Windows Analysis Report
KfHeFsr9Ce.dll

ID:	1544810
Product:	CloudBasic
Start time:	19:14:01
Start date:	29.10.2024
Sample:	KfHeFsr9Ce.dll
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ce3788861571ea3c978b7a1e4e053334
SHA1:	0f40ba47e4547602695850c2cf0ca99be45f76ec
SHA256:	b751e2ba0f0223835582e83eedf94b0e688e47484828be083f0469fb30e86302
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 95.46%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c5d089c8cf748e1b13ba2105216189e689b02e_7522e4b5_13afcf82-ac04-4d3d-a715-aa7139a6a92a\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	E6BBAEC743BE236791DB60F6670EAA9C	C0977C099B13C17050A377F39751BA80DF1489DD	B2BFCE7BAB011963F5190F1D9AAAF204178B96712C06BAB429F48875102C1B08
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7334.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 29 18:14:54 2024, 0x1205a4 type	324047FD8360A59B5229BEC9D32B4CCC	BCBDA42F42384960E8530EA53D308CF67BCEFB8D	F666086C1FF0340FD9AA7A133A17660CEDD42F5489734605D0F678C1A99AF843
C:\ProgramData\Microsoft\Windows\WER\Temp\WER73C2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	39BC90B51972ACF092AE3CCE1B43DB1D	CE895D620906EC1B1F779C0E1709C4D53139B450	E363BED5B380D6B99B7F34D2C6017FC179FF61C1F11EBC50CFD769E405F48453
C:\ProgramData\Microsoft\Windows\WER\Temp\WER73F2.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	70DBA7CA60FD579D6EB0D92A76DB2161	E5D648A258DC31F2FD5EECBA6697D8AFB0DCDE0A	4C0D641DA73C78F41AB0D47D6290A64B2890C3F12A4D0B6364C063317B3B8D2C
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	73910DF7A1CBF6F4E9543B5EA194866A	45BDBF694DDAA4C95A7C0478DB79447DE3F48C4D	5687E729206B0CB2EBAA666C93357B3C2B302E89A2BFD8BEBFAAA59400742CB9

AV Detection

Source: KfHeFsr9Ce.dll

Avira: detected

Source: KfHeFsr9Ce.dll

ReversingLabs: Detection: 50%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Compliance

Source: KfHeFsr9Ce.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Spreading

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041BD1C4 FindFirstFileW,FindClose,		4_2_041BD1C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041BCBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,		4_2_041BCBF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_0040D1C4 FindFirstFileW,FindClose,		40_2_0040D1C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_0040CBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,		40_2_0040CBF8

Networking

Source: unknown

DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0429A1D8 GetClipboardData,CopyEnhMetaFileW,GetEnhMetaFileHeader,

4_2_0429A1D8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0429AA7C GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

4_2_0429AA7C

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042A6444		4_2_042A6444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042A6704		4_2_042A6704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04260F64		4_2_04260F64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04296918		4_2_04296918
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041EB4C4		4_2_041EB4C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042610A8		4_2_042610A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042AFD00		4_2_042AFD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0429FE80		4_2_0429FE80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042A5F80		4_2_042A5F80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042A1FC4		4_2_042A1FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004F6444		40_2_004F6444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004F6704		40_2_004F6704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004E6918		40_2_004E6918
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004B0F64		40_2_004B0F64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004B10A8		40_2_004B10A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_0043B4C4		40_2_0043B4C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004FFD00		40_2_004FFD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004EFE80		40_2_004EFE80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004F1FC4		40_2_004F1FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_004F5F80		40_2_004F5F80

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 648

Source: KfHeFsr9Ce.dll

Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: KfHeFsr9Ce.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal60.winDLL@59/5@1/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04295AA0 GetLastError,FormatMessageW,

4_2_04295AA0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_041D19D8 GetDiskFreeSpaceW,

4_2_041D19D8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0425A910 FindResourceW,LoadResource,SizeofResource,LockResource,

4_2_0425A910

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess968
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\72eb9324-90ea-41b3-85cd-9898baab4786

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KfHeFsr9Ce.dll,BarCreate

Source: KfHeFsr9Ce.dll

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KfHeFsr9Ce.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 648
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KfHeFsr9Ce.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KfHeFsr9Ce.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeSetFocus
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeSetDirty
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeResize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkePaint2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeKillFocus
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeIsDirty
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeInitialize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeGetCaretRect
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireMouseWheelEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireMouseEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireKeyUpEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireKeyPressEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireKeyDownEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireContextMenuEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFinalize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeDestroyWebView
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeCreateWebView
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KfHeFsr9Ce.dll,BarCreate			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KfHeFsr9Ce.dll,BarDestroy			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KfHeFsr9Ce.dll,BarFreeRec			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",BarCreate			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",BarDestroy			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",BarFreeRec			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeSetFocus			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeSetDirty			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeResize			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkePaint2			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeKillFocus			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeIsDirty			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeInitialize			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeGetCaretRect			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireMouseWheelEvent			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireMouseEvent			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireKeyUpEvent			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireKeyPressEvent			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireKeyDownEvent			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFireContextMenuEvent			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeFinalize			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeDestroyWebView			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",wkeCreateWebView			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",dbkFCallWrapperAddr			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",__dbk_fcall_wrapper			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",#1			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll			Jump to behavior

Source: KfHeFsr9Ce.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KfHeFsr9Ce.dll

Static file information: File size 1271296 > 1048576

Source: KfHeFsr9Ce.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10cc00

Data Obfuscation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_042B90EC LoadLibraryW,GetProcAddress,GetProcAddress,IsBadReadPtr,

4_2_042B90EC

Source: KfHeFsr9Ce.dll

Static PE information: section name: .didata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042BE47C push 042BE519h; ret		4_2_042BE511
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042BE000 push 042BE0DEh; ret		4_2_042BE0D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04214450 push ecx; mov dword ptr [esp], ecx		4_2_04214454
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042BE540 push 042BE5F6h; ret		4_2_042BE5EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0427460C push ecx; mov dword ptr [esp], edx		4_2_0427460D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042BE610 push 042BE671h; ret		4_2_042BE669
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0421670C push ecx; mov dword ptr [esp], edx		4_2_0421670D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0421671C push ecx; mov dword ptr [esp], edx		4_2_0421671D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042BE740 push 042BE7DCh; ret		4_2_042BE7D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042327C4 push 04232826h; ret		4_2_0423281E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042B4014 push 042B403Ah; ret		4_2_042B4032
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04210068 push ecx; mov dword ptr [esp], edx		4_2_04210069
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041E80A4 push ecx; mov dword ptr [esp], eax		4_2_041E80A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042B41A4 push 042B41CAh; ret		4_2_042B41C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04214264 push ecx; mov dword ptr [esp], ecx		4_2_04214268
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04216248 push ecx; mov dword ptr [esp], ecx		4_2_0421624C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0426E2E4 push ecx; mov dword ptr [esp], edx		4_2_0426E2E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042742F4 push ecx; mov dword ptr [esp], edx		4_2_042742F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042182FC push ecx; mov dword ptr [esp], ecx		4_2_04218300
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0426A2F8 push ecx; mov dword ptr [esp], edx		4_2_0426A2FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04270340 push ecx; mov dword ptr [esp], edx		4_2_04270341
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042B2340 push 042B2398h; ret		4_2_042B2390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042BA35C push 042BA3A8h; ret		4_2_042BA3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_042B239C push ecx; mov dword ptr [esp], ecx		4_2_042B23A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041EA3D0 push ecx; mov dword ptr [esp], eax		4_2_041EA3D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04276C80 push ecx; mov dword ptr [esp], edx		4_2_04276C81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04212CE0 push ecx; mov dword ptr [esp], ecx		4_2_04212CE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04216CFC push ecx; mov dword ptr [esp], ecx		4_2_04216D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041E6D2C push ecx; mov dword ptr [esp], ecx		4_2_041E6D2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0426CE1C push ecx; mov dword ptr [esp], edx		4_2_0426CE1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04278E4C push ecx; mov dword ptr [esp], edx		4_2_04278E4D

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041BD1C4 FindFirstFileW,FindClose,		4_2_041BD1C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_041BCBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,		4_2_041BCBF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_0040D1C4 FindFirstFileW,FindClose,		40_2_0040D1C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 40_2_0040CBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,		40_2_0040CBF8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_041BEE84 GetSystemInfo,

4_2_041BEE84

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04268000 IsDebuggerPresent,RaiseException,

4_2_04268000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_042B90EC LoadLibraryW,GetProcAddress,GetProcAddress,IsBadReadPtr,

4_2_042B90EC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_042B8BF4 VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,

4_2_042B8BF4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KfHeFsr9Ce.dll",#1

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_041B79E8 cpuid

4_2_041B79E8

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,		4_2_041BD2FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		4_2_041BC79C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		4_2_041D8FD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_041D920C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		4_2_041D5334
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		4_2_041D5380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,		40_2_0040D2FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		40_2_0040C79C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		40_2_00428FD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		40_2_0042920C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		40_2_00425334
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		40_2_00425380

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_041D3818 GetLocalTime,

4_2_041D3818

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_041BC520 InitializeCriticalSection,GetVersion,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,

4_2_041BC520

Lowering of HIPS / PFW / Operating System Security Settings

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe