Windows Analysis Report
A5r0ypOR77.dll

Overview

General Information

Sample name:	A5r0ypOR77.dll renamed because original name is a hash value
Original sample name:	d8317f94e3cb97069214163f7d5de3591571e0e607f0629c6c985998f2702422.dll
Analysis ID:	1544816
MD5:	7e3af38131464ec77c3305b057034fc2
SHA1:	3bef744c86fe6f93ec7527251e50d83bae11ada7
SHA256:	d8317f94e3cb97069214163f7d5de3591571e0e607f0629c6c985998f2702422
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.5% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0E1420	3_2_6D0E1420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0E1420	10_2_6D0E1420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D071420	12_2_6D071420

Uses 32bit PE files

Source: A5r0ypOR77.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: A5r0ypOR77.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6D0D9D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6D0D89B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6D0CCAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+5Ch]	3_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	10_2_6D0D9D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	10_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	10_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	10_2_6D0D89B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	10_2_6D0CCAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+5Ch]	10_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	12_2_6D069D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	12_2_6D042F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	12_2_6D042F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	12_2_6D0689B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	12_2_6D05CAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+5Ch]	12_2_6D0AE520

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C7D30	3_2_6D0C7D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D8D70	3_2_6D0D8D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BBDAF	3_2_6D0BBDAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0ECDA0	3_2_6D0ECDA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DAC60	3_2_6D0DAC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B2F60	3_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B2F66	3_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0EDFA0	3_2_6D0EDFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0E5FA0	3_2_6D0E5FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D2FF0	3_2_6D0D2FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D124E20	3_2_6D124E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D129970	3_2_6D129970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BC9C0	3_2_6D0BC9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11E9C0	3_2_6D11E9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DC9D0	3_2_6D0DC9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D10F892	3_2_6D10F892
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DBA10	3_2_6D0DBA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11DA50	3_2_6D11DA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D127A70	3_2_6D127A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11E520	3_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B3580	3_2_6D0B3580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1275E0	3_2_6D1275E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D129490	3_2_6D129490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DD485	3_2_6D0DD485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DB4A0	3_2_6D0DB4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D128720	3_2_6D128720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C5780	3_2_6D0C5780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C0790	3_2_6D0C0790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0F6690	3_2_6D0F6690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DA6F0	3_2_6D0DA6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D108110	3_2_6D108110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D6100	3_2_6D0D6100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D135170	3_2_6D135170
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11E1F0	3_2_6D11E1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11D030	3_2_6D11D030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D1030	3_2_6D0D1030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DC060	3_2_6D0DC060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DC3C0	3_2_6D0DC3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B9240	3_2_6D0B9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0C7D30	10_2_6D0C7D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D8D70	10_2_6D0D8D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0BBDAF	10_2_6D0BBDAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0ECDA0	10_2_6D0ECDA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DAC60	10_2_6D0DAC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B2F60	10_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B2F66	10_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0EDFA0	10_2_6D0EDFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0E5FA0	10_2_6D0E5FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D2FF0	10_2_6D0D2FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D124E20	10_2_6D124E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D129970	10_2_6D129970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0BC9C0	10_2_6D0BC9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11E9C0	10_2_6D11E9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DC9D0	10_2_6D0DC9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D10F892	10_2_6D10F892
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DBA10	10_2_6D0DBA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11DA50	10_2_6D11DA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D127A70	10_2_6D127A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11E520	10_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B3580	10_2_6D0B3580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1275E0	10_2_6D1275E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D129490	10_2_6D129490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DD485	10_2_6D0DD485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DB4A0	10_2_6D0DB4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D128720	10_2_6D128720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0C5780	10_2_6D0C5780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0C0790	10_2_6D0C0790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0F6690	10_2_6D0F6690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DA6F0	10_2_6D0DA6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D108110	10_2_6D108110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D6100	10_2_6D0D6100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D135170	10_2_6D135170
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11E1F0	10_2_6D11E1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11D030	10_2_6D11D030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D1030	10_2_6D0D1030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DC060	10_2_6D0DC060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DC3C0	10_2_6D0DC3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B9240	10_2_6D0B9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D057D30	12_2_6D057D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D068D70	12_2_6D068D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D07CDA0	12_2_6D07CDA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D04BDAF	12_2_6D04BDAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06AC60	12_2_6D06AC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D042F66	12_2_6D042F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D042F60	12_2_6D042F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D07DFA0	12_2_6D07DFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D075FA0	12_2_6D075FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D062FF0	12_2_6D062FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B4E20	12_2_6D0B4E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B9970	12_2_6D0B9970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D04C9C0	12_2_6D04C9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AE9C0	12_2_6D0AE9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06C9D0	12_2_6D06C9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D09F892	12_2_6D09F892
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06BA10	12_2_6D06BA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0ADA50	12_2_6D0ADA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B7A70	12_2_6D0B7A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AE520	12_2_6D0AE520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D043580	12_2_6D043580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B75E0	12_2_6D0B75E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06D485	12_2_6D06D485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B9490	12_2_6D0B9490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06B4A0	12_2_6D06B4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B8720	12_2_6D0B8720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D055780	12_2_6D055780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D050790	12_2_6D050790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D086690	12_2_6D086690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06A6F0	12_2_6D06A6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D066100	12_2_6D066100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D098110	12_2_6D098110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0C5170	12_2_6D0C5170
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AE1F0	12_2_6D0AE1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D061030	12_2_6D061030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AD030	12_2_6D0AD030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06C060	12_2_6D06C060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06C3C0	12_2_6D06C3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D049240	12_2_6D049240

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D135FB0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E4F30 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0773B0 appears 685 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E73B0 appears 1370 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0BF430 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E3580 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E5000 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0B2EF0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D074F30 appears 461 times

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824

Uses 32bit PE files

Source: A5r0ypOR77.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@53/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D135D70 GetLastError,FormatMessageA,LocalFree,

3_2_6D135D70

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\99abf9b2-658f-4593-8af8-33293fb3c298

Jump to behavior

Source: A5r0ypOR77.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 856
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 832
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: A5r0ypOR77.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: A5r0ypOR77.dll

Static file information: File size 1213952 > 1048576

Source: A5r0ypOR77.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains an invalid checksum

Source: A5r0ypOR77.dll

Static PE information: real checksum: 0x12aadd should be: 0x134c4f

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_014803C7 push ebx; retf	0_2_014803D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D118096 pushad ; retf	3_2_6D118097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11808D pushad ; retf	3_2_6D11808E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1173E2 pushad ; ret	3_2_6D1173E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D118096 pushad ; retf	10_2_6D118097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11808D pushad ; retf	10_2_6D11808E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1173E2 pushad ; ret	10_2_6D1173E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0443AEDF push ecx; ret	11_2_0443B428
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A808D pushad ; retf	12_2_6D0A808E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A8096 pushad ; retf	12_2_6D0A8097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A73E2 pushad ; ret	12_2_6D0A73E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A73F1 pushad ; ret	12_2_6D0A73F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0443B4EC push cs; retf	13_2_0443B985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0443B4FC push cs; retf	13_2_0443B985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_04480001 push 00000004h; iretd	13_2_04480393
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0543AEE2 push ebx; retf	16_2_0543AEF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0543AF1E push esi; ret	16_2_0543AF27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_05480001 push es; ret	16_2_054803D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F4F push es; ret	18_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F3B push es; ret	18_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503A3DA push 15CE8943h; iretd	20_2_0503A40F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F4F push es; ret	21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F3B push es; ret	21_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C3A9B9 push esi; ret	21_2_04C3A9BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C803BE push 00000022h; retf	21_2_04C803D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0543A418 push ecx; iretd	24_2_0543A438
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0543BAAE push esi; retf	24_2_0543BAAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_0543A91A push edi; retf	25_2_0543A942
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_0503B9CA push esp; retf	27_2_0503B9CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_0503AF14 pushfd ; ret	27_2_0503AF13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_0503AEDC pushfd ; ret	27_2_0503AF13

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1110E0 rdtscp

3_2_6D1110E0

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 0000001F.00000002.2261161419.0000000002D7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: rundll32.exe, 00000016.00000002.2252154580.00000000004AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: loaddll32.exe, 00000000.00000002.2265356262.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: rundll32.exe, 00000004.00000002.2156162399.000000000329A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: rundll32.exe, 00000003.00000002.2156228001.000000000327A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2213462157.000000000086A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2248101246.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2246865013.000000000067A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2248522596.000000000338A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2249290831.000000000080A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2251125196.00000000030DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2252025975.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2253787761.000000000042A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2255765049.00000000033CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2258269716.00000000034EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 0000000D.00000002.2245871499.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: rundll32.exe, 00000012.00000002.2248598007.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2260515894.000000000314A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1110E0 rdtscp

3_2_6D1110E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D135170 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,

3_2_6D135170

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1364D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D1364D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1364CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D1364CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1364D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	10_2_6D1364D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1364CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	10_2_6D1364CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0C64CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	12_2_6D0C64CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0C64D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	12_2_6D0C64D0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D136420 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6D136420

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.5% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0E1420	3_2_6D0E1420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0E1420	10_2_6D0E1420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D071420	12_2_6D071420

Uses 32bit PE files

Source: A5r0ypOR77.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: A5r0ypOR77.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6D0D9D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6D0D89B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6D0CCAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+5Ch]	3_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	10_2_6D0D9D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	10_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	10_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	10_2_6D0D89B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	10_2_6D0CCAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+5Ch]	10_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	12_2_6D069D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	12_2_6D042F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	12_2_6D042F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	12_2_6D0689B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	12_2_6D05CAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+5Ch]	12_2_6D0AE520

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C7D30	3_2_6D0C7D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D8D70	3_2_6D0D8D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BBDAF	3_2_6D0BBDAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0ECDA0	3_2_6D0ECDA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DAC60	3_2_6D0DAC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B2F60	3_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B2F66	3_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0EDFA0	3_2_6D0EDFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0E5FA0	3_2_6D0E5FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D2FF0	3_2_6D0D2FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D124E20	3_2_6D124E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D129970	3_2_6D129970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BC9C0	3_2_6D0BC9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11E9C0	3_2_6D11E9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DC9D0	3_2_6D0DC9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D10F892	3_2_6D10F892
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DBA10	3_2_6D0DBA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11DA50	3_2_6D11DA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D127A70	3_2_6D127A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11E520	3_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B3580	3_2_6D0B3580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1275E0	3_2_6D1275E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D129490	3_2_6D129490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DD485	3_2_6D0DD485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DB4A0	3_2_6D0DB4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D128720	3_2_6D128720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C5780	3_2_6D0C5780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C0790	3_2_6D0C0790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0F6690	3_2_6D0F6690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DA6F0	3_2_6D0DA6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D108110	3_2_6D108110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D6100	3_2_6D0D6100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D135170	3_2_6D135170
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11E1F0	3_2_6D11E1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11D030	3_2_6D11D030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D1030	3_2_6D0D1030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DC060	3_2_6D0DC060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0DC3C0	3_2_6D0DC3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B9240	3_2_6D0B9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0C7D30	10_2_6D0C7D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D8D70	10_2_6D0D8D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0BBDAF	10_2_6D0BBDAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0ECDA0	10_2_6D0ECDA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DAC60	10_2_6D0DAC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B2F60	10_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B2F66	10_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0EDFA0	10_2_6D0EDFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0E5FA0	10_2_6D0E5FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D2FF0	10_2_6D0D2FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D124E20	10_2_6D124E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D129970	10_2_6D129970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0BC9C0	10_2_6D0BC9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11E9C0	10_2_6D11E9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DC9D0	10_2_6D0DC9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D10F892	10_2_6D10F892
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DBA10	10_2_6D0DBA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11DA50	10_2_6D11DA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D127A70	10_2_6D127A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11E520	10_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B3580	10_2_6D0B3580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1275E0	10_2_6D1275E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D129490	10_2_6D129490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DD485	10_2_6D0DD485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DB4A0	10_2_6D0DB4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D128720	10_2_6D128720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0C5780	10_2_6D0C5780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0C0790	10_2_6D0C0790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0F6690	10_2_6D0F6690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DA6F0	10_2_6D0DA6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D108110	10_2_6D108110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D6100	10_2_6D0D6100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D135170	10_2_6D135170
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11E1F0	10_2_6D11E1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11D030	10_2_6D11D030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0D1030	10_2_6D0D1030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DC060	10_2_6D0DC060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0DC3C0	10_2_6D0DC3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D0B9240	10_2_6D0B9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D057D30	12_2_6D057D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D068D70	12_2_6D068D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D07CDA0	12_2_6D07CDA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D04BDAF	12_2_6D04BDAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06AC60	12_2_6D06AC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D042F66	12_2_6D042F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D042F60	12_2_6D042F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D07DFA0	12_2_6D07DFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D075FA0	12_2_6D075FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D062FF0	12_2_6D062FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B4E20	12_2_6D0B4E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B9970	12_2_6D0B9970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D04C9C0	12_2_6D04C9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AE9C0	12_2_6D0AE9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06C9D0	12_2_6D06C9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D09F892	12_2_6D09F892
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06BA10	12_2_6D06BA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0ADA50	12_2_6D0ADA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B7A70	12_2_6D0B7A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AE520	12_2_6D0AE520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D043580	12_2_6D043580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B75E0	12_2_6D0B75E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06D485	12_2_6D06D485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B9490	12_2_6D0B9490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06B4A0	12_2_6D06B4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0B8720	12_2_6D0B8720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D055780	12_2_6D055780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D050790	12_2_6D050790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D086690	12_2_6D086690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06A6F0	12_2_6D06A6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D066100	12_2_6D066100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D098110	12_2_6D098110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0C5170	12_2_6D0C5170
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AE1F0	12_2_6D0AE1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D061030	12_2_6D061030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0AD030	12_2_6D0AD030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06C060	12_2_6D06C060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D06C3C0	12_2_6D06C3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D049240	12_2_6D049240

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D135FB0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E4F30 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0773B0 appears 685 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E73B0 appears 1370 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0BF430 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E3580 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0E5000 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0B2EF0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D074F30 appears 461 times

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824

Uses 32bit PE files

Source: A5r0ypOR77.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@53/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D135D70 GetLastError,FormatMessageA,LocalFree,

3_2_6D135D70

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\99abf9b2-658f-4593-8af8-33293fb3c298

Jump to behavior

Source: A5r0ypOR77.dll

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 856
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 832
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: A5r0ypOR77.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: A5r0ypOR77.dll

Static file information: File size 1213952 > 1048576

Source: A5r0ypOR77.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains an invalid checksum

Source: A5r0ypOR77.dll

Static PE information: real checksum: 0x12aadd should be: 0x134c4f

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_014803C7 push ebx; retf	0_2_014803D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D118096 pushad ; retf	3_2_6D118097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D11808D pushad ; retf	3_2_6D11808E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1173E2 pushad ; ret	3_2_6D1173E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D118096 pushad ; retf	10_2_6D118097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D11808D pushad ; retf	10_2_6D11808E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1173E2 pushad ; ret	10_2_6D1173E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0443AEDF push ecx; ret	11_2_0443B428
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A808D pushad ; retf	12_2_6D0A808E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A8096 pushad ; retf	12_2_6D0A8097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A73E2 pushad ; ret	12_2_6D0A73E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0A73F1 pushad ; ret	12_2_6D0A73F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0443B4EC push cs; retf	13_2_0443B985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0443B4FC push cs; retf	13_2_0443B985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_04480001 push 00000004h; iretd	13_2_04480393
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0543AEE2 push ebx; retf	16_2_0543AEF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0543AF1E push esi; ret	16_2_0543AF27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_05480001 push es; ret	16_2_054803D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F4F push es; ret	18_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F3B push es; ret	18_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503A3DA push 15CE8943h; iretd	20_2_0503A40F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F4F push es; ret	21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F3B push es; ret	21_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C3A9B9 push esi; ret	21_2_04C3A9BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C803BE push 00000022h; retf	21_2_04C803D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0543A418 push ecx; iretd	24_2_0543A438
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0543BAAE push esi; retf	24_2_0543BAAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_0543A91A push edi; retf	25_2_0543A942
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_0503B9CA push esp; retf	27_2_0503B9CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_0503AF14 pushfd ; ret	27_2_0503AF13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_0503AEDC pushfd ; ret	27_2_0503AF13

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1110E0 rdtscp

3_2_6D1110E0

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 0000001F.00000002.2261161419.0000000002D7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: rundll32.exe, 00000016.00000002.2252154580.00000000004AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: loaddll32.exe, 00000000.00000002.2265356262.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: rundll32.exe, 00000004.00000002.2156162399.000000000329A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: rundll32.exe, 00000003.00000002.2156228001.000000000327A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2213462157.000000000086A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2248101246.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2246865013.000000000067A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2248522596.000000000338A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2249290831.000000000080A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2251125196.00000000030DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2252025975.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2253787761.000000000042A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2255765049.00000000033CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2258269716.00000000034EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 0000000D.00000002.2245871499.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: rundll32.exe, 00000012.00000002.2248598007.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2260515894.000000000314A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1110E0 rdtscp

3_2_6D1110E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6D135170

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1364D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D1364D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1364CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D1364CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1364D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	10_2_6D1364D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6D1364CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	10_2_6D1364CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0C64CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	12_2_6D0C64CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_6D0C64D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	12_2_6D0C64D0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D136420 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6D136420

ID:	1544816
Product:	CloudBasic
Start time:	19:28:38
Start date:	29.10.2024
Sample:	A5r0ypOR77.dll
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7e3af38131464ec77c3305b057034fc2
SHA1:	3bef744c86fe6f93ec7527251e50d83bae11ada7
SHA256:	d8317f94e3cb97069214163f7d5de3591571e0e607f0629c6c985998f2702422
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report
A5r0ypOR77.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report A5r0ypOR77.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
A5r0ypOR77.dll