Windows Analysis Report
L0pD1MkYx9.dll

Overview

General Information

Sample name: L0pD1MkYx9.dll
Renamed because the original name is a hash value
Original sample name: f6a464e21c347ce4291cd8c66b7cbf3802d67040d9f465a1087f097622385161.dll
Analysis ID: 1544797
MD5: f12f9a7bc0c99d92fa5509954af20b03
SHA1: 40ada28d5fb3450d7bc46025e1bbec8b8eb9b122
SHA256: f6a464e21c347ce4291cd8c66b7cbf3802d67040d9f465a1087f097622385161
Tags: 2024 banker dll golang loader mekotio user-johnk3r
Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.8% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB81830 4_2_6CB81830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C831830 13_2_6C831830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C831830 17_2_6C831830
Source: L0pD1MkYx9.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: L0pD1MkYx9.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6CB52CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6CB52CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 4_2_6CB6CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 4_2_6CB79030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 4_2_6CB7A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6C802CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6C802CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6C81CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6C829030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6C82A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6C802CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6C802CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6C81CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6C829030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6C82A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB82A90 NtCreateWaitCompletionPacket, 4_2_6CB82A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB81A70 NtCreateWaitCompletionPacket, 4_2_6CB81A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB81570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 4_2_6CB81570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB811F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 4_2_6CB811F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C832A90 NtCreateWaitCompletionPacket, 13_2_6C832A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C831A70 NtCreateWaitCompletionPacket, 13_2_6C831A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C831570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 13_2_6C831570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C8311F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 13_2_6C8311F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C832A90 NtCreateWaitCompletionPacket, 17_2_6C832A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C831A70 NtCreateWaitCompletionPacket, 17_2_6C831A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C831570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 17_2_6C831570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C8311F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 17_2_6C8311F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C866A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C835080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB87410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CBB6A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C837410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C802C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C833B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C865740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 836
Source: L0pD1MkYx9.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBE5B30 GetLastError,FormatMessageA,fprintf,LocalFree, 4_2_6CBE5B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6358ab61-a4b6-4a38-a0a9-9c5979591139
Source: L0pD1MkYx9.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarCreate
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 836
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 836
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 832
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarRecognize
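The process tree above is the sandbox exercising every export of the DLL through rundll32.exe, with three of those hosts crashing into WerFault.exe. The following hunting rules (an added example, not sandbox code) show how the same tree is caught from process-creation telemetry: rundll32.exe loading a DLL from a user-writable path, a WerFault.exe spawned by such a rundll32.exe and tied back to it through the -p <pid> argument, and the _cgo_dummy_export entry, a symbol cgo places in Go DLLs built with -buildmode=c-shared, which agrees with the Go runtime strings found in memory above. The events, their pids and the field names are constructed to mirror the lines above and are not a real log schema.

```python
"""Hunting rules for the rundll32 process tree listed above (added example).

The events are constructed to mirror the 'Process created' lines; they are
not sandbox output, and the field names (pid, parent_image, image,
command_line) are an assumed schema, not a real log format.
"""
import ntpath
import re

# rundll32 <dll>,<entry>; <dll> may be quoted, <entry> is an export name or #ordinal
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"-p\s+(?P<pid>\d+)", re.IGNORECASE)
# cgo emits this export in -buildmode=c-shared DLLs; seeing it in a rundll32
# command line marks the DLL as Go-built (consistent with the runtime strings above)
GO_EXPORT_MARKER = "_cgo_dummy_export"


def parse_rundll32(command_line):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(command_line)
    return (m.group("dll"), m.group("entry")) if m else None


def is_user_writable(path):
    """Heuristic: profile, ProgramData and temp paths are attacker-writable, the
    Windows directory is not (assumption for this example; tune per estate)."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\programdata\\" in p or "\\temp\\" in p


def analyze(events):
    """Return findings as (rule, pid, detail) tuples from a list of process events.
    Events must be in creation order so a WerFault can be tied to its crashing parent."""
    findings, suspects = [], {}            # suspects: pid -> (dll, entry)
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        if image == "rundll32.exe":
            parsed = parse_rundll32(ev["command_line"])
            if not parsed:
                continue
            dll, entry = parsed
            short = ntpath.basename(dll)
            if is_user_writable(dll):           # LOLBin loading a user-dropped DLL
                suspects[ev["pid"]] = (short, entry)
                findings.append(("rundll32_user_dll", ev["pid"],
                                 f"{short} entry {entry} (parent {parent})"))
            if entry == GO_EXPORT_MARKER:
                findings.append(("go_cgo_dll", ev["pid"], f"{short} exports {entry}"))
        elif image == "werfault.exe" and parent == "rundll32.exe":
            m = WERFAULT_PID_RE.search(ev["command_line"])
            crashed = int(m.group("pid")) if m else None
            if crashed in suspects:             # the DLL crashed its rundll32 host
                short, entry = suspects[crashed]
                findings.append(("rundll32_crash", crashed,
                                 f"{short} entry {entry} crashed (WerFault -p {crashed})"))
    return findings


DLL = r"C:\Users\user\Desktop\L0pD1MkYx9.dll"
_LOADDLL, _CMD = r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe"
_RUNDLL, _WER = r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\WerFault.exe"
SAMPLE_EVENTS = [  # constructed; pids are invented, the command lines mirror the report
    {"pid": 1000, "parent_image": r"C:\Windows\explorer.exe", "image": _LOADDLL,
     "command_line": f'loaddll32.exe "{DLL}"'},
    {"pid": 1100, "parent_image": _LOADDLL, "image": _CMD,
     "command_line": f'cmd.exe /C rundll32.exe "{DLL}",#1'},
    {"pid": 2188, "parent_image": _CMD, "image": _RUNDLL, "command_line": f'rundll32.exe "{DLL}",#1'},
    {"pid": 1956, "parent_image": _LOADDLL, "image": _RUNDLL, "command_line": f"rundll32.exe {DLL},BarCreate"},
    {"pid": 3808, "parent_image": _LOADDLL, "image": _RUNDLL,
     "command_line": f'rundll32.exe "{DLL}",_cgo_dummy_export'},
    {"pid": 4000, "parent_image": _RUNDLL, "image": _WER, "command_line": f"{_WER} -u -p 2188 -s 836"},
    {"pid": 4001, "parent_image": _RUNDLL, "image": _WER, "command_line": f"{_WER} -u -p 3808 -s 832"},
    # benign control: a system DLL from a system path must not fire
    {"pid": 5000, "parent_image": r"C:\Windows\explorer.exe", "image": _RUNDLL,
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:18} pid={pid:<5} {detail}")
```

The crash rule is the one worth keeping in production: a DLL that WerFault has to clean up after is either broken or, as here, one that only runs correctly from its intended entry point, and the -p argument ties the crash to the exact rundll32.exe invocation and its export.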
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: L0pD1MkYx9.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: L0pD1MkYx9.dll Static file information: File size 1368576 > 1048576
Source: L0pD1MkYx9.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB513E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6CB513E0
Source: L0pD1MkYx9.dll Static PE information: real checksum: 0x15874b should be: 0x1578fa
Source: L0pD1MkYx9.dll Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBC509D pushad ; ret 4_2_6CBC509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBC5094 pushad ; ret 4_2_6CBC5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3D813 push FFFFFFCCh; iretd 5_2_04C3D816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0543AF34 push eax; retf 11_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0543C3B8 push esi; retf 11_2_0543C3C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C3DCD3 push ebp; ret 12_2_04C3DCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C3D7A4 push esp; iretd 12_2_04C3D7A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C3D82C pushad ; iretd 12_2_04C3D82D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C3DC76 pushad ; ret 12_2_04C3DC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C80397 push ebp; retf 12_2_04C8039B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C875094 pushad ; ret 13_2_6C875095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C87509D pushad ; ret 13_2_6C87509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0483CD50 push ecx; ret 15_2_0483CD78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0483CFB8 push esi; iretd 15_2_0483D226
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C875094 pushad ; ret 17_2_6C875095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C87509D pushad ; ret 17_2_6C87509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0543CE06 push es; iretd 18_2_0543CE13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0503AF38 push eax; retf 22_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0503D2DD push esp; ret 22_2_0503D2E3
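The push/ret entries above come from a byte-pattern heuristic, and the script below (an added example, not sandbox code) shows what such a heuristic does and why it is a weak signal on its own: it flags a push-class opcode followed, within a short window, by a return-class opcode, without decoding the instructions in between. Most hits above sit at addresses such as 0x04C3D813 or 0x0543AF34, far below where this DLL's code was mapped in the analyzed processes (the code functions logged for it are at 6CB5xxxx-6CBExxxx and 6C83xxxx-6C89xxxx), so they were matched in dynamically allocated memory rather than in the module image, where a two-byte sequence like 60 C3 is as likely to be data as deliberate obfuscation. SAMPLE_CODE and the base address used in the usage line are constructed.

```python
"""Locate push-then-return byte sequences (added example, not sandbox code).

The 'push X; ret' / 'pushad ; ret' / 'push X; retf|iretd' entries above are
what a byte-level heuristic of this shape reports: a push-class opcode whose
next byte(s) are a return-class opcode. SAMPLE_CODE is constructed to contain
the same shapes; it is not bytes from the analyzed DLL.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RET_OPS = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}


def decode_push(buf, i):
    """Decode a push-class instruction starting at buf[i]; (mnemonic, length) or None."""
    op = buf[i]
    if 0x50 <= op <= 0x57:
        return f"push {REG32[op - 0x50]}", 1
    if op == 0x60:
        return "pushad", 1
    if op in SEG_PUSH:
        return f"push {SEG_PUSH[op]}", 1
    if op == 0x6A and i + 1 < len(buf):                    # push imm8, sign-extended to 32 bits
        imm = struct.unpack_from("<b", buf, i + 1)[0]
        return f"push 0x{imm & 0xFFFFFFFF:08X}", 2
    if op == 0x68 and i + 4 < len(buf):                    # push imm32
        return f"push 0x{struct.unpack_from('<I', buf, i + 1)[0]:08X}", 5
    return None


def find_push_ret(buf, base=0, window=1):
    """Return [(address, push, ret)] for each push whose following `window`
    bytes contain a return-class opcode. Linear scan, no real disassembly:
    bytes inside immediates and plain data are examined too, which is why
    this heuristic fires on arbitrary data (60 C3 is 'pushad; ret')."""
    hits = []
    for i in range(len(buf)):
        dec = decode_push(buf, i)
        if dec is None:
            continue
        mnem, length = dec
        for j in range(i + length, min(i + length + window, len(buf))):
            if buf[j] in RET_OPS:
                hits.append((base + i, mnem, RET_OPS[buf[j]]))
                break
    return hits


SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"            # push ebp; mov ebp, esp   ordinary prologue, no hit
    "60 c3"               # pushad; ret              the 4_2_6CBC509D shape
    "6a cc cf"            # push 0xFFFFFFCC; iretd   the 5_2_04C3D813 shape
    "50 cb"               # push eax; retf           the 11_2_0543AF34 shape
    "68 78 56 34 12 c3"   # push 0x12345678; ret     immediate holds 0x56 (push esi) but no ret follows it
    "90 90"               # nop; nop
    "06 cf"               # push es; iretd           the 18_2_0543CE06 shape
)

if __name__ == "__main__":
    for addr, push, ret in find_push_ret(SAMPLE_CODE, base=0x6CBC5000):
        print(f"{addr:08X} {push}; {ret}")
```

Widening the window catches the non-adjacent pairs the report lists (for example push ecx at 0483CD50 with its ret at 0483CD78) at the cost of more false positives; a real triage would confirm a hit by checking that the address lies inside an executable section of the mapped module and that the bytes disassemble cleanly from a known function start.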
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBBC0C0 rdtscp 4_2_6CBBC0C0
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBBC0C0 rdtscp 4_2_6CBBC0C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB513E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6CB513E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBE4E50 free,free,GetProcessHeap,HeapFree, 4_2_6CBE4E50
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBE6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6CBE6300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C8962FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6C8962FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C896300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6C896300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C8962FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6C8962FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C896300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6C896300
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBE6250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6CBE6250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CB81C90 RtlGetVersion,RtlGetCurrentPeb, 4_2_6CB81C90
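The behaviour lines above mix real anti-analysis indicators (the rdtscp timing function, the two ProcessDebugPort queries, the GetModuleHandleA/LoadLibraryA/GetProcAddress resolver) with chains that every MSVC- or MinGW-built module emits regardless of payload: the SetUnhandledExceptionFilter/.../abort sequence is the C runtime's abort path and the GetSystemTimeAsFileTime/.../QueryPerformanceCounter sequence is its stack-cookie initialiser, and free,free,GetProcessHeap,HeapFree is plain heap release rather than a PEB heap-flags read. The WerFault.exe SetErrorMode entries are likewise the OS error-reporting process, not the sample. The following triage script is an added example by the editor, not code from the report, Joe Sandbox, or the sample; it parses a handful of the lines above (copied in as constructed input), decodes the SetErrorMode flag names to their winbase.h values, and sorts each function chain into a signal or low-signal bucket. The bucket names and the decision to treat the two CRT chains and the heap-release chain as noise are this example's judgement, not the report's.

```python
"""Sort Joe Sandbox behaviour lines into signal vs. compiler-runtime noise.

Added example (editor's own code, not from the report or the sample). The
category names and the "low signal" judgement for CRT chains are assumptions
made here; the SetErrorMode flag values are the standard winbase.h constants.
"""
import re
from collections import defaultdict

# Constructed input: behaviour lines copied from the report section above.
SAMPLE_LINES = [
    "Source: C:\\Windows\\SysWOW64\\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 4_2_6CBBC0C0 rdtscp 4_2_6CBBC0C0",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Process queried: DebugPort",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Process queried: DebugPort",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 4_2_6CB513E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6CB513E0",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 4_2_6CBE4E50 free,free,GetProcessHeap,HeapFree, 4_2_6CBE4E50",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 4_2_6CBE6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6CBE6300",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 4_2_6CBE6250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6CBE6250",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 4_2_6CB81C90 RtlGetVersion,RtlGetCurrentPeb, 4_2_6CB81C90",
]

# SetErrorMode() flag values from winbase.h (SEM_* prefix dropped, as in the report).
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

# Call chains the MSVC/MinGW C runtime emits in every module: the abort path and
# the stack-cookie initialiser. Assumption: matching these alone is low signal.
CRT_CHAINS = {
    ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess", "abort"),
    ("GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter"),
}

# The function id appears at both ends of a "Code function" line; a trailing
# " Jump to behavior" link label is tolerated on the other line types.
CODE_RE = re.compile(r"^Source: (?P<proc>\S+) Code function: (?P<fid>\S+) (?P<body>.+?) (?P=fid)$")
SEM_RE = re.compile(r"^Source: (?P<proc>\S+) Process information set: (?P<flags>[A-Z| ]+?)(?: Jump to behavior)?$")
QUERY_RE = re.compile(r"^Source: (?P<proc>\S+) Process queried: (?P<what>\w+)")


def decode_error_mode(flags: str) -> int:
    """Turn 'FAILCRITICALERRORS | NOGPFAULTERRORBOX' into the numeric SetErrorMode value."""
    value = 0
    for name in flags.split("|"):
        value |= SEM_FLAGS[name.strip()]
    return value


def hides_crashes(value: int) -> bool:
    """NOGPFAULTERRORBOX suppresses the WER crash dialog, so a crashing process dies silently."""
    return bool(value & SEM_FLAGS["NOGPFAULTERRORBOX"])


def classify_chain(body: str) -> str:
    """Bucket one comma-separated API chain (assumption: bucket names are this example's)."""
    apis = tuple(a for a in body.split(",") if a)
    if apis in CRT_CHAINS:
        return "crt-boilerplate"
    if apis == ("rdtscp",) or "rdtsc" in body:
        return "timing-check"
    if "GetProcAddress" in apis and {"LoadLibraryA", "GetModuleHandleA"} & set(apis):
        return "dynamic-api-resolution"
    if "GetProcessHeap" in apis:
        # GetProcessHeap followed by Heap{Free,Alloc,ReAlloc} is memory management;
        # a heap-flags debugger check would read the heap, not call HeapFree on it.
        nxt = apis[apis.index("GetProcessHeap") + 1:][:1]
        return "heap-management" if nxt and nxt[0] in ("HeapFree", "HeapAlloc", "HeapReAlloc") else "heap-flags-check-candidate"
    if {"RtlGetVersion", "RtlGetCurrentPeb"} & set(apis):
        return "environment-fingerprint"
    return "other"


def triage(lines):
    """Return {bucket: [(process, detail), ...]} for a list of behaviour lines."""
    out = defaultdict(list)
    for line in lines:
        m = CODE_RE.match(line)
        if m:
            out[classify_chain(m["body"])].append((m["proc"], m["fid"]))
            continue
        m = SEM_RE.match(line)
        if m:
            value = decode_error_mode(m["flags"])
            key = "error-mode-hides-crashes" if hides_crashes(value) else "error-mode"
            out[key].append((m["proc"], hex(value)))
            continue
        m = QUERY_RE.match(line)
        if m and m["what"] == "DebugPort":
            out["debug-port-query"].append((m["proc"], m["what"]))
    return dict(out)


if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE_LINES).items()):
        print(f"{bucket:28s} {len(hits)}  {', '.join(h[1] for h in hits)}")
```

Run as-is it prints one line per bucket; on this input only the timing check, the two DebugPort queries, the GetProcAddress resolver and the RtlGetVersion/PEB read survive as signal, which is a shorter list than the signature section suggests. Note that the "Thread delayed: delay time: 120000" entry is attributed to loaddll32.exe, the sandbox's own loader, and the Joe Sandbox process ids in the function names (4_2_, 13_2_, 17_2_) identify which rundll32 instance produced each hit.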
No contacted IP infos