Version Major:5
    File Version Minor:2
    Subsystem Version Major:5
    Subsystem Version Minor:2
    Import Hash:
    Instruction
    inc eax
    push ebx
    dec eax
    sub esp, 20h
    mov ebx, 00000001h
    test edx, edx
    je 00007F920471D986h
    cmp edx, ebx
    jne 00007F920471D991h
    mov eax, ebx
    lock xadd dword ptr [0002ACB3h], eax
    add eax, ebx
    cmp eax, ebx
    jne 00007F920471D981h
    dec ecx
    mov edx, eax
    call 00007F920473028Ah
    test eax, eax
    je 00007F920471D975h
    xor ebx, ebx
    jmp 00007F920471D971h
    lock add dword ptr [0002AC95h], FFFFFFFFh
    jne 00007F920471D967h
    call 00007F920472B3B7h
    mov eax, ebx
    dec eax
    add esp, 20h
    pop ebx
    ret
    int3
    int3
    dec eax
    mov dword ptr [esp+08h], ebx
    push edi
    dec eax
    sub esp, 20h
    dec eax
    mov ebx, ecx
    dec eax
    mov ecx, dword ptr [ecx+08h]
    call dword ptr [ebx]
    dec eax
    lea edx, dword ptr [ebx+10h]
    cmp byte ptr [edx], 00000000h
    mov edi, eax
    je 00007F920471D97Bh
    dec eax
    mov ecx, dword ptr [0002AE4Fh]
    dec eax
    lea eax, dword ptr [0002F01Bh]
    inc esp
    mov eax, edi
    dec eax
    add ecx, eax
    call 00007F920471D9DAh
    dec eax
    mov ecx, dword ptr [0002AC3Eh]
    dec esp
    mov eax, ebx
    xor edx, edx
    call dword ptr [00023263h]
    lock add dword ptr [0002AE03h], FFFFFFFFh
    mov ecx, edi
    call dword ptr [00023263h]
    int3
    int3
    int3
    inc esp
    mov ebx, ecx
    xor eax, eax
    inc ebp
    xor ecx, ecx
    inc esp
    xor ebx, dword ptr [0002AE01h]
    dec esp
    mov edx, edx
    dec eax
    test edx, edx
    je 00007F920471D999h
    dec esp
    lea eax, dword ptr [edx+10h]
    inc ebp
    cmp ecx, dword ptr [edx]
    jnc 00007F920471D990h
    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x337e00x36.rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT0x327380x3c.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x370000x18d8.pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x3c0000x340.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x2e0000x520.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x309ac0x1e0.rdata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x2cc320x2ce00False0.5784133443593314data6.355705596590523IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata0x2e0000x58160x5a00False0.36796875data5.257417548439639IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0x340000x20400x1a00False0.3293269230769231lif file "", version 0, LIF identifier 0, directory start address 0 length 03.9553774452192996IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata0x370000x18d80x1a00False0.5178786057692307data5.20244289599206IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .bss0x390000x20200x2200False0.9345128676470589data7.791653023995373IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc0x3c0000x10000xe00False0.5245535714285714data4.919058316188766IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    No network behavior found

    Click to jump to process

    Click to jump to process

    Click to jump to process

    Target ID:0
    Start time:16:53:16
    Start date:14/11/2022
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe "C:\Users\user\Desktop\71e0000.dll.dll"
    Imagebase:0x7ff64b2a0000
    File size:139776 bytes
    MD5 hash:C676FC0263EDD17D4CE7D644B8F3FCD6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:1
    Start time:16:53:16
    Start date:14/11/2022
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff745070000
    File size:625664 bytes
    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:2
    Start time:16:53:17
    Start date:14/11/2022
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
    Imagebase:0x7ff707bb0000
    File size:273920 bytes
    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:3
    Start time:16:53:17
    Start date:14/11/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1
    Imagebase:0x7ff7463a0000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:4
    Start time:16:53:17
    Start date:14/11/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
    Imagebase:0x7ff7463a0000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly