Windows Analysis Report
jIcqgmCcrZ.dll

Overview

General Information

Sample name: jIcqgmCcrZ.dll
Renamed because the original name is a hash value
Original sample name: 9b3744c4390d6fca4984674ada398a9a59872cbc3eefa3e36623550e4abff4cf.dll
Analysis ID: 1544813
MD5: cf9ab2f055c7237719fbb9adad6e166a
SHA1: 140c28115a21e2b53d02e754b38316764a39cdfb
SHA256: 9b3744c4390d6fca4984674ada398a9a59872cbc3eefa3e36623550e4abff4cf
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.6% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1314C0 4_2_6D1314C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD814C0 13_2_6CD814C0
Source: jIcqgmCcrZ.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: jIcqgmCcrZ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 4_2_6D129DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 4_2_6D11CB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 4_2_6D128A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 4_2_6D103000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CD79DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CD78A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CD6CB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov ebp, edi 13_2_6CD53000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12AD00 4_2_6D12AD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D117DD0 4_2_6D117DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D157FB0 4_2_6D157FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D176FB0 4_2_6D176FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D128E10 4_2_6D128E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D13CE40 4_2_6D13CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D10BE4F 4_2_6D10BE4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D172940 4_2_6D172940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D110830 4_2_6D110830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D115820 4_2_6D115820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D181A00 4_2_6D181A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12CA70 4_2_6D12CA70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D10CA60 4_2_6D10CA60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12BAB0 4_2_6D12BAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12D525 4_2_6D12D525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12B540 4_2_6D12B540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D175590 4_2_6D175590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12C460 4_2_6D12C460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D177490 4_2_6D177490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D183710 4_2_6D183710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D146730 4_2_6D146730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D15F732 4_2_6D15F732
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12A790 4_2_6D12A790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D103620 4_2_6D103620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D181640 4_2_6D181640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12C100 4_2_6D12C100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D175100 4_2_6D175100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1261A0 4_2_6D1261A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D103000 4_2_6D103000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D13E040 4_2_6D13E040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D136040 4_2_6D136040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D123090 4_2_6D123090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1210D0 4_2_6D1210D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D176240 4_2_6D176240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1092E0 4_2_6D1092E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD67DD0 13_2_6CD67DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7AD00 13_2_6CD7AD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD8CE40 13_2_6CD8CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5BE4F 13_2_6CD5BE4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD78E10 13_2_6CD78E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDA7FB0 13_2_6CDA7FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC6FB0 13_2_6CDC6FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD60830 13_2_6CD60830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD65820 13_2_6CD65820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC2940 13_2_6CDC2940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7BAB0 13_2_6CD7BAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7CA70 13_2_6CD7CA70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5CA60 13_2_6CD5CA60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDD1A00 13_2_6CDD1A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC7490 13_2_6CDC7490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7C460 13_2_6CD7C460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC5590 13_2_6CDC5590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7B540 13_2_6CD7B540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7D525 13_2_6CD7D525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDD1640 13_2_6CDD1640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD53620 13_2_6CD53620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7A790 13_2_6CD7A790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDD3710 13_2_6CDD3710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDAF732 13_2_6CDAF732
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD96730 13_2_6CD96730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD710D0 13_2_6CD710D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD73090 13_2_6CD73090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD8E040 13_2_6CD8E040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD86040 13_2_6CD86040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD53000 13_2_6CD53000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD761A0 13_2_6CD761A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD7C100 13_2_6CD7C100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC5100 13_2_6CDC5100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD592E0 13_2_6CD592E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC6240 13_2_6CDC6240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD84FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD87450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D137450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D134FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 808
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D184310 GetLastError,FormatMessageA,fprintf,LocalFree, 4_2_6D184310
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1d736759-b1ac-4fb9-b2d8-b54927f0f08f
Source: jIcqgmCcrZ.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarCreate
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 840
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 820
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: jIcqgmCcrZ.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: jIcqgmCcrZ.dll Static file information: File size 1198080 > 1048576
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D1013E0
Source: jIcqgmCcrZ.dll Static PE information: real checksum: 0x12f39a should be: 0x12e36a
Source: jIcqgmCcrZ.dll Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1F6FBD push cs; ret 4_2_6D1F6FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1F59F2 push es; iretd 4_2_6D1F5A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1F76AA push ebx; iretd 4_2_6D1F79EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1F9120 push esp; iretd 4_2_6D1F918F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05080931 pushfd ; iretd 5_2_05080935
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CE46FBD push cs; ret 13_2_6CE46FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CE459F2 push es; iretd 13_2_6CE45A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CE476AA push ebx; iretd 13_2_6CE479EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CE49120 push esp; iretd 13_2_6CE4918F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C38F4B push es; ret 14_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C38F34 push es; ret 14_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C38F4B push es; ret 15_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C38F34 push es; ret 15_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0503A390 push ebp; ret 19_2_0503A398
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C38F4F push es; ret 20_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C3A464 push 0000007Dh; iretd 20_2_04C3A46E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C38F3B push es; ret 20_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_054803EA push es; ret 22_2_054803EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0443B4A6 push edi; iretd 23_2_0443B4A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0443AF4F push E196DF79h; retf 23_2_0443AF54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0503A47A push ebx; ret 24_2_0503A47D
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D160F80 rdtscp 4_2_6D160F80
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000F.00000002.1499455849.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: rundll32.exe, 0000000E.00000002.1499453953.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000015.00000002.1502118440.0000000002D7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: rundll32.exe, 00000018.00000002.1503835346.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: rundll32.exe, 00000013.00000002.1502109369.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: loaddll32.exe, 00000000.00000002.1504048906.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1408565033.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1408831398.000000000311A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1439715963.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1466006166.00000000026DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1500561092.000000000280A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1499453953.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.1501918757.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1503606102.000000000328A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.1503891564.00000000025BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000011.00000002.1500255453.000000000278A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D183710 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 4_2_6D183710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D184ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D184ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D184AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D184AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDD4ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CDD4ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDD4AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CDD4AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D184A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6D184A30
No contacted IP infos