Windows Analysis Report
VgABl5OHWd.dll

Overview

General Information

Sample name: VgABl5OHWd.dll
Renamed because the original name is a hash value.
Original sample name: be9a28ccd089b684187a96e3b4db60ffc3e69ef38bd7222db8d62b604894039f.dll
Analysis ID: 1544815
MD5: 1189b769816d204c828cf0430e53b776
SHA1: f18477eccdebeb7d16d696f82f2d14e22d16ac47
SHA256: be9a28ccd089b684187a96e3b4db60ffc3e69ef38bd7222db8d62b604894039f
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.9% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC11830 4_2_6CC11830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C861830 13_2_6C861830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C861830 17_2_6C861830
Source: VgABl5OHWd.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: VgABl5OHWd.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6CBE2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6CBE2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 4_2_6CBFCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 4_2_6CC09030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 4_2_6CC0A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC12A90 NtCreateWaitCompletionPacket, 4_2_6CC12A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC11A70 NtCreateWaitCompletionPacket, 4_2_6CC11A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC11570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 4_2_6CC11570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC111F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket, 4_2_6CC111F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC46A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C896A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C863B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C895740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C867410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C865080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C832C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC17410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 856
Source: VgABl5OHWd.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC75B30 GetLastError,FormatMessageA,fprintf,LocalFree, 4_2_6CC75B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b826d8fd-12db-44da-b33f-df35cd54f9eb
Source: VgABl5OHWd.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarCreate
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 856
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 844
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 824
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: VgABl5OHWd.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: VgABl5OHWd.dll Static file information: File size 1368576 > 1048576
Source: VgABl5OHWd.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBE13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6CBE13E0
Source: VgABl5OHWd.dll Static PE information: real checksum: 0x1567d9 should be: 0x1547e0
Source: VgABl5OHWd.dll Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC55094 pushad ; ret 4_2_6CC55095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC5509D pushad ; ret 4_2_6CC5509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0483AF60 push eax; retf 5_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0443D24C push edi; iretd 11_2_0443D27A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0443D315 push esi; retf 12_2_0443D316
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0443AF38 push eax; retf 12_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_044808FF push 00000036h; retf 12_2_0448090D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C8A509D pushad ; ret 13_2_6C8A509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C8A5094 pushad ; ret 13_2_6C8A5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C8A509D pushad ; ret 17_2_6C8A509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C8A5094 pushad ; ret 17_2_6C8A5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0443AF60 push eax; retf 19_2_0443AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C3BF60 push eax; retf 20_2_04C3BF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C80E1C push esi; iretd 20_2_04C80E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C80910 push edx; iretd 20_2_04C8091C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0483C369 push esi; retf 21_2_0483C36A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0483AF38 push eax; retf 21_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04880456 push eax; ret 21_2_04880457
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0503D7F5 push ebp; retf 22_2_0503D7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0503AF38 push eax; retf 22_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0483AF38 push eax; retf 23_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0483D29F push ecx; retf 23_2_0483D2A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0483AF38 push eax; retf 24_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0488039D pushfd ; iretd 24_2_048803A7
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC4C0C0 rdtscp 4_2_6CC4C0C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_04480000 sldt word ptr [eax] 16_2_04480000
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC4C0C0 rdtscp 4_2_6CC4C0C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBE13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6CBE13E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC74E50 free,free,GetProcessHeap,HeapFree, 4_2_6CC74E50
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC762FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6CC762FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC76300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6CC76300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C8C62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6C8C62FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6C8C6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6C8C6300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C8C62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6C8C62FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6C8C6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6C8C6300
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC76250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6CC76250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC11C90 RtlGetVersion,RtlGetCurrentPeb, 4_2_6CC11C90
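The signature lines above mix real evasion indicators with compiler boilerplate, and an analyst reading the raw list has to separate the two. The rdtscp timing check, the sldt-based VM check, the DebugPort query, the GetProcAddress resolver and the 120 s thread delay are the evasion-relevant hits; the SetErrorMode entries are low-signal (WerFault.exe sets FAILCRITICALERRORS | NOGPFAULTERRORBOX on every crash report it handles, and the rundll32.exe entries only suppress error dialogs), and the two API sequences at 4_2_6CC76250 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) and 4_2_6CC762FC/4_2_6CC76300 (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort) are the C runtime's stack-cookie initialisation and cookie-failure handler, present in almost every compiled Windows binary. The script below is an added triage example, not Joe Sandbox code and not part of this report: it parses a constructed subset of the report's "Source:" lines, extracts the process/address tag (the `4_2_6CC4C0C0` form, read here as process index, pass, virtual address, which is this example's assumption about the tag format), and classifies each line with a small rule table whose categories and MITRE ATT&CK mapping are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox style 'Source: ...' signature lines.

Added example for this report, not Joe Sandbox code. The category table,
the ATT&CK mapping and the 'benign CRT boilerplate' rules are this
example's own analyst assumptions; only the input lines come from the report.
"""
import re
from collections import Counter

# Constructed input: a subset of the signature lines shown in the report above.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC4C0C0 rdtscp 4_2_6CC4C0C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_04480000 sldt word ptr [eax] 16_2_04480000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBE13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6CBE13E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC762FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6CC762FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CC76250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6CC76250
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
"""

# (category, ATT&CK id or None, regex over the text after the process path).
# First match wins, so the benign CRT patterns come first: the /GS cookie
# initialisation and the cookie-failure handler appear in nearly every
# compiled Windows binary and must not be counted as evasion.
RULES = [(cat, tech, re.compile(rx)) for cat, tech, rx in [
    ("crt-boilerplate", None,
     r"GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter"),
    ("crt-boilerplate", None,
     r"SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess"),
    ("vm-detection", "T1497", r"\b(?:sldt|sgdt|sidt)\b"),
    ("anti-debug", "T1622", r"\brdtscp?\b|DebugPort"),
    ("dynamic-api-resolution", "T1027.007", r"GetProcAddress"),
    ("rundll32-ordinal-launch", "T1218.011", r'Process created: .*rundll32\.exe .*\.dll",#(\d+)'),
    ("time-based-evasion", "T1497.003", r"Thread delayed: delay time: (\d+)"),
    ("error-dialog-suppression", None,
     r"Process information set: ((?:FAILCRITICALERRORS|NOGPFAULTERRORBOX|NOOPENFILEERRORBOX)(?: \| \w+)*)"),
]]

LINE_RE = re.compile(r"^Source:\s+(?P<proc>\S+)\s+(?P<rest>.+?)\s*$")
# Assumed tag layout: <process index>_<pass>_<virtual address in hex>.
FUNC_RE = re.compile(r"\b(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{6,})\b")


def classify(line):
    """Turn one 'Source: ...' line into a finding dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1].lower()   # basename of the process path
    rest = m.group("rest")
    fm = FUNC_RE.search(rest)
    finding = {
        "process": proc,
        "pid_index": int(fm.group("pid")) if fm else None,
        "address": fm.group("addr").upper() if fm else None,
        "category": "unclassified", "attack": None, "detail": None,
    }
    for cat, tech, rx in RULES:
        r = rx.search(rest)
        if r:
            finding["category"], finding["attack"] = cat, tech
            finding["detail"] = r.group(1) if r.groups() else r.group(0)
            break
    return finding


def triage(report_text):
    """Return (findings, per-category counts) for all 'Source:' lines."""
    findings = [f for f in (classify(l) for l in report_text.splitlines()) if f]
    return findings, Counter(f["category"] for f in findings)


def evasion_findings(report_text):
    """Only the findings with an ATT&CK mapping, i.e. the ones worth a verdict."""
    return [f for f in triage(report_text)[0] if f["attack"] is not None]


if __name__ == "__main__":
    findings, counts = triage(REPORT_LINES)
    for cat, n in counts.most_common():
        print(f"{n:2d}  {cat}")
    for f in evasion_findings(REPORT_LINES):
        print(f"{f['attack']:<10} {f['process']:<14} pid#{f['pid_index']} "
              f"{f['address'] or '-':<9} {f['category']}: {f['detail']}")
```

Run on the full report, the same rules would also collapse the repeated SetErrorMode lines and the three identical "API coverage: 1.3 %" entries (one per rundll32 instance) into counts, which is the form in which an analyst compares this sample against a known family rather than re-reading every line.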
No contacted IP infos