Windows Analysis Report
HM6fo6Fz5H.dll

Overview

General Information

Sample name: HM6fo6Fz5H.dll
Renamed because the original name is a hash value
Original sample name: 94190206516c7abb012c86153f5b26cb9854fccc69d457f40421361c22ff6032.dll
Analysis ID: 1544807
MD5: b5acfda8a748d117f127765c8abe7ff0
SHA1: 1252d0ce52684b957636262978f3d701b139ae5b
SHA256: 94190206516c7abb012c86153f5b26cb9854fccc69d457f40421361c22ff6032
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D371830 9_2_6D371830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFD1830 18_2_6CFD1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFD1830 22_2_6CFD1830
Source: HM6fo6Fz5H.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: HM6fo6Fz5H.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 9_2_6D342CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 9_2_6D342CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 9_2_6D35CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 9_2_6D369030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 9_2_6D36A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 18_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 18_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 18_2_6CFBCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 18_2_6CFC9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 18_2_6CFCA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 22_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 22_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 22_2_6CFBCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 22_2_6CFC9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 22_2_6CFCA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D371A70 NtCreateWaitCompletionPacket, 9_2_6D371A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D372A90 NtCreateWaitCompletionPacket, 9_2_6D372A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D371570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 9_2_6D371570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3711F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 9_2_6D3711F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFD2A90 NtCreateWaitCompletionPacket, 18_2_6CFD2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFD1A70 NtCreateWaitCompletionPacket, 18_2_6CFD1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 18_2_6CFD1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 18_2_6CFD11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFD2A90 NtCreateWaitCompletionPacket, 22_2_6CFD2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFD1A70 NtCreateWaitCompletionPacket, 22_2_6CFD1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 22_2_6CFD1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 22_2_6CFD11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3C4D20 9_2_6D3C4D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36AD50 9_2_6D36AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D39BC20 9_2_6D39BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3C6C20 9_2_6D3C6C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D342CA6 9_2_6D342CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D342CA0 9_2_6D342CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3D4F30 9_2_6D3D4F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D37CF90 9_2_6D37CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3D2E70 9_2_6D3D2E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D34BE90 9_2_6D34BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3BCEF0 9_2_6D3BCEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D395ED0 9_2_6D395ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3559F0 9_2_6D3559F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3C59D0 9_2_6D3C59D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36D9C5 9_2_6D36D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3AA872 9_2_6D3AA872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36BB10 9_2_6D36BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D34FBC0 9_2_6D34FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36CA30 9_2_6D36CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D350AF0 9_2_6D350AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D398570 9_2_6D398570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3C2560 9_2_6D3C2560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3C95A0 9_2_6D3C95A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D363400 9_2_6D363400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D386470 9_2_6D386470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D361440 9_2_6D361440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3BE740 9_2_6D3BE740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3C6740 9_2_6D3C6740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D366630 9_2_6D366630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D39D6E0 9_2_6D39D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36C6D0 9_2_6D36C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D376010 9_2_6D376010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36D040 9_2_6D36D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3580A0 9_2_6D3580A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36C080 9_2_6D36C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3490F0 9_2_6D3490F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3A332F 9_2_6D3A332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D37A320 9_2_6D37A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3693F0 9_2_6D3693F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3D3230 9_2_6D3D3230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D37E240 9_2_6D37E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3432A0 9_2_6D3432A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3A7280 9_2_6D3A7280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D36B2D0 9_2_6D36B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D024D20 18_2_6D024D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFA2CA0 18_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFA2CA6 18_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFFBC20 18_2_6CFFBC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D026C20 18_2_6D026C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCAD50 18_2_6CFCAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFF5ED0 18_2_6CFF5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D034F30 18_2_6D034F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFABE90 18_2_6CFABE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFDCF90 18_2_6CFDCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D032E70 18_2_6D032E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D01CEF0 18_2_6D01CEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D0259D0 18_2_6D0259D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFB59F0 18_2_6CFB59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCD9C5 18_2_6CFCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D00A872 18_2_6D00A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFB0AF0 18_2_6CFB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCCA30 18_2_6CFCCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFAFBC0 18_2_6CFAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCBB10 18_2_6CFCBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D022560 18_2_6D022560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFE6470 18_2_6CFE6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D0295A0 18_2_6D0295A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFC1440 18_2_6CFC1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFC3400 18_2_6CFC3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFF8570 18_2_6CFF8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFFD6E0 18_2_6CFFD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCC6D0 18_2_6CFCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D01E740 18_2_6D01E740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D026740 18_2_6D026740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFC6630 18_2_6CFC6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFA90F0 18_2_6CFA90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFB80A0 18_2_6CFB80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCC080 18_2_6CFCC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCD040 18_2_6CFCD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFD6010 18_2_6CFD6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFCB2D0 18_2_6CFCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D00332F 18_2_6D00332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFA32A0 18_2_6CFA32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFDE240 18_2_6CFDE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFC93F0 18_2_6CFC93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D033230 18_2_6D033230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D007280 18_2_6D007280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6CFDA320 18_2_6CFDA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D024D20 22_2_6D024D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFA2CA0 22_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFA2CA6 22_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFFBC20 22_2_6CFFBC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D026C20 22_2_6D026C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCAD50 22_2_6CFCAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFF5ED0 22_2_6CFF5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D034F30 22_2_6D034F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFABE90 22_2_6CFABE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFDCF90 22_2_6CFDCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D032E70 22_2_6D032E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D01CEF0 22_2_6D01CEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D0259D0 22_2_6D0259D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFB59F0 22_2_6CFB59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCD9C5 22_2_6CFCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D00A872 22_2_6D00A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFB0AF0 22_2_6CFB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCCA30 22_2_6CFCCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFAFBC0 22_2_6CFAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCBB10 22_2_6CFCBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D022560 22_2_6D022560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFE6470 22_2_6CFE6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D0295A0 22_2_6D0295A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFC1440 22_2_6CFC1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFC3400 22_2_6CFC3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFF8570 22_2_6CFF8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFFD6E0 22_2_6CFFD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCC6D0 22_2_6CFCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D01E740 22_2_6D01E740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D026740 22_2_6D026740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFC6630 22_2_6CFC6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFA90F0 22_2_6CFA90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFB80A0 22_2_6CFB80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCC080 22_2_6CFCC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCD040 22_2_6CFCD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFD6010 22_2_6CFD6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFCB2D0 22_2_6CFCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D00332F 22_2_6D00332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFA32A0 22_2_6CFA32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFDE240 22_2_6CFDE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFC93F0 22_2_6CFC93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D033230 22_2_6D033230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D007280 22_2_6D007280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6CFDA320 22_2_6CFDA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D006A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFA2C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D3A6A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFD7410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFD5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D377410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D005740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CFD3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 840
Source: HM6fo6Fz5H.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3D5B30 GetLastError,FormatMessageA,fprintf,LocalFree, 9_2_6D3D5B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\41f66fb5-379b-4989-b4e0-9733f1975541
Source: HM6fo6Fz5H.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarCreate
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 840
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 852
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 824
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: HM6fo6Fz5H.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: HM6fo6Fz5H.dll Static file information: File size 1368576 > 1048576
Source: HM6fo6Fz5H.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_6D3413E0
Source: HM6fo6Fz5H.dll Static PE information: real checksum: 0x15674c should be: 0x155db1
Source: HM6fo6Fz5H.dll Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe Code function: 5_2_01C3D7BF push ecx; retf 5_2_01C3D7C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3B509D pushad ; ret 9_2_6D3B509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3B5094 pushad ; ret 9_2_6D3B5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0510282D push eax; iretd 16_2_0510282E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D015094 pushad ; ret 18_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D01509D pushad ; ret 18_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04C3D285 push 5EA0C0B3h; iretd 19_2_04C3D2A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04C3AF34 push eax; retf 19_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04C3DD3A push esp; ret 19_2_04C3DD3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0443AF62 push eax; retf 20_2_0443AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0443CD40 push esi; retf 20_2_0443CD53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0443AF34 push eax; retf 20_2_0443AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D015094 pushad ; ret 22_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D01509D pushad ; ret 22_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0483C388 push 12969CE4h; retf 24_2_0483C397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0483C357 push cs; retf 24_2_0483C361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0483AF34 push eax; retf 24_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0483AF34 push eax; retf 25_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_0483AF34 push eax; retf 26_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_048800BF push esi; ret 26_2_048803E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_048803D3 push esi; ret 26_2_048803E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_048803F5 push esi; ret 26_2_048803E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_0483C394 push cs; ret 28_2_0483C39A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_0483AF34 push eax; retf 28_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_0503AF34 push eax; retf 29_2_0503AF39
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3AC0C0 rdtscp 9_2_6D3AC0C0
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3AC0C0 rdtscp 9_2_6D3AC0C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_6D3413E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3D4F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 9_2_6D3D4F30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3D6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 9_2_6D3D6300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 18_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 18_2_6D0362FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 22_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 22_2_6D0362FC
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D3D6250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_6D3D6250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6D371C90 RtlGetVersion,RtlGetCurrentPeb, 9_2_6D371C90
No contacted IP infos