Windows Analysis Report
Q3kUbU2aJq.dll

Overview

General Information

Sample name: Q3kUbU2aJq.dll
renamed because original name is a hash value
Original sample name: 407c05036609108e374e4bd1e09a9d99a9c21c91f60f381ffb7a3d6375e9d1c5.dll
Analysis ID: 1544808
MD5: c6563a67de8b0016d8449ef98ec1055c
SHA1: c2602d3bfb6a5f53509fbd48a62a14e046ff2664
SHA256: 407c05036609108e374e4bd1e09a9d99a9c21c91f60f381ffb7a3d6375e9d1c5
Tags: 2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Q3kUbU2aJq.dll ReversingLabs: Detection: 13%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner
barindex
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC71830 3_2_6CC71830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCB1830 13_2_6CCB1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCB1830 17_2_6CCB1830
Uses 32bit PE files
Source: Q3kUbU2aJq.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: Q3kUbU2aJq.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6CC42CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6CC42CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6CC5CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6CC69030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6CC6A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CC82CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CC82CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CC9CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CCA9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CCAA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CC82CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CC82CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CC9CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CCA9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CCAA360
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC72A90 NtCreateWaitCompletionPacket, 3_2_6CC72A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC71A70 NtCreateWaitCompletionPacket, 3_2_6CC71A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC71570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 3_2_6CC71570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC711F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 3_2_6CC711F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCB2A90 NtCreateWaitCompletionPacket, 13_2_6CCB2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCB1A70 NtCreateWaitCompletionPacket, 13_2_6CCB1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCB1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 13_2_6CCB1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCB11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 13_2_6CCB11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCB2A90 NtCreateWaitCompletionPacket, 17_2_6CCB2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCB1A70 NtCreateWaitCompletionPacket, 17_2_6CCB1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCB1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 17_2_6CCB1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCB11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 17_2_6CCB11F0
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC42CA6 3_2_6CC42CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC42CA0 3_2_6CC42CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC9BC20 3_2_6CC9BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC6C20 3_2_6CCC6C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6AD50 3_2_6CC6AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC4D20 3_2_6CCC4D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC95ED0 3_2_6CC95ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCBCEF0 3_2_6CCBCEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC4BE90 3_2_6CC4BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCD2E70 3_2_6CCD2E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC7CF90 3_2_6CC7CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCD4F30 3_2_6CCD4F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCAA872 3_2_6CCAA872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6D9C5 3_2_6CC6D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC59D0 3_2_6CCC59D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC559F0 3_2_6CC559F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC50AF0 3_2_6CC50AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6CA30 3_2_6CC6CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC4FBC0 3_2_6CC4FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6BB10 3_2_6CC6BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC61440 3_2_6CC61440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC86470 3_2_6CC86470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC63400 3_2_6CC63400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC95A0 3_2_6CCC95A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC2560 3_2_6CCC2560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC98570 3_2_6CC98570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6C6D0 3_2_6CC6C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC9D6E0 3_2_6CC9D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC66630 3_2_6CC66630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCBE740 3_2_6CCBE740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCC6740 3_2_6CCC6740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC490F0 3_2_6CC490F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6C080 3_2_6CC6C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC580A0 3_2_6CC580A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6D040 3_2_6CC6D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC76010 3_2_6CC76010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC6B2D0 3_2_6CC6B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCA7280 3_2_6CCA7280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC432A0 3_2_6CC432A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC7E240 3_2_6CC7E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCD3230 3_2_6CCD3230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC693F0 3_2_6CC693F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCA332F 3_2_6CCA332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC7A320 3_2_6CC7A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC82CA0 13_2_6CC82CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC82CA6 13_2_6CC82CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCDBC20 13_2_6CCDBC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD06C20 13_2_6CD06C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCAAD50 13_2_6CCAAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD04D20 13_2_6CD04D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCD5ED0 13_2_6CCD5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCFCEF0 13_2_6CCFCEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC8BE90 13_2_6CC8BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD12E70 13_2_6CD12E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCBCF90 13_2_6CCBCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD14F30 13_2_6CD14F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCEA872 13_2_6CCEA872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD059D0 13_2_6CD059D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCAD9C5 13_2_6CCAD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC959F0 13_2_6CC959F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC90AF0 13_2_6CC90AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCACA30 13_2_6CCACA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC8FBC0 13_2_6CC8FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCABB10 13_2_6CCABB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCA1440 13_2_6CCA1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCC6470 13_2_6CCC6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCA3400 13_2_6CCA3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD095A0 13_2_6CD095A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD02560 13_2_6CD02560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCD8570 13_2_6CCD8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCAC6D0 13_2_6CCAC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCDD6E0 13_2_6CCDD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCA6630 13_2_6CCA6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCFE740 13_2_6CCFE740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD06740 13_2_6CD06740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC890F0 13_2_6CC890F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCAC080 13_2_6CCAC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC980A0 13_2_6CC980A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCAD040 13_2_6CCAD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCB6010 13_2_6CCB6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCAB2D0 13_2_6CCAB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCE7280 13_2_6CCE7280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CC832A0 13_2_6CC832A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCBE240 13_2_6CCBE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD13230 13_2_6CD13230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCA93F0 13_2_6CCA93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCE332F 13_2_6CCE332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCBA320 13_2_6CCBA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC82CA0 17_2_6CC82CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC82CA6 17_2_6CC82CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCDBC20 17_2_6CCDBC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD06C20 17_2_6CD06C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCAAD50 17_2_6CCAAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD04D20 17_2_6CD04D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCD5ED0 17_2_6CCD5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCFCEF0 17_2_6CCFCEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC8BE90 17_2_6CC8BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD12E70 17_2_6CD12E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCBCF90 17_2_6CCBCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD14F30 17_2_6CD14F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCEA872 17_2_6CCEA872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD059D0 17_2_6CD059D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCAD9C5 17_2_6CCAD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC959F0 17_2_6CC959F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC90AF0 17_2_6CC90AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCACA30 17_2_6CCACA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC8FBC0 17_2_6CC8FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCABB10 17_2_6CCABB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCA1440 17_2_6CCA1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCC6470 17_2_6CCC6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCA3400 17_2_6CCA3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD095A0 17_2_6CD095A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD02560 17_2_6CD02560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCD8570 17_2_6CCD8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCAC6D0 17_2_6CCAC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCDD6E0 17_2_6CCDD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCA6630 17_2_6CCA6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCFE740 17_2_6CCFE740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD06740 17_2_6CD06740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC890F0 17_2_6CC890F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCAC080 17_2_6CCAC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC980A0 17_2_6CC980A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCAD040 17_2_6CCAD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCB6010 17_2_6CCB6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCAB2D0 17_2_6CCAB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCE7280 17_2_6CCE7280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CC832A0 17_2_6CC832A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCBE240 17_2_6CCBE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD13230 17_2_6CD13230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCA93F0 17_2_6CCA93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCE332F 17_2_6CCE332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCBA320 17_2_6CCBA320
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC82C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC77410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCB3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCA6A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCE6A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCB5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCB7410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCE5740 appears 40 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 800
Uses 32bit PE files
Source: Q3kUbU2aJq.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal56.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCD5B30 GetLastError,FormatMessageA,fprintf,LocalFree, 3_2_6CCD5B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e5b5ebcb-8ed6-4a13-a26c-312bcfb0d6a5 Jump to behavior
Source: Q3kUbU2aJq.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarCreate
Source: Q3kUbU2aJq.dll ReversingLabs: Detection: 13%
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 800
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 832
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7980 -s 796
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",_cgo_dummy_export Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellSpell Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellInit Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellFree Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SignalInitializeCrashReporting Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",GetInstallDetailsPayload Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarRecognize Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: Q3kUbU2aJq.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: Q3kUbU2aJq.dll Static file information: File size 1368576 > 1048576
Source: Q3kUbU2aJq.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6CC413E0
PE file contains an invalid checksum
Source: Q3kUbU2aJq.dll Static PE information: real checksum: 0x151005 should be: 0x152b80
PE file contains sections with non-standard names
Source: Q3kUbU2aJq.dll Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0183AF38 push eax; retf 0_2_0183AF39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_018803C9 push edx; retf 0_2_018803CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC51E08 push edx; iretd 3_2_6CC51E09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC52B27 pushfd ; iretd 3_2_6CC52B29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC5246E push FFFFFF9Fh; iretd 3_2_6CC52470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCB509D pushad ; ret 3_2_6CCB509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCB5094 pushad ; ret 3_2_6CCB5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0483AF38 push eax; retf 4_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04882378 push 92D155A5h; iretd 4_2_0488237E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0503AF59 push eax; retf 11_2_0503AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C3D822 pushfd ; ret 12_2_04C3D823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF509D pushad ; ret 13_2_6CCF509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF5094 pushad ; ret 13_2_6CCF5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0543AFC5 push eax; retf 14_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0543AF59 push eax; retf 14_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_054803A8 pushad ; iretd 14_2_054803C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_054803E6 pushad ; iretd 14_2_054803C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0510284D push esi; iretd 15_2_0510284F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF509D pushad ; ret 17_2_6CCF509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF5094 pushad ; ret 17_2_6CCF5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0483AF60 push eax; retf 19_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0483CD50 push FFFFFFC2h; iretd 19_2_0483CD52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0503AF38 push eax; retf 21_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05080DDD push es; ret 21_2_05080DE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0483AF38 push eax; retf 23_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04C3C41F pushad ; retf 24_2_04C3C426
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCAC0C0 rdtscp 3_2_6CCAC0C0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCAC0C0 rdtscp 3_2_6CCAC0C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6CC413E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCD4E50 free,free,GetProcessHeap,HeapFree, 3_2_6CCD4E50
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCD6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6CCD6300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD162FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CD162FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD16300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CD16300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD162FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CD162FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD16300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CD16300
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCD6250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6CCD6250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC71C90 RtlGetVersion,RtlGetCurrentPeb, 3_2_6CC71C90
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544808 Sample: Q3kUbU2aJq.dll Startdate: 29/10/2024 Architecture: WINDOWS Score: 56 27 Multi AV Scanner detection for submitted file 2->27 29 AI detected suspicious sample 2->29 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 12 other processes 8->17 signatures5 31 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 10->31 19 WerFault.exe 2 10->19         started        21 rundll32.exe 13->21         started        23 WerFault.exe 2 15->23         started        process6 process7 25 WerFault.exe 2 21->25         started       
No contacted IP infos

Contacted Domains

Name IP Active
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true