
Windows Analysis Report
8082-x86.dll

Overview

General Information

Sample Name: 8082-x86.dll
Analysis ID: 780200
MD5: 8d72fc6ff9cb0971df587d20dda5e8c8
SHA1: d6031029133084901392b856fe66f00f438d95d9
SHA256: 0b7d19cf030839c3df481069772c7a32b5a3be4c41ce6b436ab69015fa90d98a
Tags: 45139105143, CobaltStrike, dll, opendir

Detection

CobaltStrike
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected CobaltStrike
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Yara signature match
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5180 cmdline: loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4908 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5128 cmdline: rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5136 cmdline: regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 3636 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4868 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4936 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
8082-x86.dll | CobaltStrike_Resources_Artifact32_v3_14_to_v4_x | Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0 | gssincla@google.com | strings:
  • 0xacb:$pushFmtStr: C7 44 24 28 5C 00 00 00 C7 44 24 24 65 00 00 00 C7 44 24 20 70 00 00 00 C7 44 24 1C 69 00 00 00 C7 44 24 18 70 00 00 00 F7 F1 C7 44 24 14 5C 00 00 00 C7 44 24 10 2E 00 00 00 C7 44 24 0C 5C 00 ...
  • 0x44624:$fmtStr: %c%c%c%c%c%c%c%c%cMSSE-%d-server
8082-x86.dll | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched


    AV Detection

    Source: 8082-x86.dll | Avira: detected
    Source: 8082-x86.dll | ReversingLabs: Detection: 87%
    Source: 8082-x86.dll | Virustotal: Detection: 70%
    Source: 8082-x86.dll | Joe Sandbox ML: detected
    Source: 8082-x86.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
    Source: 8082-x86.dll, type: SAMPLE | Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: 8082-x86.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engine | Classification label: mal68.troj.winDLL@14/0@0/0
    Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll"
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
    Source: 8082-x86.dll | Static PE information: Image base 0x6bac0000 > 0x60000000
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Remote Access Functionality

    Source: Yara match | File source: 8082-x86.dll, type: SAMPLE
    MITRE ATT&CK Matrix (the number in parentheses is the count shown next to a technique in the original matrix; techniques without a number were not observed)

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
    Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
    Defense Evasion: Regsvr32 (1); Rundll32 (1); Virtualization/Sandbox Evasion (1); Process Injection (11); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: Virtualization/Sandbox Evasion (1); System Information Discovery (1); Query Registry; System Network Configuration Discovery; Remote System Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
    Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
    Behavior Graph (ID: 780200, Sample: 8082-x86.dll, Startdate: 08/01/2023, Architecture: WINDOWS, Score: 68). Top signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected CobaltStrike; Machine Learning detection for sample. Process graph: loaddll32.exe started cmd.exe, regsvr32.exe, rundll32.exe and 3 other processes; cmd.exe started rundll32.exe.

    Source | Detection | Scanner | Label
    8082-x86.dll | 88% | ReversingLabs | Win32.Trojan.CobaltStrike
    8082-x86.dll | 70% | Virustotal |
    8082-x86.dll | 100% | Avira | HEUR/AGEN.1235510
    8082-x86.dll | 100% | Joe Sandbox ML |
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox Version: 36.0.0 Rainbow Opal
    Analysis ID: 780200
    Start date and time: 2023-01-08 15:58:23 +01:00
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 3m 0s
    Hypervisor based Inspection enabled: false
    Report type: light
    Sample file name: 8082-x86.dll
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes: 8
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal68.troj.winDLL@14/0@0/0
    EGA Information: Failed
    HDC Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Stop behavior analysis, all processes terminated
    • Excluded domains from analysis (whitelisted): fs.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    Time | Type | Description
    15:59:29 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
    No context
    No created / dropped files found
    File type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Entropy (8bit): 6.6495124481937875
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • VXD Driver (31/22) 0.00%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: 8082-x86.dll
    File size: 285184
    MD5: 8d72fc6ff9cb0971df587d20dda5e8c8
    SHA1: d6031029133084901392b856fe66f00f438d95d9
    SHA256: 0b7d19cf030839c3df481069772c7a32b5a3be4c41ce6b436ab69015fa90d98a
    SHA512: 9c2074e9e68676ce41346f9bce266fb1155d75fc4f1efc6f40bbcb7871ab6a2f7eda724c4381dd288d817929117fbea9bd3a6d0c977f3db5a55fad1bb35e294d
    SSDEEP: 3072:GjXnzH5O+xdKYgC2F/bHnOdisDmtam6SBSZge2x7WBNvjxDld7JOwy6t7bAl+dBj:mNaYn+HNtaJD7VUwl7Y+T
    TLSH: 1154CFE5B1DC6B67F844BABA93E1EA0A32A93CD88214E511B3FDDFF6210145CB8D44C5
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^...........#.........V...... ........0.....k................................4......... ............................
    Icon Hash: 74f0e4ecccdce0e4
    Entrypoint: 0x6bac1420
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x6bac0000
    Subsystem: windows cui
    Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
    DLL Characteristics:
    Time Stamp: 0x5EDED50C [Tue Jun 9 00:17:16 2020 UTC]
    TLS Callbacks: 0x6bac1a50, 0x6bac1a00
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: e1dcffde169ed8b947dc63acdb78aeca
    Instruction
    sub esp, 1Ch
    mov edx, dword ptr [esp+24h]
    mov dword ptr [6BB07018h], 00000000h
    cmp edx, 01h
    je 00007F0C30DAD01Ch
    mov ecx, dword ptr [esp+28h]
    mov eax, dword ptr [esp+20h]
    call 00007F0C30DACE22h
    add esp, 1Ch
    retn 000Ch
    lea esi, dword ptr [esi+00000000h]
    mov dword ptr [esp+0Ch], edx
    call 00007F0C30DADD9Ch
    mov edx, dword ptr [esp+0Ch]
    jmp 00007F0C30DACFD9h
    nop
    push ebp
    mov ebp, esp
    sub esp, 18h
    mov eax, dword ptr [6BB05418h]
    test eax, eax
    je 00007F0C30DAD03Eh
    mov dword ptr [esp], 6BB06000h
    call dword ptr [6BB09138h]
    mov edx, 00000000h
    sub esp, 04h
    test eax, eax
    je 00007F0C30DAD018h
    mov dword ptr [esp+04h], 6BB0600Eh
    mov dword ptr [esp], eax
    call dword ptr [6BB0913Ch]
    sub esp, 08h
    mov edx, eax
    test edx, edx
    je 00007F0C30DAD00Bh
    mov dword ptr [esp], 6BB05418h
    call edx
    leave
    ret
    lea esi, dword ptr [esi+00h]
    push ebp
    mov ebp, esp
    pop ebp
    ret
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    push ebp
    mov ebp, esp
    push edi
    push esi
    push ebx
    sub esp, 4Ch
    mov edi, dword ptr [ebp+08h]
    mov esi, dword ptr [ebp+0Ch]
    mov dword ptr [ebp-1Ch], 00000000h
    mov dword ptr [esp+1Ch], 00000000h
    mov dword ptr [esp+18h], 00000000h
    mov dword ptr [eax+eax+00h], 00000000h
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x48000 | 0xb0 | .edata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x49000 | 0x5bc | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4c000 | 0x4ac | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x4b000 | 0x18 | .tls
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x49108 | 0xcc | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x1a84 | 0x1c00 | False | 0.5262276785714286 | data | 5.9055220621274644 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x3000 | 0x4241c | 0x42600 | False | 0.5397871056967984 | data | 6.6586521702558805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rdata | 0x46000 | 0x1a0 | 0x200 | False | 0.529296875 | data | 4.462802731767267 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .bss | 0x47000 | 0x418 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .edata | 0x48000 | 0xb0 | 0x200 | False | 0.2734375 | data | 1.9817948694706844 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .idata | 0x49000 | 0x5bc | 0x600 | False | 0.4296875 | data | 4.870768861754693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .CRT | 0x4a000 | 0x2c | 0x200 | False | 0.052734375 | data | 0.18120187678200297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls | 0x4b000 | 0x20 | 0x200 | False | 0.0546875 | data | 0.2797047950073886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc | 0x4c000 | 0x4ac | 0x600 | False | 0.7005208333333334 | data | 5.557340256736937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    DLL | Import
    KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, QueryPerformanceCounter, ReadFile, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
    msvcrt.dll | __dllonexit, _amsg_exit, _initterm, _iob, _lock, _onexit, _unlock, _winmajor, abort, calloc, free, fwrite, malloc, memcpy, sprintf, strlen, strncmp, vfprintf
    Name | Ordinal | Address
    DllGetClassObject | 1 | 0x6bac17ee
    DllMain | 2 | 0x6bac178b
    DllRegisterServer | 3 | 0x6bac17e0
    DllUnregisterServer | 4 | 0x6bac17e7
    StartW | 5 | 0x6bac1803
    No network behavior found

    Target ID: 0
    Start time: 15:59:19
    Start date: 08/01/2023
    Path: C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit): true
    Commandline: loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll"
    Imagebase: 0xbf0000
    File size: 116736 bytes
    MD5 hash: 1F562FBF37040EC6C43C8D5EF619EA39
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 1
    Start time: 15:59:19
    Start date: 08/01/2023
    Path: C:\Windows\System32\conhost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase: 0x7ff6da640000
    File size: 625664 bytes
    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 2
    Start time: 15:59:19
    Start date: 08/01/2023
    Path: C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit): true
    Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
    Imagebase: 0x1b0000
    File size: 232960 bytes
    MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 3
    Start time: 15:59:19
    Start date: 08/01/2023
    Path: C:\Windows\SysWOW64\regsvr32.exe
    Wow64 process (32bit): true
    Commandline: regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll
    Imagebase: 0xa30000
    File size: 20992 bytes
    MD5 hash: 426E7499F6A7346F0410DEAD0805586B
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 4
    Start time: 15:59:19
    Start date: 08/01/2023
    Path: C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit): true
    Commandline: rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
    Imagebase: 0x960000
    File size: 61952 bytes
    MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 5
    Start time: 15:59:19
    Start date: 08/01/2023
    Path: C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit): true
    Commandline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject
    Imagebase: 0x960000
    File size: 61952 bytes
    MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    Target ID: 6
    Start time: 15:59:23
    Start date: 08/01/2023
    Path: C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit): true
    Commandline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain
    Imagebase: 0x960000
    File size: 61952 bytes
    MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language

    Target ID: 7
    Start time: 15:59:26
    Start date: 08/01/2023
    Path: C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit): true
    Commandline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer
    Imagebase: 0x960000
    File size: 61952 bytes
    MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language

    No disassembly