Windows Analysis Report
SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll

Overview

General Information

Sample name: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll
(renamed file extension from exe to dll)
Original sample name: SecuriteInfo.com.Application.Generic.3623086.1464.24272.exe
Analysis ID: 1417538
MD5: 72bca96a3c16575f9c41c971f290ef9d
SHA1: ec2a063a295a44b559753048b69b13f6f29581be
SHA256: 0ba766c92ee65ba37d996bd0b1aaf5bbf9bdef6efe2473997972642d206c877f
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs

Classification

AV Detection

Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll ReversingLabs: Detection: 44%
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Virustotal: Detection: 47%
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Joe Sandbox ML: detected
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_cbea1377-9
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: loaddll64.exe, 00000000.00000002.3788577625.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788526443.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: ".pdb*.$ source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: loaddll64.exe, 00000000.00000002.3788577625.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788526443.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp
Source: rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://fontello.com
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://fontello.comCopyright
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLInterExtraLightOpen
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLInterLightOpen
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLInterMediumOpen
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLInterSemiBoldOpen
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLInterThinOpen
Source: rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLOpen
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://Mozilla/5.0Failed
Source: rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.github.com/repos/Prax-Client/Releases/releases/latest
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.playhive.com/v0/game/all/
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.playhive.com/v0/game/all/GetHiveStats:
Source: rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1157861980611297410/1163279643168747570/F6_T6MXXoAAH6os.jpg?e
Source: rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/JetBrains/JetBrainsMono)JetBrains
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Prax-Client/Releases/raw/main/banner
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Prax-Client/Releases/raw/main/bannerstart_screenhud_screentextures/ui/titletextur
Source: rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Prax-Client/Releases/raw/main/fardreverb.wav
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Prax-Client/Releases/raw/main/killsound.wav
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Prax-Client/Releases/raw/main/killsound.wavCreated
Source: rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/rsms/inter)Inter
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/rsms/inter)InterBold3.019;RSMS;Inter-BoldInter
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/rsms/inter)InterRegular3.019;RSMS;Inter-RegularInter
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://peoplehub-public.xboxlive.com/people/gt(
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://peoplehub-public.xboxlive.com/people/gt(Rtn:
Source: rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://rsms.me/This
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFL
Source: loaddll64.exe, 00000000.00000002.3788294623.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp, loaddll64.exe, 00000000.00000003.1347874541.000001C442900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1348219113.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3788253297.00007FFBA9464000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.jetbrains.comhttps://www.jetbrains.comThis
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://yiffing.zone/sounds/click.wav
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://yiffing.zone/sounds/click.wavhttps://yiffing.zone/sounds/notify_off.wavhttps://yiffing.zone/
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://yiffing.zone/sounds/notify_off.wav
Source: loaddll64.exe, 00000000.00000003.1347113703.000001C440D90000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.3788249388.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788213687.00007FFBA93E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1347485334.000001B6B6570000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://yiffing.zone/sounds/notify_on.wav

System Summary

Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: Number of sections : 13 > 10
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: d3dcompiler_47.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: xaudio2_9.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: mmdevapi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: avrt.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: devobj.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: audioses.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: resourcepolicyclient.dll
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: Section: ZLIB complexity 0.9958128511235955
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: Section: .reloc ZLIB complexity 1.5625
Source: classification engine Classification label: mal80.evad.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll",#1
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll ReversingLabs: Detection: 44%
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Virustotal: Detection: 47%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll",#1
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static file information: File size 6792208 > 1048576
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: Raw size of is bigger than: 0x100000 < 0x12d800
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: Raw size of is bigger than: 0x100000 < 0x1a0a00
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x362c00
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: loaddll64.exe, 00000000.00000002.3788577625.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788526443.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: ".pdb*.$ source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: loaddll64.exe, 00000000.00000002.3788577625.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3788526443.00007FFBA9B09000.00000040.00000001.01000000.00000003.sdmp
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name:
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name: .themida
Source: SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll Static PE information: section name: .boot

Boot Survival

Source: C:\Windows\System32\loaddll64.exe Window searched: window name: RegmonClass
Source: C:\Windows\System32\loaddll64.exe Window searched: window name: FilemonClass
Source: C:\Windows\System32\loaddll64.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Windows\System32\rundll32.exe Window searched: window name: RegmonClass
Source: C:\Windows\System32\rundll32.exe Window searched: window name: FilemonClass
Source: C:\Windows\System32\rundll32.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll64.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\loaddll64.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\System32\rundll32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\rundll32.exe TID: 7552 Thread sleep count: 40 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: loaddll64.exe, 00000000.00000002.3787758103.000001C440BCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Your client sucks, just get SigmaT\VBOX__JHh
Source: loaddll64.exe, 00000000.00000002.3787758103.000001C440C00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000004.00000002.3787747090.000001B6B4963000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo
Source: C:\Windows\System32\loaddll64.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Windows\System32\loaddll64.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\rundll32.exe Open window title or class name: regmonclass
Source: C:\Windows\System32\rundll32.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Windows\System32\rundll32.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Windows\System32\rundll32.exe Open window title or class name: procmon_window_class
Source: C:\Windows\System32\rundll32.exe Open window title or class name: filemonclass
Source: C:\Windows\System32\rundll32.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe NtSetInformationThread: Indirect: 0x7FFBA9D73DDD
Source: C:\Windows\System32\loaddll64.exe NtQueryInformationProcess: Indirect: 0x7FFBA9D263AA
Source: C:\Windows\System32\loaddll64.exe NtQueryInformationProcess: Indirect: 0x7FFBA9D13298
Source: C:\Windows\System32\loaddll64.exe NtQuerySystemInformation: Indirect: 0x7FFBA9D0554A
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Application.Generic.3623086.1464.24272.dll",#1
No contacted IP infos