Windows Analysis Report
LKwQJxGVXf.dll

Overview

General Information

Sample name: LKwQJxGVXf.dll
Renamed because the original name is a hash value
Original sample name: cf6015d5bc81bf146e340edf1702859f56eabbd0e85eb4c1e983939db9bcdd0f.dll
Analysis ID: 1544803
MD5: 2dbba73dbf326f0ea03d80bede21b467
SHA1: d8acc159a59cc07e0d7d6a3de7d7ba9df424c441
SHA256: cf6015d5bc81bf146e340edf1702859f56eabbd0e85eb4c1e983939db9bcdd0f
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 88.0% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB814C0 3_2_6CB814C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CE114C0 13_2_6CE114C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CE114C0 17_2_6CE114C0
Source: LKwQJxGVXf.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: LKwQJxGVXf.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6CB79DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6CB78A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6CB6CB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 3_2_6CB53000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CE09DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CE08A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CDFCB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 13_2_6CDE3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CE09DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CE08A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CDFCB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 17_2_6CDE3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CDEF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CE13620 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB84FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CE14FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CE17450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CE150A0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CDE2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB87450 appears 687 times
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD4310 GetLastError,FormatMessageA,fprintf,LocalFree, 3_2_6CBD4310
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e917f5ba-49e8-4fad-b18f-f2b504d24a2e
Source: LKwQJxGVXf.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 836
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 812
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 844
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: LKwQJxGVXf.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: LKwQJxGVXf.dll Static file information: File size 1198080 > 1048576
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB513E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6CB513E0
Source: LKwQJxGVXf.dll Static PE information: real checksum: 0x13151e should be: 0x130042
Source: LKwQJxGVXf.dll Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC46FBD push cs; ret 3_2_6CC46FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC459F2 push es; iretd 3_2_6CC45A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC476AA push ebx; iretd 3_2_6CC479EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0483B9AB push es; iretd 4_2_0483B9AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0483AEB4 push ecx; ret 4_2_0483AED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C38FC3 push es; ret 11_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C38F4F push es; ret 11_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C38F53 push es; ret 11_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C38F3B push es; ret 11_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED6FBD push cs; ret 13_2_6CED6FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED59F2 push es; iretd 13_2_6CED5A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED76AA push ebx; iretd 13_2_6CED79EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C38FC3 push es; ret 14_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3B60B push esi; iretd 14_2_04C3B982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C38F4F push es; ret 14_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3A217 push ds; ret 14_2_04C3A3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3A3B7 push 0004C303h; ret 14_2_04C3A58A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C38F3B push es; ret 14_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3A378 push ds; ret 14_2_04C3A3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0483A9E2 push edx; ret 15_2_0483A9E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0483AEA9 push cs; ret 15_2_0483AEC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED6FBD push cs; ret 17_2_6CED6FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED59F2 push es; iretd 17_2_6CED5A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED76AA push ebx; iretd 17_2_6CED79EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04C38FC3 push es; ret 19_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04C38FA1 push es; ret 19_2_04C38FAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04C3A473 push 0004C303h; ret 19_2_04C3A58A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04C38FC3 push es; ret 22_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04C38F4F push es; ret 22_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04C3A418 pushad ; iretd 22_2_04C3A419
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04C38F3B push es; ret 22_2_04C38F4A
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBB0F80 rdtscp 3_2_6CBB0F80
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000E.00000002.2229264812.0000000002D6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: rundll32.exe, 00000013.00000002.2232490236.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: rundll32.exe, 00000018.00000002.2238595309.000000000315A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: rundll32.exe, 00000015.00000002.2234698661.000000000064A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: loaddll32.exe, 00000000.00000002.2237856869.0000000000666000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2140730643.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2139546766.000000000080A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2166605305.0000000002ACA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2197069812.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2232731511.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2230203030.000000000061A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2233926444.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2234749334.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2237851825.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD3630 free,free,GetProcessHeap,HeapFree, 3_2_6CBD3630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD4AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6CBD4AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD4ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6CBD4ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CE64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CE64AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CE64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CE64ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CE64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CE64AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CE64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CE64ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD4A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6CBD4A30
No contacted IP infos