Windows Analysis Report
wPXfGrAC5q.dll

Overview

General Information

Sample name: wPXfGrAC5q.dll
renamed because original name is a hash value
Original sample name: 4763aeaf5e201de4c17fb127a565b73940ec67292bc75ce6bd45feb4104319ef.dll
Analysis ID: 1544812
MD5: c5255f9a1c66c5dad7434ae8ecb90318
SHA1: 5d41f3073653f7d92079ca2b938778c000be6412
SHA256: 4763aeaf5e201de4c17fb127a565b73940ec67292bc75ce6bd45feb4104319ef
Tags: 2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner
barindex
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C1830 3_2_6D4C1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D451830 20_2_6D451830
Uses 32bit PE files
Source: wPXfGrAC5q.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: wPXfGrAC5q.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6D492CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6D492CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6D4ACEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6D4B9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6D4BA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 20_2_6D422CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 20_2_6D422CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 20_2_6D43CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 20_2_6D449030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 20_2_6D44A360
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C1A70 NtCreateWaitCompletionPacket, 3_2_6D4C1A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C2A90 NtCreateWaitCompletionPacket, 3_2_6D4C2A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 3_2_6D4C1570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 3_2_6D4C11F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D451A70 NtCreateWaitCompletionPacket, 20_2_6D451A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D452A90 NtCreateWaitCompletionPacket, 20_2_6D452A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D451570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 20_2_6D451570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D4511F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 20_2_6D4511F0
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BAD50 3_2_6D4BAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4EBC20 3_2_6D4EBC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D492CA0 3_2_6D492CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D492CA6 3_2_6D492CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4CCF90 3_2_6D4CCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4E5ED0 3_2_6D4E5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D49BE90 3_2_6D49BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BD9C5 3_2_6D4BD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A59F0 3_2_6D4A59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4FA872 3_2_6D4FA872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BBB10 3_2_6D4BBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D49FBC0 3_2_6D49FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BCA30 3_2_6D4BCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A0AF0 3_2_6D4A0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4E8570 3_2_6D4E8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B1440 3_2_6D4B1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4D6470 3_2_6D4D6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B3400 3_2_6D4B3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B6630 3_2_6D4B6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BC6D0 3_2_6D4BC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4ED6E0 3_2_6D4ED6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BD040 3_2_6D4BD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C6010 3_2_6D4C6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4990F0 3_2_6D4990F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BC080 3_2_6D4BC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A80A0 3_2_6D4A80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4F332F 3_2_6D4F332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4CA320 3_2_6D4CA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B93F0 3_2_6D4B93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4CE240 3_2_6D4CE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BB2D0 3_2_6D4BB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4F7280 3_2_6D4F7280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4932A0 3_2_6D4932A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44AD50 20_2_6D44AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D47BC20 20_2_6D47BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D422CA0 20_2_6D422CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D422CA6 20_2_6D422CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D45CF90 20_2_6D45CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D475ED0 20_2_6D475ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D42BE90 20_2_6D42BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44D9C5 20_2_6D44D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D4359F0 20_2_6D4359F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D48A872 20_2_6D48A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44BB10 20_2_6D44BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D42FBC0 20_2_6D42FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44CA30 20_2_6D44CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D430AF0 20_2_6D430AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D478570 20_2_6D478570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D441440 20_2_6D441440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D466470 20_2_6D466470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D443400 20_2_6D443400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D446630 20_2_6D446630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44C6D0 20_2_6D44C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D47D6E0 20_2_6D47D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44D040 20_2_6D44D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D456010 20_2_6D456010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D4290F0 20_2_6D4290F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44C080 20_2_6D44C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D4380A0 20_2_6D4380A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D45A320 20_2_6D45A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D48332F 20_2_6D48332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D4493F0 20_2_6D4493F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D45E240 20_2_6D45E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D44B2D0 20_2_6D44B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D487280 20_2_6D487280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D4232A0 20_2_6D4232A0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D4C7410 appears 691 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D4F6A90 appears 480 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D486A90 appears 480 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D457410 appears 691 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 824
Uses 32bit PE files
Source: wPXfGrAC5q.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bba3320f-8344-4456-9708-84adcbee543e Jump to behavior
Source: wPXfGrAC5q.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarCreate
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 824
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 840
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 832
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarDestroy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarFreeRec Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",_cgo_dummy_export Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellSpell Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellInit Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellFree Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SignalInitializeCrashReporting Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",GetInstallDetailsPayload Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarRecognize Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: wPXfGrAC5q.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: wPXfGrAC5q.dll Static file information: File size 1368576 > 1048576
Source: wPXfGrAC5q.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D4913E0
PE file contains an invalid checksum
Source: wPXfGrAC5q.dll Static PE information: real checksum: 0x14e6bf should be: 0x154eea
PE file contains sections with non-standard names
Source: wPXfGrAC5q.dll Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0183AF34 push eax; retf 0_2_0183AF39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0183CD7B push ss; iretd 0_2_0183CD92
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_018803E8 push edx; retf 0_2_018803F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0188036E push edx; iretd 0_2_0188038B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D505094 pushad ; ret 3_2_6D505095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D50509D pushad ; ret 3_2_6D50509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0543AF34 push eax; retf 4_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054823ED push edx; retf 4_2_054823F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_054828A2 push cs; iretd 4_2_054828B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0483D763 push esp; retf 17_2_0483D764
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0543AF34 push eax; retf 19_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D49509D pushad ; ret 20_2_6D49509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D495094 pushad ; ret 20_2_6D495095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0503AF34 push eax; retf 21_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0503CE1C push edx; ret 21_2_0503CE2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04C3AF34 push eax; retf 22_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04C80394 push ecx; iretd 22_2_04C803A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04C3AF34 push eax; retf 24_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04C3AF34 push eax; retf 26_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 27_2_04C3D30B push ebp; iretd 27_2_04C3D311
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 27_2_04C3AF34 push eax; retf 27_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_0443AF34 push eax; retf 28_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_0443C926 push C790B133h; retf 29_2_0443CD8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_0443CD6E push C790B133h; retf 29_2_0443CD8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_0443AF34 push eax; retf 29_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 30_2_0503AF34 push eax; retf 30_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_0543C8A3 push ss; retf 31_2_0543C8A5
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4FC0C0 rdtscp 3_2_6D4FC0C0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.4 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4FC0C0 rdtscp 3_2_6D4FC0C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D4913E0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D526300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6D526300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_6D4B6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 20_2_6D4B6300
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D526250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6D526250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C1C90 RtlGetVersion,RtlGetCurrentPeb, 3_2_6D4C1C90
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544812 Sample: wPXfGrAC5q.dll Startdate: 29/10/2024 Architecture: WINDOWS Score: 48 27 AI detected suspicious sample 2->27 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 12 other processes 8->17 signatures5 29 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 10->29 19 WerFault.exe 2 10->19         started        21 rundll32.exe 13->21         started        23 WerFault.exe 2 15->23         started        process6 process7 25 WerFault.exe 2 21->25         started       
No contacted IP infos