Windows Analysis Report
2YsKFOeUhM.dll

Overview

General Information

Sample name: 2YsKFOeUhM.dll
renamed because original name is a hash value
Original sample name: 2ff3f2639e73e8bba2a321faad0e785412f8b45a204133912e8f341c2e8bbd1b.dll
Analysis ID: 1544798
MD5: 668c2aaf5ef19c034137885d4aa4e45a
SHA1: 3a8283170d3f6cdbd89f944e3b0fb533c754cb60
SHA256: 2ff3f2639e73e8bba2a321faad0e785412f8b45a204133912e8f341c2e8bbd1b
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 88.5% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0514C0 3_2_6D0514C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD014C0 14_2_6CD014C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD014C0 18_2_6CD014C0
Source: 2YsKFOeUhM.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: 2YsKFOeUhM.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6D049DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6D03CB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6D048A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 3_2_6D023000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 14_2_6CCF9DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 14_2_6CCF8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 14_2_6CCECB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 14_2_6CCD3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 18_2_6CCF9DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 18_2_6CCF8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 18_2_6CCECB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 18_2_6CCD3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04AD00 3_2_6D04AD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D037DD0 3_2_6D037DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D077FB0 3_2_6D077FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D096FB0 3_2_6D096FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D048E10 3_2_6D048E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D05CE40 3_2_6D05CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D02BE4F 3_2_6D02BE4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D092940 3_2_6D092940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D035820 3_2_6D035820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D030830 3_2_6D030830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A1A00 3_2_6D0A1A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D02CA60 3_2_6D02CA60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04CA70 3_2_6D04CA70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04BAB0 3_2_6D04BAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04D525 3_2_6D04D525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04B540 3_2_6D04B540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D095590 3_2_6D095590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04C460 3_2_6D04C460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D097490 3_2_6D097490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A3710 3_2_6D0A3710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D07F732 3_2_6D07F732
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D066730 3_2_6D066730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04A790 3_2_6D04A790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D023620 3_2_6D023620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A1640 3_2_6D0A1640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D04C100 3_2_6D04C100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D095100 3_2_6D095100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0461A0 3_2_6D0461A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D023000 3_2_6D023000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D05E040 3_2_6D05E040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D056040 3_2_6D056040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D043090 3_2_6D043090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0410D0 3_2_6D0410D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D096240 3_2_6D096240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0292E0 3_2_6D0292E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCE7DD0 14_2_6CCE7DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFAD00 14_2_6CCFAD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCDBE4F 14_2_6CCDBE4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD0CE40 14_2_6CD0CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCF8E10 14_2_6CCF8E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD27FB0 14_2_6CD27FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD46FB0 14_2_6CD46FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCE5820 14_2_6CCE5820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCE0830 14_2_6CCE0830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD42940 14_2_6CD42940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFBAB0 14_2_6CCFBAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCDCA60 14_2_6CCDCA60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFCA70 14_2_6CCFCA70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD51A00 14_2_6CD51A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD47490 14_2_6CD47490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFC460 14_2_6CCFC460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD45590 14_2_6CD45590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFB540 14_2_6CCFB540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFD525 14_2_6CCFD525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD51640 14_2_6CD51640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCD3620 14_2_6CCD3620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFA790 14_2_6CCFA790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD53710 14_2_6CD53710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD2F732 14_2_6CD2F732
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD16730 14_2_6CD16730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCF10D0 14_2_6CCF10D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCF3090 14_2_6CCF3090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD0E040 14_2_6CD0E040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD06040 14_2_6CD06040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCD3000 14_2_6CCD3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCF61A0 14_2_6CCF61A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCFC100 14_2_6CCFC100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD45100 14_2_6CD45100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CCD92E0 14_2_6CCD92E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD46240 14_2_6CD46240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCE7DD0 18_2_6CCE7DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFAD00 18_2_6CCFAD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCDBE4F 18_2_6CCDBE4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD0CE40 18_2_6CD0CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCF8E10 18_2_6CCF8E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD27FB0 18_2_6CD27FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD46FB0 18_2_6CD46FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCE5820 18_2_6CCE5820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCE0830 18_2_6CCE0830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD42940 18_2_6CD42940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFBAB0 18_2_6CCFBAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCDCA60 18_2_6CCDCA60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFCA70 18_2_6CCFCA70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD51A00 18_2_6CD51A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD47490 18_2_6CD47490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFC460 18_2_6CCFC460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD45590 18_2_6CD45590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFB540 18_2_6CCFB540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFD525 18_2_6CCFD525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD51640 18_2_6CD51640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCD3620 18_2_6CCD3620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFA790 18_2_6CCFA790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD53710 18_2_6CD53710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD2F732 18_2_6CD2F732
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD16730 18_2_6CD16730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCF10D0 18_2_6CCF10D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCF3090 18_2_6CCF3090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD0E040 18_2_6CD0E040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD06040 18_2_6CD06040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCD3000 18_2_6CCD3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCF61A0 18_2_6CCF61A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCFC100 18_2_6CCFC100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD45100 18_2_6CD45100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CCD92E0 18_2_6CCD92E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD46240 18_2_6CD46240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD07450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD04FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCDF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D057450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCD2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D054FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD03620 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD050A0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 832
Source: 2YsKFOeUhM.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A4310 GetLastError,FormatMessageA,fprintf,LocalFree, 3_2_6D0A4310
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0f05acd2-3cfe-4909-8511-d04313a16448
Source: 2YsKFOeUhM.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 824
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 844
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarRecognize
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: 2YsKFOeUhM.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: 2YsKFOeUhM.dll Static file information: File size 1198080 > 1048576
Source: 2YsKFOeUhM.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0213E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D0213E0
Source: 2YsKFOeUhM.dll Static PE information: real checksum: 0x12c967 should be: 0x126f74
Source: 2YsKFOeUhM.dll Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01C38F4F push es; ret 0_2_01C38F52
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01C38F3D push es; ret 0_2_01C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C38F4F push es; ret 12_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C3A496 push edi; iretd 12_2_04C3A497
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C38F3B push es; ret 12_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0490240D pushfd ; retf 15_2_0490242F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0503B9C6 push ebx; ret 20_2_0503B9C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0503B464 pushad ; ret 20_2_0503B472
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0503A929 pushfd ; ret 20_2_0503A93E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0508049D push cs; retf 0001h 20_2_0508049F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C38F4F push es; ret 21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C38F3B push es; ret 21_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C80472 push cs; retf 21_2_04C80473
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0488043B push FFFFFFB0h; iretd 23_2_04880451
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04C38F4F push es; ret 24_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04C38F3B push es; ret 24_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0503A468 push ss; ret 25_2_0503A472
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D080F80 rdtscp 3_2_6D080F80
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000016.00000002.2551732689.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: rundll32.exe, 00000014.00000002.2551108916.000000000334A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: loaddll32.exe, 00000000.00000002.2554669122.000000000148D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2458220279.000000000332A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2457743003.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2483825116.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2514078062.000000000340A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2546999162.000000000080A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2550376519.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2552827855.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 0000000E.00000002.2550564353.000000000320A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2553651655.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: rundll32.exe, 00000015.00000002.2550622139.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: rundll32.exe, 00000017.00000002.2552910448.000000000092A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D080F80 rdtscp 3_2_6D080F80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0213E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D0213E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A3710 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 3_2_6D0A3710
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A4ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6D0A4ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A4AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6D0A4AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD54ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 14_2_6CD54ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6CD54AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 14_2_6CD54AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD54ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 18_2_6CD54ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CD54AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 18_2_6CD54AE0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A4A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6D0A4A30
No contacted IP information