Windows Analysis Report
dRs2BksGEy.dll

Overview

General Information

Sample name: dRs2BksGEy.dll
Renamed because the original name is a hash value
Original sample name: 5314ad14c81fa4099d8608c95c82d31f07d32a5c4c407c5ec3c3508a28e72b41.dll
Analysis ID: 1544794
MD5: 5408904cb76332f662c09afa85c2e530
SHA1: d0dc9556efac593d89f07c308a0edd6b58fe6f0e
SHA256: 5314ad14c81fa4099d8608c95c82d31f07d32a5c4c407c5ec3c3508a28e72b41
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found a large number of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D211830 3_2_6D211830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFD1830 13_2_6CFD1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFD1830 17_2_6CFD1830
Source: dRs2BksGEy.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: dRs2BksGEy.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6D1E2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6D1E2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6D1FCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6D209030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6D20A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CFBCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CFC9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CFCA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CFBCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CFC9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CFCA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D211A70 NtCreateWaitCompletionPacket, 3_2_6D211A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D212A90 NtCreateWaitCompletionPacket, 3_2_6D212A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D211570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 3_2_6D211570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D2111F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 3_2_6D2111F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFD2A90 NtCreateWaitCompletionPacket, 13_2_6CFD2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFD1A70 NtCreateWaitCompletionPacket, 13_2_6CFD1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 13_2_6CFD1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 13_2_6CFD11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFD2A90 NtCreateWaitCompletionPacket, 17_2_6CFD2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFD1A70 NtCreateWaitCompletionPacket, 17_2_6CFD1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 17_2_6CFD1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 17_2_6CFD11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D264D20 3_2_6D264D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20AD50 3_2_6D20AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D23BC20 3_2_6D23BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D266C20 3_2_6D266C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1E2CA6 3_2_6D1E2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1E2CA0 3_2_6D1E2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D274F30 3_2_6D274F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D21CF90 3_2_6D21CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D272E70 3_2_6D272E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1EBE90 3_2_6D1EBE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D25CEF0 3_2_6D25CEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D235ED0 3_2_6D235ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20D9C5 3_2_6D20D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1F59F0 3_2_6D1F59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D2659D0 3_2_6D2659D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D24A872 3_2_6D24A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20BB10 3_2_6D20BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1EFBC0 3_2_6D1EFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20CA30 3_2_6D20CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1F0AF0 3_2_6D1F0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D262560 3_2_6D262560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D238570 3_2_6D238570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D2695A0 3_2_6D2695A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D203400 3_2_6D203400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D226470 3_2_6D226470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D201440 3_2_6D201440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D25E740 3_2_6D25E740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D266740 3_2_6D266740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D206630 3_2_6D206630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D23D6E0 3_2_6D23D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20C6D0 3_2_6D20C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D216010 3_2_6D216010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20D040 3_2_6D20D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20C080 3_2_6D20C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1F80A0 3_2_6D1F80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1E90F0 3_2_6D1E90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D21A320 3_2_6D21A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D24332F 3_2_6D24332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D2093F0 3_2_6D2093F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D273230 3_2_6D273230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D21E240 3_2_6D21E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D247280 3_2_6D247280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1E32A0 3_2_6D1E32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D20B2D0 3_2_6D20B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D024D20 13_2_6D024D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFA2CA0 13_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFA2CA6 13_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFFBC20 13_2_6CFFBC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D026C20 13_2_6D026C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCAD50 13_2_6CFCAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFF5ED0 13_2_6CFF5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D034F30 13_2_6D034F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFABE90 13_2_6CFABE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFDCF90 13_2_6CFDCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D032E70 13_2_6D032E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D01CEF0 13_2_6D01CEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0259D0 13_2_6D0259D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFB59F0 13_2_6CFB59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCD9C5 13_2_6CFCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D00A872 13_2_6D00A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFB0AF0 13_2_6CFB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCCA30 13_2_6CFCCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFAFBC0 13_2_6CFAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCBB10 13_2_6CFCBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D022560 13_2_6D022560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFE6470 13_2_6CFE6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0295A0 13_2_6D0295A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC1440 13_2_6CFC1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC3400 13_2_6CFC3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFF8570 13_2_6CFF8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFFD6E0 13_2_6CFFD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCC6D0 13_2_6CFCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D01E740 13_2_6D01E740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D026740 13_2_6D026740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC6630 13_2_6CFC6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFA90F0 13_2_6CFA90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFB80A0 13_2_6CFB80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCC080 13_2_6CFCC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCD040 13_2_6CFCD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFD6010 13_2_6CFD6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFCB2D0 13_2_6CFCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D00332F 13_2_6D00332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFA32A0 13_2_6CFA32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFDE240 13_2_6CFDE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFC93F0 13_2_6CFC93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D033230 13_2_6D033230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D007280 13_2_6D007280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CFDA320 13_2_6CFDA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D024D20 17_2_6D024D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFA2CA0 17_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFA2CA6 17_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFFBC20 17_2_6CFFBC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D026C20 17_2_6D026C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCAD50 17_2_6CFCAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFF5ED0 17_2_6CFF5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D034F30 17_2_6D034F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFABE90 17_2_6CFABE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFDCF90 17_2_6CFDCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D032E70 17_2_6D032E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D01CEF0 17_2_6D01CEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D0259D0 17_2_6D0259D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFB59F0 17_2_6CFB59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCD9C5 17_2_6CFCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D00A872 17_2_6D00A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFB0AF0 17_2_6CFB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCCA30 17_2_6CFCCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFAFBC0 17_2_6CFAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCBB10 17_2_6CFCBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D022560 17_2_6D022560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFE6470 17_2_6CFE6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D0295A0 17_2_6D0295A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC1440 17_2_6CFC1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC3400 17_2_6CFC3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFF8570 17_2_6CFF8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFFD6E0 17_2_6CFFD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCC6D0 17_2_6CFCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D01E740 17_2_6D01E740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D026740 17_2_6D026740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC6630 17_2_6CFC6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFA90F0 17_2_6CFA90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFB80A0 17_2_6CFB80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCC080 17_2_6CFCC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCD040 17_2_6CFCD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFD6010 17_2_6CFD6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFCB2D0 17_2_6CFCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D00332F 17_2_6D00332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFA32A0 17_2_6CFA32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFDE240 17_2_6CFDE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFC93F0 17_2_6CFC93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D033230 17_2_6D033230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D007280 17_2_6D007280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CFDA320 17_2_6CFDA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D217410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D006A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D246A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFA2C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFD7410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFD5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D005740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFD3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 836
Source: dRs2BksGEy.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D275B30 GetLastError,FormatMessageA,fprintf,LocalFree, 3_2_6D275B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d9df36c7-8e70-4530-a918-8d962597685f
Source: dRs2BksGEy.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarCreate
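The process tree the report records (loaddll32.exe spawning rundll32.exe with the DLL's BarCreate export, then rundll32.exe spawning WerFault.exe for pid 5424) is a pattern worth hunting for in endpoint telemetry: rundll32 invoking a named export from a DLL in a user-writable directory, followed by a crash of that exact process. The following is an added example, not part of the Joe Sandbox report; it runs that detection over constructed process-creation events modelled on the tree above. The event fields, the user-writable path list and every pid except 5424 are assumptions.

```python
"""Hunt for rundll32 invoking an export from a DLL in a user-writable path
and correlate the WerFault crash of that process, as in the report's tree."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields Sysmon event 1 or EDR telemetry carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process tree; pids other than
# 5424 (the crashing process named in the WerFault command line) are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(4100, 800, r"C:\Windows\System32\loaddll32.exe",
              r'loaddll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll"'),
    ProcEvent(5424, 4100, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarCreate"),
    ProcEvent(5900, 5424, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 836"),
    # Benign control: a system DLL invoked from a system path must not fire.
    ProcEvent(6000, 800, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32 takes "<dll>,<export>"; the path may be quoted and spaces around the comma vary.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[^\s,]+)', re.I)
# Assumed set of user-writable roots; tune for the estate being monitored.
USER_WRITABLE_RE = re.compile(
    r"^(?:[A-Z]:\\Users\\|.*\\(?:Temp|Downloads|Desktop|AppData|ProgramData)\\)", re.I)
# WerFault names the crashing process with "-p <pid>".
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.I)


def find_suspicious_rundll32(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per rundll32 that loads a user-path DLL export, noting
    whether a WerFault event reported that exact pid crashing."""
    crashed_pids = set()
    for e in events:
        m = WERFAULT_PID_RE.search(e.cmdline)
        if m and e.image.lower().endswith("\\werfault.exe"):
            crashed_pids.add(int(m.group(1)))
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_RE.search(e.cmdline)
        if not m or not USER_WRITABLE_RE.match(m.group("dll")):
            continue
        findings.append({
            "pid": e.pid, "parent_pid": e.ppid,
            "dll": m.group("dll"), "export": m.group("export"),
            "crashed": e.pid in crashed_pids,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rundll32(SAMPLE_EVENTS):
        print(finding)
```

The crash correlation is deliberately keyed on the pid inside the WerFault command line rather than on the parent pid alone, because WerFault is started by the crashing process's own error-reporting path and the `-p` argument is the reliable link back to it.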
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 836
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 828
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 824
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: dRs2BksGEy.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: dRs2BksGEy.dll Static file information: File size 1368576 > 1048576
Source: dRs2BksGEy.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1E13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D1E13E0
Source: dRs2BksGEy.dll Static PE information: real checksum: 0x158f05 should be: 0x1505df
Source: dRs2BksGEy.dll Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0143D74E push cs; ret 0_2_0143D74F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0143CD7A push ebp; retf 0_2_0143CD7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D255094 pushad ; ret 3_2_6D255095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D25509D pushad ; ret 3_2_6D25509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0543C8DE push esp; ret 11_2_0543C8F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0543D7F9 pushfd ; iretd 11_2_0543D80C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0503AF34 push eax; retf 12_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D015094 pushad ; ret 13_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D01509D pushad ; ret 13_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3CD8B push esp; iretd 14_2_04C3CDAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3CD28 push eax; ret 14_2_04C3CD29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3AF34 push eax; retf 14_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0503D2D3 push esp; ret 15_2_0503D2ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0503AF34 push eax; retf 15_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D015094 pushad ; ret 17_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D01509D pushad ; ret 17_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0503C34B pushfd ; retf 18_2_0503C369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0503AF34 push eax; retf 18_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0443C90D push ds; ret 20_2_0443C90E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0483AF58 push eax; retf 21_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0543C39F pushad ; iretd 22_2_0543C3A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0543AF34 push eax; retf 22_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0543AF34 push eax; retf 23_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0503C8B7 push ebp; retf 24_2_0503C8F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0503AF34 push eax; retf 24_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0503C39B push ebp; retf 24_2_0503C8F8
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D24C0C0 rdtscp 3_2_6D24C0C0
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.8 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D24C0C0 rdtscp 3_2_6D24C0C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1E13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D1E13E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D274F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 3_2_6D274F30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D276300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6D276300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D2762FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6D2762FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6D0362FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6D0362FC
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D276250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6D276250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D211C90 RtlGetVersion,RtlGetCurrentPeb, 3_2_6D211C90
No contacted IP infos