Windows Analysis Report
WW15vnG9EY.dll

Overview

General Information

Sample name: WW15vnG9EY.dll
renamed because original name is a hash value
Original sample name: 70ebafe5935dc5fa81a5e82e5f9ed83c7862e3d785f6b52351703d44e644dbfa.dll
Analysis ID: 1544792
MD5: 4da91b21a75c396b98219ddf500051b7
SHA1: c84478746587c5bef9f1d2550629660197cd0b7b
SHA256: 70ebafe5935dc5fa81a5e82e5f9ed83c7862e3d785f6b52351703d44e644dbfa
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
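Two of the signatures above, "PE file contains an invalid checksum" and "PE file contains sections with non-standard names", are cheap to reproduce outside the sandbox. The Python below is an added example written for this page; it is not part of the report or of the sample. It recomputes the image checksum with the imagehlp algorithm (little-endian dword sum that skips the CheckSum field, folded to 16 bits, plus the file length), reads the section table, and flags names outside a baseline list that is my own assumption rather than anything the report states. The constructed build_sample() header (i386 PE32 DLL, two sections: .text and the .symtab section Go's linker emits, CheckSum 0) is synthetic input so the script runs offline; pass the real DLL path to check the report's findings. Caveat for weighting the signature: linkers other than Microsoft's commonly leave CheckSum at 0, so an invalid checksum by itself is weak evidence of tampering or packing.

```python
import struct

# Section names a practitioner expects from the MSVC toolchain and its runtime
# libraries.  This baseline is my assumption, not the sandbox's list.  Go's
# linker emits ".symtab", which is absent here and is one reason a Go DLL trips
# the "non-standard names" heuristic.
STANDARD_SECTIONS = {
    b".text", b".data", b".rdata", b".idata", b".edata", b".pdata", b".reloc",
    b".rsrc", b".bss", b".tls", b".CRT", b".debug", b".xdata", b".00cfg",
}


def _headers(data):
    """Return (optional_header_off, optional_header_size, n_sections, checksum_off)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # CheckSum sits 64 bytes into the optional header for both PE32 and PE32+.
    return opt, opt_size, n_sections, opt + 64


def pe_checksum(data):
    """Recompute the image checksum as imagehlp's CheckSumMappedFile does:
    sum the file as little-endian dwords, skipping the CheckSum field and
    folding carries, then fold to 16 bits and add the file length."""
    checksum_off = _headers(data)[3]
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, _headers(data)[3])[0]


def section_names(data):
    opt, opt_size, n_sections, _ = _headers(data)
    table = opt + opt_size
    names = []
    for i in range(n_sections):
        entry = table + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[entry:entry + 8].split(b"\0", 1)[0])
    return names


def triage(data):
    """Reproduce the two header signatures and return the evidence."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    names = section_names(data)
    return {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed,
        "checksum_unset": stored == 0,
        "sections": names,
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
    }


def build_sample(checksum=0):
    """Constructed minimal PE32 DLL header (MZ stub, COFF header, PE32 optional
    header, two sections: .text and Go's .symtab).  Not loadable; it only gives
    the checks above deterministic offline input."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 2)             # i386, 2 sections
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x2102)         # PE32 opt size; EXECUTABLE|32BIT|DLL
    struct.pack_into("<H", buf, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", buf, 0x58 + 64, checksum)         # CheckSum field
    table = 0x58 + 0xE0
    buf[table:table + 8] = b".text".ljust(8, b"\0")
    buf[table + 40:table + 48] = b".symtab".ljust(8, b"\0")
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py WW15vnG9EY.dll`; with no argument it runs on the constructed header, where the stored checksum is 0 and .symtab is reported as non-standard.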

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0C1830 3_2_6D0C1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D101830 13_2_6D101830
Source: WW15vnG9EY.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: WW15vnG9EY.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6D092CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6D092CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6D0ACEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6D0B9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6D0BA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6D0D2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6D0D2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6D0ECEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6D0F9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6D0FA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0C1A70 NtCreateWaitCompletionPacket, 3_2_6D0C1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0C2A90 NtCreateWaitCompletionPacket, 3_2_6D0C2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0C1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 3_2_6D0C1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0C11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 3_2_6D0C11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D101A70 NtCreateWaitCompletionPacket, 13_2_6D101A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D102A90 NtCreateWaitCompletionPacket, 13_2_6D102A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D101570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 13_2_6D101570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D1011F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 13_2_6D1011F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0EBD40 3_2_6D0EBD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D116D40 3_2_6D116D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BAD50 3_2_6D0BAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D092CA0 3_2_6D092CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D092CA6 3_2_6D092CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D122F90 3_2_6D122F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0CCF90 3_2_6D0CCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0E5FF0 3_2_6D0E5FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D114E40 3_2_6D114E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D09BE90 3_2_6D09BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0FA992 3_2_6D0FA992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BD9C5 3_2_6D0BD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A59F0 3_2_6D0A59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0ED800 3_2_6D0ED800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D10E860 3_2_6D10E860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D116860 3_2_6D116860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D127B10 3_2_6D127B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BBB10 3_2_6D0BBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D09FBC0 3_2_6D09FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BCA30 3_2_6D0BCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D115AF0 3_2_6D115AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A0AF0 3_2_6D0A0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0B3400 3_2_6D0B3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0F344F 3_2_6D0F344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0B1440 3_2_6D0B1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0D6470 3_2_6D0D6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0B6630 3_2_6D0B6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D112680 3_2_6D112680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0E8690 3_2_6D0E8690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1196C0 3_2_6D1196C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BC6D0 3_2_6D0BC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D10D010 3_2_6D10D010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0C6010 3_2_6D0C6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BD040 3_2_6D0BD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BC080 3_2_6D0BC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0A80A0 3_2_6D0A80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0990F0 3_2_6D0990F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0CA320 3_2_6D0CA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D123350 3_2_6D123350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0F73A0 3_2_6D0F73A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0B93F0 3_2_6D0B93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0CE240 3_2_6D0CE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0932A0 3_2_6D0932A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0BB2D0 3_2_6D0BB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D12BD40 13_2_6D12BD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D156D40 13_2_6D156D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FAD50 13_2_6D0FAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0D2CA6 13_2_6D0D2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0D2CA0 13_2_6D0D2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D10CF90 13_2_6D10CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D162F90 13_2_6D162F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D125FF0 13_2_6D125FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D154E40 13_2_6D154E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0DBE90 13_2_6D0DBE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D13A992 13_2_6D13A992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FD9C5 13_2_6D0FD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0E59F0 13_2_6D0E59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D12D800 13_2_6D12D800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D14E860 13_2_6D14E860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D156860 13_2_6D156860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D167B10 13_2_6D167B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FBB10 13_2_6D0FBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0DFBC0 13_2_6D0DFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FCA30 13_2_6D0FCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D155AF0 13_2_6D155AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0E0AF0 13_2_6D0E0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0F3400 13_2_6D0F3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0F1440 13_2_6D0F1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D13344F 13_2_6D13344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D116470 13_2_6D116470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0F6630 13_2_6D0F6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D128690 13_2_6D128690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D152680 13_2_6D152680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D1596C0 13_2_6D1596C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FC6D0 13_2_6D0FC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D106010 13_2_6D106010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D14D010 13_2_6D14D010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FD040 13_2_6D0FD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FC080 13_2_6D0FC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0E80A0 13_2_6D0E80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0D90F0 13_2_6D0D90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D10A320 13_2_6D10A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D163350 13_2_6D163350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D1373A0 13_2_6D1373A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0F93F0 13_2_6D0F93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D10E240 13_2_6D10E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0D32A0 13_2_6D0D32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0FB2D0 13_2_6D0FB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D136BB0 appears 482 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D107410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D0C7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D0F6BB0 appears 482 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 828
Source: WW15vnG9EY.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D125CF0 GetLastError,FormatMessageA,LocalFree, 3_2_6D125CF0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c6458ac8-0653-452c-82ed-4dcac49bf54c
Source: WW15vnG9EY.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 828
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 836
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 864
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarRecognize
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: WW15vnG9EY.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: WW15vnG9EY.dll Static file information: File size 1397248 > 1048576
Source: WW15vnG9EY.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D0913E0
Source: WW15vnG9EY.dll Static PE information: real checksum: 0x15d76d should be: 0x16140a
Source: WW15vnG9EY.dll Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103AF38 push eax; retf 0_2_0103AF39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01080353 push 49A291CCh; ret 0_2_01080358
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0503C884 push edx; ret 4_2_0503C885
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C8042D push dword ptr [eax+52D9574Bh]; iretd 11_2_04C80436
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0443D248 push dword ptr [esi+291909C3h]; iretd 12_2_0443D26F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0503AF59 push eax; retf 14_2_0503AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0503AF38 push eax; retf 16_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_05080336 push eax; retf 16_2_0508035D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0483D229 pushfd ; retf 19_2_0483D22C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0483AF38 push eax; retf 19_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0443AF38 push eax; retf 20_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0483AF38 push eax; retf 21_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0483AF60 push eax; retf 22_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0483C87D pushfd ; iretd 22_2_0483C88A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04880353 push esi; iretd 22_2_04880376
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0543D7C5 push ds; retf 23_2_0543D7F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0503D253 push ebp; retf 24_2_0503D254
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0503D2F3 push esp; retf 24_2_0503D2F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0503AF38 push eax; retf 24_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_05080411 pushad ; retf 24_2_05080413
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0510443E pushad ; ret 24_2_0510443F
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0FC1E0 rdtscp 3_2_6D0FC1E0
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0FC1E0 rdtscp 3_2_6D0FC1E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D0913E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D124FE0 free,free,GetProcessHeap,HeapFree, 3_2_6D124FE0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D0C1C90 RtlGetVersion,RtlGetCurrentPeb, 3_2_6D0C1C90
No contacted IP infos