Windows Analysis Report
iK9pj4aPIU.dll

Overview

General Information

Sample name:	iK9pj4aPIU.dll renamed because original name is a hash value
Original sample name:	c4fa313465383c60f92c1018c825c98dd25860891996f1f6993ad080c63b194a.dll
Analysis ID:	1544818
MD5:	1fc765a87c062b0c11bb9043679efa7c
SHA1:	dfe08757e7d81b23ee66bdcdda451acb58f47435
SHA256:	c4fa313465383c60f92c1018c825c98dd25860891996f1f6993ad080c63b194a
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1D14C0	3_2_6D1D14C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF114C0	13_2_6CF114C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF114C0	17_2_6CF114C0

Uses 32bit PE files

Source: iK9pj4aPIU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: iK9pj4aPIU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6D1C9DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6D1BCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6D1C8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D1A3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6CF09DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6CF08A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6CEFCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	13_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	17_2_6CF09DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	17_2_6CF08A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	17_2_6CEFCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	17_2_6CEE3000

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CAD00	3_2_6D1CAD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B7DD0	3_2_6D1B7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D216FB0	3_2_6D216FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1F7FB0	3_2_6D1F7FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C8E10	3_2_6D1C8E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1ABE4F	3_2_6D1ABE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1DCE40	3_2_6D1DCE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D212940	3_2_6D212940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B0830	3_2_6D1B0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B5820	3_2_6D1B5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D221A00	3_2_6D221A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CCA70	3_2_6D1CCA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1ACA60	3_2_6D1ACA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CBAB0	3_2_6D1CBAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CD525	3_2_6D1CD525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CB540	3_2_6D1CB540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D215590	3_2_6D215590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CC460	3_2_6D1CC460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D217490	3_2_6D217490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1FF732	3_2_6D1FF732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1E6730	3_2_6D1E6730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D223710	3_2_6D223710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CA790	3_2_6D1CA790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A3620	3_2_6D1A3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D221640	3_2_6D221640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CC100	3_2_6D1CC100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D215100	3_2_6D215100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C61A0	3_2_6D1C61A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A3000	3_2_6D1A3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1DE040	3_2_6D1DE040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1D6040	3_2_6D1D6040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C3090	3_2_6D1C3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C10D0	3_2_6D1C10D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D216240	3_2_6D216240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A92E0	3_2_6D1A92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF7DD0	13_2_6CEF7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0AD00	13_2_6CF0AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEEBE4F	13_2_6CEEBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF1CE40	13_2_6CF1CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF08E10	13_2_6CF08E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF37FB0	13_2_6CF37FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF56FB0	13_2_6CF56FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF5820	13_2_6CEF5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF0830	13_2_6CEF0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF52940	13_2_6CF52940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0BAB0	13_2_6CF0BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0CA70	13_2_6CF0CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEECA60	13_2_6CEECA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF61A00	13_2_6CF61A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF57490	13_2_6CF57490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0C460	13_2_6CF0C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF55590	13_2_6CF55590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0B540	13_2_6CF0B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0D525	13_2_6CF0D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF61640	13_2_6CF61640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE3620	13_2_6CEE3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0A790	13_2_6CF0A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF3F732	13_2_6CF3F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF26730	13_2_6CF26730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF63710	13_2_6CF63710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF010D0	13_2_6CF010D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF03090	13_2_6CF03090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF1E040	13_2_6CF1E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF16040	13_2_6CF16040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE3000	13_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF061A0	13_2_6CF061A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0C100	13_2_6CF0C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF55100	13_2_6CF55100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE92E0	13_2_6CEE92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF56240	13_2_6CF56240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF7DD0	17_2_6CEF7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0AD00	17_2_6CF0AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEEBE4F	17_2_6CEEBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF1CE40	17_2_6CF1CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF08E10	17_2_6CF08E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF37FB0	17_2_6CF37FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF56FB0	17_2_6CF56FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF5820	17_2_6CEF5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF0830	17_2_6CEF0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF52940	17_2_6CF52940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0BAB0	17_2_6CF0BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0CA70	17_2_6CF0CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEECA60	17_2_6CEECA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF61A00	17_2_6CF61A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF57490	17_2_6CF57490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0C460	17_2_6CF0C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF55590	17_2_6CF55590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0B540	17_2_6CF0B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0D525	17_2_6CF0D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF61640	17_2_6CF61640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE3620	17_2_6CEE3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0A790	17_2_6CF0A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF3F732	17_2_6CF3F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF26730	17_2_6CF26730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF63710	17_2_6CF63710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF010D0	17_2_6CF010D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF03090	17_2_6CF03090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF1E040	17_2_6CF1E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF16040	17_2_6CF16040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE3000	17_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF061A0	17_2_6CF061A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0C100	17_2_6CF0C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF55100	17_2_6CF55100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE92E0	17_2_6CEE92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF56240	17_2_6CF56240

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D1D7450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CEEF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF14FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D1D4FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF17450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CEE2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF150A0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF13620 appears 32 times

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840

Uses 32bit PE files

Source: iK9pj4aPIU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D224310 GetLastError,FormatMessageA,fprintf,LocalFree,

3_2_6D224310

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7e5fc8c4-0319-464e-b65e-f047036d7275

Jump to behavior

Source: iK9pj4aPIU.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 812
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 844
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: iK9pj4aPIU.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: iK9pj4aPIU.dll

Static file information: File size 1198080 > 1048576

Source: iK9pj4aPIU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1A13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D1A13E0

PE file contains an invalid checksum

Source: iK9pj4aPIU.dll

Static PE information: real checksum: 0x125242 should be: 0x12517a

PE file contains sections with non-standard names

Source: iK9pj4aPIU.dll

Static PE information: section name: .eh_fram

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D296FBD push cs; ret	3_2_6D296FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D2959F2 push es; iretd	3_2_6D295A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D2976AA push ebx; iretd	3_2_6D2979EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D299120 push esp; iretd	3_2_6D29918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C38F4F push es; ret	4_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C3B510 push esp; ret	4_2_04C3B98A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C38F3B push es; ret	4_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04C3A49A push cs; ret	11_2_04C3A4B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04C3AF6A push es; ret	11_2_04C3B08A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD6FBD push cs; ret	13_2_6CFD6FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD59F2 push es; iretd	13_2_6CFD5A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD76AA push ebx; iretd	13_2_6CFD79EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD9120 push esp; iretd	13_2_6CFD918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F4F push es; ret	14_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F3B push es; ret	14_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C80ED4 push 732236DAh; ret	14_2_04C80EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C80F17 push 732236DAh; ret	14_2_04C80EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3A483 push 0004C303h; ret	15_2_04C3A58A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3A997 push es; retf	15_2_04C3A999
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3AEFC push es; ret	15_2_04C3B08A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD6FBD push cs; ret	17_2_6CFD6FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD59F2 push es; iretd	17_2_6CFD5A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD76AA push ebx; iretd	17_2_6CFD79EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD9120 push esp; iretd	17_2_6CFD918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F4B push es; ret	18_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C3B50F pushad ; iretd	18_2_04C3B511
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F34 push es; ret	18_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0443A972 push edx; iretd	20_2_0443A973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_044803C4 pushfd ; retf	20_2_044803D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F4F push es; ret	21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F3B push es; ret	21_2_04C38F4A

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D200F80 rdtscp

3_2_6D200F80

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000012.00000002.1548712859.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: rundll32.exe, 00000017.00000002.1548984276.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: rundll32.exe, 00000004.00000002.1445793275.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: rundll32.exe, 0000000E.00000002.1533763667.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: rundll32.exe, 00000015.00000002.1548518911.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: rundll32.exe, 0000000F.00000002.1535277386.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: loaddll32.exe, 00000000.00000002.1551245452.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: rundll32.exe, 00000003.00000002.1445708441.000000000284A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: rundll32.exe, 0000000B.00000002.1471024831.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1500995544.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1540552760.000000000333A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.1536951191.000000000041A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1549786205.000000000293A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1550313048.0000000002C5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D200F80 rdtscp

3_2_6D200F80

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1A13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D1A13E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D223710 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,

3_2_6D223710

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D224AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D224AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D224ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D224ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CF64AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CF64ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	17_2_6CF64AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	17_2_6CF64ADC

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D224A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6D224A30

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1D14C0	3_2_6D1D14C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF114C0	13_2_6CF114C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF114C0	17_2_6CF114C0

Uses 32bit PE files

Source: iK9pj4aPIU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: iK9pj4aPIU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6D1C9DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6D1BCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6D1C8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D1A3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6CF09DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6CF08A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6CEFCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	13_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	17_2_6CF09DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	17_2_6CF08A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	17_2_6CEFCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	17_2_6CEE3000

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CAD00	3_2_6D1CAD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B7DD0	3_2_6D1B7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D216FB0	3_2_6D216FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1F7FB0	3_2_6D1F7FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C8E10	3_2_6D1C8E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1ABE4F	3_2_6D1ABE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1DCE40	3_2_6D1DCE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D212940	3_2_6D212940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B0830	3_2_6D1B0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B5820	3_2_6D1B5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D221A00	3_2_6D221A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CCA70	3_2_6D1CCA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1ACA60	3_2_6D1ACA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CBAB0	3_2_6D1CBAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CD525	3_2_6D1CD525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CB540	3_2_6D1CB540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D215590	3_2_6D215590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CC460	3_2_6D1CC460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D217490	3_2_6D217490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1FF732	3_2_6D1FF732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1E6730	3_2_6D1E6730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D223710	3_2_6D223710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CA790	3_2_6D1CA790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A3620	3_2_6D1A3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D221640	3_2_6D221640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CC100	3_2_6D1CC100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D215100	3_2_6D215100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C61A0	3_2_6D1C61A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A3000	3_2_6D1A3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1DE040	3_2_6D1DE040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1D6040	3_2_6D1D6040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C3090	3_2_6D1C3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C10D0	3_2_6D1C10D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D216240	3_2_6D216240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A92E0	3_2_6D1A92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF7DD0	13_2_6CEF7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0AD00	13_2_6CF0AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEEBE4F	13_2_6CEEBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF1CE40	13_2_6CF1CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF08E10	13_2_6CF08E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF37FB0	13_2_6CF37FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF56FB0	13_2_6CF56FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF5820	13_2_6CEF5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF0830	13_2_6CEF0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF52940	13_2_6CF52940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0BAB0	13_2_6CF0BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0CA70	13_2_6CF0CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEECA60	13_2_6CEECA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF61A00	13_2_6CF61A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF57490	13_2_6CF57490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0C460	13_2_6CF0C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF55590	13_2_6CF55590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0B540	13_2_6CF0B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0D525	13_2_6CF0D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF61640	13_2_6CF61640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE3620	13_2_6CEE3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0A790	13_2_6CF0A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF3F732	13_2_6CF3F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF26730	13_2_6CF26730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF63710	13_2_6CF63710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF010D0	13_2_6CF010D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF03090	13_2_6CF03090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF1E040	13_2_6CF1E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF16040	13_2_6CF16040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE3000	13_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF061A0	13_2_6CF061A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0C100	13_2_6CF0C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF55100	13_2_6CF55100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE92E0	13_2_6CEE92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF56240	13_2_6CF56240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF7DD0	17_2_6CEF7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0AD00	17_2_6CF0AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEEBE4F	17_2_6CEEBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF1CE40	17_2_6CF1CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF08E10	17_2_6CF08E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF37FB0	17_2_6CF37FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF56FB0	17_2_6CF56FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF5820	17_2_6CEF5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF0830	17_2_6CEF0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF52940	17_2_6CF52940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0BAB0	17_2_6CF0BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0CA70	17_2_6CF0CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEECA60	17_2_6CEECA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF61A00	17_2_6CF61A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF57490	17_2_6CF57490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0C460	17_2_6CF0C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF55590	17_2_6CF55590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0B540	17_2_6CF0B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0D525	17_2_6CF0D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF61640	17_2_6CF61640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE3620	17_2_6CEE3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0A790	17_2_6CF0A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF3F732	17_2_6CF3F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF26730	17_2_6CF26730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF63710	17_2_6CF63710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF010D0	17_2_6CF010D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF03090	17_2_6CF03090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF1E040	17_2_6CF1E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF16040	17_2_6CF16040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE3000	17_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF061A0	17_2_6CF061A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0C100	17_2_6CF0C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF55100	17_2_6CF55100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE92E0	17_2_6CEE92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF56240	17_2_6CF56240

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D1D7450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CEEF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF14FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D1D4FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF17450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CEE2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF150A0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF13620 appears 32 times

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840

Uses 32bit PE files

Source: iK9pj4aPIU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D224310 GetLastError,FormatMessageA,fprintf,LocalFree,

3_2_6D224310

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7e5fc8c4-0319-464e-b65e-f047036d7275

Jump to behavior

Source: iK9pj4aPIU.dll

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 812
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 844
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: iK9pj4aPIU.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: iK9pj4aPIU.dll

Static file information: File size 1198080 > 1048576

Source: iK9pj4aPIU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1A13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D1A13E0

PE file contains an invalid checksum

Source: iK9pj4aPIU.dll

Static PE information: real checksum: 0x125242 should be: 0x12517a

PE file contains sections with non-standard names

Source: iK9pj4aPIU.dll

Static PE information: section name: .eh_fram

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D296FBD push cs; ret	3_2_6D296FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D2959F2 push es; iretd	3_2_6D295A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D2976AA push ebx; iretd	3_2_6D2979EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D299120 push esp; iretd	3_2_6D29918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C38F4F push es; ret	4_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C3B510 push esp; ret	4_2_04C3B98A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C38F3B push es; ret	4_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04C3A49A push cs; ret	11_2_04C3A4B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04C3AF6A push es; ret	11_2_04C3B08A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD6FBD push cs; ret	13_2_6CFD6FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD59F2 push es; iretd	13_2_6CFD5A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD76AA push ebx; iretd	13_2_6CFD79EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD9120 push esp; iretd	13_2_6CFD918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F4F push es; ret	14_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F3B push es; ret	14_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C80ED4 push 732236DAh; ret	14_2_04C80EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C80F17 push 732236DAh; ret	14_2_04C80EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3A483 push 0004C303h; ret	15_2_04C3A58A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3A997 push es; retf	15_2_04C3A999
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3AEFC push es; ret	15_2_04C3B08A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD6FBD push cs; ret	17_2_6CFD6FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD59F2 push es; iretd	17_2_6CFD5A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD76AA push ebx; iretd	17_2_6CFD79EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD9120 push esp; iretd	17_2_6CFD918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F4B push es; ret	18_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C3B50F pushad ; iretd	18_2_04C3B511
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F34 push es; ret	18_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0443A972 push edx; iretd	20_2_0443A973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_044803C4 pushfd ; retf	20_2_044803D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F4F push es; ret	21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F3B push es; ret	21_2_04C38F4A

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D200F80 rdtscp

3_2_6D200F80

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000012.00000002.1548712859.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: rundll32.exe, 00000017.00000002.1548984276.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: rundll32.exe, 00000004.00000002.1445793275.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: rundll32.exe, 0000000E.00000002.1533763667.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: rundll32.exe, 00000015.00000002.1548518911.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: rundll32.exe, 0000000F.00000002.1535277386.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: loaddll32.exe, 00000000.00000002.1551245452.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: rundll32.exe, 00000003.00000002.1445708441.000000000284A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: rundll32.exe, 0000000B.00000002.1471024831.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1500995544.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1540552760.000000000333A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.1536951191.000000000041A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1549786205.000000000293A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1550313048.0000000002C5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D200F80 rdtscp

3_2_6D200F80

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1A13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D1A13E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6D223710

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D224AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D224AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D224ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D224ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CF64AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CF64ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	17_2_6CF64AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	17_2_6CF64ADC

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D224A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6D224A30

ID:	1544818
Product:	CloudBasic
Start time:	19:28:57
Start date:	29.10.2024
Sample:	iK9pj4aPIU.dll
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1fc765a87c062b0c11bb9043679efa7c
SHA1:	dfe08757e7d81b23ee66bdcdda451acb58f47435
SHA256:	c4fa313465383c60f92c1018c825c98dd25860891996f1f6993ad080c63b194a
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report
iK9pj4aPIU.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report iK9pj4aPIU.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
iK9pj4aPIU.dll