Windows Analysis Report
ndVERlNRYc.dll

Overview

General Information

Sample name: ndVERlNRYc.dll
renamed because original name is a hash value
Original sample name: 59d90ac1f1a6d0d0de4eb9e7624f72be537be300e5e2646cd3c6cb726368191a.dll
Analysis ID: 1544811
MD5: 035e7197381e431607e7018b272e4c6a
SHA1: 6a67771fdb0f51b0e1a5f90a1d2fe1e2aacbe228
SHA256: 59d90ac1f1a6d0d0de4eb9e7624f72be537be300e5e2646cd3c6cb726368191a
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D121830 4_2_6D121830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF1830 13_2_6CCF1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF1830 17_2_6CCF1830
Source: ndVERlNRYc.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: ndVERlNRYc.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D0F2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D0F2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 4_2_6D10CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 4_2_6D119030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 4_2_6D11A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CCC2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CCC2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CCDCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CCE9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CCEA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CCC2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CCC2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CCDCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CCE9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CCEA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D121A70 NtCreateWaitCompletionPacket, 4_2_6D121A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D122A90 NtCreateWaitCompletionPacket, 4_2_6D122A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D121570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 4_2_6D121570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1211F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 4_2_6D1211F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF2A90 NtCreateWaitCompletionPacket, 13_2_6CCF2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF1A70 NtCreateWaitCompletionPacket, 13_2_6CCF1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 13_2_6CCF1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 13_2_6CCF11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF2A90 NtCreateWaitCompletionPacket, 17_2_6CCF2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF1A70 NtCreateWaitCompletionPacket, 17_2_6CCF1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 17_2_6CCF1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 17_2_6CCF11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CD26A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCF7410 appears 1382 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D127410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCF5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D156A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CCF3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 832
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D185B30 GetLastError,FormatMessageA,fprintf,LocalFree, 4_2_6D185B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7d6cc847-7479-4e1b-a04f-03e8da9f2e05 Jump to behavior
Source: ndVERlNRYc.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarCreate
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 836
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 856
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: ndVERlNRYc.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: ndVERlNRYc.dll Static file information: File size 1368576 > 1048576
Source: ndVERlNRYc.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D0F13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D0F13E0
Source: ndVERlNRYc.dll Static PE information: real checksum: 0x15a82d should be: 0x159f84
Source: ndVERlNRYc.dll Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0143AF34 push eax; retf 0_2_0143AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D165094 pushad ; ret 4_2_6D165095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D16509D pushad ; ret 4_2_6D16509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0483D297 push es; retf 11_2_0483D29A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0483AF38 push eax; retf 11_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0488041E pushfd ; ret 11_2_0488041F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD35094 pushad ; ret 13_2_6CD35095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD3509D pushad ; ret 13_2_6CD3509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0503C3A4 push edi; iretd 14_2_0503C3A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0503C39C push ds; retf 14_2_0503C3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0543AF62 push eax; retf 15_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0543AF34 push eax; retf 15_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD35094 pushad ; ret 17_2_6CD35095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD3509D pushad ; ret 17_2_6CD3509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C3AF34 push eax; retf 20_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C3C31D push edx; ret 21_2_04C3C32B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C3AF34 push eax; retf 21_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C80928 push 00000063h; retf 21_2_04C80935
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0483AF34 push eax; retf 22_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0543AF34 push eax; retf 23_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_05480D27 pushfd ; retf 23_2_05480D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0548043A push ecx; retf 23_2_0548043D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0543CDD9 push B275ACE3h; retf 24_2_0543CDDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0543AF34 push eax; retf 24_2_0543AF39
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D15C0C0 rdtscp 4_2_6D15C0C0
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.4 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\WerFault.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D184F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 4_2_6D184F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D186300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D186300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D1862FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D1862FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD56300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CD56300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD56300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CD56300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D186250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6D186250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D121C90 RtlGetVersion,RtlGetCurrentPeb, 4_2_6D121C90
No contacted IP infos