Windows Analysis Report
xDiFxvBGxr.dll

Overview

General Information

Sample name: xDiFxvBGxr.dll
renamed because original name is a hash value
Original sample name: 4e9da8e38d853b28552c0e6fab42435765d199ff7274dda0bf9056eb28d561d4.dll
Analysis ID: 1544805
MD5: 61bfb54126141190fb295481d67f8ca1
SHA1: c4100746f947bf262024d57f9542cd35bb6088e3
SHA256: 4e9da8e38d853b28552c0e6fab42435765d199ff7274dda0bf9056eb28d561d4
Tags: 2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner
barindex
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A1830 4_2_6D2A1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF01830 13_2_6CF01830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF01830 17_2_6CF01830
Uses 32bit PE files
Source: xDiFxvBGxr.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: xDiFxvBGxr.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D272CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D272CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 4_2_6D28CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 4_2_6D299030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 4_2_6D29A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CEECEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CEF9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CEFA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CEECEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CEF9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CEFA360
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A1A70 NtCreateWaitCompletionPacket, 4_2_6D2A1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A2A90 NtCreateWaitCompletionPacket, 4_2_6D2A2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 4_2_6D2A1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 4_2_6D2A11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF02A90 NtCreateWaitCompletionPacket, 13_2_6CF02A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF01A70 NtCreateWaitCompletionPacket, 13_2_6CF01A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF01570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 13_2_6CF01570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF011F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 13_2_6CF011F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF02A90 NtCreateWaitCompletionPacket, 17_2_6CF02A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF01A70 NtCreateWaitCompletionPacket, 17_2_6CF01A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF01570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 17_2_6CF01570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF011F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 17_2_6CF011F0
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2CBD40 4_2_6D2CBD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F6D40 4_2_6D2F6D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29AD50 4_2_6D29AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D272CA6 4_2_6D272CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D272CA0 4_2_6D272CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D302F90 4_2_6D302F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2ACF90 4_2_6D2ACF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2C5FF0 4_2_6D2C5FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F4E40 4_2_6D2F4E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D27BE90 4_2_6D27BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2DA992 4_2_6D2DA992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2859F0 4_2_6D2859F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29D9C5 4_2_6D29D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2CD800 4_2_6D2CD800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2EE860 4_2_6D2EE860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F6860 4_2_6D2F6860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D307B10 4_2_6D307B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29BB10 4_2_6D29BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D27FBC0 4_2_6D27FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29CA30 4_2_6D29CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D280AF0 4_2_6D280AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F5AF0 4_2_6D2F5AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D293400 4_2_6D293400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2B6470 4_2_6D2B6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2D344F 4_2_6D2D344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D291440 4_2_6D291440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D296630 4_2_6D296630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F2680 4_2_6D2F2680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2C8690 4_2_6D2C8690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F96C0 4_2_6D2F96C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29C6D0 4_2_6D29C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A6010 4_2_6D2A6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2ED010 4_2_6D2ED010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29D040 4_2_6D29D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2880A0 4_2_6D2880A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29C080 4_2_6D29C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2790F0 4_2_6D2790F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2AA320 4_2_6D2AA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D303350 4_2_6D303350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2D73A0 4_2_6D2D73A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2993F0 4_2_6D2993F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2AE240 4_2_6D2AE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2732A0 4_2_6D2732A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29B2D0 4_2_6D29B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED2CA6 13_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED2CA0 13_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF2BD40 13_2_6CF2BD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF56D40 13_2_6CF56D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFAD50 13_2_6CEFAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEDBE90 13_2_6CEDBE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF54E40 13_2_6CF54E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF25FF0 13_2_6CF25FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF0CF90 13_2_6CF0CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF62F90 13_2_6CF62F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF4E860 13_2_6CF4E860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF56860 13_2_6CF56860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF2D800 13_2_6CF2D800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEE59F0 13_2_6CEE59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFD9C5 13_2_6CEFD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF3A992 13_2_6CF3A992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF55AF0 13_2_6CF55AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEE0AF0 13_2_6CEE0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFCA30 13_2_6CEFCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEDFBC0 13_2_6CEDFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF67B10 13_2_6CF67B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFBB10 13_2_6CEFBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF16470 13_2_6CF16470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF1440 13_2_6CEF1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF3344F 13_2_6CF3344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF3400 13_2_6CEF3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF596C0 13_2_6CF596C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFC6D0 13_2_6CEFC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF28690 13_2_6CF28690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF52680 13_2_6CF52680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF6630 13_2_6CEF6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED90F0 13_2_6CED90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEE80A0 13_2_6CEE80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFC080 13_2_6CEFC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFD040 13_2_6CEFD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF06010 13_2_6CF06010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF4D010 13_2_6CF4D010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFB2D0 13_2_6CEFB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED32A0 13_2_6CED32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF0E240 13_2_6CF0E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF93F0 13_2_6CEF93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF373A0 13_2_6CF373A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF63350 13_2_6CF63350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF0A320 13_2_6CF0A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED2CA6 17_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED2CA0 17_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF2BD40 17_2_6CF2BD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF56D40 17_2_6CF56D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFAD50 17_2_6CEFAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEDBE90 17_2_6CEDBE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF54E40 17_2_6CF54E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF25FF0 17_2_6CF25FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF0CF90 17_2_6CF0CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF62F90 17_2_6CF62F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF4E860 17_2_6CF4E860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF56860 17_2_6CF56860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF2D800 17_2_6CF2D800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEE59F0 17_2_6CEE59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFD9C5 17_2_6CEFD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF3A992 17_2_6CF3A992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF55AF0 17_2_6CF55AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEE0AF0 17_2_6CEE0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFCA30 17_2_6CEFCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEDFBC0 17_2_6CEDFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF67B10 17_2_6CF67B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFBB10 17_2_6CEFBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF16470 17_2_6CF16470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF1440 17_2_6CEF1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF3344F 17_2_6CF3344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF3400 17_2_6CEF3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF596C0 17_2_6CF596C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFC6D0 17_2_6CEFC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF28690 17_2_6CF28690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF52680 17_2_6CF52680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF6630 17_2_6CEF6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED90F0 17_2_6CED90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEE80A0 17_2_6CEE80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFC080 17_2_6CEFC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFD040 17_2_6CEFD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF06010 17_2_6CF06010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF4D010 17_2_6CF4D010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFB2D0 17_2_6CEFB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED32A0 17_2_6CED32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF0E240 17_2_6CF0E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF93F0 17_2_6CEF93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF373A0 17_2_6CF373A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF63350 17_2_6CF63350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF0A320 17_2_6CF0A320
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF36BB0 appears 964 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF03B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D2D6BB0 appears 482 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF05080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D2A7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF07410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF35860 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CED2C30 appears 34 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 824
Uses 32bit PE files
Source: xDiFxvBGxr.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D305CF0 GetLastError,FormatMessageA,LocalFree, 4_2_6D305CF0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\045777b6-e412-4cd2-bb5c-c660db4c6c29 Jump to behavior
Source: xDiFxvBGxr.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarCreate
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 824
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 864
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 804
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",_cgo_dummy_export Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellSpell Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellInit Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellFree Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SignalInitializeCrashReporting Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",GetInstallDetailsPayload Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarRecognize Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: xDiFxvBGxr.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: xDiFxvBGxr.dll Static file information: File size 1397248 > 1048576
Source: xDiFxvBGxr.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2713E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D2713E0
PE file contains an invalid checksum
Source: xDiFxvBGxr.dll Static PE information: real checksum: 0x162d6f should be: 0x15b6c1
PE file contains sections with non-standard names
Source: xDiFxvBGxr.dll Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0183C3C1 push ebp; retf 0_2_0183C3C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0183D80F push edi; iretd 0_2_0183D827
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0183AF34 push eax; retf 0_2_0183AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3AF34 push eax; retf 5_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0483AF34 push eax; retf 11_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0443AF34 push eax; retf 12_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0443D7FC push ebp; iretd 12_2_0443D7FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C3AF34 push eax; retf 14_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04C80371 push cs; ret 14_2_04C8037A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C3AF34 push eax; retf 15_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04C3D81A push 8BF3197Ch; iretd 19_2_04C3D821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04D021B6 push cs; iretd 19_2_04D02335
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0443C8C5 pushfd ; iretd 20_2_0443C8CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0443AF34 push eax; retf 20_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0503C3DA push ecx; retf 21_2_0503C3DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0503AF34 push eax; retf 21_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04C3AF34 push eax; retf 22_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0543AF34 push eax; retf 23_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0443AF34 push eax; retf 24_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_044803BA push es; retf 24_2_044803C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_044808F7 push ss; retf 24_2_044808F8
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2DC1E0 rdtscp 4_2_6D2DC1E0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2DC1E0 rdtscp 4_2_6D2DC1E0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2713E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D2713E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D304FE0 free,free,GetProcessHeap,HeapFree, 4_2_6D304FE0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A1C90 RtlGetVersion,RtlGetCurrentPeb, 4_2_6D2A1C90
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544805 Sample: xDiFxvBGxr.dll Startdate: 29/10/2024 Architecture: WINDOWS Score: 48 27 AI detected suspicious sample 2->27 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 12 other processes 8->17 signatures5 29 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 10->29 19 WerFault.exe 2 10->19         started        21 rundll32.exe 13->21         started        23 WerFault.exe 2 15->23         started        process6 process7 25 WerFault.exe 2 21->25         started       
No contacted IP infos