Windows Analysis Report
5O4F7OpjtZ.dll

Overview

General Information

Sample name: 5O4F7OpjtZ.dll
renamed because original name is a hash value
Original sample name: 1913d6f00f3630c1eabdf94ace70d216448c971ea4f0c35c01211aeb29fb943d.dll
Analysis ID: 1544809
MD5: 92477a7ccc9b8a4418fb2a73fdf0c2c8
SHA1: 8a0c71061c826b5ed4986b618403bcd903dfef56
SHA256: 1913d6f00f3630c1eabdf94ace70d216448c971ea4f0c35c01211aeb29fb943d
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.3% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC714C0 3_2_6CC714C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF014C0 13_2_6CF014C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF014C0 17_2_6CF014C0
Source: 5O4F7OpjtZ.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: 5O4F7OpjtZ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6CC69DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6CC68A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6CC5CB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 3_2_6CC43000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CEF9DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CEF8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CEECB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 13_2_6CED3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CEF9DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CEF8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CEECB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 17_2_6CED3000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF07450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF050A0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF03620 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CEDF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC77450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CED2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF04FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC74FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 844
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC4310 GetLastError,FormatMessageA,fprintf,LocalFree, 3_2_6CCC4310
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e52c0386-7512-4d1e-80eb-c51b6d2e93e3
Source: 5O4F7OpjtZ.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5O4F7OpjtZ.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 844
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 832
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5O4F7OpjtZ.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5O4F7OpjtZ.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 824
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5O4F7OpjtZ.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: 5O4F7OpjtZ.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: 5O4F7OpjtZ.dll Static file information: File size 1198080 > 1048576
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6CC413E0
Source: 5O4F7OpjtZ.dll Static PE information: real checksum: 0x12f9e7 should be: 0x13370e
Source: 5O4F7OpjtZ.dll Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CD36FBD push cs; ret 3_2_6CD36FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CD359F2 push es; iretd 3_2_6CD35A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CD376AA push ebx; iretd 3_2_6CD379EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04880451 push cs; iretd 4_2_04880457
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0503BA37 push cs; retf 11_2_0503BA4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0503B462 push ss; ret 12_2_0503B463
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC6FBD push cs; ret 13_2_6CFC6FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC59F2 push es; iretd 13_2_6CFC5A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC76AA push ebx; iretd 13_2_6CFC79EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC9120 push esp; iretd 13_2_6CFC918F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0503BA05 push eax; retf 14_2_0503BA1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0503A41C push ebp; iretd 14_2_0503A41D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_049023A6 push FFFFFFF0h; retf 15_2_049023B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC6FBD push cs; ret 17_2_6CFC6FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC59F2 push es; iretd 17_2_6CFC5A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC76AA push ebx; iretd 17_2_6CFC79EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC9120 push esp; iretd 17_2_6CFC918F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04C3AFAF push es; ret 18_2_04C3B08A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04C3AFAF push es; ret 18_2_04C3B0BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C38F4F push es; ret 20_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C3B4B7 push esp; iretd 20_2_04C3B4BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C38F3B push es; ret 20_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C3B43F push eax; iretd 20_2_04C3B442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C809F3 push 01E82E82h; iretd 20_2_04C809F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0443A9AF push edx; retf 23_2_0443A9B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04C38F4F push es; ret 24_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04C38F3B push es; ret 24_2_04C38F4A
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCA0F80 rdtscp 3_2_6CCA0F80
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000014.00000002.2137707063.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: rundll32.exe, 0000000F.00000002.2135329446.000000000271A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: rundll32.exe, 00000018.00000002.2140636499.0000000002D3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: rundll32.exe, 00000003.00000002.2045536896.000000000264A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: rundll32.exe, 0000000D.00000002.2136880759.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: loaddll32.exe, 00000000.00000002.2141154524.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2046344493.00000000029DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2071691584.000000000316A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2101666195.0000000002E91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2133754570.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2137962454.0000000002BCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2139506703.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2139979640.00000000030BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000017.00000002.2139795044.00000000022EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC3630 free,free,GetProcessHeap,HeapFree, 3_2_6CCC3630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC4ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6CCC4ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC4AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6CCC4AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF54AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CF54AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF54ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CF54ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF54AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CF54AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF54ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CF54ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC4A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6CCC4A30
No contacted IP infos