Windows Analysis Report
d4Jre2L0d7.dll

Overview

General Information

Sample name: d4Jre2L0d7.dll
renamed because original name is a hash value
Original sample name: 25a0e1f9fb3348f374f9a4726d81a33a0e5f55774dbdf25dc770867cd213b73c.dll
Analysis ID: 1544806
MD5: 3e5c72ddd38e6c98341eb83146c2329f
SHA1: 29f6591666f9ab9f3b37ada5c80f979f48afba5b
SHA256: 25a0e1f9fb3348f374f9a4726d81a33a0e5f55774dbdf25dc770867cd213b73c
Tags: 2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner
barindex
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D131830 4_2_6D131830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD61830 13_2_6CD61830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD61830 17_2_6CD61830
Uses 32bit PE files
Source: d4Jre2L0d7.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: d4Jre2L0d7.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D102CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D102CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 4_2_6D11CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 4_2_6D129030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 4_2_6D12A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CD32CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CD32CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CD4CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CD59030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CD5A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CD32CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CD32CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CD4CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CD59030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CD5A360
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D131A70 NtCreateWaitCompletionPacket, 4_2_6D131A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D132A90 NtCreateWaitCompletionPacket, 4_2_6D132A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D131570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 4_2_6D131570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1311F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 4_2_6D1311F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD62A90 NtCreateWaitCompletionPacket, 13_2_6CD62A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD61A70 NtCreateWaitCompletionPacket, 13_2_6CD61A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD61570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 13_2_6CD61570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD611F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 13_2_6CD611F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD62A90 NtCreateWaitCompletionPacket, 17_2_6CD62A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD61A70 NtCreateWaitCompletionPacket, 17_2_6CD61A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD61570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 17_2_6CD61570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD611F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 17_2_6CD611F0
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D184D20 4_2_6D184D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12AD50 4_2_6D12AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D15BC20 4_2_6D15BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D186C20 4_2_6D186C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D102CA0 4_2_6D102CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D102CA6 4_2_6D102CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D194F30 4_2_6D194F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D13CF90 4_2_6D13CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D192E70 4_2_6D192E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D10BE90 4_2_6D10BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D155ED0 4_2_6D155ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D17CEF0 4_2_6D17CEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1859D0 4_2_6D1859D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12D9C5 4_2_6D12D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1159F0 4_2_6D1159F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D16A872 4_2_6D16A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12BB10 4_2_6D12BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D10FBC0 4_2_6D10FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12CA30 4_2_6D12CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D110AF0 4_2_6D110AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D158570 4_2_6D158570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D182560 4_2_6D182560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1895A0 4_2_6D1895A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D123400 4_2_6D123400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D121440 4_2_6D121440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D146470 4_2_6D146470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D17E740 4_2_6D17E740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D186740 4_2_6D186740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D126630 4_2_6D126630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12C6D0 4_2_6D12C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D15D6E0 4_2_6D15D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D136010 4_2_6D136010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12D040 4_2_6D12D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12C080 4_2_6D12C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1180A0 4_2_6D1180A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1090F0 4_2_6D1090F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D13A320 4_2_6D13A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D16332F 4_2_6D16332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1293F0 4_2_6D1293F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D193230 4_2_6D193230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D13E240 4_2_6D13E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D167280 4_2_6D167280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1032A0 4_2_6D1032A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D12B2D0 4_2_6D12B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD32CA0 13_2_6CD32CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD32CA6 13_2_6CD32CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD8BC20 13_2_6CD8BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDB6C20 13_2_6CDB6C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5AD50 13_2_6CD5AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDB4D20 13_2_6CDB4D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD85ED0 13_2_6CD85ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDACEF0 13_2_6CDACEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD3BE90 13_2_6CD3BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC2E70 13_2_6CDC2E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD6CF90 13_2_6CD6CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC4F30 13_2_6CDC4F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD9A872 13_2_6CD9A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDB59D0 13_2_6CDB59D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5D9C5 13_2_6CD5D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD459F0 13_2_6CD459F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD40AF0 13_2_6CD40AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5CA30 13_2_6CD5CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD3FBC0 13_2_6CD3FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5BB10 13_2_6CD5BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD51440 13_2_6CD51440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD76470 13_2_6CD76470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD53400 13_2_6CD53400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDB95A0 13_2_6CDB95A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD88570 13_2_6CD88570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDB2560 13_2_6CDB2560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5C6D0 13_2_6CD5C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD8D6E0 13_2_6CD8D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD56630 13_2_6CD56630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDAE740 13_2_6CDAE740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDB6740 13_2_6CDB6740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD390F0 13_2_6CD390F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5C080 13_2_6CD5C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD480A0 13_2_6CD480A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5D040 13_2_6CD5D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD66010 13_2_6CD66010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD5B2D0 13_2_6CD5B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD97280 13_2_6CD97280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD332A0 13_2_6CD332A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD6E240 13_2_6CD6E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC3230 13_2_6CDC3230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD593F0 13_2_6CD593F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD6A320 13_2_6CD6A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD9332F 13_2_6CD9332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD32CA0 17_2_6CD32CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD32CA6 17_2_6CD32CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD8BC20 17_2_6CD8BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDB6C20 17_2_6CDB6C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5AD50 17_2_6CD5AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDB4D20 17_2_6CDB4D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD85ED0 17_2_6CD85ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDACEF0 17_2_6CDACEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD3BE90 17_2_6CD3BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDC2E70 17_2_6CDC2E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD6CF90 17_2_6CD6CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDC4F30 17_2_6CDC4F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD9A872 17_2_6CD9A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDB59D0 17_2_6CDB59D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5D9C5 17_2_6CD5D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD459F0 17_2_6CD459F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD40AF0 17_2_6CD40AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5CA30 17_2_6CD5CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD3FBC0 17_2_6CD3FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5BB10 17_2_6CD5BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD51440 17_2_6CD51440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD76470 17_2_6CD76470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD53400 17_2_6CD53400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDB95A0 17_2_6CDB95A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD88570 17_2_6CD88570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDB2560 17_2_6CDB2560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5C6D0 17_2_6CD5C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD8D6E0 17_2_6CD8D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD56630 17_2_6CD56630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDAE740 17_2_6CDAE740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDB6740 17_2_6CDB6740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD390F0 17_2_6CD390F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5C080 17_2_6CD5C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD480A0 17_2_6CD480A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5D040 17_2_6CD5D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD66010 17_2_6CD66010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD5B2D0 17_2_6CD5B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD97280 17_2_6CD97280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD332A0 17_2_6CD332A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD6E240 17_2_6CD6E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDC3230 17_2_6CDC3230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD593F0 17_2_6CD593F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD6A320 17_2_6CD6A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD9332F 17_2_6CD9332F
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D137410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD96A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D166A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD63B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD65080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD95740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD32C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD67410 appears 1386 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 868
Uses 32bit PE files
Source: d4Jre2L0d7.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D195B30 GetLastError,FormatMessageA,fprintf,LocalFree, 4_2_6D195B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\65aa33f1-e5e7-477b-a9b5-35c4286b13fd Jump to behavior
Source: d4Jre2L0d7.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarCreate
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 868
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 832
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 824
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",_cgo_dummy_export Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellSpell Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 868 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellFree Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SignalInitializeCrashReporting Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",GetInstallDetailsPayload Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarRecognize Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: d4Jre2L0d7.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: d4Jre2L0d7.dll Static file information: File size 1368576 > 1048576
Source: d4Jre2L0d7.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D1013E0
PE file contains an invalid checksum
Source: d4Jre2L0d7.dll Static PE information: real checksum: 0x1509e8 should be: 0x15b14c
PE file contains sections with non-standard names
Source: d4Jre2L0d7.dll Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0143AF38 push eax; retf 0_2_0143AF39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0148043F pushfd ; iretd 0_2_01480443
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D175094 pushad ; ret 4_2_6D175095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D17509D pushad ; ret 4_2_6D17509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0483D7FF push cs; retf 5_2_0483D815
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04880891 push eax; iretd 5_2_04880894
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0443D82C push 00000046h; retf 12_2_0443D830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDA509D pushad ; ret 13_2_6CDA509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDA5094 pushad ; ret 13_2_6CDA5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0503D800 push es; iretd 15_2_0503D803
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0503C8CB push ebp; iretd 15_2_0503C8E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0508036C push eax; ret 15_2_0508036E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDA509D pushad ; ret 17_2_6CDA509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDA5094 pushad ; ret 17_2_6CDA5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0503AF38 push eax; retf 20_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0503C3AB pushfd ; retf 21_2_0503C3AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0503AF38 push eax; retf 22_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_050803A0 push ebx; retf 22_2_050803B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0503AF38 push eax; retf 23_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0443CD73 push 00000045h; ret 24_2_0443CDD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0443D7F6 pushad ; retf 24_2_0443D800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0443C8F9 push 00000045h; ret 24_2_0443CDD7
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D16C0C0 rdtscp 4_2_6D16C0C0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D16C0C0 rdtscp 4_2_6D16C0C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D1013E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D194F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 4_2_6D194F30
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D196300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D196300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1962FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D1962FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CDC62FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CDC6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CDC6300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDC62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CDC62FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CDC6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CDC6300
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D196250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6D196250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D131C90 RtlGetVersion,RtlGetCurrentPeb, 4_2_6D131C90
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544806 Sample: d4Jre2L0d7.dll Startdate: 29/10/2024 Architecture: WINDOWS Score: 48 27 AI detected suspicious sample 2->27 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 12 other processes 8->17 signatures5 29 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 10->29 19 WerFault.exe 2 10->19         started        21 rundll32.exe 13->21         started        23 WerFault.exe 2 15->23         started        process6 process7 25 WerFault.exe 2 21->25         started       
No contacted IP infos