Windows Analysis Report
D3S2SyPdiw.dll

Overview

General Information

Sample name:	D3S2SyPdiw.dll renamed because original name is a hash value
Original sample name:	000e80b5f82b0a0a7c53a136c7066b8ad5661fd02f642ad8fe64f1287d52f92c.dll
Analysis ID:	1544790
MD5:	234fa81ac8057a55e9678cf0463a6ba6
SHA1:	49433e972cd1322e28204405947e19138a872e55
SHA256:	000e80b5f82b0a0a7c53a136c7066b8ad5661fd02f642ad8fe64f1287d52f92c
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1830		3_2_6CBD1830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61830		13_2_6CE61830

Uses 32bit PE files

Source: D3S2SyPdiw.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: D3S2SyPdiw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6CBA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6CBA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6CBBCEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6CBC9030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6CBCA360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6CE32CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6CE32CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6CE4CEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6CE59030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6CE5A360

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD2A90 NtCreateWaitCompletionPacket,	3_2_6CBD2A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1A70 NtCreateWaitCompletionPacket,	3_2_6CBD1A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	3_2_6CBD1570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	3_2_6CBD11F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE62A90 NtCreateWaitCompletionPacket,	13_2_6CE62A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61A70 NtCreateWaitCompletionPacket,	13_2_6CE61A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	13_2_6CE61570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE611F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	13_2_6CE611F0

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA2CA0	3_2_6CBA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA2CA6	3_2_6CBA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC26D40	3_2_6CC26D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCAD50	3_2_6CBCAD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBFBD40	3_2_6CBFBD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBABE90	3_2_6CBABE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC24E40	3_2_6CC24E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDCF90	3_2_6CBDCF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBF5FF0	3_2_6CBF5FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC1E860	3_2_6CC1E860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC26860	3_2_6CC26860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBFD800	3_2_6CBFD800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB59F0	3_2_6CBB59F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC0A992	3_2_6CC0A992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCD9C5	3_2_6CBCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC25AF0	3_2_6CC25AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB0AF0	3_2_6CBB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCCA30	3_2_6CBCCA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBAFBC0	3_2_6CBAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCBB10	3_2_6CBCBB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC37B10	3_2_6CC37B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC0344F	3_2_6CC0344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC3400	3_2_6CBC3400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBE6470	3_2_6CBE6470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC1440	3_2_6CBC1440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC296C0	3_2_6CC296C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBF8690	3_2_6CBF8690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC22680	3_2_6CC22680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCC6D0	3_2_6CBCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC6630	3_2_6CBC6630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB80A0	3_2_6CBB80A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCC080	3_2_6CBCC080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA90F0	3_2_6CBA90F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD6010	3_2_6CBD6010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC1D010	3_2_6CC1D010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCD040	3_2_6CBCD040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA32A0	3_2_6CBA32A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCB2D0	3_2_6CBCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDE240	3_2_6CBDE240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC93F0	3_2_6CBC93F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC073A0	3_2_6CC073A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDA320	3_2_6CBDA320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE32CA0	13_2_6CE32CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE32CA6	13_2_6CE32CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE8BD40	13_2_6CE8BD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5AD50	13_2_6CE5AD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE3BE90	13_2_6CE3BE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE85FF0	13_2_6CE85FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6CF90	13_2_6CE6CF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE8D800	13_2_6CE8D800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE459F0	13_2_6CE459F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5D9C5	13_2_6CE5D9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE9A992	13_2_6CE9A992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE40AF0	13_2_6CE40AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5CA30	13_2_6CE5CA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE3FBC0	13_2_6CE3FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5BB10	13_2_6CE5BB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEC7B10	13_2_6CEC7B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE76470	13_2_6CE76470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE51440	13_2_6CE51440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE9344F	13_2_6CE9344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE53400	13_2_6CE53400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5C6D0	13_2_6CE5C6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE88690	13_2_6CE88690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE56630	13_2_6CE56630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE390F0	13_2_6CE390F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE480A0	13_2_6CE480A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5C080	13_2_6CE5C080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5D040	13_2_6CE5D040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE66010	13_2_6CE66010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5B2D0	13_2_6CE5B2D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE332A0	13_2_6CE332A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6E240	13_2_6CE6E240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE593F0	13_2_6CE593F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE973A0	13_2_6CE973A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6A320	13_2_6CE6A320

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC06BB0 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CE96BB0 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CBD7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CE67410 appears 691 times

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820

Uses 32bit PE files

Source: D3S2SyPdiw.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7632555f-bd42-4c19-8b71-ba2d96eeeb40

Jump to behavior

Source: D3S2SyPdiw.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate

Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 832
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 856
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: D3S2SyPdiw.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: D3S2SyPdiw.dll

Static file information: File size 1397248 > 1048576

Source: D3S2SyPdiw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBA13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CBA13E0

PE file contains an invalid checksum

Source: D3S2SyPdiw.dll

Static PE information: real checksum: 0x15be84 should be: 0x15b335

PE file contains sections with non-standard names

Source: D3S2SyPdiw.dll

Static PE information: section name: .eh_fram

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0183AF34 push eax; retf	0_2_0183AF39
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_018803F6 push es; iretd	0_2_018803FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0543D28C push ebp; ret	11_2_0543D28D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0503AF38 push eax; retf	12_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3D7C8 push ds; iretd	14_2_04C3D7C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3C15B push es; retf	14_2_04C3C330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3D5B6 push ds; iretd	14_2_04C3D7C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3AF34 push eax; retf	14_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04C3AF34 push eax; retf	16_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0503AF34 push eax; retf	17_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_050806B4 push edi; iretd	17_2_05080897
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503C84D push esp; ret	20_2_0503C84E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503AF34 push eax; retf	20_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0508042C push ebx; iretd	20_2_05080439
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0543AF38 push eax; retf	21_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0548032C push edi; iretd	21_2_0548035B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05480000 push edi; iretd	21_2_0548035B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0503CB81 push esi; ret	23_2_0503CDA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0503AF34 push eax; retf	23_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0483CD6D push edx; iretd	24_2_0483CD71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0488036B push eax; retf	24_2_0488036A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_048801B6 push eax; retf	24_2_0488036A

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC0C1E0 rdtscp

3_2_6CC0C1E0

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.8 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC0C1E0 rdtscp

3_2_6CC0C1E0

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBA13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CBA13E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBD1C90 RtlGetVersion,RtlGetCurrentPeb,

3_2_6CBD1C90

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1830		3_2_6CBD1830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61830		13_2_6CE61830

Uses 32bit PE files

Source: D3S2SyPdiw.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: D3S2SyPdiw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6CBA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6CBA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6CBBCEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6CBC9030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6CBCA360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6CE32CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6CE32CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6CE4CEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6CE59030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6CE5A360

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD2A90 NtCreateWaitCompletionPacket,	3_2_6CBD2A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1A70 NtCreateWaitCompletionPacket,	3_2_6CBD1A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	3_2_6CBD1570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	3_2_6CBD11F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE62A90 NtCreateWaitCompletionPacket,	13_2_6CE62A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61A70 NtCreateWaitCompletionPacket,	13_2_6CE61A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	13_2_6CE61570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE611F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	13_2_6CE611F0

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA2CA0	3_2_6CBA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA2CA6	3_2_6CBA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC26D40	3_2_6CC26D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCAD50	3_2_6CBCAD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBFBD40	3_2_6CBFBD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBABE90	3_2_6CBABE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC24E40	3_2_6CC24E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDCF90	3_2_6CBDCF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBF5FF0	3_2_6CBF5FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC1E860	3_2_6CC1E860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC26860	3_2_6CC26860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBFD800	3_2_6CBFD800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB59F0	3_2_6CBB59F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC0A992	3_2_6CC0A992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCD9C5	3_2_6CBCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC25AF0	3_2_6CC25AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB0AF0	3_2_6CBB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCCA30	3_2_6CBCCA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBAFBC0	3_2_6CBAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCBB10	3_2_6CBCBB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC37B10	3_2_6CC37B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC0344F	3_2_6CC0344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC3400	3_2_6CBC3400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBE6470	3_2_6CBE6470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC1440	3_2_6CBC1440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC296C0	3_2_6CC296C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBF8690	3_2_6CBF8690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC22680	3_2_6CC22680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCC6D0	3_2_6CBCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC6630	3_2_6CBC6630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB80A0	3_2_6CBB80A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCC080	3_2_6CBCC080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA90F0	3_2_6CBA90F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD6010	3_2_6CBD6010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC1D010	3_2_6CC1D010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCD040	3_2_6CBCD040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA32A0	3_2_6CBA32A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCB2D0	3_2_6CBCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDE240	3_2_6CBDE240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC93F0	3_2_6CBC93F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC073A0	3_2_6CC073A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDA320	3_2_6CBDA320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE32CA0	13_2_6CE32CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE32CA6	13_2_6CE32CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE8BD40	13_2_6CE8BD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5AD50	13_2_6CE5AD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE3BE90	13_2_6CE3BE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE85FF0	13_2_6CE85FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6CF90	13_2_6CE6CF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE8D800	13_2_6CE8D800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE459F0	13_2_6CE459F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5D9C5	13_2_6CE5D9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE9A992	13_2_6CE9A992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE40AF0	13_2_6CE40AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5CA30	13_2_6CE5CA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE3FBC0	13_2_6CE3FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5BB10	13_2_6CE5BB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEC7B10	13_2_6CEC7B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE76470	13_2_6CE76470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE51440	13_2_6CE51440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE9344F	13_2_6CE9344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE53400	13_2_6CE53400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5C6D0	13_2_6CE5C6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE88690	13_2_6CE88690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE56630	13_2_6CE56630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE390F0	13_2_6CE390F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE480A0	13_2_6CE480A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5C080	13_2_6CE5C080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5D040	13_2_6CE5D040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE66010	13_2_6CE66010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5B2D0	13_2_6CE5B2D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE332A0	13_2_6CE332A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6E240	13_2_6CE6E240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE593F0	13_2_6CE593F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE973A0	13_2_6CE973A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6A320	13_2_6CE6A320

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC06BB0 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CE96BB0 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CBD7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CE67410 appears 691 times

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820

Uses 32bit PE files

Source: D3S2SyPdiw.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7632555f-bd42-4c19-8b71-ba2d96eeeb40

Jump to behavior

Source: D3S2SyPdiw.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate

Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 832
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 856
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: D3S2SyPdiw.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: D3S2SyPdiw.dll

Static file information: File size 1397248 > 1048576

Source: D3S2SyPdiw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBA13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CBA13E0

PE file contains an invalid checksum

Source: D3S2SyPdiw.dll

Static PE information: real checksum: 0x15be84 should be: 0x15b335

PE file contains sections with non-standard names

Source: D3S2SyPdiw.dll

Static PE information: section name: .eh_fram

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0183AF34 push eax; retf	0_2_0183AF39
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_018803F6 push es; iretd	0_2_018803FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0543D28C push ebp; ret	11_2_0543D28D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0503AF38 push eax; retf	12_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3D7C8 push ds; iretd	14_2_04C3D7C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3C15B push es; retf	14_2_04C3C330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3D5B6 push ds; iretd	14_2_04C3D7C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3AF34 push eax; retf	14_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04C3AF34 push eax; retf	16_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0503AF34 push eax; retf	17_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_050806B4 push edi; iretd	17_2_05080897
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503C84D push esp; ret	20_2_0503C84E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503AF34 push eax; retf	20_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0508042C push ebx; iretd	20_2_05080439
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0543AF38 push eax; retf	21_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0548032C push edi; iretd	21_2_0548035B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05480000 push edi; iretd	21_2_0548035B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0503CB81 push esi; ret	23_2_0503CDA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0503AF34 push eax; retf	23_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0483CD6D push edx; iretd	24_2_0483CD71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0488036B push eax; retf	24_2_0488036A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_048801B6 push eax; retf	24_2_0488036A

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC0C1E0 rdtscp

3_2_6CC0C1E0

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.8 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC0C1E0 rdtscp

3_2_6CC0C1E0

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBA13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CBA13E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBD1C90 RtlGetVersion,RtlGetCurrentPeb,

3_2_6CBD1C90

ID:	1544790
Product:	CloudBasic
Start time:	18:50:09
Start date:	29.10.2024
Sample:	D3S2SyPdiw.dll
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	234fa81ac8057a55e9678cf0463a6ba6
SHA1:	49433e972cd1322e28204405947e19138a872e55
SHA256:	000e80b5f82b0a0a7c53a136c7066b8ad5661fd02f642ad8fe64f1287d52f92c
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report
D3S2SyPdiw.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report D3S2SyPdiw.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
D3S2SyPdiw.dll