Windows Analysis Report
wfdrproxy.dll

Overview

General Information

Sample name: wfdrproxy.dll
Analysis ID: 1584174
MD5: d0aec875dd42dceebc1a480b6aac1654
SHA1: 69670ae930e294c6587547e3c98a943e271dde20
SHA256: e493d38dcca74cc9d8309c966728e71bb3a93b342ab77ab50b4fa3ef7890d0da
Tags: dll, user-zhuzhu0009

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious

AV Detection

Source: wfdrproxy.dll ReversingLabs: Detection: 58%
Source: wfdrproxy.dll Virustotal: Detection: 56%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: wfdrproxy.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: wfdrproxy.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\DSAJKLDSJLAJKSAJFKSAJKFSAJKSAJFKSAJKFAFF\Debug\wfdrproxy.pdb source: loaddll32.exe, 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1710838785.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1740661966.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1770784581.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, wfdrproxy.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDB019A FindFirstFileExW, 0_2_6CDB019A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE21660 FindFirstFileExW,FindNextFileW, 0_2_6CE21660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE21200 FindFirstFileExW,FindNextFileW, 0_2_6CE21200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB2019A FindFirstFileExW, 3_2_6CB2019A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB91660 FindFirstFileExW,FindNextFileW, 3_2_6CB91660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB91200 FindFirstFileExW,FindNextFileW, 3_2_6CB91200
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE3BE80 0_2_6CE3BE80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBABE80 3_2_6CBABE80
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6CDB3197 appears 377 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6CDB11C1 appears 108 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6CE1F1D0 appears 34 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6CDB0BB8 appears 454 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB23197 appears 422 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB8F1D0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB20BB8 appears 507 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CB211C1 appears 108 times
Source: classification engine Classification label: mal52.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyFolderWatcher
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wfdrproxy.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyUpload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,GetAllBypass
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: wfdrproxy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wfdrproxy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wfdrproxy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wfdrproxy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wfdrproxy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wfdrproxy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: wfdrproxy.dll Static PE information: section name: .textbss
Source: wfdrproxy.dll Static PE information: section name: .msvcjmc
Source: wfdrproxy.dll Static PE information: section name: .00cfg
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDB0B54 push ecx; ret 0_2_6CE55013
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB20B54 push ecx; ret 3_2_6CBC5013
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.1 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE10E40 GetSystemInfo, 0_2_6CE10E40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDC0C20 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,WideCharToMultiByte,WideCharToMultiByte, 0_2_6CDC0C20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE1BD90 OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,GetFileType,WriteConsoleW,GetLastError,WriteFile,WriteFile,OutputDebugStringW, 0_2_6CE1BD90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDD83B0 mov eax, dword ptr fs:[00000030h] 0_2_6CDD83B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE19D10 mov ecx, dword ptr fs:[00000030h] 0_2_6CE19D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE19C40 mov ecx, dword ptr fs:[00000030h] 0_2_6CE19C40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE19AA0 mov ecx, dword ptr fs:[00000030h] 0_2_6CE19AA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE19B70 mov ecx, dword ptr fs:[00000030h] 0_2_6CE19B70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDBD3B0 mov eax, dword ptr fs:[00000030h] 0_2_6CDBD3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB483B0 mov eax, dword ptr fs:[00000030h] 3_2_6CB483B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB89D10 mov ecx, dword ptr fs:[00000030h] 3_2_6CB89D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB89C40 mov ecx, dword ptr fs:[00000030h] 3_2_6CB89C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB89AA0 mov ecx, dword ptr fs:[00000030h] 3_2_6CB89AA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB89B70 mov ecx, dword ptr fs:[00000030h] 3_2_6CB89B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB2D3B0 mov eax, dword ptr fs:[00000030h] 3_2_6CB2D3B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDC24C0 VirtualQuery,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc, 0_2_6CDC24C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDBF5F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CDBF5F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDD8810 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CDD8810
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDB013B SetUnhandledExceptionFilter, 0_2_6CDB013B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDC1690 SetUnhandledExceptionFilter, 0_2_6CDC1690
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CDC13E0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CDC13E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB2F5F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6CB2F5F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB48810 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CB48810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB2013B SetUnhandledExceptionFilter, 3_2_6CB2013B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB31690 SetUnhandledExceptionFilter, 3_2_6CB31690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CB313E0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CB313E0
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 0_2_6CE42E60
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6CE42FA0
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6CE1EA90
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6CE42B60
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6CE42450
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6CE425A0
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6CE420D0
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6CE42260
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6CE42330
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6CE1FA50
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6CE430F0
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6CDB0ED8
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6CDB3679
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 3_2_6CBB2E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6CBB2FA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6CB8EA90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6CBB2B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6CBB2450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6CBB25A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6CBB20D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6CBB2260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6CBB2330
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6CB8FA50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6CBB30F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6CB23679
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6CB20ED8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CE1FAD0 GetSystemTimeAsFileTime, 0_2_6CE1FAD0
No contacted IP infos